Published by: lcole02 on Jan 11, 2011
Sections

  • Introduction
  • Antivirus protection
  • Web content filtering
  • Spam filtering
  • NAT/Route mode
  • Transparent mode
  • VLANs and virtual domains
  • Intrusion Prevention System (IPS)
  • High availability
  • Secure installation, configuration, and management
  • Web-based manager
  • Command line interface
  • Logging and reporting
  • Document conventions
  • Fortinet documentation
  • Comments on Fortinet technical documentation
  • Customer service and technical support
  • System status
  • Console access
  • Status
  • Viewing system status
  • Changing unit information
  • To change FortiGate host name
  • To update the firmware version
  • To update the antivirus definitions manually
  • To update the attack definitions manually
  • To change to Transparent mode
  • To change to NAT/Route mode
  • Session list
  • Changing the FortiGate firmware
  • Upgrading to a new firmware version
  • Upgrading the firmware using the web-based manager
  • Reverting to a previous firmware version
  • Installing firmware images from a system reboot using the CLI
  • Testing a new firmware image before installing it
  • System network
  • Interface
  • Interface settings
  • Configuring interfaces
  • To bring down an interface that is administratively up
  • To start up an interface that is administratively down
  • To add interfaces to a zone
  • To add an interface to a virtual domain
  • To change the static IP address of an interface
  • To configure an interface for DHCP
  • To configure an interface for PPPoE
  • To add a secondary IP address
  • To control administrative access to an interface
  • Zone
  • Zone settings
  • To delete a zone
  • Management
  • Routing table (Transparent Mode)
  • Routing table list
  • Transparent mode route settings
  • Configuring the modem interface
  • Connecting a modem to the FortiGate unit
  • Configuring modem settings
  • Connecting and disconnecting the modem
  • Backup mode configuration
  • Standalone mode configuration
  • Adding firewall policies for modem connections
  • VLAN overview
  • FortiGate units and VLANs
  • VLANs in NAT/Route mode
  • Rules for VLAN IDs
  • Rules for VLAN IP addresses
  • Adding VLAN subinterfaces
  • To add firewall policies for VLAN subinterfaces
  • VLANs in Transparent mode
  • Transparent mode virtual domains and VLANs
  • Transparent mode VLAN list
  • Transparent mode VLAN settings
  • To add a VLAN subinterface in Transparent mode
  • FortiGate IPv6 support
  • System DHCP
  • Service
  • DHCP service settings
  • To configure an interface to be a DHCP server
  • Server
  • DHCP server settings
  • Exclude range
  • DHCP exclude range settings
  • IP/MAC binding
  • DHCP IP/MAC binding settings
  • Dynamic IP
  • System config
  • System time
  • Options
  • HA
  • HA configuration
  • Standalone Mode
  • High Availability
  • Override Master
  • Priorities of Heartbeat Device
  • Monitor priorities
  • Configuring an HA cluster
  • Managing an HA cluster
  • SNMP
  • Configuring SNMP
  • SNMP community
  • FortiGate MIBs
  • FortiGate traps
  • Fortinet MIB fields
  • Replacement messages
  • Replacement messages list
  • Changing replacement messages
  • FortiManager
  • System administration
  • Administrators
  • Administrators list
  • Administrators options
  • Access profiles
  • Access profile list
  • Access profile options
  • System maintenance
  • Backup and restore
  • Backing up and Restoring
  • Update center
  • Updating antivirus and attack definitions
  • To enable scheduled updates through a proxy server
  • Enabling push updates
  • Enabling push updates through a NAT device
  • Support
  • Sending a bug report
  • Registering a FortiGate unit
  • Shutdown
  • System virtual domain
  • Virtual domain properties
  • Exclusive virtual domain properties
  • Shared configuration settings
  • Administration and management
  • Virtual domains
  • Adding a virtual domain
  • Selecting a virtual domain
  • Selecting a management virtual domain
  • To select a management virtual domain
  • To select a management virtual domain and add a management IP
  • Configuring virtual domains
  • Adding interfaces, VLAN subinterfaces, and zones to a virtual domain
  • To add physical interfaces to a virtual domain
  • To add VLAN subinterfaces to a virtual domain
  • To add zones to a virtual domain
  • Configuring routing for a virtual domain
  • Configuring firewall policies for a virtual domain
  • To add firewall policies to a virtual domain
  • To add firewall addresses to a virtual domain
  • To add IP pools to a virtual domain
  • To add Virtual IPs to a virtual domain
  • Configuring IPSec VPN for a virtual domain
  • To configure VPN for a virtual domain
  • Router
  • Static route
  • Static route list
  • Static route options
  • Policy
  • Policy route list
  • Policy route options
  • General
  • Networks list
  • Networks options
  • Interface list
  • Interface options
  • Distribute list
  • Distribute list options
  • Offset list
  • Offset list options
  • Router objects
  • Access list
  • New access list
  • New access list entry
  • Prefix list
  • New Prefix list
  • New prefix list entry
  • Route-map list
  • New Route-map
  • Route-map list entry
  • Key chain list
  • New key chain
  • Key chain list entry
  • Monitor
  • Routing monitor list
  • Firewall
  • How policy matching works
  • Policy list
  • Policy options
  • Advanced policy options
  • Configuring firewall policies
  • Address
  • Address list
  • Address options
  • Configuring addresses
  • Address group list
  • Address group options
  • Configuring address groups
  • Predefined service list
  • Custom service list
  • Custom service options
  • Configuring custom services
  • Service group list
  • Service group options
  • Configuring service groups
  • Schedule
  • One-time schedule list
  • One-time schedule options
  • Configuring one-time schedules
  • Recurring schedule list
  • Recurring schedule options
  • Configuring recurring schedules
  • Virtual IP
  • Virtual IP list
  • Virtual IP options
  • Configuring virtual IPs
  • IP pool
  • IP pool list
  • IP pool options
  • Configuring IP pools
  • IP Pools for firewall policies that use fixed ports
  • IP pools and dynamic NAT
  • Protection profile
  • Protection profile list
  • Default protection profiles
  • Protection profile options
  • Configuring web category filtering options
  • Configuring protection profiles
  • To add a protection profile to a policy
  • Users and authentication
  • Setting authentication timeout
  • Local
  • Local user list
  • Local user options
  • RADIUS
  • RADIUS server list
  • RADIUS server options
  • LDAP
  • LDAP server list
  • LDAP server options
  • User group
  • User group list
  • User group options
  • CLI configuration
  • peer
  • peergrp
  • IPSec VPN
  • Phase 1
  • Phase 1 list
  • Phase 1 basic settings
  • Phase 1 advanced options
  • Configuring XAuth
  • Phase 2
  • Phase 2 list
  • Phase 2 basic settings
  • Phase 2 advanced options
  • Manual Key
  • Manual key list
  • Manual key options
  • Concentrator
  • Concentrator list
  • Concentrator options
  • Configuring the hub
  • Configuring the spoke
  • Dialup monitor
  • Static IP and dynamic DNS monitor
  • IPSec VPN ping generator
  • Ping generator options
  • AutoIKE IPSec VPN with preshared keys
  • AutoIKE IPSec VPN with certificates
  • Peer to peer VPN
  • Dialup VPN
  • Dynamic DNS VPN
  • Manual key IPSec VPN
  • Adding firewall policies for IPSec VPN
  • IPSec VPN firewall policy direction
  • Source addresses for IPSec VPN firewall policies
  • Destination addresses for IPSec VPN firewall policies
  • Adding IPSec firewall policies
  • DHCP over IPSec
  • Internet browsing through a VPN tunnel
  • Configuring Internet browsing through a VPN tunnel
  • IPSec VPN in Transparent mode
  • Special rules
  • Hub and spoke VPNs
  • Configuring spokes
  • Redundant IPSec VPNs
  • Configuring redundant IPSec VPNs
  • Managing digital certificates
  • Peer identification
  • Local certificates
  • Generating the certificate request
  • Local certificate list
  • Importing the signed local certificate
  • Uploading a local certificate
  • To import the signed local certificate
  • Backing up and restoring the local certificate and private key
  • CA certificates
  • Troubleshooting
  • PPTP and L2TP VPNs
  • PPTP
  • General configuration steps
  • Specifying a PPTP range
  • Configuring a Windows 98 client for PPTP
  • To configure a PPTP dialup connection
  • Configuring a Windows 2000 client for PPTP
  • Configuring a Windows XP client for PPTP
  • PPTP passthrough
  • Configuring PPTP passthrough
  • L2TP
  • Specifying an L2TP range
  • Configuring a Windows 2000 client for L2TP
  • Configuring a Windows XP client for L2TP
  • Signature
  • Predefined
  • Custom
  • Backing up and restoring custom signature files
  • Anomaly
  • Configuring IPS logging and alert email
  • Antivirus
  • File block
  • File block list
  • Configuring the file block list
  • Quarantine
  • Quarantined files list
  • Quarantined files list options
  • AutoSubmit list
  • AutoSubmit list options
  • Configuring the AutoSubmit list
  • Config
  • Virus list
  • Grayware
  • Grayware options
  • heuristic
  • quarantine
  • service http
  • service ftp
  • service pop3
  • service imap
  • service smtp
  • Web filter
  • Content block
  • Web content block list
  • Web content block options
  • Configuring the web content block list
  • URL block
  • Web URL block list
  • Web URL block options
  • Configuring the web URL block list
  • Web pattern block list
  • Web pattern block options
  • Configuring web pattern block
  • URL exempt
  • URL exempt list
  • URL exempt list options
  • Configuring URL exempt
  • Category block
  • FortiGuard managed web filtering service
  • Category block configuration options
  • Figure 52: Category block configuration
  • Configuring web category block
  • Category block reports
  • Category block reports options
  • Generating a category block report
  • CLI Configuration
  • Script filter
  • Web script filter options
  • Spam filter
  • IP address
  • IP address list
  • IP address options
  • Configuring the IP address list
  • RBL & ORDBL
  • RBL & ORDBL list
  • RBL and ORDBL options
  • Configuring the RBL & ORDBL list
  • Email address
  • Email address list
  • Email address options
  • Configuring the email address list
  • MIME headers
  • MIME headers list
  • MIME headers options
  • Configuring the MIME headers list
  • Banned word
  • Banned word list
  • Banned word options
  • Configuring the banned word list
  • Using Perl regular expressions
  • Log & Report
  • Log config
  • Log Setting options
  • Log file upload settings
  • Alert E-mail options
  • Log filter options
  • Configuring log filters
  • Enabling traffic logging
  • Log access
  • Local disk log access
  • Memory buffer log access
  • fortilog setting
  • syslogd setting
  • FortiGuard categories
  • FortiGate maximum values
  • Glossary
  • Index

FortiGate 60

Administration Guide


FortiGate-60 Administration Guide Version 2.80
16 July 2004 01-28003-0002-20040716

© Copyright 2004 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.

FortiGate-60 Administration Guide Version 2.80 build184
16 July 2004
01-28003-0002-20040716

Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.

Regulatory Compliance
FCC Class A Part 15
CSA/CUS

CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.

For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.

Contents

Introduction ..... 13
    Antivirus protection ..... 14
    Web content filtering ..... 14
    Spam filtering ..... 15
    Firewall ..... 15
        NAT/Route mode ..... 16
        Transparent mode ..... 16
    VLANs and virtual domains ..... 16
    Intrusion Prevention System (IPS) ..... 17
    VPN ..... 17
    High availability ..... 18
    Secure installation, configuration, and management ..... 18
        Web-based manager ..... 18
        Command line interface ..... 19
        Logging and reporting ..... 19
    Document conventions ..... 19
    Fortinet documentation ..... 21
        Comments on Fortinet technical documentation ..... 21
    Customer service and technical support ..... 22

System status ..... 23
    Console access ..... 23
    Status ..... 24
        Viewing system status ..... 24
        Changing unit information ..... 27
    Session list ..... 29
    Changing the FortiGate firmware ..... 30
        Upgrading to a new firmware version ..... 31
        Reverting to a previous firmware version ..... 33
        Installing firmware images from a system reboot using the CLI ..... 35
        Testing a new firmware image before installing it ..... 38

System network ..... 41
    Interface ..... 41
        Interface settings ..... 42
        Configuring interfaces ..... 47
    Zone ..... 51
        Zone settings ..... 52
    Management ..... 53
    DNS ..... 54
    Routing table (Transparent Mode) ..... 55
        Routing table list ..... 55
        Transparent mode route settings ..... 56
    Configuring the modem interface ..... 56
        Connecting a modem to the FortiGate unit ..... 57
        Configuring modem settings ..... 57
        Connecting and disconnecting the modem ..... 59
        Backup mode configuration ..... 59
        Standalone mode configuration ..... 60
        Adding firewall policies for modem connections ..... 61
    VLAN overview ..... 61
        FortiGate units and VLANs ..... 62
    VLANs in NAT/Route mode ..... 63
        Rules for VLAN IDs ..... 63
        Rules for VLAN IP addresses ..... 63
        Adding VLAN subinterfaces ..... 64
    VLANs in Transparent mode ..... 65
        Rules for VLAN IDs ..... 67
        Transparent mode virtual domains and VLANs ..... 68
        Transparent mode VLAN list ..... 68
        Transparent mode VLAN settings ..... 68
    FortiGate IPv6 support ..... 70

System DHCP ..... 71
    Service ..... 71
        DHCP service settings ..... 72
    Server ..... 73
        DHCP server settings ..... 74
    Exclude range ..... 75
        DHCP exclude range settings ..... 76
    IP/MAC binding ..... 76
        DHCP IP/MAC binding settings ..... 77
    Dynamic IP ..... 77

System config ..... 79
    System time ..... 79
    Options ..... 80
    HA ..... 82
        HA configuration ..... 83
        Configuring an HA cluster ..... 88
        Managing an HA cluster ..... 91
    SNMP ..... 94
        Configuring SNMP ..... 95
        SNMP community ..... 95
        FortiGate MIBs ..... 98
        FortiGate traps ..... 98
        Fortinet MIB fields ..... 100
    Replacement messages ..... 103
        Replacement messages list ..... 103
        Changing replacement messages ..... 104
    FortiManager ..... 105

System administration ..... 107
    Administrators ..... 107
        Administrators list ..... 108
        Administrators options ..... 108
    Access profiles ..... 109
        Access profile list ..... 109
        Access profile options ..... 110

System maintenance ..... 111
    Backup and restore ..... 111
        Backing up and Restoring ..... 112
    Update center ..... 113
        Updating antivirus and attack definitions ..... 116
        Enabling push updates ..... 118
    Support ..... 121
        Sending a bug report ..... 121
        Registering a FortiGate unit ..... 123
    Shutdown ..... 125

System virtual domain ..... 127
    Virtual domain properties ..... 128
        Exclusive virtual domain properties ..... 128
        Shared configuration settings ..... 129
        Administration and management ..... 130
    Virtual domains ..... 130
        Adding a virtual domain ..... 131
        Selecting a virtual domain ..... 131
        Selecting a management virtual domain ..... 131
    Configuring virtual domains ..... 132
        Adding interfaces, VLAN subinterfaces, and zones to a virtual domain ..... 132
        Configuring routing for a virtual domain ..... 134
        Configuring firewall policies for a virtual domain ..... 134
        Configuring IPSec VPN for a virtual domain ..... 136

Router ..... 137
    Static route ..... 137
        Static route list ..... 137
        Static route options ..... 138
    Policy ..... 139
        Policy route list ..... 139
        Policy route options ..... 140
    RIP ..... 141
        General ..... 141
        Networks list ..... 143
        Networks options ..... 143
        Interface list ..... 143
        Interface options ..... 144
        Distribute list ..... 145
        Distribute list options ..... 146
        Offset list ..... 147
        Offset list options ..... 147
    Router objects ..... 148
        Access list ..... 148
        New access list ..... 149
        New access list entry ..... 149
        Prefix list ..... 150
        New Prefix list ..... 150
        New prefix list entry ..... 151
        Route-map list ..... 152
        New Route-map ..... 152
        Route-map list entry ..... 153
        Key chain list ..... 154
        New key chain ..... 154
        Key chain list entry ..... 155
    Monitor ..... 156
        Routing monitor list ..... 156

Firewall................................................................................................................ 157
Policy .............................................................................................................................. 158 How policy matching works......................................................................................... 158 Policy list ..................................................................................................................... 159 Policy options.............................................................................................................. 160 Advanced policy options ............................................................................................. 162 Configuring firewall policies ........................................................................................ 164

6

01-28003-0002-20040716

Fortinet Inc.

Contents

  Address ..................................................... 165
    Address list .............................................. 166
    Address options ........................................... 166
    Configuring addresses ..................................... 167
    Address group list ........................................ 168
    Address group options ..................................... 168
    Configuring address groups ................................ 169
  Service ..................................................... 169
    Predefined service list ................................... 170
    Custom service list ....................................... 173
    Custom service options .................................... 173
    Configuring custom services ............................... 174
    Service group list ........................................ 175
    Service group options ..................................... 176
    Configuring service groups ................................ 176
  Schedule .................................................... 177
    One-time schedule list .................................... 177
    One-time schedule options ................................. 178
    Configuring one-time schedules ............................ 178
    Recurring schedule list ................................... 179
    Recurring schedule options ................................ 180
    Configuring recurring schedules ........................... 180
  Virtual IP .................................................. 181
    Virtual IP list ........................................... 181
    Virtual IP options ........................................ 182
    Configuring virtual IPs ................................... 183
  IP pool ..................................................... 185
    IP pool list .............................................. 186
    IP pool options ........................................... 186
    Configuring IP pools ...................................... 187
    IP Pools for firewall policies that use fixed ports ....... 187
    IP pools and dynamic NAT .................................. 187
  Protection profile .......................................... 188
    Protection profile list ................................... 188
    Default protection profiles ............................... 189
    Protection profile options ................................ 189
    Configuring protection profiles ........................... 193
    CLI configuration ......................................... 194

Users and authentication ...................................... 199
  Setting authentication timeout .............................. 200
  Local ....................................................... 200
    Local user list ........................................... 200
    Local user options ........................................ 201

FortiGate-60 Administration Guide


  RADIUS
    RADIUS server list
    RADIUS server options
  LDAP
    LDAP server list
    LDAP server options
  User group
    User group list
    User group options
  CLI configuration
    peer
    peergrp

IPSec VPN ..................................................... 211
  Phase 1
    Phase 1 list
    Phase 1 basic settings
    Phase 1 advanced options
    Peer identification
  Phase 2
    Phase 2 list
    Phase 2 basic settings
    Phase 2 advanced options
  Manual Key
    Manual key list
    Manual key options
  Concentrator
    Concentrator list
    Concentrator options
  IPSec VPN ping generator
    Ping generator options
  Monitor
    Dialup monitor
    Static IP and dynamic DNS monitor
  CLI configuration
  AutoIKE IPSec VPN with preshared keys
  AutoIKE IPSec VPN with certificates
  Manual key IPSec VPN
  Dialup VPN
    Configuring XAuth
  Dynamic DNS VPN
  Peer to peer VPN
  Hub and spoke VPNs
    Configuring the hub
    Configuring the spoke
  Redundant IPSec VPNs
    Configuring redundant IPSec VPNs
    Configuring the hub
    Configuring spokes
  Adding firewall policies for IPSec VPN
    IPSec VPN firewall policy direction
    Source addresses for IPSec VPN firewall policies
    Destination addresses for IPSec VPN firewall policies
    Special rules
    Adding IPSec firewall policies
  IPSec VPN in Transparent mode
  Internet browsing through a VPN tunnel
    Configuring Internet browsing through a VPN tunnel
  DHCP over IPSec
  Managing digital certificates
    Local certificates
    Local certificate list
    Uploading a local certificate
    CA certificates
  Troubleshooting

PPTP and L2TP VPNs ............................................ 247
  PPTP
    General configuration steps
    Specifying a PPTP range
    Configuring a Windows 98 client for PPTP
    Configuring a Windows 2000 client for PPTP
    Configuring a Windows XP client for PPTP
  PPTP passthrough
    Configuring PPTP passthrough
  L2TP
    General configuration steps
    Specifying an L2TP range
    Configuring a Windows 2000 client for L2TP
    Configuring a Windows XP client for L2TP

IPS
  Signature
    Predefined
    Custom
  Anomaly
  Configuring IPS logging and alert email

Antivirus ..................................................... 269
  File block
    File block list
    Configuring the file block list
  Quarantine
    Quarantined files list
    Quarantined files list options
    AutoSubmit list
    AutoSubmit list options
    Configuring the AutoSubmit list
    Config
  Config
    Virus list
    Grayware
    Grayware options
  CLI configuration
    service http
    service ftp
    service imap
    service pop3
    service smtp
    heuristic
    quarantine

Web filter .................................................... 289
  Content block
    Web content block list
    Web content block options
    Configuring the web content block list
  URL block
    Web URL block list
    Web URL block options
    Configuring the web URL block list
    Web pattern block list
    Web pattern block options
    Configuring web pattern block
  URL exempt
    URL exempt list
    URL exempt list options
    Configuring URL exempt
  Category block
    FortiGuard managed web filtering service
    Category block configuration options
    Configuring web category block
    Category block reports
    Category block reports options
    Generating a category block report
  Script filter
    Web script filter options

Spam filter ................................................... 303
  RBL & ORDBL
    RBL & ORDBL list
    RBL and ORDBL options
    Configuring the RBL & ORDBL list
  Banned word
    Banned word list
    Banned word options
    Configuring the banned word list
    Using Perl regular expressions
  IP address
    IP address list
    IP address options
    Configuring the IP address list
  Email address
    Email address list
    Email address options
    Configuring the email address list
  MIME headers
    MIME headers list
    MIME headers options
    Configuring the MIME headers list
  CLI Configuration

Log & Report .................................................. 317
  Log config
    Log Setting options
    Alert E-mail options
    Configuring log filters
    Log filter options
    Enabling traffic logging
  Log access
    Local disk log access
    Memory buffer log access
  CLI configuration ........................................... 330
    syslogd setting ........................................... 330
    fortilog setting .......................................... 331

FortiGuard categories ......................................... 335

FortiGate maximum values ...................................... 341

Glossary ...................................................... 345

Index ......................................................... 349

FortiGate-60 Administration Guide Version 2.80

Introduction

FortiGate Antivirus Firewalls support network-based deployment of application-level services, including antivirus protection and full-scan content filtering. FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. FortiGate Antivirus Firewalls are ICSA-certified for firewall, IPSec, and antivirus services.

The FortiGate Antivirus Firewall is a dedicated, easily managed security device that delivers a full suite of capabilities that include:
• application-level services such as virus protection and content filtering,
• network-level services such as firewall, intrusion detection, VPN, and traffic shaping.

The FortiGate Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge, where they are most effective at protecting your networks. The FortiGate series complements existing solutions, such as host-based antivirus protection, and enables new applications and services while greatly lowering costs for equipment, administration, and maintenance.

The FortiGate-60 model is ideally suited for small businesses, remote offices, retail stores, and broadband telecommuter sites. The FortiGate-60 Antivirus Firewall features dual WAN link support for redundant internet connections, and an integrated 4-port switch that eliminates the need for an external hub or switch. Networked devices connect directly to the FortiGate-60 unit.

[Figure: FortiGate-60 front panel, showing the PWR and STATUS indicators, INTERNAL ports 1 to 4, the DMZ, WAN1 and WAN2 ports, and the LINK and 100 indicators for each port.]

The FortiGate-60 also supports advanced features such as 802.1Q VLANs, virtual domains, high availability (HA), and the RIP and OSPF routing protocols.

Antivirus protection

FortiGate ICSA-certified antivirus protection scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content as it passes through the FortiGate unit. FortiGate antivirus protection uses pattern matching and heuristics to find viruses. If a virus is found, antivirus protection removes the file containing the virus from the content stream and forwards a replacement message to the intended recipient.

For extra protection, you can configure antivirus protection to block specified file types from passing through the FortiGate unit. You can use this feature to stop files that might contain new viruses.

If the FortiGate unit contains a hard disk, infected or blocked files and grayware files can be quarantined. The FortiGate administrator can download quarantined files so that they can be virus scanned, cleaned, and forwarded to the intended recipient. You can also configure the FortiGate unit to automatically delete quarantined files after a specified time.

FortiGate antivirus protection can also identify and remove known grayware programs. Grayware programs are usually unsolicited commercial software programs that get installed on PCs, often without the user’s consent or knowledge. Grayware programs are generally considered an annoyance, but these programs can cause system performance problems or be used for malicious means.

The FortiGate unit can send email alerts to system administrators when it detects and removes a virus from a content stream. The web and email content can be in normal network traffic or encrypted IPSec VPN traffic.

ICSA Labs has certified that FortiGate Antivirus Firewalls:
• detect 100% of the viruses listed in the current In The Wild List (www.wildlist.org),
• detect viruses in compressed files using the PKZip format,
• detect viruses in email that has been encoded using uuencode format,
• detect viruses in email that has been encoded using MIME encoding,
• log all actions taken while scanning.

Web content filtering

FortiGate web content filtering can scan all HTTP content protocol streams for URLs, URL patterns, and web page content. If a requested URL matches an entry on the URL block list, or a web page contains a word or phrase that is in the content block list, the FortiGate unit blocks the web page. The blocked web page is replaced with a message that you can edit using the FortiGate web-based manager.

You can configure URL blocking to block all or some of the pages on a web site. Using this feature, you can deny access to parts of a web site without denying access to it completely.

FortiGate web content filtering also supports FortiGuard web category blocking. Using web category blocking you can restrict or allow access to web pages based on content ratings of web pages.

To prevent unintentionally blocking legitimate web pages, you can add URLs to an exempt list that overrides the URL blocking and content blocking lists. The exempt list also exempts web traffic from this address from virus scanning.

Web content filtering also includes a script filter feature that can block unsecure web content such as Java applets, cookies, and ActiveX.

Spam filtering

FortiGate spam filtering can scan all POP3, SMTP, and IMAP email content for spam. You can configure spam filtering to filter mail according to IP address, email address, mime headers, and content. Mail messages can be identified as spam or clear.

You can also add the names of known Real-time Blackhole List (RBL) and Open Relay Database List (ORDBL) servers. These services contain lists of known spam sources.

If an email message is found to be spam, the FortiGate adds an email tag to the subject line of the email. The recipient can use the mail client software to filter messages based on the email tag. Spam filtering can also be configured to delete SMTP email messages identified as spam.

Firewall

The FortiGate ICSA-certified firewall protects your computer networks from Internet threats. ICSA has granted FortiGate firewalls version 4.0 firewall certification, providing assurance that FortiGate firewalls successfully screen and secure corporate networks against a range of threats from public or other untrusted networks.

After basic installation of the FortiGate unit, the firewall allows users on the protected network to access the Internet while blocking Internet access to internal networks. You can configure the firewall to put controls on access to the Internet from the protected networks and to allow controlled access to internal networks.

FortiGate policies include a range of options that:
• control all incoming and outgoing network traffic,
• control encrypted VPN traffic,
• apply antivirus protection and web content filtering,
• block or allow access for all policy options,
• control standard and user defined network services individually or in groups,
• require users to authenticate before gaining access,
• accept or deny traffic to and from individual addresses,
• control when individual policies are in effect,

• include traffic shaping to set access priorities and guarantee or limit bandwidth for each policy,
• include logging to track connections for individual policies,
• include Network Address Translation (NAT) mode and Route mode policies,
• include mixed NAT and Route mode policies.

The FortiGate firewall can operate in NAT/Route mode or Transparent mode.

NAT/Route mode

In NAT/Route mode, you can create NAT mode policies and Route mode policies.
• NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network.
• Route mode policies accept or deny connections between networks without performing address translation.

Transparent mode

Transparent mode provides the same basic firewall protection as NAT mode. Packets that the FortiGate unit receives are forwarded or blocked according to firewall policies. The FortiGate unit can be inserted in the network at any point without having to make changes to your network or its components. However, VPN and some advanced firewall features are available only in NAT/Route mode.

VLANs and virtual domains

FortiGate Antivirus Firewalls support IEEE 802.1Q-compliant virtual LAN (VLAN) tags. Using VLAN technology, a single FortiGate unit can provide security services to, and control connections between, multiple security domains according to the VLAN IDs added to VLAN packets. The FortiGate unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between each security domain. The FortiGate unit can also apply authentication, content filtering, and antivirus protection to VLAN-tagged network and VPN traffic.

The FortiGate unit supports VLANs in NAT/Route and Transparent mode. In NAT/Route mode, you enter VLAN subinterfaces to receive and send VLAN packets.

FortiGate virtual domains provide multiple logical firewalls and routers in a single FortiGate unit. Using virtual domains, one FortiGate unit can provide exclusive firewall and routing services to multiple networks so that traffic from each network is effectively separated from every other network.

You can develop and manage interfaces, VLAN subinterfaces, zones, firewall policies, routing, and VPN configuration for each virtual domain separately. For these configuration settings, each virtual domain is functionally similar to a single FortiGate unit. This separation simplifies configuration because you do not have to manage as many routes or firewall policies at one time.

Intrusion Prevention System (IPS)

The FortiGate Intrusion Prevention System (IPS) combines signature and anomaly based intrusion detection and prevention. The FortiGate unit can record suspicious traffic in logs, can send alert email to system administrators, and can log, pass, drop, reset, or clear suspicious packets or sessions. Both the IPS predefined signatures and the IPS engine are upgradeable through the FortiProtect Distribution Network (FDN). You can also create custom signatures.

VPN

Using FortiGate virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network.

FortiGate VPN features include the following:
• Industry standard and ICSA-certified IPSec VPN, including:
  • IPSec VPN in NAT/Route and Transparent mode,
  • IPSec, ESP security in tunnel mode,
  • DES, 3DES (triple-DES), and AES hardware accelerated encryption,
  • HMAC MD5 and HMAC SHA1 authentication and data integrity,
  • AutoIKE key based on pre-shared key tunnels,
  • IPSec VPN using local or CA certificates,
  • Manual Keys tunnels,
  • Diffie-Hellman groups 1, 2, and 5,
  • Aggressive and Main Mode,
  • Replay Detection,
  • Perfect Forward Secrecy,
  • XAuth authentication,
  • Dead peer detection,
  • DHCP over IPSec,
  • Secure Internet browsing.
• PPTP for easy connectivity with the VPN standard supported by the most popular operating systems.
• L2TP for easy connectivity with a more secure VPN standard, also supported by many popular operating systems.
• Firewall policy based control of IPSec VPN traffic.
• IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT can connect to an IPSec VPN tunnel.
• VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to another through the FortiGate unit.
• IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a remote network.

High availability

Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster. Each FortiGate unit in an HA cluster must be the same model and must be running the same FortiOS firmware image.

FortiGate units can be configured to operate in active-passive (A-P) or active-active (A-A) HA mode. Active-active and active-passive clusters can run in either NAT/Route or Transparent mode.

An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a primary FortiGate unit that processes traffic, and one or more subordinate FortiGate units. The subordinate FortiGate units are connected to the network and to the primary FortiGate unit but do not process traffic.

Active-active (A-A) HA load balances virus scanning among all the FortiGate units in the cluster. An active-active HA cluster consists of a primary FortiGate unit that processes traffic and one or more secondary units that also process traffic. The primary FortiGate unit uses a load balancing algorithm to distribute virus scanning to all the FortiGate units in the HA cluster.

FortiGate HA supports link redundancy and device redundancy.

Secure installation, configuration, and management

The first time you power on the FortiGate unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the Setup wizard to customize FortiGate IP addresses for your network, and the FortiGate unit is ready to protect your network. You can then use the web-based manager to customize advanced FortiGate features.

You can also create a basic configuration using the FortiGate command line interface (CLI).

Web-based manager

Using HTTP or a secure HTTPS connection from any computer running Internet Explorer, you can configure and manage the FortiGate unit. The web-based manager supports multiple languages. You can configure the FortiGate unit for HTTP and HTTPS administration from any FortiGate interface.

You can use the web-based manager to configure most FortiGate settings. You can also use the web-based manager to monitor the status of the FortiGate unit. Configuration changes made using the web-based manager are effective immediately without resetting the firewall or interrupting service. Once you are satisfied with a configuration, you can download and save it. The saved configuration can be restored at any time.

Command line interface

You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network that is connected to the FortiGate unit, including the Internet.

The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options that are not available from the web-based manager.

This Administration Guide contains information about basic and advanced CLI commands. For a more complete description about connecting to and using the FortiGate CLI, see the FortiGate CLI Reference Guide.

Logging and reporting

The FortiGate unit supports logging for various categories of traffic and configuration changes. You can configure logging to:
• report traffic that connects to the firewall,
• report network services used,
• report traffic that was permitted by firewall policies,
• report traffic that was denied by firewall policies,
• report events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks, and web page blocking,
• report attacks detected by the IPS,
• send alert email to system administrators to report virus incidents, intrusions, and firewall or VPN events or violations.

Logs can be sent to a remote syslog server or a WebTrends NetIQ Security Reporting Center and Firewall Suite server using the WebTrends enhanced log format. Some models can also save logs to an optional internal hard drive. If a hard drive is not installed, you can configure most FortiGate units to log the most recent events and attacks detected by the IPS to the system memory.

Document conventions

This guide uses the following conventions to describe command syntax.

• Angle brackets < > to indicate variables.
For example:
execute restore config <filename_str>

You enter:
execute restore config myfile.bak

<xxx_str> indicates an ASCII string that does not contain new-lines or carriage returns.
<xxx_integer> indicates an integer string that is a decimal (base 10) number.
<xxx_octet> indicates a hexadecimal string that uses the digits 0-9 and letters A-F.
<xxx_ipv4> indicates a dotted decimal IPv4 address.
<xxx_v4mask> indicates a dotted decimal IPv4 netmask.
<xxx_ipv4mask> indicates a dotted decimal IPv4 address followed by a dotted decimal IPv4 netmask.
<xxx_ipv6> indicates a dotted decimal IPv6 address.
<xxx_v6mask> indicates a dotted decimal IPv6 netmask.
<xxx_ipv6mask> indicates a dotted decimal IPv6 address followed by a dotted decimal IPv6 netmask.

• Vertical bar and curly brackets {|} to separate alternative, mutually exclusive required keywords.
For example:
set opmode {nat | transparent}
You can enter set opmode nat or set opmode transparent.

• Square brackets [ ] to indicate that a keyword or variable is optional.
For example:
show system interface [<name_str>]
To show the settings for all interfaces, you can enter show system interface. To show the settings for the internal interface, you can enter show system interface internal.

• A space to separate options that can be entered in any combination and must be separated by spaces.
For example:
set allowaccess {ping https ssh snmp http telnet}
You can enter any of the following:
set allowaccess ping
set allowaccess ping https ssh
set allowaccess https ping ssh
set allowaccess snmp
In most cases, to make changes to lists that contain options separated by spaces, you need to retype the whole list, including all the options you want to apply and excluding all the options you want to remove.
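The replace-the-whole-list rule is easy to get wrong when tightening management access, so here is an added Python example (not from the guide or Fortinet) that reads each interface's allowaccess list from a saved configuration, flags interfaces that still allow the cleartext http and telnet services, and builds the complete replacement commands that keep every other option. The `config system interface` / `edit` / `next` / `end` file layout and the sample configuration are assumptions, not taken from this guide.

```python
"""Audit and rewrite FortiGate 'set allowaccess' lists.

Added example, not Fortinet code. Assumption: the configuration uses the
'config system interface' / 'edit <name>' ... 'next' / 'end' layout.
"""
import re
from typing import Dict, List, Set

# Options the guide lists for 'set allowaccess'; fixed order keeps output stable.
ALLOWACCESS_OPTIONS = ("ping", "https", "ssh", "snmp", "http", "telnet")
# Management services that carry administrator credentials unencrypted,
# and the encrypted service to allow in their place.
SECURE_REPLACEMENT = {"http": "https", "telnet": "ssh"}

# Constructed sample configuration (not captured from a real unit).
SAMPLE_CONFIG = """\
config system interface
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
    edit "external"
        set ip 10.0.0.2 255.255.255.0
        set allowaccess ping https
    next
    edit "dmz"
        set ip 10.10.10.1 255.255.255.0
    next
end
"""

_EDIT_RE = re.compile(r'^\s*edit\s+"?([^"\s]+)"?\s*$')
_ALLOW_RE = re.compile(r"^\s*set\s+allowaccess\s+(.+?)\s*$")


def parse_allowaccess(config_text: str) -> Dict[str, Set[str]]:
    """Return {interface: allowaccess options}; no line means no access."""
    result: Dict[str, Set[str]] = {}
    current, in_block = None, False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "config system interface":
            in_block = True
        elif not in_block:
            continue
        elif stripped == "end":
            break
        elif (m := _EDIT_RE.match(line)):
            current = m.group(1)
            result[current] = set()
        elif stripped == "next":
            current = None
        elif (m := _ALLOW_RE.match(line)) and current is not None:
            result[current] = set(m.group(1).split())
    return result


def cleartext_admin_interfaces(ifaces: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Interfaces that still allow http or telnet, with the offending options."""
    bad = set(SECURE_REPLACEMENT)
    return {n: sorted(o & bad) for n, o in ifaces.items() if o & bad}


def allowaccess_command(current: Set[str], remove=(), add=()) -> str:
    """Build the complete replacement line.

    The CLI replaces the whole list, so every option that should survive is
    named again and only the removed ones are left out.
    """
    wanted = (set(current) - set(remove)) | set(add)
    unknown = wanted - set(ALLOWACCESS_OPTIONS)
    if unknown:
        raise ValueError(f"unknown allowaccess option(s): {sorted(unknown)}")
    if not wanted:
        raise ValueError("no options left; refusing to emit an empty list")
    return "set allowaccess " + " ".join(o for o in ALLOWACCESS_OPTIONS if o in wanted)


def remediation_commands(config_text: str) -> List[str]:
    """CLI lines that swap http/telnet for https/ssh on every flagged interface."""
    ifaces = parse_allowaccess(config_text)
    flagged = cleartext_admin_interfaces(ifaces)
    if not flagged:
        return []
    lines = ["config system interface"]
    for name, bad in sorted(flagged.items()):
        cmd = allowaccess_command(
            ifaces[name], remove=bad, add={SECURE_REPLACEMENT[o] for o in bad}
        )
        lines += [f'    edit "{name}"', "        " + cmd, "    next"]
    lines.append("end")
    return lines


if __name__ == "__main__":
    print("\n".join(remediation_commands(SAMPLE_CONFIG)))
```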

Fortinet documentation

Information about FortiGate products is available from the following FortiGate User Manual volumes:
• FortiGate QuickStart Guide
Each QuickStart Guide provides the basic information required to connect and install a FortiGate model.
• FortiGate Installation Guide
Each Installation Guide provides detailed information required to install a FortiGate model. Includes hardware reference, default configuration, installation procedures, connection procedures, and basic configuration procedures.
• FortiGate Administration Guide
Each Administration Guide describes how to configure a FortiGate model. Configuration information includes how to use FortiGate firewall policies to control traffic flow through the FortiGate unit and how to configure VPN, IPS, antivirus protection, web content filtering, and spam filtering. The administration guide also describes how to use protection profiles to apply intrusion prevention, antivirus, web filtering, and spam filtering to traffic passing through the FortiGate unit. The FortiGate online help also contains procedures for using the FortiGate web-based manager to configure and manage the FortiGate unit.
• FortiGate CLI Reference Guide
Describes how to use the FortiGate CLI and contains a reference to all FortiGate CLI commands.
• FortiGate Log Message Reference Guide
Describes the structure of FortiGate log messages and provides information on all log messages generated by the FortiGate unit.
• FortiGate High Availability Guide
Contains in-depth information about FortiGate High Availability and the FortiGate Clustering Protocol (FGCP).

For a complete list of FortiGate documentation visit Fortinet Technical Support at http://support.fortinet.com.

Comments on Fortinet technical documentation

You can send information about errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.

Customer service and technical support

For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.

You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and change your registration information at any time.

Fortinet email support is available from the following addresses:
amer_support@fortinet.com: For customers in the United States, Canada, Mexico, Latin America and South America.
apac_support@fortinet.com: For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia.
eu_support@fortinet.com: For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East.

For information on Fortinet telephone support, see http://support.fortinet.com.

When requesting technical support, please provide the following information:
• Your name
• Company name
• Location
• Email address
• Telephone number
• FortiGate unit serial number
• FortiGate model
• FortiGate FortiOS firmware version
• Detailed description of the problem

FortiGate-60 Administration Guide Version 2.80

System status

You can connect to the web-based manager and view the current system status of the FortiGate unit. The status information that is displayed includes the system status, unit information, system resources, and session log.

This chapter includes:
• Console access
• Status
• Session list
• Changing the FortiGate firmware

Console access

An alternative to the web-based manager discussed in this manual is text-based Console Access, using the FortiGate command line interface (CLI). You can get console access by selecting the Console Access button in the upper right corner of the web-based manager. The management computer must have Java version 1.3 or higher installed. For information on how to use the CLI, see the FortiGate CLI Reference Guide.

Figure 1: Console access

Connect: Select Connect to connect to the CLI.
Disconnect: Select Disconnect to disconnect from the CLI.
Clear screen: Select Clear screen to start a new page.

Status

View the system status page for a snapshot of the current operating status of the FortiGate unit. All FortiGate administrators can view system status information. FortiGate administrators whose access profiles contain system configuration write privileges can change or update FortiGate unit information. For information on access profiles, see “Access profiles” on page 109.
• Viewing system status
• Changing unit information

Viewing system status

Figure 2: System status

Automatic Refresh Interval: Select to control how often the web-based manager updates the system status display.
Go: Select to set the selected automatic refresh interval.
Refresh: Select to manually update the system status display.

System status
UP Time: The time in days, hours, and minutes since the FortiGate unit was last started.
System Time: The current time according to the FortiGate unit internal clock.
Log Disk: Displays hard disk capacity and free space if the FortiGate unit contains a hard disk, or Not Available if no hard disk is installed. The FortiGate unit uses the hard disk to store log messages and quarantine files infected with a virus or blocked by antivirus file blocking.

Unit Information
Admin users and administrators whose access profiles contain system configuration read and write privileges can change or update the unit information. For information on access profiles, see “Access profiles” on page 109.
Host Name: The host name of the current FortiGate unit.
Firmware Version: The version of the firmware installed on the current FortiGate unit.
Antivirus Definitions: The current installed version of the FortiGate Antivirus Definitions.
Attack Definitions: The current installed version of the FortiGate Attack Definitions used by the Intrusion Prevention System (IPS).
Serial Number: The serial number of the current FortiGate unit. The serial number is specific to the FortiGate unit and does not change with firmware upgrades.
Operation Mode: The operation mode of the current FortiGate unit.

System Resources
CPU Usage: The current CPU status. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Memory Usage: The current memory status. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Hard Disk Usage: The current hard disk (local disk) status. The web-based manager displays hard disk usage for core processes only. Usage by management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Active Sessions: The number of communications sessions being processed by the FortiGate unit.

Interface Status
All interfaces in the FortiGate unit are listed in the table.
Interface: The name of the interface.
IP / Netmask: The IP address and netmask of the interface.
Status: The status of the interface, either up (green up arrow) or down (red down arrow).

Recent Virus Detections
Time: The time at which the recent virus was detected.
Src / Dst: The source and destination addresses of the virus.
Service: The service from which the virus was delivered: HTTP, FTP, IMAP, POP3, or SMTP.
Virus Detected: The name of the virus detected.

Network Utilization: The total network bandwidth being used through all FortiGate interfaces and the percentage of the maximum network bandwidth that can be processed by the FortiGate unit.

Recent Intrusion Detections
Time: The time at which the recent intrusion was detected.
Src / Dst: The source and destination addresses of the attack.
Service: The service from which the attack was delivered: HTTP, FTP, IMAP, POP3, or SMTP.
Attack Name: The name of the attack.

History

Select History to view a graphical representation of the last minute of CPU, memory, sessions, and network usage. This page also shows the virus and intrusion detections over the last 20 hours.

Figure 3: Sample system resources history

The history page displays 6 graphs representing the following system resources and protection:
CPU Usage History: CPU usage for the previous minute.
Memory Usage History: Memory usage for the previous minute.
Session History: Session history for the previous minute.
Network Utilization History: Network utilization for the previous minute.
Virus History: The virus detection history over the last 20 hours.
Intrusion History: The intrusion detection history over the last 20 hours.

Changing unit information

Administrators with system configuration write access can use the unit information area of the System Status page:
• To change FortiGate host name
• To update the firmware version
• To update the antivirus definitions manually
• To update the attack definitions manually
• To change to Transparent mode
• To change to NAT/Route mode

To change FortiGate host name

The FortiGate host name appears on the Status page and in the FortiGate CLI prompt, and is added to the SNMP System Name. The default host name is FortiGate-50.

Note: If the FortiGate unit is part of a high-availability (HA) cluster, you should set a unique name to distinguish the unit from others in the cluster.

The host name is also used as the SNMP system name. For information about the SNMP system name, see “SNMP” on page 94.

1 Go to System > Status > Status.
2 In the Host Name field of the Unit Information section, select Change.
3 In the New Name field, type a new host name.
4 Select OK.
The new host name is displayed in the Host Name field, and in the CLI prompt.

To update the firmware version

For information on updating the firmware, see “Changing the FortiGate firmware” on page 30.

To update the antivirus definitions manually

Note: For information about configuring the FortiGate unit for automatic antivirus definitions updates, see “Update center” on page 113.

1 Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status > Status.
3 In the Antivirus Definitions field of the Unit Information section, select Update.
4 In the Update File field, type the path and filename for the antivirus definitions update file, or select Browse and locate the antivirus definitions update file.
5 Select OK to copy the antivirus definitions update file to the FortiGate unit.
The FortiGate unit updates the antivirus definitions. This takes about 1 minute.

6 Go to System > Status to confirm that the Antivirus Definitions Version information has updated.

To update the attack definitions manually

Note: For information about configuring the FortiGate unit for automatic attack definitions updates, see “Update center” on page 113.

1 Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status > Status.
3 In the Attack Definitions field of the Unit Information section, select Update.
The Intrusion Detection System Definitions Update dialog box appears.
4 In the Update File field, type the path and filename for the attack definitions update file, or select Browse and locate the attack definitions update file.
5 Select OK to copy the attack definitions update file to the FortiGate unit.
The FortiGate unit updates the attack definitions. This takes about 1 minute.
6 Go to System > Status > Status to confirm that the Attack Definitions Version information has updated.

To change to Transparent mode

After you change the FortiGate unit from the NAT/Route mode to Transparent mode, most of the configuration resets to Transparent mode factory defaults.

The following items are not set to Transparent mode factory defaults:
• The admin administrator account password (see “To configure an administrator account” on page 109)
• HA settings (see “HA” on page 82)

To change to Transparent mode:
1 Go to System > Status > Status.
2 In the Operation Mode field of the Unit Information section, select Change.
3 In the Operation Mode field, select Transparent.
4 Select OK.
The FortiGate unit changes operation mode.
5 To reconnect to the web-based manager, connect to the interface configured for Transparent mode management access and browse to https:// followed by the Transparent mode management IP address.
By default in Transparent mode, you can connect to the internal or DMZ interface. The default Transparent mode management IP address is 10.10.10.1.

To change to NAT/Route mode

After you change the FortiGate unit from the Transparent mode to the NAT/Route mode, most of the configuration resets to NAT/Route mode factory defaults.

The following items are not set to NAT/Route mode factory defaults:
• The admin administrator account password (see “To configure an administrator account” on page 109)
• HA settings (see “HA” on page 82)

To change to NAT/Route mode:
1 Go to System > Status > Status.
2 In the Operation Mode field of the Unit Information section, select Change.
3 In the Operation Mode field, select NAT/Route.
4 Select OK.
The FortiGate unit changes operation mode.
5 To reconnect to the web-based manager, you must connect to the interface configured by default for management access.
By default in NAT/Route mode, you can connect to the internal or DMZ interface. The default NAT/Route mode management IP address is 192.168.1.99.

Session list

The session list displays information about the communications sessions currently being processed by the FortiGate unit. You can use the session list to view current sessions.

Figure 4: Sample session list

Virtual Domain: Select a virtual domain to list the sessions being processed by that virtual domain. Select All to view sessions being processed by all virtual domains.
From IP: Set source IP address for list filtering.
From Port: Set source port for list filtering.
To IP: Set destination IP address for list filtering.
To Port: Set destination port for list filtering.
Apply Filter: Select to filter session list.
Total Number of Sessions: Total number of sessions currently being conducted through the FortiGate unit.

Refresh icon: Select to update the session list.
Page up icon: Select to view the previous page in the session list.
Page down icon: Select to view the next page in the session list.
Delete icon: Select to stop an active communication session.
Protocol: The service protocol of the connection, for example, udp, tcp, or icmp.
From IP: The source IP address of the connection.
From Port: The source port of the connection.
To IP: The destination IP address of the connection.
To Port: The destination port of the connection.
Expire: The time, in seconds, before the connection expires.

To view the session list
1 Go to System > Status > Session.
The web-based manager displays the total number of active sessions in the FortiGate unit session table and lists the top 16.
2 To navigate the list of sessions, select Page Up or Page Down.
3 Select Refresh to update the session list.
4 If you are logged in as an administrative user with read and write privileges or as the admin user, you can select Clear to stop an active session.

Changing the FortiGate firmware

FortiGate administrators whose access profiles contain system configuration read and write privileges and the FortiGate admin user can change the FortiGate firmware. After you download a FortiGate firmware image from Fortinet, you can use the procedures listed in Table 1 to install the firmware image on your FortiGate unit.

This section describes:
• Upgrading to a new firmware version
• Reverting to a previous firmware version
• Installing firmware images from a system reboot using the CLI
• Testing a new firmware image before installing it

Table 1: Firmware upgrade procedures

Procedure: Description
Upgrading to a new firmware version: Use the web-based manager or CLI procedure to upgrade to a new FortiOS firmware version or to a more recent build of the same firmware version.
Reverting to a previous firmware version: Use the web-based manager or CLI procedure to revert to a previous firmware version. This procedure reverts the FortiGate unit to its factory default configuration.
Installing firmware images from a system reboot using the CLI: Use this procedure to install a new firmware version or revert to a previous firmware version. To use this procedure you must connect to the CLI using the FortiGate console port and a null-modem cable. This procedure reverts the FortiGate unit to its factory default configuration.
Testing a new firmware image before installing it: Use this procedure to test a new firmware image before installing it. To use this procedure you must connect to the CLI using the FortiGate console port and a null-modem cable. This procedure temporarily installs a new firmware image using your current configuration. You can test the firmware image before installing it permanently. If the firmware image works correctly you can use one of the other procedures listed in this table to install it permanently.

Upgrading to a new firmware version

Note: To use this procedure you must login using the admin administrator account.

Use the following procedures to upgrade the FortiGate unit to a newer firmware version.

Upgrading the firmware using the web-based manager

Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “To update antivirus and attack definitions” on page 116 to make sure that antivirus and attack definitions are up to date.

To upgrade the firmware using the web-based manager
1 Copy the firmware image file to your management computer.
2 Log into the web-based manager as the admin administrative user, or an administrator account that has system configuration read and write privileges.
3 Go to System > Status.
4 Under Unit Information > Firmware Version, select Update.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Log into the web-based manager.

8 Go to System > Status and check the Firmware Version to confirm that the firmware upgrade is successfully installed.
9 Update antivirus and attack definitions. For information about updating antivirus and attack definitions, see “Update center” on page 113. You can also use the CLI command execute update_now to update the antivirus and attack definitions.

Upgrading the firmware using the CLI
To use the following procedure you must have a TFTP server that the FortiGate unit can connect to.
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “To update antivirus and attack definitions” on page 116 to make sure that antivirus and attack definitions are up to date.

To upgrade the firmware using the CLI
Note: To use this procedure you must login using the admin administrator account, or an administrator account that has system configuration read and write privileges.
1 Make sure that the TFTP server is running.
2 Copy the new firmware image file to the root directory of the TFTP server.
3 Log into the CLI.
4 Make sure the FortiGate unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build183-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image FGT_300-v280-build183-FORTINET.out 192.168.1.168
The FortiGate unit responds with the message:
This operation will replace the current firmware version! Do you want to continue? (y/n)
6 Type y.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.
7 Reconnect to the CLI.
8 To confirm that the new firmware image is successfully installed, enter:
get system status

9 Use the procedure “To update antivirus and attack definitions” on page 116 to update antivirus and attack definitions, or from the CLI, enter:
execute update_now

Reverting to a previous firmware version
Use the following procedures to revert your FortiGate unit to a previous firmware version.

Reverting to a previous firmware version using the web-based manager
The following procedures revert the FortiGate unit to its factory default configuration and delete IPS custom signatures, web content lists, email filtering lists, and changes to replacement messages.
Before beginning this procedure you can:
• Back up the FortiGate unit configuration. For information, see “Backing up and Restoring” on page 112.
• Back up the IPS custom signatures.
• Back up web content and email filtering lists.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.80 to FortiOS v2.50), you might not be able to restore the previous configuration from the backup configuration file.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “To update antivirus and attack definitions” on page 116 to make sure that antivirus and attack definitions are up to date.

To revert to a previous firmware version using the web-based manager
Note: To use this procedure you must login using the admin administrator account, or an administrator account that has system configuration read and write privileges.
1 Copy the firmware image file to the management computer.
2 Log into the FortiGate web-based manager.
3 Go to System > Status.
4 Under Unit Information > Firmware Version, select Update.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Log into the web-based manager.

8 Go to System > Status and check the Firmware Version to confirm that the firmware is successfully installed.
9 Restore your configuration. For information about restoring your configuration, see “Backup and restore” on page 111.
10 Update antivirus and attack definitions. For information about antivirus and attack definitions, see “To update antivirus and attack definitions” on page 116. You can also use the CLI command execute update_now to update the antivirus and attack definitions.

Reverting to a previous firmware version using the CLI
This procedure reverts the FortiGate unit to its factory default configuration and deletes IPS custom signatures, web content lists, email filtering lists, and changes to replacement messages.
Before beginning this procedure you can:
• Back up the FortiGate unit system configuration using the command execute backup config. For information, see “Backing up and Restoring” on page 112.
• Back up the IPS custom signatures using the command execute backup ipsuserdefsig
• Back up web content and email filtering lists.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.80 to FortiOS v2.50), you might not be able to restore your previous configuration from the backup configuration file.
To use the following procedure you must have a TFTP server that the FortiGate unit can connect to.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “To update antivirus and attack definitions” on page 116 to make sure that antivirus and attack definitions are up to date.

To revert to a previous firmware version using the CLI
Note: To use this procedure you must login using the admin administrator account, or an administrator account that has system configuration read and write privileges.
1 Make sure that the TFTP server is running.
2 Copy the firmware image file to the root directory of the TFTP server.
3 Log into the FortiGate CLI.
4 Make sure the FortiGate unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168

5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build158-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image FGT_300-v280-build158-FORTINET.out 192.168.1.168
The FortiGate unit responds with the message:
This operation will replace the current firmware version! Do you want to continue? (y/n)
6 Type y.
The FortiGate unit uploads the firmware image file. After the file uploads, a message similar to the following is displayed:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version! Do you want to continue? (y/n)
7 Type y.
The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes.
8 Reconnect to the CLI.
9 To confirm that the new firmware image has been loaded, enter:
get system status
10 To restore your previous configuration if needed, use the command:
execute restore config <name_str> <tftp_ipv4>
11 Update antivirus and attack definitions. For information, see “To update antivirus and attack definitions” on page 116, or from the CLI, enter:
execute update_now

Installing firmware images from a system reboot using the CLI
This procedure installs a specified firmware image and resets the FortiGate unit to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware version.
Note: This procedure varies for different FortiGate BIOS versions. These variations are explained in the procedure steps that are affected. The version of the BIOS running on the FortiGate unit is displayed when you restart the FortiGate unit using the CLI through a console connection.

For this procedure you:
• access the CLI by connecting to the FortiGate console port using a null-modem cable.
• install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.
Before beginning this procedure you can:
• Back up the FortiGate unit configuration. For information, see “Backing up and Restoring” on page 112.
• Back up the IPS custom signatures. For information, see “Backing up and restoring custom signature files” on page 265.
• Back up web content and email filtering lists. For information, see “Web filter” on page 289 and “Spam filter” on page 303.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.80 to FortiOS v2.50), you might not be able to restore your previous configuration from the backup configuration file.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “To update antivirus and attack definitions” on page 116 to make sure that antivirus and attack definitions are up to date.

To install firmware from a system reboot
1 Connect to the CLI using the null-modem cable and FortiGate console port.
2 Make sure that the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
4 Make sure that the internal interface is connected to the same network as the TFTP server.
5 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168, enter:
execute ping 192.168.1.168
6 Enter the following command to restart the FortiGate unit:
execute reboot
The FortiGate unit responds with the following message:
This operation will reboot the system ! Do you want to continue? (y/n)

7 Type y.
As the FortiGate unit starts, a series of system startup messages is displayed. When one of the following messages appears:
• FortiGate unit running v2.x BIOS
Press Any Key To Download Boot Image.
...
• FortiGate unit running v3.x BIOS
Press any key to display configuration menu......
Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, one of the following messages appears:
• FortiGate unit running v2.x BIOS
Enter TFTP Server Address [192.168.168.168]:
Go to step 9.
• FortiGate unit running v3.x BIOS
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
8 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.168.168]:
9 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type an IP address that can be used by the FortiGate unit to connect to the TFTP server.
The IP address can be any IP address that is valid for the network that the interface is connected to. Make sure you do not enter the IP address of another device on this network.
The following message appears:
Enter File Name [image.out]:

11 Enter the firmware image filename and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following are displayed:
• FortiGate unit running v2.x BIOS
Do You Want To Save The Image? [Y/n]
Type Y.
• FortiGate unit running v3.x BIOS
Save as Default firmware/Run image without saving:[D/R]
or
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
12 Type D.
The FortiGate unit installs the new firmware image and restarts. The installation might take a few minutes to complete.

Restoring the previous configuration
Change the internal interface address if required. You can do this from the CLI using the command:
config system interface
    edit internal
        set ip <address_ipv4mask>
        set allowaccess {ping https ssh telnet http}
end
After changing the interface address, you can access the FortiGate unit from the web-based manager and restore the configuration.
• To restore the FortiGate unit configuration, see “Backup and restore” on page 111.
• To restore IPS custom signatures, see “Backing up and restoring custom signature files” on page 265.
• To restore web content filtering lists, see “Backup and restore” on page 111.
• To restore email filtering lists, see “Backup and restore” on page 111.
• To update the virus and attack definitions to the most recent version, see “Updating antivirus and attack definitions” on page 116.
If you are reverting to a previous firmware version (for example, reverting from FortiOS v2.80 to FortiOS v2.50), you might not be able to restore your previous configuration from the backup configuration file.

Testing a new firmware image before installing it
You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure the FortiGate unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time the FortiGate unit restarts, it operates with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently using the procedure “Upgrading to a new firmware version” on page 31.

For this procedure you:
• access the CLI by connecting to the FortiGate console port using a null-modem cable.
• install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.

To test a new firmware image
1 Connect to the CLI using a null-modem cable and FortiGate console port.
2 Make sure the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
4 Make sure the FortiGate unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit reboots, press any key to interrupt the system startup.
As the FortiGate unit starts, a series of system startup messages is displayed. When one of the following messages appears:
• FortiGate unit running v2.x BIOS
Press Any Key To Download Boot Image.
...
• FortiGate unit running v3.x BIOS
Press any key to display configuration menu......
6 Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, one of the following messages appears:
• FortiGate unit running v2.x BIOS
Enter TFTP Server Address [192.168.168.168]:
Go to step 8.
• FortiGate unit running v3.x BIOS
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,Q,or H:
7 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.168.168]:

8 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
9 Type an IP address that can be used by the FortiGate unit to connect to the TFTP server.
The IP address can be any IP address that is valid for the network that the interface is connected to. Make sure you do not enter the IP address of another device on this network.
The following message appears:
Enter File Name [image.out]:
10 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear.
• FortiGate unit running v2.x BIOS
Do You Want To Save The Image? [Y/n]
Type N.
• FortiGate unit running v3.x BIOS
Save as Default firmware/Run image without saving:[D/R]
or
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
11 Type R.
The FortiGate image is installed to system memory and the FortiGate unit starts running the new firmware image but with its current configuration.
12 You can log into the CLI or the web-based manager using any administrative account.
13 To confirm that the new firmware image has been loaded, from the CLI enter:
get system status
You can test the new firmware image as required.
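
Every CLI procedure in this section ends in execute restore image, and the guide warns that reverting resets the unit to factory defaults and that a backup taken on a newer FortiOS version might not restore on an older one. The following Python is an added example, not Fortinet code, that classifies an image file name against the running firmware before the file is staged on the TFTP server, so that an accidental downgrade or wrong-model image is caught first. It assumes the file-name pattern seen in this guide's examples (FGT_300-v280-build183-FORTINET.out); the running model, version and build are supplied by the operator from get system status, and the FirmwareImage values in the usage are constructed.

```python
import re
from dataclasses import dataclass

# File-name pattern assumed from the examples in this guide
# (FGT_300-v280-build183-FORTINET.out): <model>-v<ver>-build<n>-FORTINET.out.
# This is an assumption for the example, not a documented Fortinet format.
IMAGE_NAME_RE = re.compile(
    r"^(?P<model>FGT_\d+)-v(?P<version>\d{3})-build(?P<build>\d+)-FORTINET\.out$"
)


@dataclass(frozen=True)
class FirmwareImage:
    model: str      # e.g. "FGT_300"
    version: int    # 280 means FortiOS v2.80
    build: int      # e.g. 183


def parse_image_name(filename):
    """Extract model, version and build from a firmware image file name."""
    m = IMAGE_NAME_RE.match(filename)
    if not m:
        raise ValueError(f"unrecognised firmware image file name: {filename!r}")
    return FirmwareImage(m.group("model"), int(m.group("version")), int(m.group("build")))


def classify_install(filename, running):
    """Classify what 'execute restore image' would do relative to the running firmware.

    running describes the installed firmware (model/version/build as reported by
    'get system status'). Returns 'upgrade', 'downgrade' or 'reinstall'.
    A model mismatch is refused outright rather than classified.
    """
    image = parse_image_name(filename)
    if image.model != running.model:
        raise ValueError(f"image is for {image.model}, unit is {running.model}")
    key_new = (image.version, image.build)
    key_run = (running.version, running.build)
    if key_new > key_run:
        return "upgrade"
    if key_new < key_run:
        return "downgrade"
    return "reinstall"


def preinstall_checklist(filename, running):
    """Return the precautions this guide attaches to the classified operation."""
    kind = classify_install(filename, running)
    image = parse_image_name(filename)
    steps = [f"operation: {kind} from build {running.build} to build {image.build}"]
    if kind == "downgrade":
        steps += [
            "back up the configuration: execute backup config",
            "back up IPS custom signatures: execute backup ipsuserdefsig",
            "back up web content and email filtering lists",
            "expect the unit to reset to its factory default configuration",
        ]
        if image.version < running.version:
            steps.append("major version downgrade: the backup configuration file "
                         "might not restore on the older version")
    steps.append("after install, refresh antivirus and attack definitions: execute update_now")
    return steps


if __name__ == "__main__":
    # Constructed running-firmware values for the usage; take real ones from
    # 'get system status'.
    running = FirmwareImage("FGT_300", 280, 183)
    for line in preinstall_checklist("FGT_300-v280-build158-FORTINET.out", running):
        print(line)
```

The version/build pair is compared as a tuple so a newer build of the same version is an upgrade while an older version with a higher build number is still a downgrade; the model check runs before any comparison because a wrong-model image should never reach the TFTP root.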

FortiGate-60 Administration Guide Version 2.80

System network
System network settings control how the FortiGate unit connects to and interacts with your network. Basic network settings start with configuring FortiGate interfaces to connect to your network and configuring the FortiGate DNS settings. More advanced network settings include adding VLAN subinterfaces and zones to the FortiGate network configuration.
Note: Unless stated otherwise, in this section the term interface can refer to a physical FortiGate interface or to a FortiGate VLAN subinterface.
• Interface
• Zone
• Management
• DNS
• Routing table (Transparent Mode)
• Configuring the modem interface
• VLAN overview
• VLANs in NAT/Route mode
• VLANs in Transparent mode
• FortiGate IPv6 support

Interface
In NAT/Route mode, go to System > Network > Interface to configure FortiGate interfaces and to add and configure VLAN subinterfaces.
• For information about VLANs in NAT/Route mode, see “VLANs in NAT/Route mode” on page 63.
• For information about VLANs in Transparent mode, see “VLANs in Transparent mode” on page 65.

Figure 5: Interface list
Create New Select Create New to create a VLAN. See “VLAN overview” on page 61.
Virtual Domain Select a virtual domain to display the interfaces added to this virtual domain. Only available if you have added a virtual domain.
Name The names of the physical interfaces available to your FortiGate unit.
• Interface names indicate the default function of the interface (for example, internal and wan1)
• By default, interface names that include ha are configured with an HA heartbeat device priority (see “Priorities of Heartbeat Device” on page 86)
• The modem interface is available if a modem is connected to the USB port (see “Configuring the modem interface” on page 56)
If you have added VLAN subinterfaces, they also appear in the name list, below the physical interface that they have been added to.
IP The current IP address of the interface.
Netmask The netmask of the interface.
Access The administrative access configuration for the interface. See “To control administrative access to an interface” on page 50 for information about administrative access options.
Status The administrative status for the interface. If the administrative status is a green arrow, the interface is up and can accept network traffic. If the administrative status is a red arrow, the interface is administratively down and cannot accept traffic. To change the administrative status, select Bring Down or Bring Up. For more information, see “To bring down an interface that is administratively up” on page 48 and “To start up an interface that is administratively down” on page 48.
Delete, edit, and view icons

Interface settings
Interface settings displays the current configuration of a selected FortiGate interface or VLAN subinterface. Use interface settings to configure a new VLAN subinterface or to change the configuration of a FortiGate interface or VLAN subinterface.

Figure 6: Interface settings
See the following procedures for configuring interfaces:
• To bring down an interface that is administratively up
• To start up an interface that is administratively down
• To add interfaces to a zone
• To add an interface to a virtual domain
• To change the static IP address of an interface
• To configure an interface for DHCP
• To configure an interface for PPPoE
• To add a secondary IP address
• To add a ping server to an interface
• To control administrative access to an interface
• To change the MTU size of the packets leaving an interface
• To configure traffic logging for connections to an interface
Name The name of the Interface.
Interface Select the name of the physical interface to add the VLAN subinterface to. All VLAN subinterfaces must be associated with a physical interface. Once created, the VLAN is listed below its physical interface in the Interface list.
VLAN ID Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. The VLAN ID can be any number between 1 and 4096 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface. For more information on VLANs, see “VLAN overview” on page 61.

Virtual Domain Select a virtual domain to add the interface or VLAN subinterface to this virtual domain. Virtual domain is only available if you have added a virtual domain. For more information on virtual domains, see “System virtual domain” on page 127.
Addressing mode Select Manual, DHCP, or PPPoE to set the addressing mode for this interface.
Manual Select Manual and enter an IP address and netmask for the interface. The IP address of the interface must be on the same subnet as the network the interface is connecting to. Two interfaces cannot have the same IP address and cannot have IP addresses on the same subnet.
Note: Where you can enter both an IP address and a netmask in the same field, you can use the short form of the netmask. For example, 192.168.1.100/255.255.255.0 can also be entered as 192.168.1.100/24.
DHCP If you configure the interface to use DHCP, the FortiGate unit automatically broadcasts a DHCP request. The interface retrieves an IP address, netmask, and other settings from the DHCP server.
Distance Enter the administrative distance for the default gateway retrieved from the DHCP server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.
Retrieve default gateway and DNS from server Enable Retrieve default gateway and DNS from server to retrieve a default gateway IP address and DNS server IP addresses from a PPPoE server. The default gateway is added to the static routing table and the DNS server IP addresses are added to the DNS page. Disable this option if you are configuring the interface offline.
Connect to server Enable Connect to Server so that the interface automatically attempts to connect to a DHCP server. You can disable connect to server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the DHCP request.
Status Displays DHCP status messages as the FortiGate unit connects to the DHCP server and gets addressing information. Select Status to refresh the addressing mode status message.
initializing No activity.
connecting The interface is attempting to connect to the DHCP server.
connected The interface retrieves an IP address, netmask, and other settings from the DHCP server.
failed The interface was unable to retrieve an IP address and other information from the DHCP server.
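
The Manual addressing rules above (short-form netmask, no two interfaces with the same IP address or on the same subnet) can be checked before an address plan is typed into the unit. The following Python is an added example and not FortiGate code; the interface names and addresses used in the usage are constructed. It reads "same subnet" as network overlap, which is slightly broader than the guide's wording so that a /24 nested inside a /16 on another interface is also reported.

```python
import ipaddress


def parse_interface_address(text):
    """Parse 'ip/netmask' where the netmask is a dotted quad or a prefix length.

    Both '192.168.1.100/255.255.255.0' and the short form '192.168.1.100/24'
    are accepted, matching the note in the guide. A non-contiguous mask such
    as 255.255.0.255 is rejected by the ipaddress module with a ValueError.
    """
    addr, sep, mask = text.partition("/")
    if not sep or not mask:
        raise ValueError(f"expected ip/netmask, got {text!r}")
    return ipaddress.IPv4Interface(f"{addr}/{mask}")


def short_form(text):
    """Rewrite an interface address to the /prefix short form."""
    return parse_interface_address(text).with_prefixlen


def check_interface_addresses(assignments):
    """Check a set of interface addresses against the guide's two rules.

    assignments maps interface name -> 'ip/netmask'. Returns a list of
    human-readable problems; an empty list means the plan is valid.
    """
    parsed = {name: parse_interface_address(v) for name, v in assignments.items()}
    problems = []
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ia, ib = parsed[a], parsed[b]
            if ia.ip == ib.ip:
                problems.append(f"{a} and {b} have the same IP address {ia.ip}")
            elif ia.network.overlaps(ib.network):
                # Overlap covers equal subnets and one subnet nested in another.
                problems.append(f"{a} ({ia.network}) and {b} ({ib.network}) share a subnet")
    return problems


if __name__ == "__main__":
    # Constructed address plan for the usage; the wan1 address is a
    # documentation range, not a real assignment.
    plan = {
        "internal": "192.168.1.99/255.255.255.0",
        "dmz": "192.168.1.200/24",
        "wan1": "203.0.113.5/24",
    }
    print({name: short_form(v) for name, v in plan.items()})
    for problem in check_interface_addresses(plan):
        print("problem:", problem)
```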

PPPoE
If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request. FortiGate units support many of the PPPoE RFC features (RFC 2516) including unnumbered IPs, initial discovery timeout timers, and PPPoE Active Discovery Terminate (PADT).
Figure 7: PPPoE settings
User Name The PPPoE account user name.
Password The PPPoE account password.
Unnumbered IP Enable IP unnumbered mode for PPPoE. Specify the IP address to be borrowed by the interface. This IP address can be the same as the IP address of another interface or can be any IP address. The Unnumbered IP may be used for PPPoE interfaces for which no unique local address is provided. If you have been assigned a block of IP addresses by your ISP, for example, you can add any of these IP addresses to the Unnumbered IP.
Initial Disc Timeout Initial discovery timeout. The time to wait before retrying to start a PPPoE discovery. Set Initial Disc to 0 to disable.
Initial PADT timeout Initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. PADT must be supported by your ISP. Set initial PADT timeout to 0 to disable.
Distance Enter the administrative distance for the default gateway retrieved from the PPPoE server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.
Retrieve default gateway from server Enable Retrieve default gateway from server to retrieve a default gateway IP address from a PPPoE server. The default gateway is added to the static routing table. Disable this option if you are configuring the interface offline.
Override internal DNS Enable Override internal DNS to replace the DNS server IP addresses on the DNS page with the DNS addresses retrieved from the PPPoE server.
Connect to server Enable Connect to Server so that the interface automatically attempts to connect to a PPPoE server. You can disable connect to server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the PPPoE request.

Status Displays PPPoE status messages as the FortiGate unit connects to the PPPoE server and gets addressing information. Select Status to refresh the addressing mode status message.
initializing No activity.
connecting The interface is attempting to connect to the PPPoE server.
connected The interface retrieves an IP address, netmask, and other settings from the PPPoE server.
failed The interface was unable to retrieve an IP address and other information from the PPPoE server.

DDNS
Enable or disable using a Dynamic DNS service (DDNS). If the FortiGate unit uses a dynamic IP address, you can arrange with a DDNS service provider to use a domain name to provide redirection of traffic to your network whenever the IP address changes.
Server Select a DDNS server to use. The client software for these services is built into the FortiGate firmware. The FortiGate unit can only connect automatically to a DDNS server for the supported clients.
Domain The domain name to use for the DDNS service.
Username The user name to use when connecting to the DDNS server.
Password The password to use when connecting to the DDNS server.

Ping server
Add a ping server to an interface if you want the FortiGate unit to confirm connectivity with the next hop router on the network connected to the interface. Adding a ping server is required for routing failover. See “To add or edit a static route” on page 138. The FortiGate unit uses dead gateway detection to ping the Ping Server IP address to make sure that the FortiGate unit can connect to this IP address. To configure dead gateway detection, see “To modify the dead gateway detection settings” on page 82.

Administrative access
Configure administrative access to an interface to control how administrators access the FortiGate unit and the FortiGate interfaces to which administrators can connect. You can select the following administrative access options:
HTTPS To allow secure HTTPS connections to the web-based manager through this interface.
PING If you want this interface to respond to pings. Use this setting to verify your installation and for testing.
HTTP To allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
SSH To allow SSH connections to the CLI through this interface.
SNMP To allow a remote SNMP manager to request SNMP information by connecting to this interface. See “Configuring SNMP” on page 95.
TELNET To allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
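
The guide marks HTTP and Telnet as interceptable, and the restore procedure earlier in this chapter shows the CLI form in which administrative access is set (config system interface, edit <name>, set allowaccess ...). The following Python is an added example and not Fortinet code: it parses that form from a constructed sample configuration, reports every interface that enables either insecure option, and produces the CLI lines that would remove them. The sample interface names and addresses are made up; the parser accepts both the braced {...} notation used in the guide and the plain space-separated list.

```python
# Constructed sample in the 'config system interface' CLI form shown in this
# guide. Interface names and addresses are made up for the example.
SAMPLE_CONFIG = """\
config system interface
    edit internal
        set ip 192.168.1.99 255.255.255.0
        set allowaccess {ping https ssh telnet http}
    next
    edit wan1
        set ip 203.0.113.5 255.255.255.0
        set allowaccess ping https http
    next
    edit dmz
        set ip 10.10.10.1 255.255.255.0
        set allowaccess https ssh
    next
end
"""

# The two options the guide describes as not secure, with its stated reason.
INSECURE_ACCESS = {
    "http": "HTTP connections are not secure and can be intercepted by a third party",
    "telnet": "Telnet connections are not secure and can be intercepted by a third party",
}


def parse_interfaces(config_text):
    """Parse 'edit <name>' / 'set <key> <values...>' blocks into a dict.

    Braces from the '{a b c}' notation are stripped from each value; 'next'
    and 'end' close the current interface block.
    """
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "edit" and len(parts) > 1:
            current = parts[1]
            interfaces.setdefault(current, {})
        elif parts[0] == "set" and current is not None and len(parts) >= 2:
            interfaces[current][parts[1]] = [p.strip("{}") for p in parts[2:]]
        elif parts[0] in ("next", "end"):
            current = None
    return interfaces


def audit_allowaccess(config_text):
    """Return (interface, option, reason) for every insecure access option enabled."""
    findings = []
    for name, settings in parse_interfaces(config_text).items():
        for option in settings.get("allowaccess", []):
            key = option.lower()
            if key in INSECURE_ACCESS:
                findings.append((name, key, INSECURE_ACCESS[key]))
    return findings


def hardened_allowaccess(config_text):
    """Per interface, the allowaccess list with the insecure options removed."""
    return {
        name: [o for o in settings.get("allowaccess", []) if o.lower() not in INSECURE_ACCESS]
        for name, settings in parse_interfaces(config_text).items()
    }


def hardening_commands(config_text):
    """CLI lines that apply the hardened lists to the flagged interfaces only."""
    flagged = {name for name, _, _ in audit_allowaccess(config_text)}
    if not flagged:
        return []
    lines = ["config system interface"]
    for name, allowed in hardened_allowaccess(config_text).items():
        if name in flagged:
            lines += [f"    edit {name}", f"        set allowaccess {' '.join(allowed)}", "    next"]
    lines.append("end")
    return lines


if __name__ == "__main__":
    for name, option, reason in audit_allowaccess(SAMPLE_CONFIG):
        print(f"{name}: {option} enabled; {reason}")
    print("\n".join(hardening_commands(SAMPLE_CONFIG)))
```

PING is left in place because the guide recommends it for verifying an installation; the output lists only the interfaces that actually had a finding, so an already-clean interface such as dmz in the sample is not touched.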


MTU
To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits from any interface. Ideally, this MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets. If the packets that the FortiGate unit sends are larger than that smallest MTU, they are fragmented along the path; every fragment carries its own IP header, and the extra packets and bytes slow down transmission. Experiment by lowering the MTU to find the MTU size that gives the best network performance. To change the MTU, select Override default MTU value (1500) and enter the maximum packet size. For manual and DHCP addressing mode the MTU size can be from 576 to 1500 bytes. For PPPoE addressing mode the MTU size can be from 576 to 1492 bytes, because the PPPoE and PPP headers take 8 bytes of each Ethernet frame.
Note: In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU.
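The following worked example is added here to show the arithmetic behind this advice; it is not code from the FortiGate guide and does not use any FortiGate software. It computes the MTU to set as the smallest MTU on the path, and splits an IPv4 datagram into the fragments a given MTU forces, so you can see how a 1500-byte packet sent over a 1492-byte PPPoE link becomes two packets and 20 extra bytes on the wire. It assumes a 20-byte IPv4 header with no options.

```python
"""IPv4 fragmentation arithmetic behind the MTU guidance.

Added example, not code from the FortiGate guide. Assumes a 20-byte IPv4
header without options; the link MTUs used are the ones the guide states
(1500 for Ethernet, 1492 for PPPoE).
"""

IPV4_HEADER = 20  # bytes; assumption: no IP options


def path_mtu(link_mtus):
    """The MTU to set on an interface: the smallest MTU on the path."""
    if not link_mtus:
        raise ValueError("need at least one link MTU")
    return min(link_mtus)


def fragment(total_length, mtu, header=IPV4_HEADER):
    """Split an IPv4 datagram of total_length bytes into the fragments an
    MTU of `mtu` forces. Returns [(payload offset in bytes, payload bytes,
    more_fragments_flag)]. Non-final fragments carry a multiple of 8 payload
    bytes because the IPv4 fragment offset field counts 8-byte units."""
    if mtu < header + 8:
        raise ValueError("MTU too small to carry a fragment")
    payload = total_length - header
    if payload < 0:
        raise ValueError("datagram shorter than its header")
    if total_length <= mtu:
        return [(0, payload, False)]          # fits: no fragmentation
    chunk = (mtu - header) // 8 * 8           # largest 8-byte-aligned payload per fragment
    frags, offset = [], 0
    while offset < payload:
        size = min(chunk, payload - offset)
        more = offset + size < payload        # MF flag: another fragment follows
        frags.append((offset, size, more))
        offset += size
    return frags


def bytes_on_wire(total_length, mtu, header=IPV4_HEADER):
    """Bytes transmitted once each fragment carries its own IP header."""
    return sum(header + size for _, size, _ in fragment(total_length, mtu, header))


def fragment_report(total_length, mtu):
    """Fragment count and header overhead for one datagram at a given MTU."""
    wire = bytes_on_wire(total_length, mtu)
    return {
        "fragments": len(fragment(total_length, mtu)),
        "bytes_on_wire": wire,
        "overhead": wire - total_length,
    }
```

fragment_report(1500, 1492) returns 2 fragments and 1520 bytes on the wire; setting the interface MTU to 1492 avoids that split, which is exactly what the PPPoE limit above enforces.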

Log
Select Log to record logs for any traffic to or from the interface. To record logs you must also enable traffic log for a logging location and set the logging severity level to Notification or lower. Go to Log & Report > Log Config to configure logging locations and types. For information about logging see “Log & Report” on page 317.

Configuring interfaces
Use the following procedures to configure FortiGate interfaces and VLAN subinterfaces. You cannot use the following procedures for the modem interface.
• To bring down an interface that is administratively up
• To start up an interface that is administratively down
• To add interfaces to a zone
• To add an interface to a virtual domain
• To change the static IP address of an interface
• To configure an interface for DHCP
• To configure an interface for PPPoE
• To add a secondary IP address
• To add a ping server to an interface
• To control administrative access to an interface
• To change the MTU size of the packets leaving an interface
• To configure traffic logging for connections to an interface
• To add a VLAN subinterface, see “To add a VLAN subinterface in NAT/Route mode” on page 64.

FortiGate-60 Administration Guide


To bring down an interface that is administratively up
You can bring down physical interfaces or VLAN subinterfaces. Bringing down a physical interface does not bring down the VLAN subinterfaces added to it.
1  Go to System > Network > Interface. The interface list is displayed.
2  Select Bring Down for the interface that you want to stop.

To start up an interface that is administratively down
You can start up physical interfaces and VLAN subinterfaces. Starting a physical interface does not start the VLAN subinterfaces added to it.
1  Go to System > Network > Interface. The interface list is displayed.
2  Select Bring Up for the interface that you want to start.

To add interfaces to a zone
If you have added zones to the FortiGate unit, you can use this procedure to add interfaces or VLAN subinterfaces to the zone. To add a zone, see “To add a zone” on page 52. You cannot add an interface to a zone if you have added firewall policies for the interface. Delete firewall policies for the interface and then add the interface to the zone.
1  Go to System > Network > Zone.
2  Choose the zone to add the interface or VLAN subinterface to and select Edit.
3  Select the names of the interfaces or VLAN subinterfaces to add to the zone.
4  Select OK to save the changes.

To add an interface to a virtual domain
If you have added virtual domains to the FortiGate unit, you can use this procedure to add an interface or VLAN subinterface to a virtual domain. To add a virtual domain, see “To add a virtual domain” on page 131. You cannot add an interface to a virtual domain if you have added firewall policies for the interface. Delete firewall policies for the interface and then add the interface to the virtual domain.
1  Go to System > Network > Interface.
2  Choose the interface or VLAN subinterface to add to a virtual domain and select Edit.
3  From the Virtual Domain list, select the virtual domain that you want to add the interface to.
4  Select OK to save the changes.
5  Repeat these steps to add more interfaces or VLAN subinterfaces to virtual domains.

To change the static IP address of an interface
You can change the static IP address of any FortiGate interface.
1  Go to System > Network > Interface.
2  Choose an interface and select Edit.

48

01-28003-0002-20040716

Fortinet Inc.

System network

Interface

3  Set Addressing Mode to Manual.
4  Change the IP address and Netmask as required.
5  Select OK to save your changes.
If you changed the IP address of the interface to which you are connecting to manage the FortiGate unit, you must reconnect to the web-based manager using the new interface IP address.

To configure an interface for DHCP
You can configure any FortiGate interface to use DHCP.
1  Go to System > Network > Interface.
2  Choose an interface and select Edit.
3  In the Addressing Mode section, select DHCP.
4  Select the Retrieve default gateway and DNS from server check box if you want the FortiGate unit to obtain a default gateway IP address and DNS server IP addresses from the DHCP server.
5  Select the Connect to Server check box if you want the FortiGate unit to connect to the DHCP server.
6  Select Apply. The FortiGate unit attempts to contact the DHCP server from the interface to set the IP address, netmask, and optionally the default gateway IP address and DNS server IP addresses.
7  Select Status to refresh the addressing mode status message.
8  Select OK.

To configure an interface for PPPoE
Use this procedure to configure any FortiGate interface to use PPPoE. See “PPPoE” on page 45 for information on PPPoE settings.
1  Go to System > Network > Interface.
2  Choose an interface and select Edit.
3  In the Addressing Mode section, select PPPoE.
4  Enter your PPPoE account User Name and Password.
5  Enter an Unnumbered IP if required by your PPPoE service.
6  Set the Initial Disc Timeout and Initial PADT Timeout if supported by your ISP.
7  Select the Retrieve default gateway and DNS from server check box if you want the FortiGate unit to obtain a default gateway IP address and DNS server IP addresses from the PPPoE server.
8  Select the Connect to Server check box if you want the FortiGate unit to connect to the PPPoE server.
9  Select Apply. The FortiGate unit attempts to contact the PPPoE server from the interface to set the IP address, netmask, and optionally the default gateway IP address and DNS server IP addresses.

10  Select Status to refresh the addressing mode status message.
11  Select OK.

To add a secondary IP address
You can use the CLI to add a secondary IP address to any FortiGate interface. The secondary IP address cannot be the same as the primary IP address but it can be on the same subnet. From the FortiGate CLI, enter the following commands (edit 0 creates a new secondary IP entry with the next free index):

    config system interface
        edit <intf_str>
            config secondaryip
                edit 0
                    set ip <second_ip> <netmask_ip>

Optionally, you can also configure management access and add a ping server to the secondary IP address. The full list of access protocols is shown here; enable only the ones the secondary address actually needs, since HTTP and Telnet are not secure (see “Administrative access” on page 46):

                    set allowaccess ping https ssh snmp http telnet
                    set gwdetect enable

Save the changes. The first end saves the secondary IP entry and leaves the secondaryip table; the second saves the interface:

                end
        end

To add a ping server to an interface
1  Go to System > Network > Interface.
2  Choose an interface and select Edit.
3  Set Ping Server to the IP address of the next hop router on the network connected to the interface.
4  Select the Enable check box.
5  Select OK to save the changes.

To control administrative access to an interface
For a FortiGate unit running in NAT/Route mode, you can control administrative access to an interface to control how administrators access the FortiGate unit and the FortiGate interfaces to which administrators can connect.
Controlling administrative access for an interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet. However, allowing remote administration from the Internet could compromise the security of your FortiGate unit. You should avoid allowing administrative access for an interface connected to the Internet unless this is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet:
• Use secure administrative user passwords,
• Change these passwords regularly,
• Enable secure administrative access to this interface using only HTTPS or SSH,
• Do not change the system idle timeout from the default value of 5 minutes (see “To set the system idle timeout” on page 81).


To configure administrative access in Transparent mode, see “To configure the management interface” on page 54.
1  Go to System > Network > Interface.
2  Choose an interface and select Edit.
3  Select the Administrative Access methods for the interface.
4  Select OK to save the changes.

To change the MTU size of the packets leaving an interface
1  Go to System > Network > Interface.
2  Choose an interface and select Edit.
3  Select Override default MTU value (1500).
4  Set the MTU size.

To configure traffic logging for connections to an interface
1  Go to System > Network > Interface.
2  Choose an interface and select Edit.
3  Select the Log check box to record log messages whenever a firewall policy accepts a connection to this interface.
4  Select OK to save the changes.
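As an added check, the following Python script (example code written for this page, not a FortiGate tool or part of the guide) parses a config system interface block in the CLI format used on this page, reports HTTP and Telnet wherever they are enabled, reports anything other than HTTPS and SSH on the interfaces you name as Internet-facing, and produces the hardened set allowaccess line to apply. SAMPLE_CONFIG, its interface names and addresses are constructed for the example; which interfaces face the Internet is an input to the script because the configuration itself does not record that.

```python
"""Audit the administrative access enabled on FortiGate interfaces.

Added example, not part of the FortiGate guide. It reads the
`config system interface` CLI format used on this page, reports the
protocols the guide calls insecure (HTTP, Telnet) and anything beyond
HTTPS/SSH on an Internet-facing interface, and builds the hardened
`set allowaccess` line. SAMPLE_CONFIG, its interface names and addresses
are constructed; the set of Internet-facing interfaces is a caller input.
"""
import re

CLEARTEXT = {"http", "telnet"}          # interceptable by a third party
ALLOWED_ON_INTERNET = {"https", "ssh"}  # the guide's recommendation for Internet-facing interfaces

# Constructed sample in the CLI format shown on this page.
SAMPLE_CONFIG = """\
config system interface
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
        config secondaryip
            edit 1
                set ip 192.168.2.99 255.255.255.0
                set allowaccess ping https
            next
        end
    next
    edit "wan1"
        set ip 203.0.113.10 255.255.255.248
        set allowaccess ping https http telnet snmp
    next
    edit "dmz"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
    next
end
"""


def parse_interfaces(config_text):
    """Return {name: {"ip": "addr/mask", "allowaccess": set}} for the top-level
    entries of `config system interface`; nested tables (secondaryip) are skipped."""
    interfaces, current, in_block, depth = {}, None, False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config system interface"
            continue
        if line.startswith("config "):      # entering a nested table
            depth += 1
            continue
        if line == "end":
            if depth == 0:
                break                       # end of config system interface
            depth -= 1
            continue
        if depth:
            continue                        # ignore lines inside nested tables
        m = re.match(r'edit\s+"?([^"\s]+)"?$', line)
        if m:
            current = m.group(1)
            interfaces[current] = {"ip": None, "allowaccess": set()}
            continue
        if line == "next":
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"set allowaccess\s+(.+)$", line)
        if m:
            interfaces[current]["allowaccess"] = set(m.group(1).split())
            continue
        m = re.match(r"set ip\s+(\S+)\s+(\S+)$", line)
        if m:
            interfaces[current]["ip"] = f"{m.group(1)}/{m.group(2)}"
    return interfaces


def audit(interfaces, internet_facing):
    """Findings as (interface, message) tuples, in interface-name order."""
    findings = []
    for name in sorted(interfaces):
        access = interfaces[name]["allowaccess"]
        for proto in sorted(access & CLEARTEXT):
            findings.append((name, f"{proto} enabled: cleartext management, can be intercepted"))
        if name in internet_facing and access - ALLOWED_ON_INTERNET:
            extra = " ".join(sorted(access - ALLOWED_ON_INTERNET))
            findings.append((name, f"Internet-facing interface allows {extra}; keep only https/ssh"))
    return findings


def hardened_allowaccess(access, internet_facing):
    """The CLI line to apply: drop cleartext protocols everywhere, and on an
    Internet-facing interface keep nothing beyond https/ssh."""
    keep = access - CLEARTEXT
    if internet_facing:
        keep &= ALLOWED_ON_INTERNET
    return "set allowaccess " + " ".join(sorted(keep)) if keep else "unset allowaccess"
```

Run audit(parse_interfaces(SAMPLE_CONFIG), {"wan1"}) against a backup of your own configuration before making changes: for the constructed wan1 entry it reports http, telnet, and the extra ping/snmp, and hardened_allowaccess reduces that line to set allowaccess https.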

Zone
You can use zones to group related interfaces and VLAN subinterfaces. Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation. If you group interfaces and VLAN subinterfaces into a zone, you can configure policies for connections to and from this zone, rather than to and from each interface and VLAN subinterface. You can add zones, rename and edit zones, and delete zones from the zone list. When you add a zone, you select the names of the interfaces and VLAN subinterfaces to add to the zone. Zones are added to virtual domains. If you have added multiple virtual domains to your FortiGate configuration, make sure you are configuring the correct virtual domain before adding or editing zones.
Figure 8: Zone list


Create New: Select Create New to create a zone.
Name: The names of the zones that you have added.
Block intra-zone traffic: Displays Yes if traffic between interfaces in the same zone is blocked and No if traffic between interfaces in the same zone is not blocked.
Interface Members: The names of the interfaces added to the zone.
Edit/View icons: Select to edit or view a zone.
Delete icon: Select to remove a zone.

• Zone settings
• To add a zone
• To delete a zone

Zone settings
Figure 9: Zone options

Name: Enter the name to identify the zone.
Block intra-zone traffic: Select Block intra-zone traffic to block traffic between interfaces or VLAN subinterfaces in the same zone.
Interface members: Enable check boxes to select the interfaces that are part of this zone.

To add a zone
1  If you have added a virtual domain, go to System > Virtual Domain > Current Virtual Domain and select the virtual domain to which you want to add the zone.
2  Go to System > Network > Zone.
3  Select Create New.
4  In the New Zone dialog box, type a name for the zone.
5  Select the Block intra-zone traffic check box if you want to block traffic between interfaces or VLAN subinterfaces in the same zone.
6  Select the names of the interfaces or VLAN subinterfaces to add to the zone.
7  Select OK.

To delete a zone
You can only delete zones that have the Delete icon beside them in the zone list.
1  If you have added a virtual domain, go to System > Virtual Domain > Current Virtual Domain and select the virtual domain from which to delete the zone.


2  Go to System > Network > Zone.
3  Select Delete to remove a zone from the list.
4  Select OK to delete the zone.

To edit a zone
1  If you have added a virtual domain, go to System > Virtual Domain > Current Virtual Domain and select the virtual domain in which to edit the zone.
2  Go to System > Network > Zone.
3  Select Edit to modify a zone.
4  Select or deselect Block intra-zone traffic.
5  Select the names of the interfaces or VLAN subinterfaces to add to the zone.
6  Clear the check box for the names of the interfaces or VLAN subinterfaces to remove from the zone.
7  Select OK.

Management
Configure the management interface in Transparent mode to set the management IP address of the FortiGate unit. Administrators connect to this IP address to administer the FortiGate unit. The FortiGate unit also uses this IP address to connect to the FDN for virus and attack updates (see “Update center” on page 113).
You can also configure interfaces to control how administrators connect to the FortiGate unit for administration. See “To control administrative access to an interface” on page 50.
Controlling administrative access to a FortiGate interface connected to the Internet allows remote administration of the FortiGate unit from any location on the Internet. However, allowing remote administration from the Internet could compromise the security of the FortiGate unit. You should avoid allowing administrative access for an interface connected to the Internet unless this is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet:
• Use secure administrative user passwords,
• Change these passwords regularly,
• Enable secure administrative access to this interface using only HTTPS or SSH,
• Do not change the system idle timeout from the default value of 5 minutes (see “To set the system idle timeout” on page 81).


Figure 10: Management

Management IP/Netmask: Enter the management IP address and netmask. This must be a valid IP address for the network that you want to manage the FortiGate unit from.
Default Gateway: Enter the default gateway address.
Management Virtual Domain: Select the virtual domain from which you want to perform system management.

To configure the management interface
1  Go to System > Network > Management.
2  Enter the Management IP/Netmask.
3  Enter the Default Gateway.
4  Select the Management Virtual Domain.
5  Select Apply. The FortiGate unit displays the following message: Management IP address was changed. Click here to redirect.
6  Click on the message to connect to the new Management IP.

DNS
Several FortiGate functions, including sending email alerts and URL blocking, use DNS. You can add the IP addresses of the DNS servers that your FortiGate unit can connect to. DNS server IP addresses are usually supplied by your ISP. The DNS servers you specify provide DNS services on interfaces where you enable DNS Forwarding.

Figure 11: DNS

Primary DNS Server: Enter the primary DNS server IP address.
Secondary DNS Server: Enter the secondary DNS server IP address.
Obtain DNS server address automatically: When DHCP is used on an interface, also obtain the DNS server IP address from the DHCP server.
Enable DNS forwarding from: Enable the check boxes of the interfaces to which DNS Forwarding applies.

To add DNS server IP addresses
1  Go to System > Network > DNS.
2  Change the primary and secondary DNS server IP addresses as required.
3  Select Apply to save the changes.

Routing table (Transparent Mode)
In Transparent mode, you can configure routing to add static routes from the FortiGate unit to local routers.

Routing table list
Figure 12: Routing table

Create New: Select Create New to add a new route.
#: Route number.
IP: The destination IP address for this route.
Mask: The netmask for this route.
Gateway: The IP address of the next hop router to which this route directs traffic.
Distance: The relative preferability of this route. 1 is most preferred.
Move To icon: Select to change the order of a route in the list.
View/edit icon: Select to view or edit a route.
Delete icon: Select to remove a route.

Transparent mode route settings
Figure 13: Transparent mode route options

Destination IP/Mask: Enter the destination IP address and netmask for this route. For the default route, set the Destination IP and Mask to 0.0.0.0.
Gateway: Enter the IP address of the next hop router to which this route directs traffic.
Distance: The relative preferability of this route. 1 is most preferred.

To add a Transparent mode route
1  Go to System > Network > Routing Table.
2  Select Create New to add a new route.
3  Set the Destination IP and Mask. For an Internet connection, set the Destination IP and Mask to 0.0.0.0.
4  Set Gateway to the IP address of the next hop routing gateway. For an Internet connection, the next hop routing gateway routes traffic to the Internet.
5  Select OK to save the route.
Note: Only one default route can be active at a time. If two default routes are added to the routing table, only the default route closest to the top of the routing table is active.

Configuring the modem interface
You can connect a modem to the FortiGate unit and use it as either a backup interface or a standalone interface in NAT/Route mode.
• In backup mode, the modem interface automatically takes over from a selected ethernet interface when that ethernet interface is unavailable.
• In standalone mode, the modem interface is the connection from the FortiGate unit to the Internet.
When connecting to the ISP, in either configuration, the FortiGate unit modem can automatically dial up to three dialup accounts until the modem connects to an ISP.
• Connecting a modem to the FortiGate unit
• Configuring modem settings
• Connecting and disconnecting the mod­em
• Backup mode configuration
• Standalone mode configuration
• Adding firewall policies for modem connections

Figure 14: Example modem interface network connection (FortiGate-60 USB connector, USB-to-serial converter, serial connector on an external V.92 modem, dialup connection to the Internet)

Connecting a modem to the FortiGate unit
The FortiGate unit can operate with most standard external serial interface modems that support standard Hayes AT commands. To connect, install a USB-to-serial converter between one of the two USB ports on the FortiGate unit and the serial port on the modem. The FortiGate unit does not support a direct USB connection between the two devices.

Configuring modem settings
Configure modem settings so that the FortiGate unit uses the modem to connect to your ISP dialup accounts. You can configure the modem to connect to up to three dialup accounts. You can also enable and disable FortiGate modem support, configure how the modem dials, and select the FortiGate interface that the modem is redundant for.

Figure 15: Modem settings

Enable USB Modem: Select to enable the FortiGate modem.
Dial Up/Hang Up: Select Dial Up to manually connect to a dialup account. If the modem is connected, you can select Hang Up to manually disconnect the modem. When the modem is dialing, modem status shows whether the modem is active or not active.
Redial Limit: The maximum number of times (1-10) that the FortiGate unit dials the ISP to restore an active connection on the modem interface. The default redial limit is 1. Select None to allow the modem to never stop redialing.
Holddown Timer: The time (1-60 seconds) that the FortiGate unit waits before switching from the modem interface to the primary interface, after the primary interface has been restored. The default is 1 second. Configure a higher value if you find the FortiGate unit switching repeatedly between the primary interface and the modem interface.
Redundant for: Associate the modem interface with the ethernet interface that you want to either back up (backup configuration) or replace (standalone configuration).
Dialup Account: Configure up to three dialup accounts. The FortiGate unit tries connecting to each account in order until a connection can be established.
Phone Number: The phone number required to connect to the dialup account. Do not add spaces to the phone number. Make sure to include standard special characters for pauses, country codes, and other functions as required by your modem to connect to your dialup account.
User Name: The user name (maximum 63 characters) sent to the ISP.
Password: The password sent to the ISP.

To configure modem settings
You can configure and use the modem in NAT/Route mode only.
1  Go to System > Network > Modem.
2  Select Enable USB Modem.
3  Change any of the dialup connection settings described in Figure 15 as required.
4  Enter the following Dialup Account 1 settings: Phone Number, User Name, and Password.

5  If you have multiple dialup accounts, enter Phone Number, User Name, and Password for Dialup Account 2 and Dialup Account 3.
6  Select Apply.

Connecting and disconnecting the modem

To connect to a dialup account
1  Go to System > Network > Modem.
2  Make sure there is correct information in one or more Dialup Accounts.
3  Select Enable USB Modem.
4  Select Apply if you make any configuration changes.
5  Select Dial Up.
The FortiGate unit initiates dialing into each dialup account in turn until the modem connects to an ISP. When the modem connects to a dialup account, the IP address and netmask assigned to the modem interface appear on the System Network Interface page of the web-based manager. A green check mark indicates the active dialup account. Modem status is one of the following:
not active: The modem interface is not connected to the ISP.
active: The modem interface is attempting to connect to the ISP, or is connected to the ISP.

To disconnect the modem
Use the following procedure to disconnect the modem from a dialup account.
1  Go to System > Network > Modem.
2  Select Hang Up if you want to disconnect from the dialup account.

Backup mode configuration
The modem interface in backup mode backs up a selected ethernet interface. If that ethernet interface disconnects from its network, the modem automatically dials the configured dialup accounts. When the modem connects to a dialup account, the FortiGate unit routes IP packets normally destined for the selected ethernet interface to the modem interface. The FortiGate unit disconnects the modem interface and switches back to the ethernet interface when the ethernet interface can again connect to its network.
For the FortiGate unit to be able to switch from an ethernet interface to the modem you must select the name of the interface in the modem configuration and configure a ping server for that interface. You must also configure firewall policies for connections between the modem interface and other FortiGate interfaces.
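The following state machine is an added illustration of the backup mode behaviour described above; it is not FortiGate code. It models ping-server probes on the backed-up ethernet interface, dialing the dialup accounts in order within the redial limit, and the holddown timer that delays the switch back to the ethernet interface once its ping server answers again. The probe results and dial outcomes are constructed, and the number of consecutive failed pings that marks the interface as down (fail_threshold) is an assumed parameter, since the dead gateway detection settings are configured elsewhere in the guide.

```python
"""Backup-mode modem failover as a small state machine.

Added example, not code from the FortiGate guide. It models what the
backup mode description sets out: dead gateway detection on the ethernet
interface named in Redundant for, dialing the configured accounts in order
(at most Redial Limit passes), and the Holddown Timer that delays the
switch back to the ethernet interface once its ping server answers again.
Probe results and dial outcomes are constructed; fail_threshold is an
assumed parameter, not a setting from the guide.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DialupAccount:
    phone: str
    user: str
    connects: bool               # constructed outcome of dialing this account


@dataclass
class ModemBackup:
    redundant_for: str                 # ethernet interface the modem backs up
    accounts: List[DialupAccount]      # up to three, tried in order
    redial_limit: Optional[int] = 1    # 1-10, or None to never stop redialing
    holddown: int = 1                  # 1-60 seconds
    fail_threshold: int = 3            # assumption: lost pings before the interface is down
    active: str = ""                   # interface currently carrying traffic
    failures: int = 0
    dial_passes: int = 0
    restored_at: Optional[int] = None  # when the ethernet interface came back
    log: List[str] = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= len(self.accounts) <= 3:
            raise ValueError("configure one to three dialup accounts")
        if self.redial_limit is not None and not 1 <= self.redial_limit <= 10:
            raise ValueError("redial limit must be 1-10 or None")
        if not 1 <= self.holddown <= 60:
            raise ValueError("holddown timer must be 1-60 seconds")
        self.active = self.redundant_for

    def _dial_pass(self) -> bool:
        """One pass over the accounts in order; stops at the first that connects."""
        for acct in self.accounts:
            self.log.append(f"dial {acct.phone} as {acct.user}")
            if acct.connects:
                self.log.append(f"modem connected via {acct.phone}")
                return True
        return False

    def probe(self, now: int, ping_ok: bool) -> str:
        """Feed one ping-server result for the backed-up interface at time `now`
        (seconds). Returns the interface carrying traffic after this probe."""
        if ping_ok:
            self.failures = 0
            self.dial_passes = 0
            if self.active == "modem":
                if self.restored_at is None:
                    self.restored_at = now                  # start the holddown timer
                elif now - self.restored_at >= self.holddown:
                    self.log.append(f"hang up, back to {self.redundant_for}")
                    self.active = self.redundant_for
                    self.restored_at = None
            return self.active
        self.restored_at = None                             # a lost ping restarts holddown
        self.failures += 1
        if self.active != "modem" and self.failures >= self.fail_threshold:
            if self.redial_limit is None or self.dial_passes < self.redial_limit:
                self.dial_passes += 1
                if self._dial_pass():
                    self.active = "modem"
        return self.active


def run_scenario(backup: ModemBackup, probes):
    """Apply (time, ping_ok) probes in order; return the active interface after each."""
    return [backup.probe(t, ok) for t, ok in probes]
```

With a holddown of 5 seconds the model stays on the modem for 5 seconds of successful pings before hanging up, which is the flapping protection the Holddown Timer description above refers to; with a redial limit of 1 and an account that never connects, it dials once and then stays on the dead ethernet interface.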

Note: Do not add policies for connections between the modem interface and the interface that the modem is backing up.

To configure backup mode
1  Go to System > Network > Modem.
2  From the Redundant for list, select the ethernet interface that you want the modem to back up.
3  Configure a ping server for the ethernet interface selected in step 2. See “To add a ping server to an interface” on page 50.
4  Configure other modem settings as required. See “Configuring modem settings” on page 57.
5  Configure firewall policies for connections to the modem interface. See “Adding firewall policies for modem connections” on page 61.

Standalone mode configuration
In standalone mode the modem interface replaces the WAN1 or WAN2 ethernet interface. You manually connect the modem to a dialup account. The modem interface operates as the primary connection to the Internet and remains permanently connected to the dialup account. If the connection to the dialup account fails, the FortiGate unit redials the modem. The modem redials the number of times specified by the redial limit, or until it connects to a dialup account.
When configuring the modem, you must set Redundant for to the name of the ethernet interface that the modem interface replaces. You must also configure firewall policies for connections between the modem interface and other FortiGate interfaces.
Note: Do not add firewall policies for connections between the ethernet interface that the modem replaces and other interfaces.
Note: Do not add a default route to the ethernet interface that the modem interface replaces.

To operate in standalone mode
1  Go to System > Network > Modem.
2  From the Redundant for list, select the ethernet interface that the modem is replacing.
3  Configure other modem settings as required, and make sure there is correct information in one or more Dialup Accounts. See “Configuring modem settings” on page 57.
4  Select Dial Up. The FortiGate unit initiates dialing into each dialup account in turn until the modem connects to an ISP.

5  Configure firewall policies for connections to the modem interface. See “Adding firewall policies for modem connections” on page 61.

Adding firewall policies for modem connections
The modem interface requires firewall addresses and policies. You can add one or more addresses to the modem interface. For information about adding addresses, see “To add an address” on page 167. When you add addresses, the modem interface appears on the policy grid. You can configure firewall policies to control the flow of packets between the modem interface and the other interfaces on the FortiGate unit. For information about adding firewall policies, see “To add a firewall policy” on page 164.

VLAN overview
A VLAN is a group of PCs, servers, and other network devices that communicate as if they were on the same LAN segment, even though they may not be. For example, the workstations and servers for an accounting department could be scattered throughout an office, connected to numerous network segments, but they can still belong to the same VLAN.
A VLAN segregates devices logically instead of physically. Each VLAN is treated as a broadcast domain. Devices in VLAN 1 can connect with other devices in VLAN 1, but cannot connect with devices in other VLANs. The communication among devices on a VLAN is independent of the physical network.
A VLAN segregates devices by adding 802.1Q VLAN tags to all of the packets sent and received by the devices in the VLAN. VLAN tags are 4-byte frame extensions that contain a VLAN identifier as well as other information. VLANs allow highly flexible, efficient network segmentation, enabling users and resources to be grouped logically, regardless of physical locations.

Figure 16: Basic VLAN topology (Internet; untagged packets to the firewall or router; VLAN trunk to a VLAN switch or router; VLAN 1 network and VLAN 2 network)

• FortiGate units and VLANs
• VLANs in NAT/Route mode
• VLANs in Transparent mode

FortiGate units and VLANs
In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3 routers or firewalls add VLAN tags to packets. Packets passing between devices in the same VLAN can be handled by layer 2 switches. Packets passing between devices in different VLANs must be handled by a layer 3 device such as a router, firewall, or layer 3 switch.
Using VLANs, a single FortiGate unit can provide security services and control connections between multiple security domains. Traffic from each security domain is given a different VLAN ID. The FortiGate unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between security domains. The FortiGate unit can also apply authentication, protection profiles, and other firewall policy features for network and VPN traffic that is allowed to pass between security domains.
• VLANs in NAT/Route mode
• VLANs in Transparent mode

VLANs in NAT/Route mode
Operating in NAT/Route mode, the FortiGate unit functions as a layer 3 device to control the flow of packets between VLANs. The FortiGate unit can also remove VLAN tags from incoming VLAN packets and forward untagged packets to other networks, such as the Internet.
In NAT/Route mode, FortiGate units support VLANs for constructing VLAN trunks between an IEEE 802.1Q-compliant switch (or router) and the FortiGate unit. Normally the FortiGate unit internal interface connects to a VLAN trunk on an internal switch, and the external interface connects to an upstream Internet router untagged. The FortiGate unit can then apply different policies for traffic on each VLAN that connects to the internal interface.
In this configuration, you add VLAN subinterfaces to the FortiGate internal interface that have VLAN IDs that match the VLAN IDs of packets in the VLAN trunk. The FortiGate unit directs packets with VLAN IDs to subinterfaces with matching VLAN IDs. You can also define VLAN subinterfaces on all FortiGate interfaces. The FortiGate unit can add VLAN tags to packets leaving a VLAN subinterface or remove VLAN tags from incoming packets and add different VLAN tags to outgoing packets.
• Rules for VLAN IDs
• Rules for VLAN IP addresses
• Adding VLAN subinterfaces

Rules for VLAN IDs
In NAT/Route mode, two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN IDs to different physical interfaces. There is no internal connection or link between two VLAN subinterfaces with the same VLAN ID. Their relationship is the same as the relationship between any two FortiGate network interfaces.

Rules for VLAN IP addresses
IP addresses of all FortiGate interfaces cannot overlap. That is, the IP addresses of all interfaces must be on different subnets. This rule applies to both physical interfaces and to VLAN subinterfaces.
Note: If you are unable to change your existing configurations to prevent IP overlap, enter the CLI command config system global and set ip-overlap enable to allow IP address overlap. If you enter this command, multiple VLAN interfaces can have an IP address that is part of a subnet used by another interface. This command is recommended for advanced users only.

Figure 17 shows a simplified NAT/Route mode VLAN configuration. In this example, the FortiGate internal interface connects to a VLAN switch using an 802.1Q trunk and is configured with two VLAN subinterfaces (VLAN 100 and VLAN 200). The external interface connects to the Internet. The external interface is not configured with VLAN subinterfaces.
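The following Python model is an added example of the two rules above and of what the FortiGate unit does with the 4-byte 802.1Q tag; it is not FortiGate code. It rejects a duplicate VLAN ID on one physical interface and an overlapping subnet unless ip-overlap is enabled, dispatches a tagged frame received on a physical interface to the subinterface with the matching VLAN ID, and tags frames leaving a VLAN subinterface. Interface names, VLAN IDs, addresses and the sample frame are constructed for the example; dropping a tagged frame that matches no subinterface is the model's assumption rather than a statement from the guide.

```python
"""802.1Q tag handling and the NAT/Route-mode VLAN subinterface rules.

Added example, not code from the FortiGate guide. Enforces the two rules
from the text (a VLAN ID may appear only once per physical interface;
interface subnets must not overlap unless ip-overlap is enabled), parses
the 4-byte 802.1Q tag of a received frame to select the matching
subinterface, and tags frames leaving a VLAN subinterface. Names, VLAN IDs,
addresses and SAMPLE_FRAME are constructed; dropping a tagged frame with no
matching subinterface is this model's assumption.
"""
import ipaddress
import struct

TPID_8021Q = 0x8100   # tag protocol identifier that marks a tagged frame


class VlanConfigError(ValueError):
    pass


class FortiGateVlans:
    def __init__(self, ip_overlap=False):
        self.ip_overlap = ip_overlap   # config system global / set ip-overlap enable
        self.interfaces = {}           # name -> (physical interface, vid or None, network)

    def validate(self, ip_with_mask, physical=None, vid=None):
        """Return None if the interface may be added, else the rule it breaks."""
        if vid is not None and not 1 <= vid <= 4094:
            return f"VLAN ID {vid} outside 1-4094 (12-bit field, 0 and 4095 reserved)"
        net = ipaddress.ip_interface(ip_with_mask).network
        for other, (o_phys, o_vid, o_net) in self.interfaces.items():
            # Rule for VLAN IDs: same VID twice on one physical interface is not allowed.
            if vid is not None and o_phys == physical and o_vid == vid:
                return f"VLAN ID {vid} already used on {physical} by {other}"
            # Rule for VLAN IP addresses: subnets must not overlap unless ip-overlap is set.
            if not self.ip_overlap and net.overlaps(o_net):
                return f"{ip_with_mask} overlaps {other} ({o_net})"
        return None

    def add_interface(self, name, ip_with_mask, physical=None, vid=None):
        """physical=None adds a physical interface; otherwise a VLAN subinterface."""
        problem = self.validate(ip_with_mask, physical, vid)
        if problem:
            raise VlanConfigError(problem)
        net = ipaddress.ip_interface(ip_with_mask).network
        self.interfaces[name] = (physical or name, vid, net)

    def ingress(self, physical, frame):
        """Deliver a frame received on `physical`: (logical interface, frame without
        its tag). (None, frame) means no subinterface carries that VLAN ID."""
        tag = parse_8021q(frame)
        if tag is None:
            return physical, frame                       # untagged: the physical interface
        for name, (phys, vid, _) in self.interfaces.items():
            if phys == physical and vid == tag["vid"]:
                return name, strip_tag(frame)            # matching subinterface
        return None, frame                               # assumption: dropped

    def egress(self, interface, untagged_frame):
        """Tag a frame leaving a VLAN subinterface; a physical interface sends it untagged."""
        _, vid, _ = self.interfaces[interface]
        return untagged_frame if vid is None else add_tag(untagged_frame, vid)


def parse_8021q(frame):
    """Return {"pcp", "dei", "vid"} from the tag after the MAC addresses, or None."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}


def strip_tag(frame):
    return frame[:12] + frame[16:]


def add_tag(frame, vid, pcp=0, dei=0):
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def build_example():
    """The Figure 17 layout: internal trunk with VLAN 100 and 200, untagged external.
    Addresses are constructed for this example."""
    fg = FortiGateVlans()
    fg.add_interface("internal", "192.168.1.1/24")
    fg.add_interface("external", "172.16.1.2/24")
    fg.add_interface("vlan100", "10.1.1.1/24", physical="internal", vid=100)
    fg.add_interface("vlan200", "10.1.2.1/24", physical="internal", vid=200)
    return fg


# Constructed untagged Ethernet frame: broadcast dst, src, IPv4 ethertype, 46-byte payload.
SAMPLE_FRAME = b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x00" + b"\x00" * 46
```

validate() is what the rules section above describes: the same VLAN ID on a second physical interface is accepted, the same ID twice on internal is not, and an overlapping subnet is only accepted once ip_overlap is set.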

Figure 17: FortiGate unit in NAT/Route mode (VLAN switch with an 802.1Q trunk to the FortiGate Internal interface; External interface to the Internet; VLAN 100 network and VLAN 200 network)

When the VLAN switch receives packets from VLAN 100 and VLAN 200, it applies VLAN tags and forwards the packets to local ports and across the trunk to the FortiGate unit. The FortiGate unit is configured with policies that allow traffic to flow between the VLANs and from the VLANs to the external network.

Adding VLAN subinterfaces
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router. The VLAN ID can be any number between 1 and 4094 (the VLAN ID is a 12-bit field, and 0 and 4095 are reserved). You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets. Each VLAN subinterface must also be configured with its own IP address and netmask.
• To add a VLAN subinterface in NAT/Route mode
• To add firewall policies for VLAN subinterfaces

To add a VLAN subinterface in NAT/Route mode
1  Go to System > Network > Interface.
2  Select Create New to add a VLAN subinterface.
3  Enter a Name to identify the VLAN subinterface.
4  Select the physical interface that receives the VLAN packets intended for this VLAN subinterface.
5  Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
6  Select the virtual domain to which to add this VLAN subinterface. See “System virtual domain” on page 127 for information about virtual domains.
7  Select the name of a zone if you want this VLAN subinterface to belong to a zone. You can only select a zone that has been added to the virtual domain selected in the previous step. See “Zone” on page 51 for information about zones.
8  Configure the VLAN subinterface settings as you would for any FortiGate interface. See “Interface settings” on page 42.

9 Select OK to save your changes.
The FortiGate unit adds the new VLAN subinterface to the interface that you selected in step 4.

To add firewall policies for VLAN subinterfaces
Once you have added VLAN subinterfaces you can add firewall policies for connections between VLAN subinterfaces or from a VLAN subinterface to a physical interface.
1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets. See “Address” on page 165.
3 Go to Firewall > Policy.
4 Add firewall policies as required.

VLANs in Transparent mode
In Transparent mode, the FortiGate internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal VLANs. The FortiGate external interface forwards tagged packets through the trunk to an external VLAN switch or router which could be connected to the Internet. The FortiGate unit can be configured to apply different policies for traffic on each VLAN in the trunk.

If the network uses IEEE 802.1Q VLAN tags to segment your network traffic, you can configure a FortiGate unit operating in Transparent mode to provide security for network traffic passing between different VLANs. You can insert the FortiGate unit operating in Transparent mode into the trunk without making changes to your network. The FortiGate unit can apply firewall policies and services, such as authentication, protection profiles, and other firewall features, to traffic on an IEEE 802.1Q VLAN trunk.

To support VLAN traffic in Transparent mode, you add virtual domains to the FortiGate unit configuration. A virtual domain consists of two or more VLAN subinterfaces or zones. In a virtual domain, a zone can contain one or more VLAN subinterfaces.

In a typical configuration, for VLAN traffic to be able to pass between the FortiGate internal and external interface you would add a VLAN subinterface to the internal interface and another VLAN subinterface to the external interface. If these VLAN subinterfaces have the same VLAN IDs, the FortiGate unit applies firewall policies to the traffic on this VLAN. If these VLAN subinterfaces have different VLAN IDs, or if you add more than two VLAN subinterfaces, you can also use firewall policies to control connections between VLANs.

Figure 18: FortiGate unit with two virtual domains in Transparent mode
(Figure: a VLAN switch or router connects over a VLAN trunk carrying VLAN1, VLAN2 and VLAN3 to the FortiGate internal interface; VLAN1 belongs to the root virtual domain and VLAN2 and VLAN3 to a new virtual domain; the external interface connects over a second VLAN trunk to a VLAN switch or router and on to the Internet.)

When the FortiGate unit receives a VLAN tagged packet at an interface, the packet is directed to the VLAN subinterface with matching VLAN ID. The VLAN subinterface removes the VLAN tag and assigns a destination interface to the packet based on its destination MAC address. The firewall policies for this source and destination VLAN subinterface pair are applied to the packet. If the packet is accepted by the firewall, the FortiGate unit forwards the packet to the destination VLAN subinterface. The destination VLAN ID is added to the packet by the FortiGate unit and the packet is sent to the VLAN trunk.

Figure 19 shows a FortiGate unit operating in Transparent mode and configured with three VLAN subinterfaces. In this configuration the FortiGate unit could be added to this network to provide virus scanning, web content filtering, and other services to each VLAN.

Figure 19: FortiGate unit in Transparent mode
(Figure: VLAN 1 (VLAN ID = 100), VLAN 2 (VLAN ID = 200) and VLAN 3 (VLAN ID = 300) connect through a VLAN switch and a VLAN trunk to the internal interface of a FortiGate unit operating in Transparent mode; the external interface connects over a VLAN trunk to a second VLAN switch, which passes untagged packets to a router and the Internet.)

• Rules for VLAN IDs
• Transparent mode virtual domains and VLANs
• Transparent mode VLAN list
• Transparent mode VLAN settings

Rules for VLAN IDs
In Transparent mode two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN IDs to different physical interfaces. There is no internal connection or link between two VLAN subinterfaces with the same VLAN ID. Their relationship is the same as the relationship between any two FortiGate network interfaces.
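The following example is added by the editor and is not part of the FortiGate-60 Administration Guide or of FortiOS. It checks a proposed set of interfaces against the rules stated above for both NAT/Route mode (no duplicate VLAN ID on one physical interface, no overlapping subnets unless ip-overlap is enabled) and Transparent mode (the VLAN ID rule only, since subinterfaces carry no addresses). The Iface record, the validate function and the sample addresses are constructed for the illustration; the VLAN ID bound of 4094 comes from IEEE 802.1Q, not from the guide's 1 to 4096 wording.

```python
from dataclasses import dataclass
from ipaddress import IPv4Interface
from itertools import combinations
from typing import List, Optional

VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094   # IEEE 802.1Q reserves VID 0 and 4095


@dataclass(frozen=True)
class Iface:
    name: str
    physical: str             # VLAN subinterface: the interface that receives the tagged packets
    vlan_id: Optional[int]    # None for a physical interface itself
    address: Optional[str]    # "10.1.1.1/24" in NAT/Route mode; None in Transparent mode


def validate(ifaces: List[Iface], transparent: bool = False,
             ip_overlap: bool = False) -> List[str]:
    """Return the rule violations found in a proposed interface set ([] means acceptable)."""
    problems = []
    for i in ifaces:
        if i.vlan_id is not None and not VLAN_ID_MIN <= i.vlan_id <= VLAN_ID_MAX:
            problems.append(f"{i.name}: VLAN ID {i.vlan_id} is outside {VLAN_ID_MIN}-{VLAN_ID_MAX}")
        if not transparent and i.address is None:
            problems.append(f"{i.name}: NAT/Route mode requires an IP address and netmask")
    for a, b in combinations(ifaces, 2):
        # Rule for VLAN IDs (both modes): two VLAN subinterfaces on the same physical
        # interface cannot share a VLAN ID. The same VLAN ID on different physical
        # interfaces is allowed and creates no link between the two subinterfaces.
        if a.vlan_id is not None and a.vlan_id == b.vlan_id and a.physical == b.physical:
            problems.append(f"{a.name} and {b.name}: duplicate VLAN ID {a.vlan_id} on {a.physical}")
        # Rule for VLAN IP addresses (NAT/Route mode): every interface subnet must differ
        # unless 'set ip-overlap enable' has been issued under 'config system global'.
        if transparent or ip_overlap or a.address is None or b.address is None:
            continue
        net_a = IPv4Interface(a.address).network
        net_b = IPv4Interface(b.address).network
        if net_a.overlaps(net_b):
            problems.append(f"{a.name} ({net_a}) overlaps {b.name} ({net_b})")
    return problems


# Constructed sample in the shape of Figure 17: two VLANs on 'internal', none on 'external'.
SAMPLE = [
    Iface("internal", "internal", None, "192.168.1.99/24"),
    Iface("external", "external", None, "172.16.21.2/24"),
    Iface("vlan100", "internal", 100, "10.1.1.1/24"),
    Iface("vlan200", "internal", 200, "10.1.2.1/24"),
]

if __name__ == "__main__":
    for line in validate(SAMPLE) or ["no violations"]:
        print(line)
```

Run it before committing a change to the interface table: a duplicate VLAN ID on the same physical interface is reported even in Transparent mode, while an overlapping subnet is reported only in NAT/Route mode and only while ip-overlap stays disabled.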

Transparent mode virtual domains and VLANs
VLAN subinterfaces are added to and associated with virtual domains. By default the FortiGate configuration includes one virtual domain, named root, and you can add as many VLAN subinterfaces as you require to this virtual domain. You can add more virtual domains if you want to separate groups of VLAN subinterfaces into virtual domains. For information on adding and configuring virtual domains, see “System virtual domain” on page 127.

Transparent mode VLAN list
In Transparent mode, go to System > Network > Interface to add VLAN subinterfaces.

Figure 20: Sample Transparent mode VLAN list
Create New
    Select Create New to add a VLAN subinterface to a FortiGate interface.
Virtual Domain
    Select a virtual domain to display the VLAN interfaces added to this virtual domain.
Name
    The name of the interface or VLAN subinterface.
Access
    The administrative access configuration for the interface. See “To control administrative access to an interface” on page 50 for information about administrative access options.
Status
    The administrative status for the interface. If the administrative status is a green arrow, the interface is up and can accept network traffic. If the administrative status is a red arrow, the interface is administratively down and cannot accept traffic. To change the administrative status, see “To bring down an interface that is administratively up” on page 48 and “To start up an interface that is administratively down” on page 48.
Delete icon
    Select to delete a VLAN subinterface.
View/Edit icon
    Select to view or edit an interface or VLAN subinterface.

Transparent mode VLAN settings
VLAN settings displays the current configuration of a selected FortiGate interface or VLAN subinterface. Use VLAN settings to configure a new VLAN subinterface or to change the configuration of a FortiGate interface or VLAN subinterface.

Figure 21: VLAN settings
See “Interface settings” on page 42 for descriptions of all VLAN settings.

• To add a VLAN subinterface in Transparent mode
• To add firewall policies for VLAN subinterfaces

To add a VLAN subinterface in Transparent mode
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and 4096.
1 Go to System > Network > Interface.
2 Select Create New to add a VLAN subinterface.
3 Enter a Name to identify the VLAN subinterface.
4 Select the physical interface that receives the VLAN packets intended for this VLAN subinterface. You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.
5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
6 Select the virtual domain to which to add this VLAN subinterface. See “System virtual domain” on page 127 for information about virtual domains.
7 Configure the administrative access, MTU, and log settings as you would for any FortiGate interface. See “Interface settings” on page 42 for more descriptions of these settings.
8 Enable or disable using a Dynamic DNS service (DDNS). If the FortiGate unit uses a dynamic IP address, you can arrange with a DDNS service provider to use a domain name to provide redirection of traffic to your network whenever the IP address changes.
9 Select Bring up to start the VLAN subinterface.
10 Select OK to save your changes.
The FortiGate unit adds the new subinterface to the interface that you selected.

To add firewall policies for VLAN subinterfaces
Once you have added VLAN subinterfaces you can add firewall policies for connections between VLAN subinterfaces or from a VLAN subinterface to a physical interface.
1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets. See “Address” on page 165.
3 Go to Firewall > Policy.
4 Add firewall policies as required.

FortiGate IPv6 support
You can assign both an IPv4 and an IPv6 address to any interface on a FortiGate unit. The interface functions as two interfaces, one for IPv4-addressed packets and another for IPv6-addressed packets. FortiGate units support static routing, periodic router advertisements, and tunneling of IPv6-addressed traffic over an IPv4-addressed network. All of these features must be configured through the Command Line Interface (CLI). See the FortiGate CLI Reference Guide for information on the following commands:

Table 2: IPv6 CLI commands
Feature                                              CLI Command
Interface configuration, including periodic          config system interface
router advertisements                                See the keywords beginning with “ip6”.
                                                     config ip6-prefix-list
Static routing                                       config router static6
IPv6 tunneling                                       config system ipv6_tunnel

FortiGate-60 Administration Guide Version 2.80

System DHCP
You can configure DHCP server or DHCP relay agent functionality on any FortiGate interface or VLAN subinterface. A FortiGate interface can act as either a DHCP server or as a DHCP relay agent. An interface cannot provide both functions at the same time. You can configure each interface to be a DHCP relay or a DHCP server or you can turn off DHCP services.

Note: To configure DHCP server or DHCP relay functionality on an interface, the FortiGate unit must be in NAT/Route mode and the interface must have a static IP address.

This section describes:
• Service
• Server
• Exclude range
• IP/MAC binding
• Dynamic IP

Service
Go to System > DHCP > Service to configure the DHCP service provided by each FortiGate interface.

Figure 1: DHCP service list
Interface
    List of FortiGate interfaces.
Service
    The DHCP service provided by the interface (none, DHCP Relay, or DHCP Server).
Edit/View icon
    Select to view or modify the DHCP service configuration for an interface.

DHCP service settings
Go to System > DHCP > Service and select an edit or view icon to view or modify the DHCP service configuration for an interface.

Figure 2: View or edit DHCP service settings for an interface
Interface
    The name of the interface.
None
    No DHCP services provided by the interface.
DHCP Relay Agent
    Select to configure the interface to be a DHCP relay agent. See “To configure an interface as a regular DHCP relay agent” on page 72.
Type
    Select the type of DHCP relay agent.
Regular
    Configure the interface to be a DHCP relay agent for computers on the network connected to this interface.
IPSEC
    Configure the interface to be a DHCP relay agent only for remote VPN clients with an IPSec VPN connection to this interface that uses DHCP over IPSec. For more information, see “DHCP over IPSec” on page 233.
DHCP Server IP
    If you select DHCP Relay Agent, enter the IP address of the DHCP server used by the computers on the network connected to the interface.
DHCP Server
    Select DHCP Server if you want the FortiGate unit to be the DHCP server. See “To configure an interface to be a DHCP server” on page 73.

To configure an interface as a regular DHCP relay agent
In a DHCP relay configuration, the FortiGate interface configured for DHCP relay forwards DHCP requests from DHCP clients through the FortiGate unit to a DHCP server. The FortiGate unit also returns responses from the DHCP server to the DHCP clients. The DHCP server must have a route to the FortiGate unit that is configured as the DHCP relay so that the packets sent by the DHCP server to the DHCP client arrive at the FortiGate performing DHCP relay.
1 Go to System > DHCP > Service.
2 Select Edit for the interface that you want to be a DHCP relay agent.
3 Select DHCP Relay Agent.
4 Set type to Regular.
5 Enter the DHCP Server IP address.
6 Select OK.

To configure an interface to be a DHCP server
You can configure a DHCP server for any FortiGate interface. As a DHCP server, the interface dynamically assigns IP addresses to hosts on a network connected to the interface.
1 Go to System > DHCP > Service.
2 Select Edit beside the interface to which you want to add a DHCP server.
3 Select DHCP Server.
4 Select OK.
5 Add a DHCP server configuration for this interface. See “To configure a DHCP server for an interface” on page 74.

Server
You can configure one or more DHCP servers for any FortiGate interface. As a DHCP server, the interface dynamically assigns IP addresses to hosts on the network connected to the interface. You can add more than one DHCP server to a single interface to be able to provide DHCP services to multiple networks. For more information, see “To configure multiple DHCP servers for an interface” on page 75. You can also configure a DHCP server for more than one FortiGate interface.

Figure 3: DHCP Server list
Create New
    Add a new DHCP server.
Name
    Name of the DHCP server.
Interface
    The interface for which the DHCP server is configured.
Default Gateway
    The DHCP server configuration default gateway.
Delete
    Delete a DHCP server configuration.
Edit/View icon
    View or modify a DHCP server configuration.

DHCP server settings

Figure 4: Server options
Name
    Enter a name for the DHCP server configuration.
Interface
    Select the interface for which to configure the DHCP server.
Domain
    Enter the domain that the DHCP server assigns to DHCP clients.
Default Gateway
    Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.
IP Range
    Enter the starting IP and ending IP for the range of IP addresses that this DHCP server assigns to DHCP clients.
Network Mask
    Enter the netmask that the DHCP server assigns to DHCP clients.
Lease Time
    Select Unlimited for an unlimited lease time or enter the interval in days, hours, and minutes after which a DHCP client must ask the DHCP server for new settings. The lease time can range from 5 minutes to 100 days.
DNS Server
    Enter the IP addresses of up to 3 DNS servers that the DHCP server assigns to DHCP clients.
WINS Server
    Add the IP addresses of one or two WINS servers that the DHCP server assigns to DHCP clients.
Option
    Up to three custom DHCP options that can be sent by the DHCP server. Code is the DHCP option code in the range 1 to 255. Option is an even number of hexadecimal characters and is not required for some option codes. For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.

To configure a DHCP server for an interface
After configuring an interface to be a DHCP server (using the procedure “To configure an interface to be a DHCP server” on page 73), you must configure a DHCP server for the interface.
1 Go to System > DHCP > Server.
2 Select Create New.

3 Add a name for the DHCP server.
4 Select the interface.
5 Configure the DHCP server. The IP range must match the subnet address of the network from which the DHCP request was received. Usually this would be the subnet connected to the interface for which you are adding the DHCP server.
6 Select OK to save the DHCP server configuration.

To configure multiple DHCP servers for an interface
If an interface is connected to a network that includes routers connected to different subnets, you can:
1 Configure computers on the subnets to get their IP configuration using DHCP.
2 Configure the routers for DHCP relay.
3 Add multiple DHCP servers to the interface, one for each subnet. The IP range of each DHCP server must match the subnet addresses.
When a computer on one of the connected subnets sends a DHCP request it is relayed to the FortiGate interface by the router, using DHCP relay. The FortiGate unit selects the DHCP server configuration with an IP range that matches the subnet address from which the DHCP request was received and uses this DHCP server to assign an IP configuration to the computer that made the DHCP request. The DHCP configuration packets are sent back to the router and the router relays them to the DHCP client.

Exclude range
Add up to 16 exclude ranges of IP addresses that FortiGate DHCP servers cannot assign to DHCP clients. Exclude ranges apply to all FortiGate DHCP servers.

Figure 5: Exclude range list
Create New
    Select Create New to add an exclude range.
#
    The ID number of each exclude range. ID numbers are assigned sequentially by the web-based manager. When you add or edit exclude ranges from the CLI you must specify the ID number.
Starting IP
    The starting IP of the exclude range.
Ending IP
    The ending IP of the exclude range.
Delete
    Delete an exclude range.
Edit/View icon
    View or modify an exclude range.

DHCP exclude range settings

Figure 6: Exclude range settings
Starting IP
    Enter the starting IP of an exclude range.
Ending IP
    Enter the ending IP of an exclude range. The range cannot exceed 65536 IP addresses.

To add an exclusion range
1 Go to System > DHCP > Exclude Range.
2 Select Create New.
3 Add the starting IP and ending IP.
4 Select OK to save the exclusion range.

IP/MAC binding
If you have added DHCP servers, you can use DHCP IP/MAC binding to reserve an IP address for a particular device on the network according to the MAC address of the device. When you add the MAC address and an IP address to the IP/MAC binding list, the DHCP server always assigns this IP address to the MAC address. IP/MAC binding pairs apply to all FortiGate DHCP servers. Note that a reservation keyed on a MAC address is an addressing convenience, not an authentication control: any host that presents that MAC address receives the reserved address.

• DHCP IP/MAC binding settings

Figure 7: IP/MAC binding list
Create New
    Select Create New to add a DHCP IP/MAC binding pair.
Name
    The name for the IP and MAC address pair.
IP Address
    The IP address for the IP and MAC address pair. The IP address must be within the configured IP range.
MAC Address
    The MAC address of the device.
Delete icon
    Delete an IP/MAC binding pair.
Edit/View icon
    View or modify an IP/MAC binding pair.

DHCP IP/MAC binding settings

Figure 8: IP/MAC binding options
Name
    Enter a name for the IP/MAC address pair.
IP Address
    Enter the IP address for the IP and MAC address pair. The IP address must be within the configured IP range.
MAC Address
    Enter the MAC address of the device.

To add a DHCP IP/MAC binding pair
1 Go to System > DHCP > IP/MAC Binding.
2 Select Create New.
3 Add a name for the IP/MAC pair.
4 Add the IP address and MAC address.
5 Select OK to save the IP/MAC pair.

Dynamic IP
You can view the list of IP addresses that the DHCP server has assigned, their corresponding MAC addresses, and the expiry time and date for these addresses.

Interface
    Select to display its dynamic IP list.
IP
    The IP addresses that the DHCP server has assigned.
MAC
    The corresponding MAC addresses for the dynamic IP addresses.
Expire
    The expiry time and date for the dynamic IP addresses and their corresponding MAC addresses.

To view the dynamic IP list
1 Go to System > DHCP > Dynamic IP.
2 Select the interface for which you want to view the list.
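The following example is added by the editor and is not FortiOS code or part of the FortiGate-60 Administration Guide. It models how the DHCP settings in this chapter interact when a request arrives: the server on an interface is chosen by the subnet the request came from (multiple DHCP servers per interface), the lease time is held to 5 minutes to 100 days, up to 16 exclude ranges of at most 65536 addresses are honoured by every server, an IP/MAC binding always wins for its MAC address, and the resulting leases form the Dynamic IP list. The class and function names, the use of the relaying router's address (giaddr) to identify the source subnet, and every address and MAC in the sample are constructed for the illustration, not taken from the guide.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

MIN_LEASE, MAX_LEASE = timedelta(minutes=5), timedelta(days=100)
MAX_EXCLUDE_RANGES, MAX_EXCLUDE_SIZE = 16, 65536


@dataclass
class DhcpServer:
    """One DHCP server configuration (the Figure 4 fields that affect address assignment)."""
    name: str
    interface: str
    ip_start: str
    ip_end: str
    netmask: str
    default_gateway: str
    lease: timedelta = timedelta(days=7)

    def __post_init__(self):
        if not MIN_LEASE <= self.lease <= MAX_LEASE:
            raise ValueError(f"{self.name}: lease time must be 5 minutes to 100 days")
        self.start, self.end = IPv4Address(self.ip_start), IPv4Address(self.ip_end)
        self.network = IPv4Network(f"{self.ip_start}/{self.netmask}", strict=False)
        if self.end < self.start or self.end not in self.network:
            raise ValueError(f"{self.name}: IP range must lie inside {self.network}")

    def contains(self, ip: IPv4Address) -> bool:
        return self.start <= ip <= self.end


@dataclass
class DhcpService:
    servers: List[DhcpServer] = field(default_factory=list)
    excludes: List[Tuple[IPv4Address, IPv4Address]] = field(default_factory=list)
    bindings: Dict[str, IPv4Address] = field(default_factory=dict)      # MAC -> reserved IP
    leases: Dict[IPv4Address, Tuple[str, datetime]] = field(default_factory=dict)  # Dynamic IP list

    def add_exclude_range(self, start: str, end: str) -> None:
        lo, hi = IPv4Address(start), IPv4Address(end)
        if len(self.excludes) >= MAX_EXCLUDE_RANGES:
            raise ValueError("at most 16 exclude ranges are allowed")
        if hi < lo or int(hi) - int(lo) + 1 > MAX_EXCLUDE_SIZE:
            raise ValueError("an exclude range cannot exceed 65536 addresses")
        self.excludes.append((lo, hi))          # applies to every DHCP server

    def add_binding(self, mac: str, ip: str) -> None:
        addr = IPv4Address(ip)
        if not any(s.contains(addr) for s in self.servers):
            raise ValueError(f"{ip} is not within any configured IP range")
        self.bindings[mac.lower()] = addr       # applies to every DHCP server

    def select_server(self, interface: str, giaddr: Optional[str]) -> DhcpServer:
        """Pick the server on this interface whose range matches the requesting subnet.
        giaddr (assumed here) is the address of the router that relayed the request;
        a client directly on the interface has none and gets the first server."""
        candidates = [s for s in self.servers if s.interface == interface]
        if giaddr is not None:
            candidates = [s for s in candidates if IPv4Address(giaddr) in s.network]
        if not candidates:
            raise LookupError(f"no DHCP server on {interface} matches {giaddr}")
        return candidates[0]

    def offer(self, interface: str, mac: str, giaddr: Optional[str] = None,
              now: Optional[datetime] = None) -> Tuple[IPv4Address, str, datetime]:
        """Assign an address and return (ip, default gateway, lease expiry)."""
        now, mac = now or datetime.now(), mac.lower()
        server = self.select_server(interface, giaddr)
        self.leases = {ip: v for ip, v in self.leases.items() if v[1] > now}  # expire old leases
        ip = self.bindings.get(mac)                                   # binding always wins
        if ip is None or not server.contains(ip):
            ip = next((i for i, (m, _) in self.leases.items() if m == mac), None)  # renewal
        if ip is None:
            busy = set(self.leases) | set(self.bindings.values())
            pool = (IPv4Address(n) for n in range(int(server.start), int(server.end) + 1))
            ip = next((a for a in pool if a not in busy
                       and not any(lo <= a <= hi for lo, hi in self.excludes)), None)
        if ip is None:
            raise RuntimeError(f"{server.name}: no free addresses")
        expiry = now + server.lease
        self.leases[ip] = (mac, expiry)
        return ip, server.default_gateway, expiry


def build_sample() -> DhcpService:
    """Constructed configuration: two servers on 'internal', one exclude range, one binding."""
    svc = DhcpService([
        DhcpServer("lan", "internal", "192.168.1.100", "192.168.1.200", "255.255.255.0",
                   "192.168.1.99", timedelta(hours=8)),
        DhcpServer("branch", "internal", "10.1.2.50", "10.1.2.60", "255.255.255.0", "10.1.2.1"),
    ])
    svc.add_exclude_range("192.168.1.100", "192.168.1.110")
    svc.add_binding("00:09:0f:aa:bb:cc", "192.168.1.150")
    return svc


def demo() -> List[str]:
    """Walk a constructed request sequence through the service and return the Dynamic IP entries."""
    svc, t0 = build_sample(), datetime(2004, 7, 16, 12, 0)
    requests = [("00:11:22:33:44:55", None, t0),
                ("00:11:22:33:44:55", None, t0),                        # renewal keeps its address
                ("00:09:0F:AA:BB:CC", None, t0),                        # IP/MAC binding
                ("00:11:22:33:44:77", "10.1.2.1", t0),                  # relayed from the branch subnet
                ("00:11:22:33:44:88", None, t0 + timedelta(hours=9))]   # after the lan leases expire
    out = []
    for mac, giaddr, when in requests:
        ip, gw, exp = svc.offer("internal", mac, giaddr, when)
        out.append(f"{mac.lower()} {ip} gw={gw} expires={exp:%Y-%m-%d %H:%M}")
    return out
```

The last request in demo() shows the consequence of the lease time: nine hours after the first client was served, its 8-hour lease has expired and 192.168.1.111 is handed to a different MAC address, which is why log correlation against the Dynamic IP list needs the Expire column and not just the address.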


System config
Use the System Config page to make any of the following changes to the FortiGate system configuration:
• System time
• Options
• HA
• SNMP
• Replacement messages
• FortiManager

System time
Go to System > Config > Time to set the FortiGate system time. For effective scheduling and logging, the FortiGate system time must be accurate. You can either manually set the FortiGate system time or you can configure the FortiGate unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.

Figure 1: System time
System Time
    The current FortiGate system date and time.
Refresh
    Select Refresh to update the display of the current FortiGate system date and time.
Time Zone
    Select the current FortiGate system time zone.

Automatically adjust clock for daylight saving changes
    Select the Automatically adjust clock for daylight saving changes check box if you want the FortiGate system clock to be adjusted automatically when your time zone changes to daylight saving time and back to standard time.
Set Time
    Select Set Time to set the FortiGate system date and time to the correct date and time.
Synchronize with NTP Server
    Select Synchronize with NTP Server to configure the FortiGate unit to use NTP to automatically set the system date and time. For more information about NTP and to find the IP address of an NTP server that you can use, see http://www.ntp.org. Because schedules and log timestamps depend on the result, use an NTP server that you control or trust and can reach reliably.
Server
    Enter the IP address or domain name of the NTP server that the FortiGate unit can use to set its time and date.
Syn Interval
    Specify how often the FortiGate unit should synchronize its time with the NTP server. A typical Syn Interval would be 1440 minutes for the FortiGate unit to synchronize its time once a day.

To manually set the FortiGate date and time
1 Go to System > Config > Time.
2 Select Refresh to display the current FortiGate system date and time.
3 Select your Time Zone from the list.
4 Optionally, select the Automatically adjust clock for daylight saving changes check box.
5 Select Set Time and set the FortiGate system date and time.
6 Set the hour, minute, second, month, day, and year as required.
7 Select Apply.

To use NTP to set the FortiGate date and time
1 Go to System > Config > Time.
2 Select Synchronize with NTP Server to configure the FortiGate unit to use NTP to automatically set the system time and date.
3 Enter the IP address or domain name of the NTP server that the FortiGate unit can use to set its time and date.
4 Specify how often the FortiGate unit should synchronize its time with the NTP server.
5 Select Apply.

Options
Go to System > Config > Options to set the following options:
• Timeout settings including the idle timeout and authentication timeout
• The language displayed by the web-based manager
• Dead gateway detection interval and failover detection

Figure 2: System config options
Idle Timeout
    Set the idle time out to control the amount of inactive time before the administrator must log in again. To improve security keep the idle timeout at the default value of 5 minutes. The maximum admintimeout is 480 minutes (8 hours).
Auth Timeout
    Set the firewall user authentication time out to control the amount of inactive time before a user must authenticate again. The default Auth Timeout is 15 minutes. The maximum authtimeout is 480 minutes (8 hours). For more information, see “Users and authentication” on page 199.
Language
    Select a language for the web-based manager to use. Choose from English, Simplified Chinese, Japanese, Korean, Traditional Chinese, or French.
Detection Interval
    Set the dead gateway detection failover interval. Enter a number in seconds to specify how often the FortiGate unit pings the target.
Fail-over Detection
    Set the ping server dead gateway detection failover number. Enter the number of times that ping fails before the FortiGate unit assumes that the gateway is no longer functioning.

To set the system idle timeout
1 Go to System > Config > Options.
2 For Idle Timeout, type a number in minutes.
3 Select Apply.

To set the Auth timeout
1 Go to System > Config > Options.
2 For Auth Timeout, type a number in minutes.
3 Select Apply.

To select a language for the web-based manager
1 Go to System > Config > Options.
2 From the Languages list, select a language for the web-based manager to use.

3 Select Apply.
Note: You should select the language that the management computer operating system uses.

To modify the dead gateway detection settings
Modify dead gateway detection to control how the FortiGate unit confirms connectivity with a ping server added to an interface configuration. For information about adding a ping server to an interface, see “To add a ping server to an interface” on page 50. The time to declare a gateway dead is the Detection Interval multiplied by the Fail-over Detection count, so a short interval with a small count fails over quickly but is more sensitive to transient packet loss.
1 Go to System > Config > Options.
2 For Detection Interval, type a number in seconds to specify how often the FortiGate unit tests the connection to the ping target.
3 For Fail-over Detection, type a number of times that the connection test fails before the FortiGate unit assumes that the gateway is no longer functioning.
4 Select Apply.

HA
Fortinet achieves high availability (HA) using redundant hardware and the FortiGate Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 FortiGate units to an HA cluster. Each FortiGate unit in an HA cluster must be the same model and must be running the same FortiOS firmware image.

The FortiGate units in the cluster use cluster ethernet interfaces to communicate cluster session information, synchronize the cluster configuration, and report individual cluster member status. The units in the cluster are constantly communicating HA status information to make sure that the cluster is operating properly. This communication is called the HA heartbeat.

FortiGate units can be configured to operate in active-passive (A-P) or active-active (A-A) HA mode. Active-active and active-passive clusters can run in either NAT/Route or Transparent mode.

FortiGate HA supports link failover, device failover, and HA heartbeat failover.

Link failover
If one of the links to a FortiGate unit in an HA cluster fails, all functions, all established firewall connections, and all IPSec VPN sessions (a) are maintained by the other FortiGate units in the HA cluster. For information about link failover, see “Monitor priorities” on page 87.

Device failover
If one of the FortiGate units in an HA cluster fails, all functions, all established firewall connections, and all IPSec VPN sessions are maintained by the other FortiGate units in the HA cluster.

HA heartbeat failover
You can configure multiple interfaces to be HA heartbeat devices. If an interface functioning as an HA heartbeat device fails, the HA heartbeat is transferred to another interface also configured as an HA heartbeat device.

a. HA does not provide session failover for PPPoE, DHCP, PPTP, and L2TP services.

An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a primary FortiGate unit that processes traffic, and one or more subordinate FortiGate units. The subordinate FortiGate units are connected to the network and to the primary FortiGate unit but do not process traffic.

An active-active HA cluster consists of a primary FortiGate unit that processes traffic and one or more subordinate units that also process traffic. Active-active (A-A) HA load balances virus scanning among all the FortiGate units in the cluster. The primary FortiGate unit uses a load balancing algorithm to distribute virus scanning to all the FortiGate units in the HA cluster.

• HA configuration
• Configuring an HA cluster
• Managing an HA cluster

For more information about FortiGate HA and the FGCP, see the FortiGate High Availability Guide.

HA configuration
Go to System > Config > HA and use the options described below to configure HA.

Figure 3: HA configuration
Standalone Mode
    Standalone mode is the default operation mode. If Standalone mode is selected the FortiGate unit is not operating in HA mode. Select Standalone Mode if you want to stop a cluster unit from operating in HA mode.
High Availability
    Select High Availability to operate the FortiGate unit in HA mode. After selecting High Availability, complete the remainder of the HA configuration.

Mode
    All members of the HA cluster must be set to the same HA mode.
Active-Passive
    Failover HA. The primary FortiGate unit in the cluster processes all connections. All other FortiGate units in the cluster passively monitor the cluster status and remain synchronized with the primary FortiGate unit.
Active-Active
    Load balancing and failover HA. Each cluster unit actively processes connections and monitors the status of the other FortiGate units in the cluster. The primary FortiGate unit in the cluster controls load balancing among all of the cluster units.
Group ID
    The group ID range is from 0 to 63. All members of the HA cluster must have the same group ID. When the FortiGate units in the cluster are switched to HA mode, all of the interfaces of all of the units in the cluster acquire the same virtual MAC address. This virtual MAC address is set according to the group ID. Table 1 lists the virtual MAC address set for each group ID.

Table 1: HA group ID and MAC address
Group ID    MAC Address
0           00-09-0f-06-ff-00
1           00-09-0f-06-ff-01
2           00-09-0f-06-ff-02
3           00-09-0f-06-ff-03
…           …
63          00-09-0f-06-ff-3f

    If you have more than one HA cluster on the same network, each cluster should have a different group ID. If two clusters on the same network have the same group ID, the duplicate MAC addresses cause addressing conflicts on the network.
Unit Priority
    Optionally set the unit priority of the cluster unit. The unit priority range is 0 to 255. The default unit priority is 128. Each cluster unit can have a different unit priority (the unit priority is not synchronized among cluster members). During HA negotiation, the unit with the highest unit priority becomes the primary cluster unit. You can use the unit priority to control the order in which cluster units become the primary cluster unit when a cluster unit fails. For example, if you have three FortiGate-3600s in a cluster you can set the unit priorities as shown in Table 2. Cluster unit A will always be the primary cluster unit because it has the highest priority. If cluster unit A fails, cluster unit B becomes the primary cluster unit because cluster unit B has a higher unit priority than cluster unit C.

Table 2: Example unit priorities for a cluster of three cluster units
Cluster unit    Unit priority
A               200
B               100
C               50

    The unit priority is not synchronized to all cluster units. Each cluster unit can have a different unit priority. In a functioning cluster, if you change the unit priority of the current primary cluster unit to a lower priority, when the cluster renegotiates a different cluster unit becomes the primary cluster unit.
Override Master
    Configure a cluster unit to always override the current primary cluster unit and become the primary cluster unit in its place. In a functioning cluster, if you select override master for a cluster unit the cluster negotiates and may select a new primary cluster unit.
    In a typical FortiGate cluster configuration, the primary unit is selected automatically. Normally, the cluster unit with the highest unit priority becomes the primary cluster unit. However, if this cluster unit experiences a failure or restarts, another cluster unit becomes the primary cluster unit in its place. When the original primary cluster unit restarts, or is repaired or replaced and added back into the cluster, the original primary cluster unit cannot return to primary cluster unit status even if its priority number is higher than that of any other cluster unit, unless you select Override Master.
    In some situations, you might want to control which unit becomes the primary unit. You can select a FortiGate unit as the permanent primary cluster unit by giving this cluster unit a high unit priority and by configuring it to override other primary units. Enable Override Master for the cluster unit that you have given the highest unit priority. Enabling Override Master means that this cluster unit always becomes the primary cluster unit. The override master setting is not synchronized to all cluster units.
Password
    Enter a password for the HA cluster. The password must be the same for all FortiGate units in the HA cluster. The maximum password length is 15 characters. If you have more than one FortiGate HA cluster on the same network, each cluster should have a different password.
Schedule
    If you are configuring an active-active cluster, select a load balancing schedule.

    The load balancing schedules are:

    None
        No load balancing. Select None when the cluster interfaces are connected to load balancing switches.
    Hub
        Load balancing if the cluster interfaces are connected to a hub. Traffic is distributed to cluster units based on the Source IP and Destination IP of the packet.
    Least-Connection
        Least connection load balancing. If the cluster units are connected using switches, select Least Connection to distribute network traffic to the cluster unit currently processing the fewest connections.
    Round-Robin
        Round robin load balancing. If the cluster units are connected using switches, select Round-Robin to distribute network traffic to the next available cluster unit.
    Weighted Round-Robin
        Weighted round robin load balancing. Similar to round robin, but weighted values are assigned to each of the units in a cluster based on their capacity and on how many connections they are currently processing. For example, the primary unit should have a lower weighted value because it handles scheduling and forwards traffic. Weighted round robin distributes traffic more evenly because units that are not processing traffic will be more likely to receive new connections than units that are very busy.
    Random
        Random load balancing. If the cluster units are connected using switches, select Random to randomly distribute traffic to cluster units.
    IP
        Load balancing according to IP address. If the cluster units are connected using switches, select IP to distribute traffic to units in a cluster based on the Source IP and Destination IP of the packet.
    IP Port
        Load balancing according to IP address and port. If the cluster units are connected using switches, select IP Port to distribute traffic to units in a cluster based on the source IP, source port, destination IP, and destination port of the packet.

Priorities of Heartbeat Device
    Configure the heartbeat priority for each interface in the cluster. The heartbeat priority range is 0 to 512.

    The cluster units use the ethernet interfaces with HA heartbeat priorities to communicate cluster session information, synchronize the cluster configuration, and report individual cluster member status. The HA heartbeat constantly communicates HA status information to make sure that the cluster is operating properly.

    The interface with the highest priority handles all of the heartbeat traffic. If this interface fails or becomes disconnected, the interface with the next highest priority handles all of the heartbeat traffic.

    By default, two interfaces are configured as heartbeat devices. Table 3 lists the default heartbeat device configuration for all FortiGate models.

    Note: You can enable heartbeat device for physical interfaces, but not for VLAN subinterfaces.

    Table 3: Default heartbeat device configuration
    FortiGate model    Default heartbeat device    Default priority
    FortiGate-60       WAN1                        50
                       DMZ                         100

    Change the heartbeat device priorities as required to control the interface that is used for heartbeat traffic and the interface to which heartbeat traffic reverts if the interface with the highest heartbeat priority fails or is disconnected. The heartbeat priority must be set for at least one cluster interface. Setting the heartbeat priority for more interfaces increases the reliability of the cluster. If heartbeat communication is interrupted the cluster stops processing traffic.

    To optimize bandwidth use, you can route most heartbeat traffic to interfaces that handle less network traffic. You can also create a failover path by setting heartbeat priorities so that you can control the order in which interfaces are used for heartbeat traffic.

    For most FortiGate models, if you do not change the heartbeat device configuration, you would isolate the HA interfaces of all of the cluster units by connecting them all to the same switch. If the cluster consists of two FortiGate units you can connect the heartbeat device interfaces directly using a crossover cable.

    Heartbeat packets contain sensitive information about the cluster configuration. Also, heartbeat packets may use a considerable amount of network bandwidth and it is preferable to isolate this traffic from your user networks. The extra bandwidth used by heartbeat packets could also reduce the capacity of the interface to process network traffic. For best results, isolate each heartbeat device on its own network.

Heartbeat device IP addresses
    You do not need to assign IP addresses to the heartbeat device interfaces for them to be able to process heartbeat packets. In HA mode the cluster assigns virtual IP addresses to the heartbeat device interfaces. The primary cluster unit heartbeat device interface is assigned the IP address 10.0.0.1 and the subordinate unit is assigned the IP address 10.0.0.2. A third cluster unit would be assigned the IP address 10.0.0.3, and so on.

    If you decide to use the heartbeat device interfaces for processing network traffic or for a management connection you can assign the interface any IP address. This IP address does not affect the heartbeat traffic.

Monitor priorities
    Enable or disable monitoring a FortiGate interface to verify that the interface is functioning properly and connected to its network. If a monitored interface fails or is disconnected from its network, the interface leaves the cluster. The cluster reroutes the traffic being processed by that interface to the same interface of another cluster unit in the cluster that still has a connection to the network. This other cluster unit becomes the new primary cluster unit.

    If you can re-establish traffic flow through the interface (for example, if you re-connect a disconnected network cable) the interface rejoins the cluster. If Override Master is enabled for this FortiGate unit (see “Override Master” on page 85), this FortiGate unit becomes the primary unit in the cluster again.

    Note: Only monitor interfaces that are connected to networks.
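The heartbeat device selection and the monitored-interface failover described above, as an added Python model. This is illustrative code and not part of the original guide or of FortiGate firmware: it encodes only the rules stated here (highest-priority connected heartbeat device carries the heartbeat, the next one takes over on failure, the cluster assigns 10.0.0.1, 10.0.0.2, ... to heartbeat devices, and a unit that keeps its higher-priority monitored interfaces working is preferred as primary). Scoring a unit by the summed monitor priority of its connected monitored interfaces is an assumption made for the illustration; the guide states the outcome of the comparison, not the algorithm.

```python
# Added example (not Fortinet code): a model of the heartbeat-device and
# monitor-priority rules described in this section. Scoring a unit by the
# summed monitor priority of its still-connected monitored interfaces is an
# assumption made for this illustration; the guide describes the outcome of
# the comparison, not the algorithm.

FG60_DEFAULT_HEARTBEAT = {"wan1": 50, "dmz": 100}   # Table 3 defaults for the FortiGate-60


def heartbeat_interface(heartbeat_priorities, link_up):
    """Return the interface currently carrying heartbeat traffic.

    The connected heartbeat device with the highest priority wins; a priority
    of 0 means the interface is not a heartbeat device. None means every
    heartbeat device is down, the condition under which the cluster stops
    processing traffic.
    """
    live = [(prio, name) for name, prio in heartbeat_priorities.items()
            if prio > 0 and link_up.get(name, False)]
    return max(live)[1] if live else None


def heartbeat_failover_path(heartbeat_priorities):
    """Order in which interfaces take over heartbeat traffic as higher ones fail."""
    ranked = sorted(((p, n) for n, p in heartbeat_priorities.items() if p > 0), reverse=True)
    return [name for _, name in ranked]


def heartbeat_virtual_ip(unit_index):
    """Cluster-assigned heartbeat address: 10.0.0.1 on the primary unit,
    10.0.0.2, 10.0.0.3, ... on the subordinate units."""
    if not 1 <= unit_index <= 254:
        raise ValueError("unit index must be between 1 and 254")
    return f"10.0.0.{unit_index}"


def monitor_failover(primary, link_state, monitor_priorities):
    """Which unit should be primary after a monitored interface fails.

    link_state maps unit name -> {interface: is_connected}. A unit's score is
    the total monitor priority of its connected monitored interfaces
    (assumption, see above). The current primary keeps its role unless some
    other unit has a strictly better set of working monitored interfaces, so
    a failed low-priority interface on the primary does not hand control to
    a unit that has lost a high-priority interface.
    """
    def score(unit):
        return sum(prio for iface, prio in monitor_priorities.items()
                   if link_state[unit].get(iface, False))

    scores = {unit: score(unit) for unit in link_state}
    challenger = max(scores, key=scores.get)
    return challenger if scores[challenger] > scores[primary] else primary
```

With the FortiGate-60 defaults, DMZ carries the heartbeat while it is connected and WAN1 takes over when it is not; an empty result from heartbeat_interface is the state to alarm on, because the cluster is then not processing traffic.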

    For monitor priorities, increase the priority of interfaces connected to higher priority networks or networks with more traffic. If a high priority interface on the primary cluster unit fails, one of the other units in the cluster becomes the new primary unit to provide better service to the high priority network. If a low priority interface fails on one cluster unit and a high priority interface fails on another cluster unit, a unit in the cluster with a working connection to the high priority interface would, if it becomes necessary to negotiate a new primary unit, be selected instead of a unit with a working connection to the low priority interface. The monitor priority range is 0 to 512.

    Note: You can monitor physical interfaces, but not VLAN subinterfaces.

This section also describes:
• Configuring an HA cluster
• Managing an HA cluster

Configuring an HA cluster
Use the following procedures to create an HA cluster consisting of two or more FortiGate units. These procedures describe how to configure each of the FortiGate units for HA operation and then how to connect the FortiGate units to form a cluster. Once the cluster is connected you can configure it in the same way as you would configure a standalone FortiGate unit.
• To configure a FortiGate unit for HA operation
• To connect a FortiGate HA cluster
• To add a new unit to a functioning cluster
• To configure weighted-round-robin weights

To configure a FortiGate unit for HA operation
Each FortiGate unit in the cluster must have the same HA configuration. Use the following procedure to configure each FortiGate unit for HA operation.

Note: The following procedure does not include steps for configuring interface heartbeat devices and interface monitoring. Both of these HA settings should be configured after the cluster is up and running.

1 Power on the FortiGate unit to be configured.
2 Connect to the web-based manager.
3 Give the FortiGate unit a unique host name. See “To change FortiGate host name” on page 27. Use host names to identify individual cluster units.
4 Go to System > Config > HA.
5 Select HA.
6 Select the HA mode.
7 Select a Group ID for the cluster. The Group ID must be the same for all FortiGate units in the HA cluster.

8 Optionally change the Unit Priority. See “Unit Priority” on page 84.
9 If required, select Override Master. See “Override Master” on page 85.
10 Enter and confirm a password for the HA cluster.
11 If you are configuring Active-Active HA, select a schedule. See “Schedule” on page 85.
12 Select Apply. The FortiGate unit negotiates to establish an HA cluster. When you select Apply you may temporarily lose connectivity with the FortiGate unit as the HA cluster negotiates.
13 If you are configuring a NAT/Route mode cluster, power off the FortiGate unit and then repeat this procedure for all the FortiGate units in the cluster. Once all of the units are configured, continue with “To connect a FortiGate HA cluster” on page 89.
14 If you are configuring a Transparent mode cluster, reconnect to the web-based manager. You may have to wait a few minutes before you can reconnect.
15 Go to System > Status.
16 Select Change to Transparent Mode and select OK to switch the FortiGate unit to Transparent mode.
17 Power off the FortiGate unit.
18 Repeat this procedure for all of the FortiGate units in the cluster, then continue with “To connect a FortiGate HA cluster” on page 89.

To connect a FortiGate HA cluster
Use the following procedure to connect a cluster operating in NAT/Route mode or Transparent mode. Connect the FortiGate units in the cluster to each other and to your network. You must connect all matching interfaces in the cluster to the same hub or switch. Then you must connect these interfaces to their networks using the same hub or switch. Fortinet recommends using switches for all cluster connections for the best performance.

The FortiGate units in the cluster use cluster ethernet interfaces to communicate cluster session information, synchronize the cluster configuration, and report individual cluster member status. This cluster communication is also called the cluster heartbeat. The units in the cluster are constantly communicating HA status information to make sure that the cluster is operating properly.

Inserting an HA cluster into your network temporarily interrupts communications on the network because new physical connections are being made to route traffic through the cluster. Also, starting the cluster interrupts network traffic until the individual FortiGate units in the cluster are functioning and the cluster completes negotiation. Cluster negotiation normally takes just a few seconds. During system startup and negotiation all network traffic is dropped.

1 Connect the cluster units.
• Connect the internal interfaces of each FortiGate unit to a switch or hub connected to your internal network.
• Connect the WAN1 interfaces of each FortiGate unit to a switch or hub connected to your external network.
• Optionally connect the WAN2 interface of each FortiGate unit to a switch or hub connected to a second external network.
• Connect the DMZ interfaces of the FortiGate units to another switch or hub.

Figure 4: HA network configuration (two FortiGate units; their Internal, DMZ and WAN1 interfaces each connected through a hub or switch, with WAN1 leading to a router and the Internet)

2 Power on all the FortiGate units in the cluster. As the units start, they negotiate to choose the primary cluster unit and the subordinate units. This negotiation occurs with no user intervention and normally just takes a few seconds.

You can now configure the cluster as if it is a single FortiGate unit.
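The negotiation in step 2 follows the Unit Priority and Override Master rules described earlier in this chapter. The following Python model is an added example and not part of the original guide or of FortiGate firmware: it implements only what this chapter states (highest unit priority wins; a unit with Override Master wins regardless of priority; a repaired unit rejoins as a subordinate unless Override Master is set on it; changing a priority or the Override Master setting makes the cluster renegotiate). Breaking priority ties by unit name is an assumption of the model, not documented behaviour.

```python
# Added example (not Fortinet code): a model of primary-unit negotiation
# following the rules stated in this chapter. Highest unit priority wins;
# a unit with Override Master wins regardless of priority; a repaired unit
# rejoins as a subordinate unless Override Master is set on it; changing a
# priority or the Override Master setting makes the cluster renegotiate.
# Breaking priority ties by unit name is an assumption of this model.
from dataclasses import dataclass


@dataclass
class Unit:
    name: str
    priority: int           # 0-255
    override: bool = False  # Override Master; like priority, not synchronized
    up: bool = True


class Cluster:
    def __init__(self, units):
        self.units = {u.name: u for u in units}
        self.primary = None
        self.negotiate()

    def negotiate(self):
        """Full negotiation among the units that are up."""
        live = [u for u in self.units.values() if u.up]
        if not live:
            self.primary = None
            return None
        pool = [u for u in live if u.override] or live
        self.primary = max(pool, key=lambda u: (u.priority, u.name)).name
        return self.primary

    def fail(self, name):
        """A unit fails or restarts; only a failed primary triggers negotiation."""
        self.units[name].up = False
        if self.primary == name:
            self.negotiate()
        return self.primary

    def rejoin(self, name):
        """A repaired or replaced unit comes back. Without Override Master it
        cannot reclaim primary status, however high its priority."""
        unit = self.units[name]
        unit.up = True
        if unit.override or self.primary is None:
            self.negotiate()
        return self.primary

    def set_priority(self, name, priority):
        """Changing a unit priority makes the cluster renegotiate."""
        if not 0 <= priority <= 255:
            raise ValueError("unit priority must be 0-255")
        self.units[name].priority = priority
        return self.negotiate()

    def set_override(self, name, enabled=True):
        """Selecting Override Master makes the cluster renegotiate."""
        self.units[name].override = enabled
        return self.negotiate()
```

Running the Table 2 priorities (A 200, B 100, C 50) through the model shows the behaviour that motivates Override Master: after A fails and B takes over, A rejoins as a subordinate, and only with Override Master set does A become primary again.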

To add a new unit to a functioning cluster
1 Configure the new FortiGate unit for HA operation with the same HA configuration as the other units in the cluster.
2 If the cluster is running in Transparent mode, change the operating mode of the new FortiGate unit to Transparent mode.
3 Connect the new FortiGate unit to the cluster.
4 Power on the new FortiGate unit. When the unit starts it negotiates to join the cluster. After it joins the cluster, the cluster synchronizes the new unit configuration with the configuration of the primary unit.

To configure weighted-round-robin weights
By default, in active-active HA mode the weighted round-robin schedule assigns the same weight to each FortiGate unit in the cluster. If you configure a cluster to use the weighted round-robin schedule, you can set weight values to control the number of connections processed by each cluster unit. For example, you might want to reduce the number of connections processed by the primary cluster unit by increasing the weight assigned to the subordinate cluster units.

From the CLI you can use config system ha weight to configure a weight value for each cluster unit. Weight values are entered in order according to the priority of the units in the cluster. The weight value sets the maximum number of connections that are sent to a cluster unit before a connection can be sent to the next cluster unit. For example, if you have a cluster of three FortiGate units, you can enter the following command to configure the weight values for each unit:

    set system ha weight 1 3 3

This command has the following results:
• The first connection is processed by the primary unit.
• The next three connections are processed by the first subordinate unit.
• The next three connections are processed by the second subordinate unit.

The subordinate units process more connections than the primary unit, and both subordinate units, on average, process the same number of connections.

Managing an HA cluster
The configurations of all of the FortiGate units in the cluster are synchronized so that the FortiGate units can function as a cluster. Because of this synchronization, you manage the HA cluster instead of managing the individual FortiGate units in the cluster.

You manage the cluster by connecting to the web-based manager using any cluster interface configured for HTTPS administrative access. You can also manage the cluster by connecting to the CLI using any cluster interface configured for SSH administrative access.

You can also use SNMP to manage the cluster by configuring a cluster interface for SNMP administrative access. Using an SNMP manager you can get cluster configuration information and receive traps. For a list of HA MIB fields, see “HA MIB fields” on page 101 and “FortiGate HA traps” on page 100.
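The weighted round-robin behaviour described above (set system ha weight 1 3 3) and the other active-active schedules listed under “Schedule”, as an added Python simulation. This is illustrative code, not part of the original guide or of FortiGate firmware. Units are given in cluster priority order, primary first, the order in which weights are entered. The hash used for the Hub, IP and IP Port schedules is an assumption: the guide says what those schedules key on, not how they hash.

```python
# Added example (not Fortinet code): a simulation of the active-active
# schedules listed under "Schedule" and of the weighted round-robin weights
# set with "set system ha weight 1 3 3". Unit order is cluster priority order:
# primary first, then the subordinates. The hash used for the Hub, IP and
# IP Port schedules is an assumption; the guide says what those schedules
# key on, not how they hash.
import hashlib
import random
from itertools import cycle


class Scheduler:
    def __init__(self, units, schedule="round-robin", weights=None, seed=0):
        if not units:
            raise ValueError("a cluster needs at least one unit")
        self.units = list(units)
        self.schedule = schedule
        self.active = {u: 0 for u in self.units}   # connections in flight per unit
        self._rng = random.Random(seed)
        weights = weights or [1] * len(self.units)  # default: equal weights
        if len(weights) != len(self.units) or min(weights) < 1:
            raise ValueError("one weight of at least 1 per cluster unit, in priority order")
        # a weight is the number of consecutive connections a unit receives
        # before the next unit is offered one
        self._wrr = cycle(u for u, w in zip(self.units, weights) for _ in range(w))
        self._rr = cycle(self.units)

    def _hashed(self, *fields):
        key = "|".join(str(f) for f in fields).encode()
        digest = hashlib.sha256(key).digest()
        return self.units[int.from_bytes(digest[:4], "big") % len(self.units)]

    def pick(self, src_ip, dst_ip, src_port=0, dst_port=0):
        """Choose the unit that processes a new connection."""
        s = self.schedule
        if s == "none":
            unit = self.units[0]                      # no load balancing: primary handles all
        elif s in ("hub", "ip"):
            unit = self._hashed(src_ip, dst_ip)
        elif s == "ip-port":
            unit = self._hashed(src_ip, src_port, dst_ip, dst_port)
        elif s == "least-connection":
            unit = min(self.units, key=lambda u: (self.active[u], self.units.index(u)))
        elif s == "round-robin":
            unit = next(self._rr)
        elif s == "weighted-round-robin":
            unit = next(self._wrr)
        elif s == "random":
            unit = self._rng.choice(self.units)
        else:
            raise ValueError(f"unknown schedule {s!r}")
        self.active[unit] += 1
        return unit

    def release(self, unit):
        """A connection on `unit` has closed (matters for least-connection)."""
        self.active[unit] -= 1


def dispatch(scheduler, count):
    """Feed `count` constructed connections from five client addresses to the
    scheduler and return the units chosen, in order."""
    return [scheduler.pick(f"10.1.1.{i % 5 + 1}", "203.0.113.10", 40000 + i, 80)
            for i in range(count)]
```

With weights 1 3 3 the first seven connections go primary, sub1, sub1, sub1, sub2, sub2, sub2 and the pattern then repeats, so over a long run the primary handles one connection in seven, which is the effect the weight command is meant to produce.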

You can change the cluster configuration by connecting to the cluster and changing the configuration of the primary FortiGate unit. The cluster automatically synchronizes all configuration changes to the subordinate units in the cluster as the changes are made. The only configuration change that is not synchronized is the FortiGate host name. You can give each cluster unit a unique host name to help to identify cluster members.

You can use the web-based manager to monitor the status and logs of individual cluster members. See “To view the status of each cluster member” on page 92 and “To view and manage logs for individual cluster units” on page 93.

You can manage individual cluster units by using SSH to connect to the CLI of the cluster. From the CLI you can use the execute ha manage command to connect to the CLI of each unit in the cluster. You can also manage individual cluster units by using a null-modem cable to connect to the primary cluster unit. From there you can also use the execute ha manage command to connect to the CLI of each unit in the cluster. See “To manage individual cluster units” on page 94 for more information.

• To view the status of each cluster member
• To view and manage logs for individual cluster units
• To monitor cluster units for failover
• To manage individual cluster units

To view the status of each cluster member
1 Connect to the cluster and log into the web-based manager.
2 Go to System > Config > HA.
3 Select Cluster Members. A list of cluster members appears. The list includes the cluster ID of each cluster member as well as status information for each cluster member.

Figure 5: Example cluster members list

Refresh every
    Select to control how often the web-based manager updates the system status display.
Go
    Select to set the selected refresh interval.
Cluster ID
    Use the cluster ID to identify each FortiGate unit in the cluster.

Status
    Indicates the status of the FortiGate unit.
Up Time
    The time in days, hours, and minutes since the FortiGate unit was last started.
Monitor
    Displays system status information for each cluster unit. See “System Resources” on page 25 for information about individual system status fields.

To view and manage logs for individual cluster units
1 Connect to the cluster and log into the web-based manager.
2 Go to Log&Report > Log Access. The Traffic log, Event log, Attack log, Antivirus log, Web Filter log, and Email Filter log for the primary unit are displayed. The HA Cluster pull-down list displays the serial number of the FortiGate unit for which logs are displayed.
3 Select the serial number of one of the FortiGate units in the cluster to display the logs for that FortiGate unit. You can view, search and manage logs saved to memory or logs saved to the hard disk, depending on the configuration of the cluster unit.

To monitor cluster units for failover
If the primary unit in the cluster fails, the units in the cluster renegotiate to select a new primary unit. Failure of the primary unit results in the following:
• If SNMP is enabled, the new primary FortiGate unit sends the trap message “HA switch”. This trap indicates that the primary unit in an HA cluster has failed and has been replaced with a new primary unit.
• The cluster contains fewer FortiGate units. The failed primary unit no longer appears on the Cluster Members list.
• The host name and serial number of the primary cluster unit change.
• The new primary unit logs the following messages to the event log:
    HA slave became master
    Detected HA member dead

If a subordinate unit fails, the cluster continues to function normally. Failure of a subordinate unit results in the following:
• The cluster contains fewer FortiGate units. The failed unit no longer appears on the Cluster Members list.
• The master unit logs the following message to the event log:
    Detected HA member dead
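Detection logic for the two event log messages named in this procedure, run over constructed sample log lines, as an added example. It is not part of the original guide or of FortiGate firmware. Only the message texts “HA slave became master” and “Detected HA member dead” and the HaSwitch trap come from this guide; the “timestamp host= serial= msg=” layout of the sample lines is an assumption made for the example and has to be adapted to the format of the log export actually in use.

```python
# Added example (not Fortinet code): detection logic for the HA failover
# messages named in this procedure, run over constructed event log lines.
# Only the two message texts, "HA slave became master" and "Detected HA
# member dead", and the HaSwitch trap come from this guide; the
# "timestamp host= serial= msg=" layout of the sample lines is assumed for
# the example and will need adapting to the real log export format.
import re
from dataclasses import dataclass
from datetime import datetime

MEMBER_DEAD = "Detected HA member dead"
BECAME_MASTER = "HA slave became master"
FAILOVER_TRAP = "HaSwitch"

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) host=(?P<host>\S+) '
    r'serial=(?P<serial>\S+) msg="(?P<msg>[^"]*)"$'
)

# Constructed sample: unit B logs that a member died and then that it took
# over (primary failover); later a member dies without a takeover
# (subordinate failure); the last line is unrelated noise.
SAMPLE_EVENT_LOG = """\
2004-07-16 10:14:58 host=fgt-b serial=UNIT-B msg="Detected HA member dead"
2004-07-16 10:14:59 host=fgt-b serial=UNIT-B msg="HA slave became master"
2004-07-16 11:02:10 host=fgt-b serial=UNIT-B msg="Detected HA member dead"
2004-07-16 11:05:00 host=fgt-b serial=UNIT-B msg="User admin login successful"
"""


@dataclass
class HaEvent:
    timestamp: str
    reporter: str   # host name of the unit that logged the message
    serial: str
    kind: str       # "primary-failover", "subordinate-failure" or "primary-switch"

    @property
    def expected_trap(self):
        """Trap an SNMP manager should also have received, if traps are enabled."""
        return FAILOVER_TRAP if self.kind != "subordinate-failure" else None


def _seconds_between(ts1, ts2):
    fmt = "%Y-%m-%d %H:%M:%S"
    return (datetime.strptime(ts2, fmt) - datetime.strptime(ts1, fmt)).total_seconds()


def detect_ha_events(log_text, window_seconds=60):
    """Classify HA messages in time order.

    A "member dead" followed within the window by "slave became master" from
    the same unit is a primary failover (that unit is the new primary, so its
    host name and serial number are what the cluster now reports). A "member
    dead" with no takeover is a subordinate failure. A takeover with no
    preceding death (for example an Override Master unit rejoining) is a
    primary switch.
    """
    events, pending = [], None

    def flush_pending():
        nonlocal pending
        if pending is not None:
            events.append(HaEvent(pending["ts"], pending["host"], pending["serial"],
                                  "subordinate-failure"))
            pending = None

    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a line in the expected layout
        rec = m.groupdict()
        if rec["msg"] == MEMBER_DEAD:
            flush_pending()
            pending = rec
        elif rec["msg"] == BECAME_MASTER:
            if (pending is not None and pending["host"] == rec["host"]
                    and _seconds_between(pending["ts"], rec["ts"]) <= window_seconds):
                events.append(HaEvent(rec["ts"], rec["host"], rec["serial"], "primary-failover"))
                pending = None
            else:
                flush_pending()
                events.append(HaEvent(rec["ts"], rec["host"], rec["serial"], "primary-switch"))
    flush_pending()
    return events
```

A primary failover should be matched against an HA switch trap from the new primary; a failover seen in the logs with no corresponding trap, or a trap with no corresponding log pair, is worth investigating, since it means either the SNMP path or the log path is not reporting.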

To manage individual cluster units
This procedure describes how to log into the primary unit CLI and from there to connect to the CLI of subordinate cluster units. You log into the subordinate unit using the ha_admin administrator account. This built-in administrator account gives you read and write permission on the subordinate unit.

1 Use SSH to connect to the cluster and log into the CLI. Connect to any cluster interface configured for SSH administrative access to log into the cluster. You can also use a direct cable connection to log into the primary unit CLI. To do this you must know which unit is the primary unit.
2 Enter the following command followed by a space and type a question mark (?):
    execute ha manage
  The CLI displays a list of all the subordinate units in the cluster. Each cluster unit is numbered, starting at 1. The information displayed for each cluster unit includes the unit serial number and the host name of the unit.
3 Complete the command with the number of the subordinate unit to log into. For example, to log into subordinate unit 1, enter the following command:
    execute ha manage 1
  Press Enter to connect to and log into the CLI of the selected subordinate unit. If this subordinate unit has a different host name, the CLI prompt changes to this host name. You can use CLI commands to manage this subordinate unit.
4 Enter the following command to return to the primary unit CLI:
    exit
  You can use the execute ha manage command to log into the CLI of any of the other subordinate units in the cluster.

SNMP
You can configure the FortiGate SNMP agent to report system information and send traps (alarms or event messages) to SNMP managers. Using an SNMP manager, you can access SNMP traps and data from any FortiGate interface configured for SNMP management access.

The FortiGate SNMP implementation is read-only. SNMP v1 and v2c compliant SNMP managers have read-only access to FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP manager. RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II) (for more information, see “FortiGate MIBs” on page 98).

This section describes:
• Configuring SNMP
• SNMP community
• FortiGate MIBs
• FortiGate traps
• Fortinet MIB fields

Configuring SNMP
Go to System > Config > SNMP v1/v2c to configure the SNMP agent.

Figure 6: Configuring SNMP

SNMP Agent
    Enable the FortiGate SNMP agent.
Description
    Enter descriptive information about the FortiGate unit. The description can be up to 35 characters long.
Location
    Enter the physical location of the FortiGate unit. The system location description can be up to 35 characters long.
Contact
    Enter the contact information for the person responsible for this FortiGate unit. The contact information can be up to 35 characters long.
Apply
    Save changes made to the description, location, and contact information.
Create New
    Select Create New to add a new SNMP community. You can add up to three SNMP communities.
Communities
    The list of SNMP communities added to the FortiGate configuration.
Name
    The name of the SNMP community.
Queries
    The status of SNMP queries for each SNMP community. The query status can be enabled or disabled.
Traps
    The status of SNMP traps for each SNMP community. The trap status can be enabled or disabled.
Enable
    Select Enable to activate an SNMP community.
Delete icon
    Select Delete to remove an SNMP community.
Edit/View icon
    View or modify an SNMP community.

SNMP community
An SNMP community is a grouping of equipment for network administration purposes. Add SNMP communities so that SNMP managers can connect to the FortiGate unit to view system information and receive SNMP traps. You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and traps, and each community can be configured to monitor the FortiGate unit for a different set of events. You can also add the IP addresses of up to 8 SNMP managers to each community.

Figure 7: SNMP community options (part 1)
Figure 8: SNMP community options (part 2)

Community Name
    Enter a name to identify the SNMP community.
Hosts
    Identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit.
IP Address
    The IP address of an SNMP manager that can use the settings in this SNMP community to monitor the FortiGate unit. You can also set the IP address to 0.0.0.0 so that any SNMP manager that knows the community name can use this SNMP community.
Interface
    Optionally select the name of the interface that this SNMP manager uses to connect to the FortiGate unit. You only have to select the interface if the SNMP manager is not on the same subnet as the FortiGate unit. This can occur if the SNMP manager is on the Internet or behind a router.
Add
    Select Add to add more SNMP managers. You can add up to 8 SNMP managers to a single community. Select the Delete icon to remove an SNMP manager.

Queries
    Enter the Port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiGate unit. Select the Enable check box to activate queries for each SNMP version.
Traps
    Enter the Local and Remote port numbers (162 by default) that the FortiGate unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community. Select the Enable check box to activate traps for each SNMP version.
SNMP Event
    Enable each SNMP event for which the FortiGate unit should send traps to the SNMP managers in this community.

To configure SNMP access to an interface in NAT/Route mode
Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections. See “To control administrative access to an interface” on page 50.
1 Go to System > Network > Interface.
2 Choose an interface that an SNMP manager connects to and select Edit.
3 For Administrative Access, select SNMP.
4 Select OK.

To configure SNMP access to an interface in Transparent mode
Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections. See “To configure the management interface” on page 54.
1 Go to System > Network > Management.
2 Choose an interface that the SNMP manager connects to and select SNMP.
3 Select Apply.

To enable SNMP and configure basic SNMP settings
1 Go to System > Config > SNMP v1/v2c.
2 Select the Enable check box to enable the FortiGate SNMP Agent.
3 Configure the following SNMP settings: Description, Location, and Contact.
4 Select Apply.
5 Add one or more SNMP communities.

To add an SNMP community
1 Go to System > Config > SNMP v1/v2c.
2 Select Create New.
3 Enter a Community Name to identify the SNMP community.
4 Configure Hosts, Queries, Traps, and SNMP Events.
5 Select OK.
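The query an SNMP manager sends to UDP port 161 (the default query port above), built and parsed by hand, as an added example. It is not part of the original guide or of FortiGate firmware. It shows why the community name and the community host list deserve care: in SNMP v1 and v2c the community name is carried as a plain OCTET STRING, so anyone who can observe the traffic can read it and reuse it against every interface with SNMP administrative access. The community name, request id and the queried OID (MIB-II sysDescr.0) are constructed for the example.

```python
# Added example (not Fortinet code): the SNMPv2c GetRequest an SNMP manager
# sends to UDP port 161 (the default query port above), built and parsed by
# hand with BER. It shows why the community name and host list deserve
# care: in SNMP v1/v2c the community name is sent as a plain OCTET STRING,
# so anyone who can see the traffic can read and reuse it. Community name,
# request id and the queried OID are constructed for the example.
SNMP_V2C = 1          # version field value for v2c (v1 is 0)
GET_REQUEST = 0xA0    # context-specific tag of the GetRequest PDU
SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # MIB-II sysDescr.0 (RFC 1213)


def _length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def _integer(value):
    """Minimal two's-complement INTEGER; only non-negative values needed here."""
    if value < 0:
        raise ValueError("negative INTEGER not supported in this example")
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return _tlv(0x02, body)


def _oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed as 40*x+y, then base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def build_get_request(community, oid=SYS_DESCR_0, request_id=1):
    """Message ::= SEQUENCE { version, community, GetRequest-PDU }."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")            # { name, NULL }
    pdu = _tlv(GET_REQUEST, _integer(request_id) + _integer(0) + _integer(0)
               + _tlv(0x30, varbind))                          # error-status, error-index, varbinds
    return _tlv(0x30, _integer(SNMP_V2C) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, bytes(buf[pos:pos + length]), pos + length


def community_from_packet(packet):
    """What a passive observer recovers from one captured v1/v2c message:
    the version and the community name."""
    tag, body, _ = _read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, version, pos = _read_tlv(body)
    ctag, community, _ = _read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("malformed SNMP header")
    return int.from_bytes(version, "big"), community.decode()


def manager_allowed(community_hosts, manager_ip):
    """Host-list rule from the community options: an entry of 0.0.0.0 lets
    any manager that knows the community name use it."""
    return any(host in ("0.0.0.0", manager_ip) for host in community_hosts)
```

Because the community name is the only credential in v1/v2c, the host list and the interface-level SNMP administrative access setting are what actually limit who can query the unit; a community whose host list contains 0.0.0.0 is usable from any address that can reach an SNMP-enabled interface.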

FortiGate MIBs
The FortiGate SNMP agent supports FortiGate proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiGate unit configuration.

The FortiGate MIBs are listed in Table 4. You can obtain these MIB files from Fortinet technical support. To be able to communicate with the SNMP agent, you must compile all of these MIBs into your SNMP manager. Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIBs to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you do not have to compile them again.

Table 4: FortiGate MIBs
MIB file name or RFC
    Description
fortinet.mib
    The Fortinet MIB is a proprietary MIB that includes detailed FortiGate system configuration information. Add this MIB to your SNMP manager to monitor all FortiGate configuration settings. For more information about FortiGate MIB fields, see “Fortinet MIB fields” on page 100.
fortinet.trap.mib
    The Fortinet trap MIB is a proprietary MIB that is required for your SNMP manager to receive traps from the FortiGate SNMP agent. For more information about FortiGate traps, see “FortiGate traps” on page 98.
RFC-1213 (MIB II)
    The FortiGate SNMP agent supports MIB II groups with the following exceptions. No support for the EGP group from MIB II (RFC 1213, section 3.11 and 6.10). Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do not accurately capture all FortiGate traffic activity. More accurate information can be obtained from the information reported by the Fortinet MIB.
RFC-2665 (Ethernet-like MIB)
    The FortiGate SNMP agent supports Ethernet-like MIB information with the following exception. No support for the dot3Tests and dot3Errors groups.

FortiGate traps
The FortiGate agent can send traps to SNMP managers that you have added to SNMP communities. For SNMP managers to receive traps, you must load and compile the Fortinet trap MIB (file name fortinet.trap.mib) onto the SNMP manager. All traps include the trap message as well as the FortiGate unit serial number.

Table 5: General FortiGate traps
Trap message
    Description
ColdStart, WarmStart, LinkUp, LinkDown
    Standard traps as described in RFC 1215.
The <interface_name> Interface IP is changed to <new_IP> (Serial No.: <FortiGate_serial_no>) (IntfIpChange)
    The IP address of an interface of a FortiGate unit changes, that is, the configuration of the interface changes. The trap message includes the name of the interface, the new IP address of the interface, and the serial number of the FortiGate unit. This trap can be used to track interface IP address changes for interfaces configured with dynamic IP addresses set using DHCP or PPPoE.

Table 6: FortiGate system traps
Trap message
    Description
CPU usage high (SysCpuHigh)
    CPU usage exceeds 90%.
Memory low (SysMemLow)
    Memory usage exceeds 90%.
Disk low
    On a FortiGate unit with a hard drive, hard drive usage exceeds 90%.
Interface <interface_name> is up. <FortiGate_serial_no>
    An interface changes from the up state to the running state, indicating that the interface has been connected to a network. When the interface is up it is administratively up but not connected to a network. When the interface is running it is administratively up and connected to a network. The trap message includes the name of the interface and the serial number of the FortiGate unit.
Interface <interface_name> is down. <FortiGate_serial_no>
    An interface changes from the running state to the up state, indicating that the interface has been disconnected from a network. The trap message includes the name of the interface and the serial number of the FortiGate unit.
HA switch
    The primary unit in an HA cluster fails and is replaced with a new primary unit.

Table 7: FortiGate VPN traps
Trap message
    Description
VPN tunnel is up (VpnTunnelUp)
    An IPSec VPN tunnel starts up and begins processing network traffic.
VPN tunnel down (VpnTunnelDown)
    An IPSec VPN tunnel shuts down.

Table 8: FortiGate IPS traps
Trap message
    Description
Syn flood attack (IdsSynFlood)
    NIDS attack prevention detects and provides protection from a syn flood attack.
Port scan attack (IdsPortScan)
    NIDS attack prevention detects and provides protection from a port scan attack.

Table 9: FortiGate antivirus traps
Trap message
    Description
Virus detected (AvVirus)
    The FortiGate unit detects a virus and removes the infected file from an HTTP or FTP download or from an email message.

Table 10: FortiGate logging traps
Trap message
    Description
Log full (SysLogFull)
    On a FortiGate unit with a hard drive, hard drive usage exceeds 90%. On a FortiGate unit without a hard drive, log to memory usage exceeds 90%.

Table 11: FortiGate HA traps
Trap message
    Description
Primary unit switch (HaSwitch)
    A different unit in the HA cluster became the primary unit.

Fortinet MIB fields
The Fortinet MIB contains fields reporting current FortiGate unit status information. The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.mib file into your SNMP manager and browsing the Fortinet MIB fields.

Table 12: System MIB fields

model: FortiGate model number, for example, 400 for the FortiGate-400.
serial: FortiGate unit serial number.
version: The firmware version currently running on the FortiGate unit.
versionAv: The antivirus definition version installed on the FortiGate unit.
versionNids: The attack definition version installed on the FortiGate unit.
haMode: The current FortiGate High-Availability (HA) mode (standalone, A-A, A-P).
opMode: The FortiGate unit operation mode (NAT or Transparent).
cpuUsage: The current CPU usage (as a percent).
memUsage: The current memory utilization (in MB).
sesCount: The current IP session count.

Table 13: HA MIB fields

groupId: HA group ID.
priority: The clustering priority of the individual FortiGate unit in a cluster.
override: The master-override setting (enable or disable) for an individual FortiGate unit in a cluster.
autoSync: Auto config synchronization flag.
schedule: Load balancing schedule for A-A mode.
stats: Statistics for all of the units in the HA cluster.
    index: The index number of the FortiGate unit.
    serial: The FortiGate unit serial number.
    cpuUsage: The current FortiGate unit CPU usage as a percent.
    memUsage: The current FortiGate unit memory usage (in MB).
    netUsage: The current FortiGate unit network utilization (in Mbps).
    sesCount: The number of active sessions being processed by the FortiGate unit.
    pktCount: The number of packets processed by the FortiGate unit.
    byteCount: The number of bytes processed by the FortiGate unit.
    idsCount: The number of attacks detected by the IPS running on the FortiGate unit in the last 20 hours.
    avCount: The number of viruses detected by the antivirus system running on the FortiGate unit in the last 20 hours.

Table 14: Administrator accounts MIB fields

index: The index number of the administrator account added to the FortiGate unit.
name: The user name of an administrator account added to the FortiGate unit.
addr: Up to three trusted host IP addresses for the administrator account.
mask: Up to three trusted host netmasks for the administrator account.
perm: The access profile assigned to the account.

Table 15: Local users MIB fields

index: The index number of the local user added to the FortiGate unit.
name: The user name of the local user added to the FortiGate unit.
auth: The authentication type for the local user. Can be password, LDAP, or RADIUS.
state: Whether the local user is enabled or disabled.

Table 16: Virtual domains MIB fields

index: The index number of the virtual domain added to the FortiGate unit.
name: The name of the virtual domain added to the FortiGate unit. Each FortiGate unit includes at least one virtual domain named root.

Table 17: Active IP sessions MIB fields

index: The index number of the active IP session.
proto: The IP protocol (TCP, UDP, ICMP, and so on) of the IP session.
fromAddr: The source IP address of the active IP session.
fromPort: The source port of the active IP session.
toPort: The destination port of the active IP session.
toAddr: The destination IP address of the active IP session.
expiry: The expiry time or time-to-live in seconds for the session.

Replacement messages

Change replacement messages to customize alert email and information that the FortiGate unit adds to content streams such as email messages, web pages, and FTP sessions. The FortiGate unit adds replacement messages to a variety of content streams. For example, if a virus is found in an email message, the file is removed from the email and replaced with a replacement message. The same applies to pages blocked by web filtering and email blocked by spam filtering.

You can change messages added to email, messages that are displayed to ftp users, web pages in http traffic, alert mail messages, messages added to smtp email, and messages added to web pages blocked by web filter category blocking. The web-based manager describes where each replacement message is used by the FortiGate unit.

Replacement messages list

Figure 9: Replacement messages list

Name: The type of replacement message.
Description: Description of the replacement message type.
Edit/View icon: Select to change a replacement message.

To change a replacement message
1 Go to System > Config > Replacement Messages.
2 Select the category of replacement message to edit by clicking on the blue triangle for that category.
3 For the replacement message that you want to change, select Edit.
4 Edit the content of the message.

Changing replacement messages

Figure 10: Sample HTTP virus replacement message

Replacement messages can be text or HTML messages. You can add HTML code to HTML messages. In addition, replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message. Table 18 lists the replacement message tags that you can add.

Table 18: Replacement message tags

%%FILE%%: The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.
%%VIRUS%%: The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.
%%QUARFILENAME%%: The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages. Quarantining is only available on FortiGate units with a local disk.
%%URL%%: The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.
%%CRITICAL_EVENT%%: Added to alert email critical event email messages. %%CRITICAL_EVENT%% is replaced with the critical event message that triggered the alert email.
%%PROTOCOL%%: The protocol (http, ftp, pop3, imap, smtp) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.
%%SOURCE_IP%%: The IP address of the request originator who would have received the blocked file. For email this is the IP address of the user's computer that attempted to download the message from which the file was removed.
%%DEST_IP%%: The IP address of the request destination from which a virus was received. For email this is the IP address of the email server that sent the email containing the virus. For HTTP this is the IP address of the web page that sent the virus.

Table 18: Replacement message tags (Continued)

%%EMAIL_FROM%%: The email address of the sender of the message from which the file was removed.
%%EMAIL_TO%%: The email address of the intended receiver of the message from which the file was removed.
%%NIDSEVENT%%: The IPS attack message. %%NIDSEVENT%% is added to alert email intrusion messages.
%%SERVICE%%: The name of the web filtering service.
%%CATEGORY%%: The name of the content category of the web site.
%%FORTINET%%: The Fortinet logo.

FortiManager

Configure the FortiGate unit for IPSec communication between the FortiGate unit and a FortiManager server.

Figure 11: FortiManager configuration

Enable FortiManager: Enable secure IPSec VPN communication between the FortiGate unit and a FortiManager Server. When you enable this feature, all communication between the FortiGate unit and the FortiManager server takes place using VPN.
FortiManager ID: The remote ID of the FortiManager IPSec tunnel.
FortiManager IP: The IP Address of the FortiManager Server.
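The tag expansion described for Table 18, written out as an added example (not Fortinet's code) so that a customized message can be checked before it is loaded onto the unit. It assumes that in HTML messages every substituted value is HTML-escaped, because the file name, virus name and URL come from the content that was blocked, and that %%FORTINET%% is the one tag allowed to carry markup; the template and the values are constructed for this example.

```python
import html
import re
from typing import Dict

# Added example (not Fortinet's code): expands the %%TAG%% placeholders from
# Table 18 the way a replacement message would be rendered before it reaches the
# user. Assumption: in HTML messages substituted values are HTML-escaped so that a
# file name, virus name or URL taken from blocked content cannot inject markup.

TAG_PATTERN = re.compile(r"%%([A-Z_]+)%%")

# The tags listed in Table 18; used to flag typos in a customized message.
KNOWN_TAGS = {
    "FILE", "VIRUS", "QUARFILENAME", "URL", "CRITICAL_EVENT", "PROTOCOL",
    "SOURCE_IP", "DEST_IP", "EMAIL_FROM", "EMAIL_TO", "NIDSEVENT",
    "SERVICE", "CATEGORY", "FORTINET",
}


def render_replacement_message(template: str, context: Dict[str, str],
                               is_html: bool) -> str:
    """Replace every %%TAG%% in template with context[TAG].

    Tags with no value are left in place so the gap stays visible instead of
    silently disappearing. In HTML messages every value is escaped; the
    %%FORTINET%% logo is the one tag that legitimately carries markup.
    """
    def substitute(match: re.Match) -> str:
        tag = match.group(1)
        if tag not in context:
            return match.group(0)
        value = context[tag]
        if is_html and tag != "FORTINET":
            value = html.escape(value, quote=True)
        return value

    return TAG_PATTERN.sub(substitute, template)


def unknown_tags(template: str) -> set:
    """Tags in a customized message that Table 18 does not define (likely typos)."""
    return {t for t in TAG_PATTERN.findall(template) if t not in KNOWN_TAGS}


# Constructed sample: an HTTP virus replacement message and the values the
# antivirus scan would supply for it. The file name and URL deliberately contain
# characters that would be interpreted as markup if left unescaped.
SAMPLE_HTML_TEMPLATE = (
    "<html><body>%%FORTINET%%<p>The file <b>%%FILE%%</b> from %%URL%% "
    "was blocked because it contains the virus %%VIRUS%%.</p>"
    "<p>Request from %%SOURCE_IP%%, server %%DEST_IP%%.</p></body></html>"
)
SAMPLE_CONTEXT = {
    "FORTINET": '<img src="/fortinet.gif" alt="Fortinet">',  # constructed logo markup
    "FILE": "invoice<script>alert(1)</script>.exe",
    "URL": 'http://www.example.com/get?id=7&x="y"',
    "VIRUS": "EICAR-Test-File",
    "SOURCE_IP": "192.168.1.25",
    "DEST_IP": "203.0.113.9",
}


if __name__ == "__main__":
    print(render_replacement_message(SAMPLE_HTML_TEMPLATE, SAMPLE_CONTEXT, is_html=True))
    print("unknown tags:", unknown_tags("Blocked %%FILE%% because of %%VIRSU%%"))
```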


FortiGate-60 Administration Guide Version 2.80

System administration

When the FortiGate unit is first installed, it is configured with a single administrator account with the user name admin. From this administrator account, you can add and edit administrator accounts. You can also control the access level of each of these administrator accounts and control the IP address from which the administrator account can connect to the FortiGate unit.

Each administrator account belongs to an access profile. You can create access profiles that deny access to or allow read only, write only, or both read and write access to the following FortiGate features.

System Configuration: Can access the system status, interface, virtual domain, HA, routing, SNMP, time, option, and replacement message features.
Log & Report: Can access the log setting and log message features.
Auth Users: Can access the authorized users feature.
Admin Users: Can access the administrative users feature.
FortiProtect Update: Can access the update options feature.
System Shutdown: Can access the system shutdown and system reboot functions.
Security Policy: Can access the firewall, VPN, IPS, and antivirus features.

This chapter describes:
• Administrators
• Access profiles

Administrators

Use the admin account or an account with system configuration read and write privileges to add new administrator accounts and control their permission levels.

Administrators list

Figure 1: Administrators list

Create New: Add an administrator account.
Name: The login name for an administrator account.
Trusted hosts: The trusted host IP address and netmask from which the administrator can log in.
Permission: The permission profile for the administrator.
Access Profile: The access profile for the administrator. For more information on access profiles, see "Access profile list" on page 109.
The Delete, Edit/View, or Change Password icon: The admin administrator account cannot be deleted.

Administrators options

Figure 2: Administrator account configuration

Administrator: Enter the login name for the administrator account.
Password: Type a password for the administrator account. For improved security, the password should be at least 6 characters long.
Confirm Password: Type the password for the administrator account a second time to confirm that you have typed it correctly.
Trusted Host #1, Trusted Host #2, Trusted Host #3: Optionally type the trusted host IP address and netmask from which the administrator can log into the web-based manager. If you want the administrator to be able to access the FortiGate unit from any address, set the trusted host to 0.0.0.0 and the netmask to 0.0.0.0. To limit the administrator to only be able to access the FortiGate unit from a specific network, set the trusted host to the address of the network and set the netmask to the netmask for the network. For example, to limit an administrator to accessing the FortiGate unit from your internal network, set the trusted host to the address of your internal network (for example, 192.168.1.0) and set the netmask to 255.255.255.0.
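The trusted host rule described above, as an added example (not Fortinet's code) that evaluates a login attempt against up to three trusted host/netmask pairs and lists accounts that are reachable from any address. It assumes the match is (source & netmask) == (trusted host & netmask), that an account with no trusted host entered behaves like 0.0.0.0/0.0.0.0, and that the account names and profiles are constructed; the 192.168.1.0/255.255.255.0 pair is the guide's own example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Added example (not Fortinet's code): the trusted-host check for administrator
# logins. Assumptions: a source is trusted when (src & mask) == (addr & mask); an
# account with no trusted host entered is treated like 0.0.0.0/0.0.0.0.

ANY_HOST = "0.0.0.0"
ANY_MASK = "0.0.0.0"
MAX_TRUSTED_HOSTS = 3  # the web-based manager offers Trusted Host #1 to #3


def _ip(value: str) -> int:
    return int(ipaddress.IPv4Address(value))


@dataclass(frozen=True)
class TrustedHost:
    addr: str
    mask: str

    def matches(self, src_ip: str) -> bool:
        """True when src_ip lies inside this trusted host/netmask pair."""
        return (_ip(src_ip) & _ip(self.mask)) == (_ip(self.addr) & _ip(self.mask))

    def allows_any(self) -> bool:
        """A zero netmask matches every address, whatever the host field holds."""
        return _ip(self.mask) == 0


@dataclass
class AdminAccount:
    name: str
    access_profile: str
    trusted_hosts: List[TrustedHost] = field(default_factory=list)

    def __post_init__(self) -> None:
        if len(self.trusted_hosts) > MAX_TRUSTED_HOSTS:
            raise ValueError(f"{self.name}: at most {MAX_TRUSTED_HOSTS} trusted hosts")

    def may_log_in_from(self, src_ip: str) -> bool:
        """Apply the trusted-host restriction to a login attempt from src_ip."""
        if not self.trusted_hosts:
            return True  # assumption: no entry behaves like 0.0.0.0/0.0.0.0
        return any(th.matches(src_ip) for th in self.trusted_hosts)

    def reachable_from_anywhere(self) -> bool:
        return not self.trusted_hosts or any(th.allows_any() for th in self.trusted_hosts)


def audit_unrestricted_admins(accounts: List[AdminAccount]) -> List[str]:
    """Names of accounts the web-based manager would accept from any address."""
    return [a.name for a in accounts if a.reachable_from_anywhere()]


# Constructed sample accounts (names and profiles are not from the guide).
SAMPLE_ACCOUNTS = [
    AdminAccount("admin", "prof_admin",
                 [TrustedHost("192.168.1.0", "255.255.255.0")]),
    AdminAccount("helpdesk", "readonly_profile",
                 [TrustedHost(ANY_HOST, ANY_MASK)]),
    AdminAccount("netops", "netops_profile",
                 [TrustedHost("192.168.1.0", "255.255.255.0"),
                  TrustedHost("10.1.2.7", "255.255.255.255")]),
]


if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        for ip in ("192.168.1.25", "10.1.2.7", "203.0.113.9"):
            verdict = "allowed" if acct.may_log_in_from(ip) else "denied"
            print(f"{acct.name:9s} from {ip:13s}: {verdict}")
    print("reachable from any address:", audit_unrestricted_admins(SAMPLE_ACCOUNTS))
```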

To configure an administrator account
1 Go to System > Admin > Administrators.
2 Select Create New to add an administrator account or select the Edit icon to make changes to an existing administrator account.
3 Type a login name for the administrator account.
4 Type and confirm a password for the administrator account.
5 Optionally type a Trusted Host IP address and netmask from which the administrator can log into the web-based manager.
6 Select the access profile for the administrator.
7 Select OK.

Figure 3: Change an administrator password

To change an administrator password
1 Go to System > Admin > Administrators.
2 Select the Change Password icon next to the administrator account you want to change the password for.
3 Enter and confirm the new password.
4 Select OK.

Access profiles

Go to System > Admin > Access Profile to add access profiles for FortiGate administrators. Each administrator account belongs to an access profile. You can create access profiles that deny access to or allow read only, write only, or both read and write access to FortiGate features.

Access profile list

Figure 4: Access profile list

Create New: Add a new access profile.
Profile Name: The name of the access profile.
The Delete and Edit icons: You cannot delete the prof_admin access profile.

Access profile options

Figure 5: Access profile option

Profile Name: Enter the name of the access profile.
Allow Read All: Select Allow Read All to give an administrator read privilege on all the items under Access Control.
Allow Write All: Select Allow Write All to give an administrator write privilege on all the items under Access Control.
Access Control: Access Control lists the items that can be controlled by the access profile.
System Configuration: Allow or deny access to the system status, interface, virtual domain, HA, routing, SNMP, time, option, and replacement message features.
Log & Report: Allow or deny access to the log setting, log access, and alert email features.
Auth Users: Allow or deny access to the authorized users feature.
Admin Users: Allow or deny access to the administrative users feature.
FortiProtect Update: Allow or deny access to the FortiProtect Distribution Network update feature.
System Shutdown: Allow or deny access to the system shutdown and reboot functionality.
Security Policy: Allow or deny access to the firewall, VPN, IPS, and antivirus features.

To configure an access profile
1 Go to System > Admin > Access Profile.
2 Select Create New to add an access profile, or select the edit icon to edit an existing access profile.
3 Enter a name for the access profile.
4 Select or clear the Access Control check boxes as required.
5 Select OK.

System maintenance

Use the web-based manager to maintain the FortiGate unit.
• Backup and restore
• Update center
• Support
• Shutdown

Backup and restore

You can back up system configuration, VPN certificate, web and spam filtering files to the management computer. You can also restore system configuration, VPN certificate, web and spam filtering files from previously downloaded backup files.

Figure 1: Backup and restore list

Category: The list of files that can be backed up and restored.
Latest Backup: The date and time of the last backup.
The Restore/Upload, Backup and Reset to factory default icons.

All Configuration Files: Restore or back up all the configuration files.
System settings
    System Configuration: Restore or back up the FortiGate system configuration file.
    Debug Log: Download debug log.
Web Filtering
    Web Content Block: Restore or back up the Web Content Block list.
    Web URL Block List: Restore or back up the Web URL Block list.
    Web URL Exempt List: Restore or back up the Web URL Exempt list.
Spam Filtering
    IP Address: Restore or back up the spam filter IP Address list.
    RBL & ORDBL: Restore or back up the spam filter RBL and ORDBL list.
    Email Address: Restore or back up the spam filter Email Address list.
    MIME Headers: Restore or back up the spam filter MIME Headers list.
    Banned Word: Restore or back up the spam filter Banned word list.
IPS Signatures
    IPS User-Defined Signatures: Upload or download IPS signatures.
VPN certificates
    Local Certificate: Upload a local certificate for use in a VPN. See "To upload local or CA certificates" on page 113.
    CA Certificate: Upload a CA certificate for use in a VPN. See "To upload local or CA certificates" on page 113.
Reset the FortiGate unit to factory defaults: This procedure deletes all changes that you have made to the FortiGate configuration and reverts the system to its original configuration, including resetting interface addresses. This procedure does not change the firmware version or the antivirus or attack definitions.

Backing up and Restoring

To back up all configuration files
1 Go to System > Maintenance > Backup & Restore.
2 For All Configuration Files, select the Backup icon.
3 Enter a password.
4 Select OK.
5 Save the file.

To restore all configuration files
1 Go to System > Maintenance > Backup & Restore.
2 For All Configuration Files, select the Restore icon.
3 Enter the password you used when backing up All Configuration Files.

4 Enter the path and filename of the configuration file, or select Browse and locate the file.
5 Select OK to restore all configuration files to the FortiGate unit.
6 The FortiGate unit restarts, loading the new configuration files. Reconnect to the web-based manager and review your configuration to confirm that the uploaded configuration files have taken effect.

To back up individual categories
1 Go to System > Maintenance > Backup & Restore.
2 Select the Backup icon for the type of file you want to back up.
3 Save the file.

To restore individual categories
1 Go to System > Maintenance > Backup & Restore.
2 Select the Restore icon for the type of file you want to restore.
3 Enter the path and filename of the configuration file, or select Browse and locate the file.
4 Select OK. If you restore the system configuration, the FortiGate unit restarts, loading the new system settings. You should then reconnect to the web-based manager and review your configuration to confirm that the uploaded system settings have taken effect.
5 Select Return. (This step does not apply if you restore the system configuration.)

To upload local or CA certificates
1 Go to System > Maintenance > Backup & Restore.
2 For Local or CA certificates, select the Upload icon.
3 Enter the path and filename of the file, or select Browse and locate the file.
4 Select OK.

Update center

You can configure the FortiGate unit to connect to the FortiProtect Distribution Network (FDN) to update the antivirus and attack definitions and engines. For information about configuring scheduled updates, see "To enable scheduled updates" on page 117.

Before the FortiGate unit can receive antivirus and attack updates, it must be able to connect to the FortiProtect Distribution Network (FDN). The FortiGate unit uses HTTPS on port 8890 to connect to the FDN. The FortiGate unit must be able to route packets to the Internet using port 8890.

You can also configure the FortiGate unit to allow push updates. Push updates are provided to the FortiGate unit from the FDN using HTTPS on UDP port 9443. To receive push updates, the FDN must be able to route packets to the FortiGate unit using UDP port 9443. For information about configuring push updates, see "To enable push updates" on page 119.

The FDN is a world-wide network of FortiProtect Distribution Servers (FDSs). When the FortiGate unit connects to the FDN it connects to the nearest FDS. To do this, all FortiGate units are programmed with a list of FDS addresses sorted by nearest time zone according to the time zone configured for the FortiGate unit.

To receive scheduled updates and push updates, you must register the FortiGate unit on the Fortinet support web page.

The FortiGate unit supports the following antivirus and attack definition update features:
• User-initiated updates from the FDN.
• Hourly, daily, or weekly scheduled antivirus and attack definition and antivirus engine updates from the FDN.
• Update status including version numbers, expiry dates, and update dates and times.
• Push updates from the FDN.
• Push updates through a NAT device.

Figure 2: Update center

FortiProtect Distribution Network: The status of the connection to the FortiProtect Distribution Network (FDN). Unknown means that this FortiGate unit has not attempted to connect to the FDN. Available means that the FortiGate unit can connect to the FDN. Not available means that the FortiGate unit cannot connect to the FDN. You must configure your FortiGate unit and your network so that the FortiGate unit can connect to the Internet and to the FDN. For example, you may need to add routes to the FortiGate routing table or configure your network to allow the FortiGate unit to use HTTPS on port 8890 to connect to the Internet. You may also have to connect to an override FortiProtect server to receive updates. See "To add an override server" on page 117.
Push Update: The status of the FDN's connection to the FortiGate unit for push updates. Unknown means that this FortiGate unit has not attempted to connect to the FDN. Available means that the FDN can connect to the FortiGate unit to send push updates. Not available means that the FDN cannot connect to the FortiGate unit to send push updates. Push updates may not be available if you have not registered the FortiGate unit (see "To register a FortiGate unit" on page 124), if there is a NAT device installed between the FortiGate unit and the FDN (see "Enabling push updates through a NAT device" on page 119), or if your FortiGate unit connects to the Internet using a proxy server (see "To enable scheduled updates through a proxy server" on page 117).
Refresh: When you select Refresh, the FortiGate unit tests its connection to the FDN. The test results are displayed at the top of the System Update page.
Use override server address: If you cannot connect to the FDN or if your organization provides antivirus and attack updates using their own FortiProtect server, you can configure an override server. Select the Use override server address check box and enter the IP address of a FortiProtect server. If after applying the override server address, the FortiProtect Distribution Network setting changes to available, the FortiGate unit has successfully connected to the override server. If the FortiProtect Distribution Network stays set to not available, the FortiGate unit cannot connect to the override server. Check the FortiGate configuration and the network configuration to make sure you can connect to the override FortiProtect server from the FortiGate unit.
Allow Push Update: Select this check box to allow automatic updates of the FortiGate unit. You can configure the FortiGate unit for scheduled updates. See "To enable scheduled updates" on page 117. You can configure the FortiGate unit to receive push updates. See "To enable push updates" on page 119.
Update: The antivirus and attack definitions and engines for which update information is displayed.
Version: The version numbers of the definition files and engines currently installed on the FortiGate unit.
Expiry date: The expiry date of your license for definition and engine updates.
Last update attempt: The date and time on which the FortiGate unit last attempted to download definition and engine updates.
Last update status: The result of the last update attempt. No updates means the last update attempt was successful but no new updates were available. Update succeeded or similar messages mean the last update attempt was successful and new updates were installed. Other messages can indicate that the FortiGate was not able to connect to the FDN and other error conditions.

Use override push: Select this check box and enter the override IP address and port number. Override push IP addresses and ports are used when there is a NAT device between the FortiGate Unit and the FDN. The FortiGate unit sends the override push IP address and Port to the FDN. The FDN will now use this IP address and port for push updates to the FortiGate unit on the internal network. If the External IP Address or External Service Port change, add the changes to the Use override push configuration and select Apply to update the push information on the FDN. For more information, see "Enabling push updates through a NAT device" on page 119.
Scheduled Update: Select this check box to enable scheduled updates.
Every: Attempt to update once every 1 to 23 hours. Select the number of hours and minutes between each update request.
Daily: Attempt to update once a day. You can specify the time of day to check for updates.
Weekly: Attempt to update once a week. You can specify the day of the week and the time of day to check for updates.
Update Now: Select Update Now to manually initiate an update.
Apply: Select Apply to save update settings.

Updating antivirus and attack definitions

Use the following procedures to configure the FortiGate unit to connect to the FortiProtect Distribution Network (FDN) to update the antivirus and attack definitions and engines.

To make sure the FortiGate unit can connect to the FDN
1 Go to System > Config > Time and make sure the time zone is set to the time zone for the region in which your FortiGate unit is located.
2 Go to System > Maintenance > Update center.
3 Select Refresh. The FortiGate unit tests its connection to the FDN. The test results are displayed at the top of the System Update page.

To update antivirus and attack definitions
1 Go to System > Maintenance > Update center.
2 Select Update Now to update the antivirus and attack definitions and engines. If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following:
Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update.
After a few minutes, if an update is available, the System Update Center page lists new version information for antivirus definitions, the antivirus engine, attack definitions or the attack engine. The System Status page also displays new dates and version numbers for antivirus and attack definitions. Messages are recorded to the event log indicating whether the update was successful or not.

To enable scheduled updates
1 Go to System > Maintenance > Update center.
2 Select the Scheduled Update check box.
3 Select one of the following to check for and download updates.
    Every: Once every 1 to 23 hours. Select the number of hours and minutes between each update request.
    Daily: Once a day. You can specify the time of day to check for updates.
    Weekly: Once a week. You can specify the day of the week and the time of day to check for updates.
4 Select Apply. The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log.

To add an override server

If you cannot connect to the FDN, or if your organization provides antivirus and attack updates using their own FortiProtect server, you can use the following procedure to add the IP address of an override FortiProtect server.
1 Go to System > Maintenance > Update center.
2 Select the Use override server address check box.
3 Type the IP address of a FortiProtect server.
4 Select Apply. The FortiGate unit tests the connection to the override server. If the FortiProtect Distribution Network setting changes to available, the FortiGate unit has successfully connected to the override server. If the FortiProtect Distribution Network stays set to not available, the FortiGate unit cannot connect to the override server. Check the FortiGate configuration and network configuration for settings that would prevent the FortiGate unit from connecting to the override FortiProtect server.

To enable scheduled updates through a proxy server

If your FortiGate unit must connect to the Internet through a proxy server, you can use the config system autoupdate tunneling command to allow the FortiGate unit to connect (or tunnel) to the FDN using the proxy server. Using this command you can specify the IP address and port of the proxy server. As well, if the proxy server requires authentication, you can add the user name and password required for the proxy server to the autoupdate configuration. The full syntax for enabling updates through a proxy server is:

config system autoupdate tunneling
    set address <proxy-address_ip>
    set port <proxy-port>
    set username <username_str>
    set password <password_str>
    set status enable
end

For example, if the IP address of the proxy server is 67.35.50.34, its port is 8080, the user name is proxy_user and the password is proxy_pwd, enter the following command:

config system autoupdate tunneling
    set address 67.35.50.34
    set port 8080
    set username proxy_user
    set password proxy_pwd
    set status enable
end

For more information about the config system autoupdate tunneling command, see the FortiGate CLI Reference Guide.

The FortiGate unit connects to the proxy server using the HTTP CONNECT method, as described in RFC 2616. The FortiGate unit sends an HTTP CONNECT request to the proxy server (optionally with authentication information) specifying the IP address and port required to connect to the FDN. The proxy server establishes the connection to the FDN and passes information between the FortiGate unit and the FDN.

The CONNECT method is used mostly for tunneling SSL traffic. Some proxy servers do not allow the CONNECT to connect to any port; they restrict the allowed ports to the well known ports for HTTPS and perhaps some other similar services. Because FortiGate autoupdates use HTTPS on port 8890 to connect to the FDN, your proxy server might have to be configured to allow connections on this port.

There are no special tunneling requirements if you have configured an override server address to connect to the FDN.

Note: Push updates are not supported if the FortiGate unit must use a proxy server to connect to the FDN. For more information, see "To enable scheduled updates through a proxy server" on page 117.

Enabling push updates

The FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push updates. See "To register a FortiGate unit" on page 124.

When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN. The next time a new antivirus engine, new antivirus definitions, new attack definitions or new attack engine are released, the FDN notifies all FortiGate units that are configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiGate unit requests an update from the FDN.
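The CONNECT exchange described above, as an added example (not Fortinet's code): one side builds the RFC 2616 CONNECT request with optional Basic proxy credentials, the other is a stand-in proxy that reproduces the two failure modes the guide warns about, authentication required and a port allowlist that does not include 8890. FDN_HOST is a placeholder because the FDS addresses are programmed into the unit and not given on this page; the credentials are the guide's own example values.

```python
import base64
from typing import Optional, Tuple

# Added example (not Fortinet's code): the HTTP CONNECT request the guide describes,
# plus a minimal stand-in proxy so both halves of the exchange can be inspected.
FDN_PORT = 8890                        # FortiGate autoupdate uses HTTPS on port 8890
FDN_HOST = "fds.placeholder.invalid"   # placeholder, not a real FDS address


def build_connect_request(host: str, port: int,
                          username: Optional[str] = None,
                          password: Optional[str] = None) -> bytes:
    """CONNECT request per RFC 2616, with optional Basic proxy credentials."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_proxy_response(raw: bytes) -> Tuple[int, str]:
    """Return (status code, reason phrase) from the proxy's status line."""
    status_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    return int(parts[1]), (parts[2] if len(parts) > 2 else "")


def tunnel_established(raw: bytes) -> bool:
    """RFC 2616: any 2xx reply to CONNECT means the tunnel is open."""
    return 200 <= parse_proxy_response(raw)[0] < 300


def simulate_proxy(request: bytes, allowed_ports: Tuple[int, ...],
                   expected_credentials: Optional[Tuple[str, str]]) -> bytes:
    """Stand-in proxy (constructed): enforces Basic auth and a CONNECT port allowlist.

    407 is returned when credentials are required but missing or wrong, 403 when
    the target port is not on the allowlist (the case the guide warns about when a
    proxy permits CONNECT only to well-known HTTPS ports).
    """
    head, *headers = request.decode("ascii").split("\r\n")
    method, target, _version = head.split(" ")
    if method != "CONNECT":
        return b"HTTP/1.1 405 Method Not Allowed\r\n\r\n"
    if expected_credentials is not None:
        want = base64.b64encode(":".join(expected_credentials).encode()).decode()
        if f"Proxy-Authorization: Basic {want}" not in headers:
            return (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                    b'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n')
    port = int(target.rsplit(":", 1)[1])
    if port not in allowed_ports:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return b"HTTP/1.1 200 Connection established\r\n\r\n"


def autoupdate_via_proxy(username: Optional[str], password: Optional[str],
                         proxy_allowed_ports: Tuple[int, ...],
                         proxy_credentials: Optional[Tuple[str, str]]) -> Tuple[int, str]:
    """Run the FortiGate side against the stand-in proxy and report the outcome."""
    request = build_connect_request(FDN_HOST, FDN_PORT, username, password)
    return parse_proxy_response(simulate_proxy(request, proxy_allowed_ports, proxy_credentials))


if __name__ == "__main__":
    creds = ("proxy_user", "proxy_pwd")  # the guide's example values
    print(build_connect_request(FDN_HOST, FDN_PORT, *creds).decode())
    print("8890 allowed:", autoupdate_via_proxy(*creds, (443, 8890), creds))
    print("443 only:   ", autoupdate_via_proxy(*creds, (443,), creds))
    print("bad password:", autoupdate_via_proxy("proxy_user", "nope", (443, 8890), creds))
```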

you must configure port forwarding on the NAT device and add the port forwarding information to the push update configuration. If your FortiGate unit is running in NAT/Route mode. Select Allow Push Update. see “Enabling push updates through a NAT device” on page 119. However. Push updates when FortiGate IP addresses change The SETUP message that the FortiGate unit sends when you enable push updates includes the IP address of the FortiGate interface that the FDN connects to. The FortiGate unit sends the SETUP message if you change the WAN1 IP address manually or if you have set the WAN1 interface addressing mode to DHCP or PPPoE and your DHCP or PPPoE server changes the IP address. the FDN can maintain the most up-to-date WAN1 IP address for the FortiGate unit. If your FortiGate unit is running in Transparent mode. FortiGate-60 Administration Guide 01-28003-0002-20040716 119 . the FortiGate unit sends a new SETUP message to notify the FDN of the address change. Also. Using port forwarding. To enable push updates 1 2 3 Go to System > Maintenance > Update center. On average the FortiGate unit receives new updates sooner through push updates than if the FortiGate unit receives only scheduled updates. The FDN must be able to connect to this IP address for your FortiGate unit to be able to receive push update messages. Whenever the WAN1 IP address of the FortiGate unit changes. the SETUP message includes the FortiGate management IP address. As long as the FortiGate unit sends this SETUP message and the FDN receives it. the SETUP message includes the FortiGate WAN1 IP address. configuring push updates is recommended in addition to configuring scheduled updates. Note: You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (for example.System maintenance Update center When the network configuration permits. the FDN connects to the FortiGate unit using either port 9443 or an override push port that you specify. 
scheduled updates make sure that the FortiGate unit receives the latest updates. Enabling push updates is not recommended as the only method for obtaining updates. the FortiGate unit also sends the SETUP message to notify the FDN of the address change. the FortiGate unit also sends the SETUP message when one Internet connection goes down and the FortiGate unit fails over to the other Internet connection. Select Apply. If you have redundant connections to the Internet. In Transparent mode if you change the management IP address. The FortiGate unit might not receive the push notification. Enabling push updates through a NAT device If the FDN can connect to the FortiGate unit only through a NAT device. If your FortiGate unit is behind a NAT device. set using PPPoE or DHCP). when the FortiGate unit receives a push notification it makes only one attempt to connect to the FDN and download updates.
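The push-update path through a NAT device, as an added example that is not part of the original guide or of Fortinet's software: a Python model of the SETUP announcement (WAN1 address in NAT/Route mode, management IP in Transparent mode, port 9443 unless an override push port is set) and of the port forwarding virtual IP on the NAT device. The check function lists the misconfigurations that stop a push notification from arriving. The dataclass fields, interface roles and every address in the usage section are assumptions made for illustration.

```python
"""Added example (not Fortinet's code): model of the push-update announcement and
NAT port forwarding. Field names and sample addresses are assumptions."""
from dataclasses import dataclass

PUSH_PORT = 9443  # port the FDN connects to unless an override push port is configured


@dataclass(frozen=True)
class PortForward:
    """A port forwarding virtual IP on the NAT device (Firewall > Virtual IP)."""
    external_ip: str
    external_port: int
    map_to_ip: str
    map_to_port: int = PUSH_PORT


@dataclass(frozen=True)
class PushConfig:
    """Update center settings of the unit that should receive push updates."""
    mode: str                      # "nat" (NAT/Route mode) or "transparent"
    wan1_ip: str
    management_ip: str = ""
    allow_push: bool = True
    use_override: bool = False
    override_ip: str = ""
    override_port: int = PUSH_PORT


def unit_address(cfg: PushConfig) -> str:
    """Address the FDN must actually reach: WAN1 in NAT/Route mode, management IP in Transparent mode."""
    return cfg.management_ip if cfg.mode == "transparent" else cfg.wan1_ip


def setup_message(cfg: PushConfig):
    """(ip, port) the unit announces to the FDN in its SETUP message, or None when push is off."""
    if not cfg.allow_push:
        return None
    if cfg.use_override:
        return (cfg.override_ip, cfg.override_port)
    return (unit_address(cfg), PUSH_PORT)


def push_problems(cfg: PushConfig, forwards=(), nat_external_dynamic=False):
    """Simulate the FDN connecting to the announced address, optionally through the
    NAT device's port forwarding list, and return every reason the push would fail."""
    announced = setup_message(cfg)
    if announced is None:
        return ["Allow Push Update is not selected"]
    own = (unit_address(cfg), PUSH_PORT)
    if not forwards:
        # Unit is directly reachable: an override must not point the FDN somewhere else.
        if cfg.use_override and announced != own:
            return [f"override push address {announced} is not the unit's own address {own}"]
        return []
    problems = []
    if nat_external_dynamic:
        problems.append("NAT device external IP is dynamic (DHCP/PPPoE); push updates cannot be received")
    if not cfg.use_override:
        problems.append(f"SETUP announces the unit's own address {announced}, "
                        "which the FDN cannot reach through the NAT device")
        return problems
    ip, port = announced
    hits = [f for f in forwards if (f.external_ip, f.external_port) == (ip, port)]
    if not hits:
        problems.append(f"no port forwarding virtual IP for {ip}:{port} on the NAT device")
        return problems
    fwd = hits[0]
    if fwd.map_to_ip != own[0]:
        problems.append(f"virtual IP maps to {fwd.map_to_ip}, but the unit is at {own[0]}")
    if fwd.map_to_port != PUSH_PORT:
        problems.append(f"Map to Port is {fwd.map_to_port}; it must be {PUSH_PORT}")
    return problems


if __name__ == "__main__":
    # Constructed example values: an internal unit behind a FortiGate NAT device.
    nat_vip = PortForward("203.0.113.1", 9443, "192.168.10.2")
    inner = PushConfig(mode="nat", wan1_ip="192.168.10.2",
                       use_override=True, override_ip="203.0.113.1", override_port=9443)
    print("announced:", setup_message(inner))
    print("problems:", push_problems(inner, [nat_vip]))
    print("without override:", push_problems(PushConfig(mode="nat", wan1_ip="192.168.10.2"), [nat_vip]))
```

The override push IP and port the internal unit announces must be exactly the external IP and external service port of the virtual IP on the NAT device, and the virtual IP must map to the unit's own address on port 9443; each of the messages returned corresponds to one of the steps in the procedures that follow.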

General procedure

Use the following steps to configure the FortiGate NAT device and the FortiGate unit on the internal network so that the FortiGate unit on the internal network can receive push updates:
1 Add a port forwarding virtual IP to the FortiGate NAT device.
2 Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual IP.
3 Configure the FortiGate unit on the internal network with an override push IP and port.

Note: Before completing the following procedure, you should register the internal network FortiGate unit so that it can receive push updates.

To add a port forwarding virtual IP to the FortiGate NAT device
Configure a FortiGate NAT device to use port forwarding to forward push update connections from the FDN to a FortiGate unit on the internal network.
1 Go to Firewall > Virtual IP.
2 Select Create New.
3 Type a name for the virtual IP.
4 In the External Interface section, select the external interface that the FDN connects to.
5 In the Type section, select Port Forwarding.
6 In the External IP Address section, type the external IP address that the FDN connects to.
7 Type the External Service Port that the FDN connects to.
8 In the Map to IP section, type the IP address of the FortiGate unit on the internal network. If the FortiGate unit is operating in NAT/Route mode, enter the IP address of the external interface. If the FortiGate unit is operating in Transparent mode, enter the management IP address.
9 Set the Map to Port to 9443.
10 Select OK.

To add a firewall policy to the FortiGate NAT device
1 Add a new external to internal firewall policy.
2 Configure the policy with the following settings:
Source        External_All
Destination   The virtual IP added above.
Schedule      Always
Service       ANY
Action        Accept
NAT           Selected.
3 Select OK.

To configure the FortiGate unit on the internal network
1 Go to System > Maintenance > Update center.
2 Select the Allow Push Update check box.
3 Select the Use override push check box.
4 Set IP to the external IP address added to the virtual IP.
5 Set Port to the external service port added to the virtual IP.
6 Select Apply.
The FortiGate unit sends the override push IP address and port to the FDN. The FDN now uses this IP address and port for push updates to the FortiGate unit on the internal network.
7 You can select Refresh to make sure that push updates work. Push Update changes to Available.

If the external IP address or external service port changes, add the changes to the Use override push configuration and select Apply to update the push information on the FDN.

Support

You can use the Support page to report problems with the FortiGate unit to Fortinet Support or to register your FortiGate unit with the FortiProtect Distribution Server (FDS).

Figure 3: Support
Report Bug        Select Report Bug to submit problems with the FortiGate unit to Fortinet Support.
FDS Registration  Select FDS Registration to register the FortiGate unit with Fortinet.

Sending a bug report

Use the Report Bug form to send bug information to Fortinet support.

Figure 4: Bug report
Contact Information                  Enter the contact information so that Fortinet support can reply to your bug report.
Bug Description*                     Enter a description of the problem you have encountered with the FortiGate unit.
Send diagnostic information          Send diagnostic information about the FortiGate unit, including its current configuration, to Fortinet for analysis.
Send email by default mail-relay     Submit the bug report using the default mail relay.
Test                                 Test the default mail relay.
Send email by customized mail-relay  Submit the bug report using a customized mail relay.
SMTP Server                          The SMTP server to use for sending bug report email.
User Name                            A valid user name on the specified SMTP server.
Password                             If the SMTP server requires authentication, enter the password required.
Authentication                       Select Yes if the SMTP server does require authentication. Select No if the SMTP server does not require authentication.

Items marked with an * are required.

To report a bug
1 Go to System > Maintenance > Support.
2 Select Report Bug.
3 Fill out the Report Bug form.
4 Select Submit.

To configure a customized mail relay
1 Go to System > Maintenance > Support.
2 Select Report Bug.
3 Select Send email by customized mail-relay.
4 Enter the SMTP server information, whether or not to use authentication, the user name, and the password if required.

Registering a FortiGate unit

After purchasing and installing a new FortiGate unit, you can register the unit using the web-based manager by going to the System Update Support page, or by using a web browser to connect to http://support.fortinet.com and selecting Product Registration.

Registration consists of entering your contact information and the serial numbers of the FortiGate units that you or your organization purchased. You can register multiple FortiGate units in a single session without re-entering your contact information. Once registration is completed, Fortinet sends a Support Login user name and password to your email address. You can use this user name and password to log on to the Fortinet support web site to:
• View your list of registered FortiGate units
• Register additional FortiGate units
• Add or change FortiCare Support Contract numbers for each FortiGate unit
• View and change registration information
• Download virus and attack definitions updates
• Download firmware upgrades
• Modify registration information after an RMA
Soon you will also be able to:
• Access Fortinet user documentation
• Access the Fortinet knowledge base

All registration information is stored in the Fortinet Customer Support database. This information is used to make sure that your registered FortiGate units can be kept up to date. All information is strictly confidential. Fortinet does not share this information with any third-party organizations for any reason.

Owners of a new FortiGate unit are entitled to 90 days of technical support services. To continue receiving support services after the 90-day expiry date, you must purchase a FortiCare Support Contract from an authorized Fortinet reseller or distributor. Different levels of service are available so you can purchase the support that you need. See your Fortinet reseller or distributor for details of packages and pricing. For maximum network protection, Fortinet strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates.

To activate the FortiCare Support Contract, you must register the FortiGate unit and add the FortiCare Support Contract number to the registration information. You can also register the FortiGate unit without purchasing a FortiCare Support Contract. In that case, when you purchase a FortiCare Support Contract you can update the registration information to add the support contract number.

A single FortiCare Support Contract can cover multiple FortiGate units. You must enter the same service contract number for each of the FortiGate models covered by the service contract.

To register a FortiGate unit

Before registering a FortiGate unit, you require the following information:
• Your contact information including:
  • First and last name
  • Company name
  • Email address (Your Fortinet support login user name and password will be sent to this email address.)
  • Address
  • Contact phone number
• A security question and an answer to the security question. This information is used for password recovery. The security question should be a simple question that only you know the answer to. The answer should not be easy to guess.
• The product model and serial number for each FortiGate unit that you want to register. The serial number is located on a label on the bottom of the FortiGate unit. You can view the Serial number from the web-based manager by going to System > Status. The serial number is also available from the CLI using the get system status command.
• FortiCare Support Contract numbers, if you purchased FortiCare Support Contracts for the FortiGate units that you want to register.

1 Go to System > Maintenance > Support.
2 Select FDS Registration.
3 Enter your contact information on the product registration form.
4 Provide a security question and an answer to the security question.
5 Select the model number of the Product Model to register.
6 Enter the Serial Number of the FortiGate unit.
7 If you have purchased a FortiCare Support Contract for this FortiGate unit, enter the support contract number.

8 Select Finish.
If you have entered a support contract number, a real-time validation is performed to verify that the SCN information matches the FortiGate unit. If the information does not match you can try entering it again. If you have not entered a FortiCare Support Contract number (SCN) you can return to the previous page to enter the number. If you do not have a FortiCare Support Contract, you can select Continue to complete the registration.
9 A web page is displayed that contains detailed information about the Fortinet technical support services available to you for the registered FortiGate unit. Your Fortinet support user name and password is sent to the email address provided with your contact information.

Shutdown

You can use the Maintenance page to log out, restart and shut down the FortiGate unit.

Figure 5: System shut down

To log out of the system
1 Go to System > Maintenance > Shutdown.
2 Select Logout.
3 Select Apply.
The FortiGate unit logs out.

To restart the system
1 Go to System > Maintenance > Shutdown.
2 Select Reboot.
3 Select Apply.
The FortiGate unit restarts.

To shut down the system
You can restart the FortiGate unit after shutdown only by turning the power off and then on.
1 Go to System > Maintenance > Shutdown.
2 Select Shutdown.
3 Select Apply.
The FortiGate unit shuts down and all traffic flow stops.

To reset the FortiGate unit to factory defaults
Use the following procedure to reset system settings to the values set at the factory. This procedure does not change the firmware version or the antivirus or attack definitions.

Caution: This procedure deletes all changes that you have made to the FortiGate configuration and reverts the system to its original configuration, including resetting interface addresses.

1 Go to System > Maintenance > Shutdown.
2 Select Reset to factory default.
3 Select Apply.
The FortiGate unit restarts with the configuration that it had when it was first powered on.
4 Reconnect to the web-based manager and review the system configuration to confirm that it has been reset to the default settings.

FortiGate-60 Administration Guide Version 2.80

System virtual domain

FortiGate virtual domains provide multiple logical firewalls and routers in a single FortiGate unit. Using virtual domains, one FortiGate unit can provide exclusive firewall and routing services to multiple networks so that traffic from each network is effectively separated from every other network.

You can develop and manage interfaces, VLAN subinterfaces, zones, firewall policies, routing, and VPN configuration for each virtual domain separately. This separation simplifies configuration because you do not have to manage as many routes or firewall policies at one time. For these configuration settings, each virtual domain is functionally similar to a single FortiGate unit.

When a packet enters a virtual domain on the FortiGate unit, it is confined to that virtual domain. In a given domain, you can only create firewall policies for connections between VLAN subinterfaces or zones in the virtual domain. Packets never cross the virtual domain border.

The remainder of FortiGate functionality is shared between virtual domains. This means that there is one IPS configuration, one antivirus configuration, one web filter configuration, one protection profile configuration, and so on shared by all virtual domains. As well, virtual domains share firmware versions, antivirus and attack databases, and user databases. For a complete list of shared configuration settings, see "Shared configuration settings" on page 129.

Virtual domains are functionally similar in NAT/Route and in Transparent mode. In both cases interfaces, VLAN subinterfaces, zones, firewall policies, routing, and VPN configurations are exclusive to each virtual domain and other configuration settings are shared. A major difference between NAT/Route and Transparent mode is that in Transparent mode, interfaces and VLAN interfaces do not have IP addresses and routing is much simpler.

The FortiGate unit supports 2 virtual domains: root and one additional virtual domain.

This chapter describes:
• Virtual domain properties
• Virtual domains
• Configuring virtual domains

Virtual domain properties

By default, each FortiGate unit runs a virtual domain named root. This virtual domain includes all of the FortiGate physical interfaces, VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings.

Once you add a virtual domain you can configure it by adding VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings. You can also move physical interfaces from the root virtual domain to other virtual domains and move VLAN subinterfaces from one virtual domain to another. This process works the same way in NAT/Route and in Transparent mode.

Exclusive virtual domain properties

The following configuration settings are exclusively part of a virtual domain and are not shared between virtual domains.
• System settings
  • Physical interfaces (see "To add physical interfaces to a virtual domain" on page 132)
  • VLAN subinterfaces (see "To add VLAN subinterfaces to a virtual domain" on page 133)
  • Zones (see "To add zones to a virtual domain" on page 133)
  • Management IP (Transparent mode) (see "To select a management virtual domain and add a management IP" on page 132)
• Routing configuration
  • Router configuration in NAT/Route mode (see "To configure routing for a virtual domain in NAT/Route mode" on page 134)
  • Routing table configuration in Transparent mode (see "To configure the routing table for a virtual domain in Transparent mode" on page 134)
• Firewall settings
  • Policies (see "To add firewall policies to a virtual domain" on page 134)
  • Addresses (see "To add firewall addresses to a virtual domain" on page 135)
  • IP pools (are associated with an interface) (see "To add IP pools to a virtual domain" on page 135)
  • Virtual IPs (are associated with an interface) (see "To add Virtual IPs to a virtual domain" on page 135)
• VPN (see "To configure VPN for a virtual domain" on page 136)
  • IPSec
  • PPTP
  • L2TP
  • Certificates

Shared configuration settings

The following configuration settings are shared by all virtual domains. Even if you have configured multiple virtual domains, there are no changes to how you configure the following settings.
• Unit configuration
  • Host Name
  • Firmware Version
  • Antivirus Definitions and engine
  • Attack Definitions and engine
  • Serial Number
  • Operation Mode
• Network configuration
  • DNS settings
  • DHCP configuration (DHCP settings are applied per interface no matter which virtual domain the interface has been added to)
• System Config
  • Time
  • Options
  • HA
  • SNMP v1/v2c
  • Replacement messages
  • FortiManager configuration
• System Admin
  • Administrators
  • Access profiles
• System Maintenance
  • Update Center
• Firewall
  • Services including custom services and service groups
  • Schedules
  • Protection Profiles
• Users and authentication
• IPS
• Antivirus
• Web filter
• Spam filter
• Log and report

Administration and management

In addition to the global properties, virtual domains share a common administrative model. Administrators have access to all of the virtual domains on the FortiGate unit. Administrators logging into the CLI or web-based manager always log into the root domain and then must enter the virtual domain that they want to administer.

Management systems such as SNMP, logging, alert email, updates using the FDN, and setting system time using NTP use addresses and routing in the root virtual domain to communicate with the network and can only connect to network resources that can communicate with the root virtual domain. You can select a different management virtual domain if you want these systems to communicate with network resources that can connect to a different virtual domain.

Virtual domains

Go to System > Virtual domain > Virtual domains to view and add virtual domains. The default virtual domain is root.

Figure 1: Virtual domain list
Create New           Add a new virtual domain.
Current              The name of the current virtual domain. Select Change to choose a different domain.
Management           The name of the virtual domain used for system management. Select Change to choose a different domain.
Max. Virtual Domains Shows the maximum number of virtual domains for this FortiGate unit.
Name                 The name of the virtual domain.
Current              A check mark icon in this column indicates that this is the current domain.
Management           A check mark icon in this column indicates that this is the domain used for system management.
Delete icon          Select to delete a virtual domain. You cannot delete the root virtual domain or a domain that is used for system management.

See the following procedures for configuring virtual domains:
• To add VLAN subinterfaces to a virtual domain
• To view the interfaces in a virtual domain
• To add zones to a virtual domain
• To select a management virtual domain and add a management IP
• To configure routing for a virtual domain in NAT/Route mode
• To configure the routing table for a virtual domain in Transparent mode
• To add firewall policies to a virtual domain
• To add firewall addresses to a virtual domain
• To add IP pools to a virtual domain
• To add Virtual IPs to a virtual domain
• To configure VPN for a virtual domain

Adding a virtual domain

To add a virtual domain
1 Go to System > Virtual domain.
2 Select Create New.
3 Enter a virtual domain Name.
4 Select OK.

Selecting a virtual domain

The following procedure applies to NAT/Route and Transparent mode.

To select a virtual domain to configure
1 Go to System > Virtual domain > Virtual domains.
2 Select Change following the current virtual domain name above the table.
3 Choose the virtual domain to configure.
4 Select OK.
The footer of the web-based manager page displays the selected virtual domain name if the information and configuration options on the page are exclusive to the virtual domain. See "Exclusive virtual domain properties" on page 128. Otherwise, the footer displays "Virtual Domain: all".

Selecting a management virtual domain

In NAT/Route mode, you select a virtual domain to be used for system management. In Transparent mode, you must also define a management IP. The interface that you want to use for management access must have Administrative Access enabled. See "To control administrative access to an interface" on page 50.

To select a management virtual domain
The following procedure applies to NAT/Route mode only.
1 Go to System > Virtual Domain > Virtual Domains.
2 Select Change beside the listed Management virtual domain.
3 Choose the management domain and select OK.

Note: You cannot delete a management virtual domain. You must first select a different domain for system management.

To select a management virtual domain and add a management IP
The following procedure applies to Transparent mode only.
1 Go to System > Network > Management.
2 Select the Management Virtual Domain.
3 Enter the Management IP/Netmask.
4 Enter the Default Gateway.
5 Select Apply.
The FortiGate unit displays the following message: Management IP address was changed. Click here to redirect.
6 Click on the message to connect to the new Management IP.

Configuring virtual domains

The following procedures explain how to configure virtual domains:
• Adding interfaces, VLAN subinterfaces, and zones to a virtual domain
• Configuring routing for a virtual domain
• Configuring firewall policies for a virtual domain
• Configuring IPSec VPN for a virtual domain

Adding interfaces, VLAN subinterfaces, and zones to a virtual domain

To add physical interfaces to a virtual domain
A virtual domain must contain at least two interfaces. These can be physical interfaces or VLAN interfaces. By default all physical interfaces are in the root virtual domain and the following procedure describes how to move a physical interface from one virtual domain to another.
You cannot remove a physical interface from a virtual domain if firewall policies have been added for it. Delete the firewall policies or remove the interface from the firewall policies first. If the interface has been added to a zone, it is removed from the zone when you move it to a different virtual domain.
1 Go to System > Network > Interface.
2 Set Virtual domain to All or to the name of the virtual domain that currently contains the interface.
3 Select Edit for the physical interface you want to move.
4 Choose the Virtual Domain to which to move the interface.
5 Select OK.
The physical interface moves to the virtual domain. Firewall IP pools and virtual IPs added for this interface are deleted. You should manually delete any routes that include this interface.

To add VLAN subinterfaces to a virtual domain
A virtual domain must contain at least two interfaces. These can be physical interfaces or VLAN interfaces. VLAN subinterfaces are usually not in the same virtual domain as the physical interfaces that they are added to. The following procedure describes how to move a VLAN subinterface from one virtual domain to another. To add a new VLAN to a virtual domain in NAT/Route mode, see "To add a VLAN subinterface in NAT/Route mode" on page 64. To add a new VLAN to a virtual domain in Transparent mode, see "To add a VLAN subinterface in Transparent mode" on page 69.
You cannot remove a VLAN subinterface from a virtual domain if firewall policies have been added for it. Delete the firewall policies or remove the VLAN subinterface from the firewall policies first. If the VLAN subinterface has been added to a zone, it is removed from the zone when you move it to a different virtual domain.
1 Go to System > Network > Interface.
2 Set Virtual domain to All or to the name of the virtual domain that currently contains the VLAN subinterface.
3 Select Edit for the VLAN subinterface you want to move.
4 Choose the Virtual Domain to which to move the VLAN subinterface.
5 Select OK.
The VLAN subinterface moves to the virtual domain. Firewall IP pools and virtual IPs added for this VLAN subinterface are deleted. You should manually delete any routes that include this VLAN subinterface.

To view the interfaces in a virtual domain
1 Go to System > Network > Interface.
2 Choose the Virtual domain you want to view.
The interfaces added to this virtual domain are listed.

To add zones to a virtual domain
The following procedure applies to NAT/Route and Transparent mode.
1 Go to System > Virtual domain > Virtual domains.
2 Select Change following the current virtual domain name above the table.
3 Choose the virtual domain to add zones to.

4 Select OK.
5 Go to System > Network > Zone.
6 Select Create new.
Any zones that you add are added to the current virtual domain. See "Zone" on page 51.

Configuring routing for a virtual domain

To configure routing for a virtual domain in NAT/Route mode
1 Go to System > Virtual domain > Virtual domains.
2 Select Change following the current virtual domain name above the table.
3 Choose the virtual domain for which to configure routing.
4 Select OK.
5 Go to Router.
6 Configure routing for the current virtual domain as required. See "Router" on page 137.
Network traffic entering this virtual domain is routed only by the routing configuration for the current virtual domain.

To configure the routing table for a virtual domain in Transparent mode
1 Go to System > Virtual domain > Virtual domains.
2 Select Change following the current virtual domain name above the table.
3 Choose the virtual domain for which to configure routing.
4 Select OK.
5 Go to System > Network > Routing Table.
6 Configure the routing table for the current virtual domain as required. See "Routing table (Transparent Mode)" on page 55.
Network traffic entering this virtual domain is routed only by the static routes added to the current virtual domain.

Configuring firewall policies for a virtual domain

To add firewall policies to a virtual domain
The following procedure applies to NAT/Route and Transparent mode.
1 Go to System > Virtual domain > Virtual domains.
2 Select Change following the current virtual domain name above the table.
3 Choose the virtual domain for which to configure firewall policies.
4 Select OK.
5 Go to Firewall > Policy.

6 Select Create new to add firewall policies to the current virtual domain. See "Policy" on page 158.
You can only add firewall policies for the physical interfaces, VLAN subinterfaces, or zones added to the current virtual domain. The firewall policies that you add are only visible when you are viewing the current virtual domain. Network traffic accepted by the interfaces and VLAN subinterfaces added to this virtual domain is controlled by the firewall policies added to this virtual domain.

To add firewall addresses to a virtual domain
The following procedure applies to NAT/Route and Transparent mode.
1 Go to System > Virtual domain > Virtual domains.
2 Select Change following the current virtual domain name above the table.
3 Choose the virtual domain for which to configure firewall addresses.
4 Select OK.
5 Go to Firewall > Address.
6 Add new firewall addresses, address ranges, and address groups to the current virtual domain. See "Address" on page 165.

To add IP pools to a virtual domain
The following procedure applies to NAT/Route mode.
1 Go to System > Virtual domain > Virtual domains.
2 Select Change following the current virtual domain name above the table.
3 Choose the virtual domain for which to configure firewall IP pools.
4 Select OK.
5 Go to Firewall > IP Pool.
6 Add new IP pools as required for the current virtual domain. See "IP pool" on page 185.

To add Virtual IPs to a virtual domain
The following procedure applies to NAT/Route mode.
1 Go to System > Virtual domain > Virtual domains.
2 Select Change following the current virtual domain name above the table.
3 Choose the virtual domain for which to configure virtual IPs.
4 Select OK.
5 Go to Firewall > Virtual IP.
6 Add new virtual IPs as required for the current virtual domain. See "Virtual IP" on page 181.

Configuring IPSec VPN for a virtual domain

To configure VPN for a virtual domain
The following procedure applies to NAT/Route and Transparent mode.
1 Go to System > Virtual domain > Virtual domains.
2 Select Change following the current virtual domain name above the table.
3 Choose the virtual domain for which to configure VPN.
4 Select OK.
5 Go to VPN.
6 Configure IPSec VPN, PPTP, L2TP, and certificates as required. See "IPSec VPN" on page 211 and "PPTP and L2TP VPNs" on page 247.
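The virtual domain rules stated in this chapter (a policy may only join interfaces of one virtual domain, an interface with policies cannot be moved, moving an interface drops its zone membership, IP pools and virtual IPs and leaves stale routes behind, and every virtual domain needs at least two interfaces), as an added example that is not part of the original guide or of Fortinet's software: a small Python model that can serve as a pre-flight check before you move interfaces between virtual domains. Interface names, domain names and the data layout are assumptions.

```python
"""Added example (not Fortinet's code): a model of the virtual domain rules used as a
pre-flight check for interface moves. Names and data layout are assumptions."""
from collections import defaultdict

MAX_VIRTUAL_DOMAINS = 2  # the FortiGate-60 supports root plus one additional domain


class VdomError(ValueError):
    """Raised when an operation would violate a virtual domain rule."""


class VdomModel:
    def __init__(self):
        self.vdom_of = {}                     # interface -> virtual domain
        self.zone_of = {}                     # interface -> zone name
        self.policies = []                    # (vdom, source interface, destination interface)
        self.ip_pools = defaultdict(list)     # interface -> IP pool ranges
        self.virtual_ips = defaultdict(list)  # interface -> virtual IP names
        self.routes = []                      # (vdom, destination prefix, device)

    def add_interface(self, name, vdom="root"):
        """By default every physical interface starts in the root virtual domain."""
        domains = set(self.vdom_of.values()) | {vdom}
        if len(domains) > MAX_VIRTUAL_DOMAINS:
            raise VdomError(f"at most {MAX_VIRTUAL_DOMAINS} virtual domains are supported")
        self.vdom_of[name] = vdom

    def add_policy(self, src, dst):
        """A policy may only join interfaces (or zones) of the same virtual domain,
        because packets never cross the virtual domain border."""
        if self.vdom_of[src] != self.vdom_of[dst]:
            raise VdomError(f"{src} ({self.vdom_of[src]}) and {dst} ({self.vdom_of[dst]}) "
                            "are in different virtual domains")
        self.policies.append((self.vdom_of[src], src, dst))

    def move_interface(self, name, new_vdom):
        """Move an interface to another virtual domain. Policies that reference it block
        the move; its zone membership, IP pools and virtual IPs are dropped; routes that
        still reference it are returned so the operator can delete them by hand."""
        blocking = [p for p in self.policies if name in p[1:]]
        if blocking:
            raise VdomError(f"{name} is referenced by {len(blocking)} firewall policy(ies); "
                            "delete them or remove the interface from them first")
        old = self.vdom_of[name]
        self.zone_of.pop(name, None)
        self.ip_pools.pop(name, None)
        self.virtual_ips.pop(name, None)
        self.vdom_of[name] = new_vdom
        return [r for r in self.routes if r[0] == old and r[2] == name]

    def undersized_domains(self):
        """Virtual domains that do not yet contain the required two interfaces."""
        members = defaultdict(list)
        for iface, vdom in self.vdom_of.items():
            members[vdom].append(iface)
        return {v: ifs for v, ifs in members.items() if len(ifs) < 2}


if __name__ == "__main__":
    # Constructed example: carve a "dmz" virtual domain out of root.
    m = VdomModel()
    for iface in ("internal", "wan1", "dmz", "wan2"):
        m.add_interface(iface)
    m.add_policy("internal", "wan1")
    m.routes.append(("root", "0.0.0.0/0", "wan2"))
    print("stale routes after moving wan2:", m.move_interface("wan2", "vd1"))
    m.move_interface("dmz", "vd1")
    print("undersized domains:", m.undersized_domains())
    try:
        m.move_interface("wan1", "vd1")
    except VdomError as err:
        print("blocked:", err)
```

The returned route list is the part the web-based manager leaves to you: the guide says to delete routes that include a moved interface manually, so a check like this run before the move tells you which ones.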

Router

This chapter describes how to configure FortiGate routing and RIP.
• Static route
• Policy
• RIP
• Router objects
• Monitor

Static route

You can configure routing to add static routes to control the destination of traffic exiting the FortiGate unit. You configure routes by adding destination IP addresses and netmasks and adding gateways for these destination addresses. The gateways are the next hop routers to which to route traffic that matches the destination addresses in the route.

You can also configure the administrative distance for a route to indicate the order of preferability when more than one route is available to the same network. The lower the administrative distance the greater the preferability of the route.

The FortiGate unit assigns routes using a best match algorithm. To select a route for a packet, the FortiGate unit searches through the routing table for a route that best matches the destination address of the packet. If a match is not found, the FortiGate unit routes the packet using the default route.
• Static route list
• Static route options

Static route list

Figure 1: Static routes
Create New  Add a new static route.
#           The sequence number for this route.
IP          The destination IP address for this route.

Mask        The netmask for this route.
Gateway     The IP address of the first next hop router to which this route directs traffic.
Device      The name of the FortiGate interface through which to route traffic.
Distance    The administrative distance for the route. A lower administrative distance indicates a more preferred route.
The Delete, Edit, and Move icons.

Static route options

Figure 2: Static route configuration
Destination IP/Mask  Enter the destination IP address and netmask for this route. Enter 0.0.0.0/0.0.0.0 to add a default route.
Gateway              Enter the IP address of the first next hop router to which this route directs traffic.
Device               Select the name of the FortiGate interface through which to route traffic.
Distance             Enter the administrative distance for the route. Using administrative distance you can specify the relative priorities of different routes to the same destination. A lower administrative distance indicates a more preferred route. Distance can be an integer from 1-255.

To add or edit a static route
1 Go to Router > Static > Static Route.
2 Select Create New to add a new route or select the edit icon beside an existing route to edit that route.
3 Enter the Destination IP address and netmask for the route. Enter 0.0.0.0/0.0.0.0 if you are configuring a default route. You can enter the IP address and netmask using the following formats.
  • x.x.x.x/x.x.x.x
  • x.x.x.x/x
4 Add the Gateway IP address.
5 For Device, select the FortiGate interface through which to route traffic for this route.
6 If required, change the administrative Distance.
7 Select OK.

To move static routes
1 Go to Router > Static > Static Route.
2 Select the Move to icon beside the route you want to move.
Current Order shows the existing number for this route.

Figure 3: Move a static route

3 For Move to, select either Before or After and type the number that you want to place this route before or after.
4 Select OK. The route is displayed in the new location on the static route list.

Policy

Using policy routing you can configure the FortiGate unit to route packets based on:
• Source address
• Protocol, service type, or port range
• Incoming or source interface

The FortiGate unit starts at the top of the policy routing list and attempts to match the packet with a policy. The policy route supplies the next hop gateway as well as the FortiGate interface to be used by the traffic. If no policy route matches the packet, the FortiGate unit routes the packet using the regular routing table.

• Policy route list
• Policy route options

Policy route list

Figure 4: Policy routes

Create New  Add a new policy route.
#  The sequence number for this policy route.
Incoming  The policy route attempts to match packets received on this interface.
Outgoing  The policy route sends packets out this interface.
Source  The policy route matches packets that have this source IP address and netmask.
Destination  The policy route matches packets that have this destination IP address and netmask.
The Delete and Edit icons.

x. You can enter the IP address and netmask using the following formats. Match packets that have this destination IP address and netmask. enter the same port number for both From and To. 140 01-28003-0002-20040716 Fortinet Inc.x. Optionally enter a Protocol number. out this interface.x.x x. . Match packets that have this destination port range. Select the Incoming Interface.x.x.x.x/x. Enter the Gateway Address. • • 6 7 8 9 x. Select Create New to add a new policy route or select the edit icon beside an existing policy route to edit that policy route.x/x Optionally enter the Destination Ports. Incoming Interface Match packets that are received on this interface. Select the Outgoing Interface. Outgoing Interface Send packets that match this policy route.Policy Router Policy route options Figure 5: Policy route configuration Protocol Source Address / Mask Destination Address / Mask Destination Ports Match packets that have this protocol number. To match a single port. Select OK. Gateway Address To add a policy route 1 2 3 4 5 Go to Router > Policy Route. Send packets that match this policy route to this next hop router. Match packets that have this source IP address and netmask. Enter the Source Address / Mask and the Destination Address / Mask.

RIP

The FortiGate implementation of the Routing Information Protocol (RIP) supports both RIP version 1 as defined by RFC 1058, and RIP version 2 as defined by RFC 2453. RIP version 2 enables RIP messages to carry more information, and to support simple authentication and subnet masks.

RIP is a distance-vector routing protocol intended for small, relatively homogeneous networks. RIP uses hop count as its routing metric. Each network is usually counted as one hop. The network diameter is limited to 15 hops.

• General
• Networks list
• Networks options
• Interface list
• Interface options
• Distribute list
• Distribute list options
• Offset list
• Offset list options

General

Figure 6: RIP General settings

RIP Version  Enable sending and receiving RIP version 1 packets, RIP version 2 packets, or both for all RIP-enabled interfaces. You can override this setting on a per interface basis. See “Interface options” on page 144.
Default Metric  For non-default routes in the static routing table and directly connected networks the default metric is the metric that the FortiGate unit advertises to adjacent routers. This metric is added to the metrics of learned routes. The default metric can be a number from 1 to 16.
Enable Default-information-originate  Advertise a default static route into RIP.

RIP Timers  RIP timer defaults are effective in most configurations. Only change the RIP timers if required. All routers and access servers in the network should have the same RIP timer settings.
Update  The time interval in seconds between RIP updates.
Timeout  The time interval in seconds after which a route is declared unreachable. The route is removed from the routing table. RIP holds the route until the garbage timer expires and then deletes the route. If RIP receives an update for the route before the timeout timer expires, then the timeout timer is restarted. If RIP receives an update for the route after the timeout timer expires but before the garbage timer expires, then the entry is switched back to reachable. The value of the timeout timer should be at least three times the value of the update timer.
Garbage  The time in seconds that must elapse after the timeout interval for a route expires, before RIP deletes the route. If RIP receives an update for the route after the timeout timer expires but before the garbage timer expires, then the entry is switched back to reachable.

Redistribute:
Connected  Advertise routes learned from directly connected networks.
Metric  Enter the metric to be used for the redistributed connected routes.
Route-map  Enter the name of the route map to use for the redistributed connected routes. For information on how to configure route maps, see “Route-map list” on page 152.
Static  Advertise routes learned from static routes.
Metric  Enter the metric to be used for the redistributed static routes.
Route-map  Enter the name of the route map to use for the redistributed static routes. For information on how to configure route maps, see “Route-map list” on page 152.

To configure RIP general settings
1 Go to Router > RIP > General.
2 Select the default RIP Version.
3 Change the Default Metric if required.
4 Select Enable Default-information-originate if the configuration requires advertising a default static route into RIP.
5 Select Apply.

To configure RIP route redistribution
1 Go to Router > RIP > General.
2 Select Connected or Static or both.
3 Enter the Default Metric to be used for the redistributed routes.
4 Select a Route-map name.
5 Select Apply.

Networks list

Identify the networks for which to send and receive RIP updates. If a network is not specified, interfaces in that network will not be advertised in RIP updates.

Figure 7: RIP Networks list

Create New  Add a new RIP network.
IP/Netmask  The IP address and netmask for the RIP network.
The Delete and Edit icons.

Networks options

Figure 8: RIP Networks configuration

To configure a RIP network
1 Go to Router > RIP > Networks.
2 Select Create New to add a new RIP network or select the edit icon beside an existing RIP network to edit that RIP network.
3 Enter the IP address and netmask for the network. You can enter the IP address and netmask using the following formats.
• x.x.x.x/x.x.x.x
• x.x.x.x/x
4 Select OK.

Interface list

Configure RIP version 2 authentication, RIP version send and receive for the specified interface, and configure and enable split horizon. Authentication is only available for RIP version 2 packets sent and received by an interface. Set authentication to None if Send Version or Receive Version are set to 1 or 1 2.

Figure 9: RIP interface list

Interface  The FortiGate interface name.
Send Version  The RIP send version for this interface.
Receive Version  The RIP receive version for this interface.
Split-Horizon  The split horizon type.
Authentication  The authentication type.
The Edit icon.

Interface options

Figure 10: RIP interface configuration

Interface  The FortiGate interface name.
Send Version  Setting the Send Version here overrides the default RIP version for this interface. Select 1 to configure RIP to send RIP version 1 messages from an interface. Select 2 to configure RIP to send RIP version 2 messages from an interface. Select Both to configure RIP to send both RIP version 1 and RIP version 2 messages from an interface. RIP routing messages are UDP packets that use port 520.
Receive Version  Setting the Receive Version here overrides the default RIP version for this interface. Select 1 to configure RIP to listen for RIP version 1 messages on an interface. Select 2 to configure RIP to listen for RIP version 2 messages on an interface. Select Both to configure RIP to listen for both RIP version 1 and RIP version 2 messages on an interface. RIP routing messages are UDP packets that use port 520.
Split-Horizon  Configure RIP to use either regular or poisoned reverse split horizon on this interface. Select Regular to prevent RIP from sending updates for a route back out the interface from which it received that route. Select Poisoned reverse to send updates with routes learned on an interface back out the same interface but with the routes marked as unreachable.

Authentication  Select the authentication used for RIP version 2 packets sent and received by this interface. If you select None, no authentication is used. If you select Text, the authentication key is sent as plain text. If you select MD5, the authentication key is used to generate an MD5 hash. Both text mode and MD5 mode only guarantee the authenticity of the update packet, not the confidentiality of the routing information in the packet. In text mode the key is sent in clear text over the network, so anyone able to capture RIP traffic on the segment can read the key and use it to forge updates. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the network; use MD5 where deliberately injected or spoofed routes are a concern.
Password  Enter a password (key) to use for authentication for RIP version 2 packets sent and received by this interface. The key can be up to 35 characters long. Enter a password here when you only want to configure one key.
Key-chain  Enter the name of the key chain to use for authentication for RIP version 2 packets sent and received by this interface. Use key chains when you want to configure multiple keys. For information on how to configure key chains, see “Key chain list” on page 154.

To configure a RIP interface
1 Go to Router > RIP > Interface.
2 Select the edit icon beside an Interface to configure that interface.
3 Select a Send Version if you want to override the default send version for this interface.
4 Select a Receive Version if you want to override the default receive version for this interface.
5 Select the Split-Horizon check box to enable split horizon.
6 Select either Regular or Poisoned reverse to set the split horizon type.
7 Select the Authentication mode.
8 Select Password and enter a password (key) if this interface is using RIP version 2 and if you are configuring only one key for this interface and do not want to use a key chain.
9 Select Key-chain and select the key chain to use if this interface is using RIP version 2 and you want to use key chains for authentication for this interface.
10 Select OK.

Distribute list

Use distribute lists to filter incoming or outgoing updates using an access list or a prefix list. If you do not specify an interface the filter will be applied to all interfaces. You must configure the access list or prefix list that you want the distribute list to use before you configure the distribute list. For more information on configuring access lists and prefix lists, see “Access list” on page 148 and “Prefix list” on page 150.

Figure 11: RIP Distribute list

Create New  Add a new distribute list.
Direction  The direction for the filter.
Filter  The type of filter and the filter name.
Interface  The interface to use this filter on. If no interface name is displayed, this distribute list is used for all interfaces.
Enable  The status of this distribute list.
The Delete and Edit icons.

Distribute list options

Figure 12: RIP Distribute list configuration

Direction  Set the direction for the filter. Select In to filter incoming packets. Select Out to filter outgoing packets.
prefix-list  Select prefix-list to use a prefix list for this distribute list. Select the name of the prefix list to use for this distribute list.
access-list  Select access-list to use an access list for this distribute list. Select the name of the access list to use for this distribute list.
Interface  Select an interface to apply this distribute list to, or select the blank entry to apply this distribute list to all interfaces.
Enable  Select Enable to enable the distribute list.

To configure a distribute list
1 Go to Router > RIP > Distribute List.
2 Select Create New to add a new distribute list or select the edit icon beside an existing distribute list to edit that distribute list.
3 Set Direction to In or Out.
4 Select either prefix-list or access-list.
5 Select the prefix list or access list to use for this distribute list.
6 Select the name of the interface to apply this distribute list to. If you do not specify an interface, this distribute list will be used for all interfaces.
7 Select or clear the Enable check box to enable or disable this distribute list.
8 Select OK.

Offset list

Use offset lists to add the specified offset to the metric of a route. The access list is used to determine which routes to add the metric to.

Figure 13: RIP Offset list

Create New  Add a new offset list.
Direction  The direction for the offset list.
Access-list  The access list to use for this offset list.
Offset  The offset number to add to the metric for this offset list.
Interface  The interface to match for this offset list.
Enable  The status of this offset list.
The Delete and Edit icons.

Offset list options

Figure 14: RIP Offset list configuration

Direction  Select In to apply the offset to the metrics of incoming routes. Select Out to apply the offset to the metrics of outgoing routes.
Access-list  Select the access list to use for this offset list.
Offset  Enter the offset number to add to the metric. Enter a number from 1 to 16.
Interface  Select the interface to match for this offset list.
Enable  Select Enable to enable this offset list.

To configure an offset list
1 Go to Router > RIP > Offset List.
2 Select Create New to add a new offset list or select the edit icon beside an existing offset list to edit that offset list.
3 Set Direction to In or Out.
4 Select the access list to use for this offset list.
5 Enter the offset number.
6 Select the interface to match for this offset list.
7 Check or clear the Enable check box to enable or disable this offset list.
8 Select OK.
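The RIP behaviours described in this section, as one added walk-through: an incoming update is filtered by a distribute list (an access list: first match wins, no match means deny), an In offset list is added to the advertised metric, one hop is added for the link the update arrived on, a metric of 16 means unreachable, outgoing updates apply regular split horizon or poisoned reverse, and a route that is not refreshed goes through the timeout and garbage timers. This is illustrative code written for this page, not the FortiGate implementation; interface names, gateways, prefixes and the timer values are made up, and the rules for when a received metric replaces the installed one follow RFC 2453 section 3.9.2 rather than anything stated on this page.

```python
"""RIP route intake, split horizon and timers.  Added illustration, not
FortiGate code; interfaces, addresses and timer values are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List, Optional, Tuple

INFINITY = 16                              # RIP hop count meaning "unreachable"
UPDATE, TIMEOUT, GARBAGE = 30, 180, 120    # sample timers; timeout >= 3 * update


@dataclass
class RipRoute:
    metric: int
    gateway: str
    iface: str                        # interface the route was learned on
    learned_at: float                 # last refresh; the timeout timer runs from here
    timed_out_at: Optional[float] = None   # set when the timeout timer expired


def access_list_permits(acl: List[Tuple[str, str]], prefix: IPv4Network) -> bool:
    """First entry whose network contains the prefix decides; no match = deny."""
    for net, action in acl:
        if prefix.subnet_of(IPv4Network(net)):
            return action == "permit"
    return False


class RipTable:
    def __init__(self, distribute_in=None, offset_in=0, split_horizon="regular"):
        self.routes: Dict[IPv4Network, RipRoute] = {}
        self.distribute_in = distribute_in or []   # access list used by the In distribute list
        self.offset_in = offset_in                  # In offset list, applied to every permitted route
        self.split_horizon = split_horizon          # "regular" or "poisoned"

    def receive(self, iface: str, gateway: str, entries, now: float) -> None:
        """Process one inbound update: a list of (prefix, advertised metric)."""
        for prefix, adv_metric in entries:
            prefix = IPv4Network(prefix)
            if not access_list_permits(self.distribute_in, prefix):
                continue                                 # dropped by the distribute list
            metric = min(adv_metric + 1 + self.offset_in, INFINITY)
            cur = self.routes.get(prefix)
            if metric >= INFINITY:
                # the current next hop says it is unreachable: start the garbage timer
                if cur and cur.gateway == gateway and cur.timed_out_at is None:
                    cur.metric, cur.timed_out_at = INFINITY, now
                continue
            # install if new, better, or any refresh from the current next hop
            # (a refresh restarts the timeout timer; a timed-out route becomes reachable again)
            if cur is None or metric < cur.metric or cur.gateway == gateway:
                self.routes[prefix] = RipRoute(metric, gateway, iface, now)

    def age(self, now: float) -> None:
        """Run the timeout and garbage timers."""
        for prefix, r in list(self.routes.items()):
            if r.timed_out_at is None and now - r.learned_at >= TIMEOUT:
                r.metric, r.timed_out_at = INFINITY, now    # unreachable, held until garbage
            elif r.timed_out_at is not None and now - r.timed_out_at >= GARBAGE:
                del self.routes[prefix]                     # finally deleted

    def advertise(self, out_iface: str) -> List[Tuple[str, int]]:
        """Build the outgoing update for one interface, applying split horizon."""
        update = []
        for prefix, r in sorted(self.routes.items()):
            if r.iface == out_iface:
                if self.split_horizon == "regular":
                    continue                     # never send a route back where it came from
                update.append((str(prefix), INFINITY))     # poisoned reverse
            else:
                update.append((str(prefix), r.metric))
        return update


def walk_through() -> dict:
    """Drive one table through the cases above and record what each stage shows."""
    out = {}
    t = RipTable(distribute_in=[("10.10.0.0/16", "deny"), ("0.0.0.0/0", "permit")],
                 offset_in=2, split_horizon="regular")
    # 10.10.5.0/24 is denied by the distribute list; 10.30.0.0/16 reaches 16 = unreachable
    t.receive("dmz", "10.0.1.2", [("10.10.5.0/24", 1), ("10.20.0.0/16", 3), ("10.30.0.0/16", 13)], now=0)
    out["installed"] = {str(p): r.metric for p, r in t.routes.items()}
    out["to_dmz_regular"] = t.advertise("dmz")              # learned on dmz: suppressed
    out["to_internal"] = t.advertise("internal")
    t.split_horizon = "poisoned"
    out["to_dmz_poisoned"] = t.advertise("dmz")             # sent back with metric 16
    t.age(now=TIMEOUT)                                      # no refresh: route times out
    out["after_timeout"] = t.advertise("internal")
    t.receive("dmz", "10.0.1.2", [("10.20.0.0/16", 3)], now=TIMEOUT + 10)   # reachable again
    out["revived"] = t.advertise("internal")
    t.age(now=TIMEOUT + 10 + TIMEOUT)                       # times out a second time...
    t.age(now=TIMEOUT + 10 + TIMEOUT + GARBAGE)             # ...and is garbage collected
    out["after_garbage"] = t.advertise("internal")
    return out


if __name__ == "__main__":
    for stage, value in walk_through().items():
        print(stage, value)
```

Two things worth noticing in the output: with an In offset of 2 the route arrives with metric 6 rather than 4, so an offset list is an easy way to make a path less attractive without filtering it, and a route that times out is still advertised (with metric 16) until the garbage timer removes it, which is what lets neighbours learn that it is gone.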

Router objects

Router objects are a set of tools used by routing protocols and features.
• Access list
• New access list
• New access list entry
• Prefix list
• New Prefix list
• New prefix list entry
• Route-map list
• New Route-map
• Route-map list entry
• Key chain list
• New key chain
• Key chain list entry

Access list

Access lists are filters used by FortiGate routing features. Each rule in an access list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and any more specific prefix. The FortiGate unit attempts to match a packet against the rules in an access list starting at the top of the list. If it finds a match for the prefix it takes the action specified for that prefix. If no match is found the default action is deny. For an access list to take effect it must be called by another FortiGate routing feature such as RIP or OSPF. An access list and a prefix list cannot have the same name.

Figure 15: Access list

Create New  Add a new access list name.
Name  The access list name.
Action  The action to take for the prefix in an access list entry.
Prefix  The prefix in an access list entry.
Add access-list entry. The Delete and Edit icons.

New access list

Figure 16: Access list name configuration

To add an access list name
1 Go to Router > Router Objects > Access List.
2 Select Create New.
3 Enter a name for the access list.
4 Select OK.

New access list entry

Figure 17: Access list entry configuration

list Entry  The access list name and the number of this entry.
Action  Set the action to take for this prefix to Permit or Deny.
Prefix  Select Match any to match any prefix. Select Match a network address and enter the prefix (IP address and netmask) for this access list rule.
Exact match  By default, access list rules are matched on the prefix or any more specific prefix. Enable Exact match to match only the configured prefix.

To configure an access list entry
1 Go to Router > Router Objects > Access List.
2 Select the Add access-list entry icon to add a new access list entry or select the edit icon beside an existing access list entry to edit that entry.
3 Select Permit or Deny for the Action to take for the prefix in this access list entry.
4 Select either Match any or Match a network address.
5 If you selected Match a network address, enter the IP address and netmask that define the prefix for this access list entry. You can enter the IP address and netmask using the following formats.
• x.x.x.x/x.x.x.x
• x.x.x.x/x
6 Select Exact match if required.
7 Select OK.

Prefix list

A prefix list is an enhanced version of an access list that allows you to control the length of the prefix netmask. Each rule in a prefix list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and maximum and minimum prefix length settings. The FortiGate unit attempts to match a packet against the rules in a prefix list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found the default action is deny. For a prefix list to take effect it must be called by another FortiGate routing feature such as RIP or OSPF. An access list and a prefix list cannot have the same name.

Figure 18: Prefix list

Create New  Add a new prefix list name.
Name  The prefix list name.
Action  The action to take for the prefix in a prefix list entry.
Prefix  The prefix in a prefix list entry.
GE  The greater than or equal to number.
LE  The less than or equal to number.
Add prefix-list entry. The Delete and Edit icons.

New Prefix list

Figure 19: Prefix list name configuration

To add a prefix list name
1 Go to Router > Router Objects > Prefix List.
2 Select Create New.
3 Enter a name for the prefix list.
4 Select OK.

x x. • • 6 7 8 x.x. Greater or equal to Match prefix lengths that are greater than or equal to this number. To configure a prefix list entry 1 2 3 4 5 Go to Router > Router Objects > Prefix List. Select Match any to match any prefix.The number can be from 0 to 32.x. Select the Add prefix-list entry icon to add a new prefix list entry or select the edit icon beside an existing prefix list entry to edit that entry. If you selected Match a network address.x.x/x Select Greater or equal to and enter a number from 0 to 32 to match prefix lengths that are greater than or equal to this number.x. enter the IP address and netmask that define the prefix for this prefix list entry. Select Permit or Deny for the Action to take for the prefix in this prefix list entry. Select OK. Select Match a network address and enter the prefix (IP address and netmask) for this prefix list entry. The setting for Greater or equal to should be greater than the netmask set for Prefix. The setting for Less or equal to should be greater than the setting for Greater or equal to.x. Less or equal to Match prefix lengths that are less than or equal to this number. The number can be from 0 to 32. FortiGate-60 Administration Guide 01-28003-0002-20040716 151 . The setting for Greater or equal to should be less than the setting for Less or equal to. You can enter the IP address and netmask using the following formats.x. Select Less or equal to and enter a number from 0 to 32 to match prefix lengths that are less than or equal to this number. Select either Match any or Match a network address. Set the action to take for this prefix to Permit or Deny. The length of the netmask should be less than the setting for Greater or equal to.Router Router objects New prefix list entry Figure 20: Prefix list entry configuration list Entry Action Prefix The prefix list name and the number of this entry.x/x.

The Delete. and in addition to permit or deny actions can be configured to make changes as defined by set statements. but have enhanced matching criteria. Select OK. . Route maps are similar to access lists. New Route-map Figure 22: Route map name configuration To add a route map name 1 2 3 4 Go to Router > Router Objects > Route-map. all the match statements must match before the set statements can be used. If multiple match statements are defined in a rule. If no match is found in the route map the default action is deny. the default action is to match everything. Add route-map entry. and Edit icons. 152 01-28003-0002-20040716 Fortinet Inc. The route map name. The rules for a route map entry. If it finds a match it makes the changes defined in the set statements and then takes the action specified for the rule. Select Create New Enter a name for the route map. Figure 21: Route map list Create New Name Action Route-map rules Add a new route map name.Router objects Router Route-map list Route maps are a specialized form of filter. If no match statements are defined in a rule. The action to take for this entry in the route map. For a route map to take effect it must be called by another FortiGate routing feature such as RIP. The FortiGate unit attempts to match the rules in a route map starting at the top of the list.

Route-map list entry

Figure 23: Route map entry configuration

Route-map entry  The route map name and the ID number of this route map entry.
Action  Select Permit to permit routes that match this entry. Select Deny to deny routes that match this entry.
Match:  The criteria to match.
Interface  Match a route with the selected destination interface.
Address  Match a route if the destination address is included in the selected access list or prefix list.
Next-hop  Match a route that has a next hop router address included in the selected access list or prefix list.
Metric  Match a route with the specified metric. The metric can be a number from 1 to 16.
Route Type  Match a route that has the external type set to 1 or 2.
Tag  Match a route that has the specified tag.
Set:  The set criteria.
Next-hop  Set the next hop router address for a matched route.
Metric  Set a metric value of 1 to 16 for a matched route.
Metric Type  Set the metric type for a matched route.
Tag  Set a tag value for a matched route.

To configure a route map entry
1 Go to Router > Router Objects > Route Map.
2 Select the Add route-map entry icon to add a new route map entry or select the edit icon beside an existing route map entry to edit that entry.
3 Select Permit or Deny for the Action to take for this route map entry.
4 Under Match, select the criteria to match.

5 Under Set, select the criteria to change.
6 Select OK.

Key chain list

RIP version 2 uses authentication keys to ensure that the routing information exchanged between routers is reliable. For authentication to work both the sending and receiving routers must be set to use authentication, and must be configured with the same keys.

A key chain is a list of one or more keys and the send and receive lifetimes for each key. Keys are used for authenticating routing packets only during the specified lifetimes. The FortiGate unit migrates from one key to the next according to the scheduled send and receive lifetimes. The sending and receiving routers should have their system dates and times synchronized, but overlapping the key lifetimes ensures that a key is always available even if there is some difference in the system times. See “System time” on page 79 for information on setting the FortiGate system date and time.

Figure 24: Key chain list

Create New  Add a new key chain.
Key-chain  The key chain name.
Accept Lifetime  The time period in which to accept a key.
Send Lifetime  The time period in which to send a key.
Start / End  The start and end times for the accept and send lifetimes.
Add key-chain entry. The Delete and Edit icons.

New key chain

Figure 25: Key chain name configuration

To add a key chain name
1 Go to Router > Router Objects > Key-chain.
2 Select Create New.
3 Enter a name for the key chain.
4 Select OK.
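The access list, prefix list and route map semantics described in the preceding Router objects sections, as one added worked example: first match wins and no match means deny; an access list entry matches the prefix or any more specific prefix unless Exact match is set; a prefix list entry additionally bounds the prefix length with Greater or equal to and Less or equal to; a route map entry matches only if all of its match statements match, an entry with no match statements matches everything, and set statements are applied to a permitted route. This is illustrative code written for this page, not Fortinet's implementation; the list and route map names and sample routes are made up, and one assumption is made that the page does not state: an entry with neither Greater or equal to nor Less or equal to set is treated like an access list entry (the prefix or any more specific prefix).

```python
"""Access/prefix list matching and route map evaluation.  Added illustration,
not FortiGate code; list names, route map names and routes are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional


@dataclass
class ListEntry:
    action: str                     # "permit" or "deny"
    prefix: Optional[str] = None    # None = Match any
    exact: bool = False             # access list: Exact match
    ge: Optional[int] = None        # prefix list: Greater or equal to
    le: Optional[int] = None        # prefix list: Less or equal to

    def matches(self, net: IPv4Network) -> bool:
        if self.prefix is None:
            return True
        base = IPv4Network(self.prefix)
        if self.exact:
            return net == base
        if not net.subnet_of(base):
            return False
        # Assumption: with no ge/le the entry behaves like an access list entry
        # (prefix or more specific); ge/le bound the candidate's prefix length.
        lo = self.ge if self.ge is not None else base.prefixlen
        hi = self.le if self.le is not None else 32
        return lo <= net.prefixlen <= hi


def list_permits(entries: List[ListEntry], prefix: str) -> bool:
    """Top-down, first matching entry decides; default action is deny."""
    net = IPv4Network(prefix)
    for e in entries:
        if e.matches(net):
            return e.action == "permit"
    return False


@dataclass
class Route:
    prefix: str
    next_hop: str
    metric: int
    tag: int = 0


@dataclass
class RouteMapEntry:
    action: str
    match_address: Optional[List[ListEntry]] = None    # access list or prefix list
    match_next_hop: Optional[List[ListEntry]] = None
    match_metric: Optional[int] = None
    match_tag: Optional[int] = None
    set_metric: Optional[int] = None
    set_tag: Optional[int] = None

    def matches(self, r: Route) -> bool:
        """All configured match statements must match; none configured = match all."""
        if self.match_address is not None and not list_permits(self.match_address, r.prefix):
            return False
        if self.match_next_hop is not None and not list_permits(self.match_next_hop, r.next_hop + "/32"):
            return False
        if self.match_metric is not None and r.metric != self.match_metric:
            return False
        if self.match_tag is not None and r.tag != self.match_tag:
            return False
        return True


def apply_route_map(entries: List[RouteMapEntry], r: Route) -> Optional[Route]:
    """Return the (possibly modified) route if permitted, None if denied."""
    for e in entries:
        if e.matches(r):
            if e.action != "permit":
                return None
            out = Route(r.prefix, r.next_hop, r.metric, r.tag)
            if e.set_metric is not None:
                out.metric = min(max(e.set_metric, 1), 16)   # metric range 1-16
            if e.set_tag is not None:
                out.tag = e.set_tag
            return out
    return None                                   # nothing matched: deny


# Constructed sample list (hypothetical name "net-filter").
NET_FILTER = [
    ListEntry("permit", "10.0.0.0/8", ge=16, le=24),     # 10.x aggregates from /16 to /24
    ListEntry("deny", "10.0.0.0/8"),                      # any other 10.x prefix
    ListEntry("permit", "192.168.0.0/16", exact=True),   # only the /16 itself
]
# Constructed sample route map (hypothetical name "rip-in").
RIP_IN = [
    RouteMapEntry("deny", match_tag=666),                          # drop routes tagged 666
    RouteMapEntry("permit", match_address=NET_FILTER, set_metric=5, set_tag=100),
    RouteMapEntry("permit"),                                       # no match statements: everything
]


def run_route_map(entries, prefix, next_hop, metric, tag=0):
    """Convenience wrapper: (metric, tag) of the permitted route, or None if denied."""
    r = apply_route_map(entries, Route(prefix, next_hop, metric, tag))
    return None if r is None else (r.metric, r.tag)
```

The last entry of RIP_IN is the permit-everything catch-all that an operator must add deliberately: without it (RIP_IN[:2]) a route such as 172.16.0.0/12 matches no entry and is denied, which is the default the text describes and a common cause of "routes silently disappeared" after a route map is attached.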

Key chain list entry

Figure 26: Key chain entry configuration

Key-chain entry  The key chain name and the ID number for this key chain entry.
Key  Enter a key. The key (password) can be up to 35 characters long.
Accept Lifetime  Set the time period during which the key can be received.
Send Lifetime  Set the time period during which the key can be sent.
Start  For both accept and send lifetimes, set the start time and date for this entry in the key chain.
End  For both accept and send lifetimes, set the end time. The end time can be a specified date and time, a duration in seconds (1 to 2147483646), or infinite for a key that never expires.

To configure a key chain entry
1 Go to Router > Router Objects > Key-chain.
2 Select the Add key-chain entry icon to add a new key chain entry or select the Edit icon beside an existing key chain entry to edit that entry.
3 Enter a key.
4 Under Accept Lifetime, select the required hour, minute, second, year, month and day to start using this key for received routing updates.
5 Under Accept Lifetime, select Infinite, Duration or End time.
• If you selected Duration, enter the time in seconds that this key should be active.
• If you selected End time, select the required hour, minute, second, year, month and day to stop using this key for received routing updates.
6 Under Send Lifetime, select the required hour, minute, second, year, month and day to start using this key for sending routing updates.

7 Under Send Lifetime, select Infinite, Duration or End time.
• If you selected Duration, enter the time in seconds that this key should be active.
• If you selected End time, select the required hour, minute, second, year, month and day to stop using this key for sending routing updates.
8 Select OK.

Monitor

Display the FortiGate routing table.

Routing monitor list

Figure 27: Sample Routing Monitor

Type:  Filter the display to show routes of the selected type.
Network:  Filter the display to show routes for the specified network.
Gateway:  Filter the display to show routes using the specified gateway.
Apply Filter  Filter the routes according to the criteria you have specified.
Type  The type of route. Type refers to how the FortiGate unit learned the route.
Subtype  The subtype for the route.
Network  The network for the route.
Distance  The administrative distance of the route.
Metric  The metric for the route.
Gateway  The gateway used by the route.
Interface  The interface used by the route.
Up Time  How long the route has been available.

To filter the routing monitor display
1 Go to Router > Monitor > Routing Monitor.
2 Select a type of route to display or select all to display routes of all types. For example, select Connected to display all the directly connected routes, or select RIP to display all the routes learned from RIP.
3 Specify the network for which to display routes.
4 Specify a gateway to display the routes using that gateway.
5 Select Apply Filter.
Note: You can configure Type, Network, and Gateway filters individually or in any combination.
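The key chain entries and the RIP interface MD5 authentication described earlier in this chapter, as one added worked example: the sender picks the key whose Send Lifetime covers the current time, the receiver accepts an update only if a key whose Accept Lifetime covers the current time reproduces the digest, overlapping lifetimes let an old key keep working across a rollover, and a sequence number lets the receiver reject a replayed but authentic update. The packet layout and digest follow RFC 2082 (keyed MD5: the key, zero-padded to 16 bytes, is appended to the packet and MD5 is taken over the whole thing). This is illustrative code written for this page, not the FortiGate implementation; key names, lifetimes, addresses and sequence numbers are made up, and the 16-byte key length is the RFC 2082 limit (how a FortiGate handles a 35-character key is not stated on the page). The walk-through also shows the point made under Authentication: the route entries travel in the clear, so the digest proves who sent the update, not that nobody can read it.

```python
"""RIP-2 keyed MD5 authentication (RFC 2082 layout) driven by a key chain.
Added illustration, not FortiGate code; keys, lifetimes and addresses are
constructed for the example."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

INFINITE = float("inf")        # "Infinite" lifetime end


@dataclass
class ChainKey:
    key_id: int
    key: bytes
    accept: Tuple[float, float]    # Accept Lifetime (start, end), seconds
    send: Tuple[float, float]      # Send Lifetime (start, end), seconds


def send_key(chain: List[ChainKey], now: float) -> Optional[ChainKey]:
    """First key whose send lifetime covers now."""
    for k in chain:
        if k.send[0] <= now <= k.send[1]:
            return k
    return None


def accept_keys(chain: List[ChainKey], now: float) -> List[ChainKey]:
    return [k for k in chain if k.accept[0] <= now <= k.accept[1]]


def _digest(body: bytes, key: bytes) -> bytes:
    # RFC 2082: MD5 over the packet (including the 4-byte trailer header)
    # followed by the key padded with zeros to 16 bytes.
    return hashlib.md5(body + key.ljust(16, b"\x00")[:16]).digest()


def build_update(routes, key: ChainKey, seq: int) -> bytes:
    """RIP-2 response: header, MD5 auth header, route entries, auth trailer + digest."""
    header = struct.pack("!BBH", 2, 2, 0)                    # command=response, version=2
    entries = b"".join(struct.pack("!HH4s4s4sI", 2, 0, IPv4Address(p).packed,
                                   IPv4Address(m).packed, b"\x00" * 4, metric)
                       for p, m, metric in routes)
    pkt_len = 4 + 20 + len(entries)                          # offset of the auth trailer
    auth_hdr = struct.pack("!HHHBBIII", 0xFFFF, 3, pkt_len, key.key_id, 16, seq, 0, 0)
    body = header + auth_hdr + entries + struct.pack("!HH", 0xFFFF, 1)
    return body + _digest(body, key.key)


def verify_update(pkt: bytes, chain: List[ChainKey], now: float, last_seq: int) -> Tuple[bool, str]:
    """Check the auth header, find an acceptable key that reproduces the digest, then the sequence."""
    afi, atype, pkt_len, key_id, dlen, seq = struct.unpack("!HHHBBI", pkt[4:16])
    if (afi, atype, dlen) != (0xFFFF, 3, 16):
        return False, "not keyed-MD5 authenticated"
    body, digest = pkt[:pkt_len + 4], pkt[pkt_len + 4:]
    for k in accept_keys(chain, now):
        if k.key_id == key_id and hmac.compare_digest(_digest(body, k.key), digest):
            if seq <= last_seq:
                return False, "replayed or out-of-order sequence number"
            return True, "accepted with key %d" % key_id
    return False, "no acceptable key reproduces the digest"


def walk_through() -> dict:
    """Drive the exchange through the cases a practitioner should check."""
    chain = [
        ChainKey(1, b"old-secret", accept=(0, 3600), send=(0, 1800)),
        ChainKey(2, b"new-secret", accept=(1500, INFINITE), send=(1800, INFINITE)),
    ]
    routes = [("10.20.0.0", "255.255.0.0", 3)]
    out = {}
    k = send_key(chain, now=1000)
    pkt = build_update(routes, k, seq=1000)
    out["key_at_1000"] = k.key_id
    out["packet_length"] = len(pkt)
    out["accepted"] = verify_update(pkt, chain, 1000, last_seq=999)[0]
    # the route entries are not encrypted: the prefix is readable off the wire
    out["prefix_readable_in_clear"] = str(IPv4Address(pkt[28:32]))
    # a modified metric (bytes 40..44 of this packet) no longer matches the digest
    tampered = pkt[:40] + struct.pack("!I", 1) + pkt[44:]
    out["tampered"] = verify_update(tampered, chain, 1000, last_seq=999)[0]
    # the same authentic packet presented again is rejected by the sequence check
    out["replayed"] = verify_update(pkt, chain, 1000, last_seq=1000)[0]
    # rollover: after 1800 the sender moves to key 2, but key 1 is accepted until 3600
    out["key_at_2000"] = send_key(chain, now=2000).key_id
    old = build_update(routes, chain[0], seq=2000)
    out["old_key_in_overlap"] = verify_update(old, chain, 2000, last_seq=1000)[0]
    out["old_key_after_accept_lifetime"] = verify_update(old, chain, 4000, last_seq=1000)[0]
    # a router holding a different secret under the same key id
    other = [ChainKey(1, b"different", (0, INFINITE), (0, INFINITE))]
    out["wrong_secret"] = verify_update(pkt, other, 1000, last_seq=999)[0]
    return out


if __name__ == "__main__":
    for check, value in walk_through().items():
        print(check, value)
```

The overlap between key 1's Accept Lifetime (until 3600) and key 2's Send Lifetime (from 1800) is what makes the rollover safe against clock skew: a neighbour whose clock is still in the key 1 window keeps being accepted. Once the overlap ends the old key is simply absent from the accept set and its packets fail, which is the check to run before retiring a key in production.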

FortiGate-60 Administration Guide Version 2.80

Firewall

Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (port number). For the packet to be connected through the FortiGate unit, the source address, destination address, and service of the packet must match a firewall policy. The policy directs the firewall action on the packet. The action can be to allow the connection, deny the connection, require authentication before the connection is allowed, or process the packet as an IPSec VPN packet.

Each policy can be individually configured to route connections or apply network address translation (NAT) to translate source and destination IP addresses and ports. You can add IP pools to use dynamic NAT when the firewall translates source addresses. You can use policies to configure port address translation (PAT) through the FortiGate.

You can add protection profiles to firewall policies to apply different protection settings for traffic that is controlled by firewall policies. You can use protection profiles to:
• Configure antivirus protection for HTTP, FTP, IMAP, POP3, and SMTP policies
• Configure web filtering for HTTP policies
• Configure web category filtering for HTTP policies
• Configure spam filtering for IMAP, POP3, and SMTP policies
• Enable IPS for all services
• Enable content logging for all services

You can also enable traffic logging for a firewall policy so that the FortiGate unit logs all connections that use this policy. You can also add schedules to policies so that the firewall can process connections differently depending on the time of day or the day of the week, month, or year.

This chapter describes:
• Policy
• Address
• Service
• Schedule
• Virtual IP
• IP pool
• Protection profile

Policy

Go to Firewall > Policy to add firewall policies to control connections and traffic between FortiGate interfaces, zones, and VLAN subinterfaces.

This section describes:
• How policy matching works
• Policy list
• Policy options
• Advanced policy options
• Configuring firewall policies

How policy matching works

When the FortiGate unit receives a connection attempt at an interface, it selects a policy list to search through for a policy that matches the connection attempt. The FortiGate unit chooses the policy list based on the interface (or zone) on which the connection attempt arrived and the interface it is destined for; for example, connections from the internal network to the Internet are matched against the internal->wan1 policy list. The FortiGate un then starts at the top of the selected policy list and searches down the list for the first policy that matches the connection attempt source and destination addresses, service port, and time and date at which the connection attempt was received. The first policy that matches is applied to the connection attempt. If no policy matches, the connection is dropped.

The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general. For example, the default policy is a very general policy because it matches all connection attempts. When you create exceptions to that policy, you must add them to the policy list above the default policy. No policy below the default policy will ever be matched.

The default policy accepts all connection attempts from the internal network to the Internet. From the internal network, users can browse the web, use POP3 to get email, use FTP to download files through the firewall, and so on. If the default policy is at the top of the internal->wan1 policy list, the firewall allows all connections from the internal network through the WAN1 interface to the Internet because all connections match the default policy. If more specific policies are added to the list below the default policy, they are never matched.

A policy that is an exception to the default policy, for example, a policy to block FTP connections, must be placed above the default policy in the internal->wan1 policy list. In this example, all FTP connection attempts from the internal network would then match the FTP policy and be blocked. Connection attempts for all other kinds of services would not match with the FTP policy but they would match with the default policy. Therefore, the firewall would still accept all other connections from the internal network.

Note: Policies that require authentication must be added to the policy list above matching policies that do not; otherwise, the policy that does not require authentication is selected first.

Policy list

You can add, delete, edit, re-order, enable, and disable policies in the policy list.

Figure 28: Sample policy list

The policy list has the following icons and features.
Create New: Select Create New to add a firewall policy.
source -> destination (n): Policy list headings indicating the traffic to which the policy applies. The list heading is in the format Source -> Destination (n) where n is the number of policies in the list.
ID: The policy identifier. Policies are numbered in the order they are added to the policy list.
Source: The source address or address group to which the policy applies. See “Address” on page 165.
Dest: The destination address or address group to which the policy applies. See “Address” on page 165.
Schedule: The schedule that controls when the policy should be active. See “Schedule” on page 177.
Service: The service to which the policy applies. See “Service” on page 169.
Action: The response to make when the policy matches a connection attempt.
Enable: Enable or disable the policy. Enabling the policy makes it available for the firewall to match it to incoming connections.
Delete and Edit/View icons: The Delete and Edit/View icons.
Insert Policy before icon: Add a new policy above the corresponding policy (the New Policy screen appears).
Move to icon: Move the corresponding policy before or after another policy in the list.
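The first-match rule and the ordering mistakes described above (a specific exception placed below the general default policy, an authenticating policy placed below a non-authenticating one) can be checked before a policy list goes live. The following simulator is an added example and is not code from the FortiGate guide or from Fortinet; the policy ids, addresses and services in it are constructed sample data, and the schedule component of matching is left out.

```python
"""Added example, not from the FortiGate guide: a first-match policy list simulator.

It models the rule the guide describes: the firewall walks a source->destination
policy list from top to bottom and applies the first policy whose source address,
destination address and service match; if nothing matches, the connection is
dropped. It also reports the two ordering mistakes the guide warns about: a more
specific policy placed below a broader one (it can never match) and an
authenticating policy placed below a non-authenticating policy that covers the
same traffic. All policy ids, addresses and services below are constructed
sample data; the schedule check is left out to keep the example short.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Service:
    name: str
    proto: str      # "tcp", "udp" or "all" (the predefined ANY service)
    ports: tuple    # inclusive (low, high) destination port range, ignored for "all"

    def matches(self, proto, port):
        if self.proto == "all":
            return True
        return self.proto == proto and self.ports[0] <= port <= self.ports[1]

    def covers(self, other):
        """True if every connection matched by `other` is also matched by this service."""
        if self.proto == "all":
            return True
        return (other.proto == self.proto
                and self.ports[0] <= other.ports[0] and other.ports[1] <= self.ports[1])


@dataclass
class Policy:
    pid: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    services: list
    action: str     # "ACCEPT" or "DENY"
    auth: bool = False
    enabled: bool = True

    def matches(self, src_ip, dst_ip, proto, port):
        return (self.enabled and src_ip in self.src and dst_ip in self.dst
                and any(s.matches(proto, port) for s in self.services))

    def covers(self, later):
        """True if this (earlier) policy matches everything `later` would match."""
        return (later.src.subnet_of(self.src) and later.dst.subnet_of(self.dst)
                and all(any(s.covers(t) for s in self.services) for t in later.services))


def first_match(policies, src_ip, dst_ip, proto, port):
    """Return the first matching policy, or None when the connection is dropped."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for policy in policies:
        if policy.matches(s, d, proto, port):
            return policy
    return None


def shadowed_policies(policies):
    """Ids of policies that can never match because an earlier enabled policy covers them."""
    return [p.pid for i, p in enumerate(policies)
            if any(e.enabled and e.covers(p) for e in policies[:i])]


def auth_order_problems(policies):
    """Ids of authenticating policies placed below a non-authenticating policy
    that matches the same traffic (the guide's note on authentication ordering)."""
    return [p.pid for i, p in enumerate(policies)
            if p.auth and any(e.enabled and not e.auth and e.covers(p) for e in policies[:i])]


# Constructed sample data (not from the guide).
ANY = Service("ANY", "all", (0, 65535))
FTP = Service("FTP", "tcp", (21, 21))
HTTP = Service("HTTP", "tcp", (80, 80))
ALL = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("192.168.1.0/24")

DEFAULT_POLICY = Policy(1, ALL, ALL, [ANY], "ACCEPT")             # the general "allow everything out"
DENY_FTP = Policy(2, INTERNAL, ALL, [FTP], "DENY")                # the FTP exception from the guide
AUTH_HTTP = Policy(3, INTERNAL, ALL, [HTTP], "ACCEPT", auth=True)

WRONG_ORDER = [DEFAULT_POLICY, DENY_FTP, AUTH_HTTP]   # exceptions below the default: shadowed
RIGHT_ORDER = [DENY_FTP, AUTH_HTTP, DEFAULT_POLICY]   # specific to general, as the guide requires

if __name__ == "__main__":
    for name, plist in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        hit = first_match(plist, "192.168.1.10", "203.0.113.5", "tcp", 21)
        print(name, "FTP ->", hit.action if hit else "dropped",
              "shadowed:", shadowed_policies(plist),
              "auth below non-auth:", auth_order_problems(plist))
```

With the default policy on top, the FTP connection is accepted and both exception policies are reported as shadowed; with the list ordered specific-to-general, FTP is denied, HTTP goes to the authenticating policy, and everything else still falls through to the default.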

Figure 29: Move to options

Policy options

Policy options are configurable when creating or editing a firewall policy.

Figure 30: Standard policy options

Policy has the following standard options:

Interface / Zone
Source: Select the source interface, VLAN subinterface, or zone to which the policy will apply. Interfaces and zones are listed and configured in System > Network. See “System network” on page 41.
Destination: Select the destination interface, VLAN subinterface, or zone to which the policy will apply.

Address Name
Source: Select a source address or address group to which the policy will apply. Before you can use an address in a policy, you must add it to the source interface. For information about adding an address, see “Addresses” on page x. See “Address” on page 165.
Destination: Select a destination address or address group to which the policy will apply. Before you can add this address to a policy, you must add it to the destination interface. See “Address” on page 165. For NAT/Route mode policies where the address on the destination network is hidden from the source network using NAT, the destination can also be a virtual IP that maps the destination address of the packet to a hidden destination address. See “Virtual IP” on page 181.

Schedule: Select a schedule that controls when the policy is available to be matched with connections. See “Schedule” on page 177.
Service: Select a service or protocol to which the policy will apply. You can select from a wide range of predefined services or add custom services and service groups. See “Service” on page 169.
Action: Select how you want the firewall to respond when the policy matches a connection attempt.
• ACCEPT: Select accept to accept connections matched by the policy. You can also configure NAT and Authentication for the policy.
• DENY: Select deny to reject connections matched by the policy. The only other policy option that you can configure is Log Traffic, to log the connections denied by this policy.
• ENCRYPT: Select encrypt to make this policy an IPSec VPN policy. You can select an AutoIKE Key or Manual Key VPN tunnel for the policy and configure other IPSec settings. You cannot add authentication to an ENCRYPT policy.
VPN Tunnel: Select a VPN tunnel for an ENCRYPT policy. You can select an AutoIKE key or Manual Key tunnel. When encrypt is selected the VPN Tunnel Options appear.
• Allow Inbound: Select Allow inbound so that users behind the remote VPN gateway can connect to the source address.
• Allow outbound: Select Allow outbound so that users can connect to the destination address behind the remote VPN gateway.
• Inbound NAT: Select Inbound NAT to translate the source address of incoming packets to the FortiGate internal IP address.
• Outbound NAT: Select Outbound NAT to translate the source address of outgoing packets to the FortiGate external IP address.
NAT: Select NAT to enable Network Address Translation for the policy. NAT translates the source address and port of packets accepted by the policy. If you select NAT, you can also select Dynamic IP Pool and Fixed Port. NAT is not available in Transparent mode.
• Dynamic IP Pool: Select Dynamic IP Pool to translate the source address to an address randomly selected from the IP pool. An IP pool dropdown list appears when the policy destination interface is the same as the IP pool interface. See “IP pool” on page 185. You cannot select Dynamic IP Pool if the destination interface or VLAN subinterface is configured using DHCP or PPPoE.
• Fixed Port: Select Fixed Port to prevent NAT from translating the source port. Some applications do not function correctly if the source port is changed. If you select Fixed Port, you must also select Dynamic IP Pool and add a dynamic IP pool address range to the destination interface of the policy. If you do not select Dynamic IP Pool, a policy with Fixed Port selected can only allow one connection at a time for this port or service.
Protection Profile: Select a protection profile to configure how antivirus and IPS protection, web content filtering, web category filtering, and spam filtering are applied to the policy. See “Protection profile” on page 188. If you are configuring authentication in the advanced settings, you do not need to choose a protection profile, since the user group chosen for authentication is already tied to a protection profile.

Log Traffic: Select Log Traffic to record messages to the traffic log whenever the policy processes a connection. You must also enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiLog) and set the logging severity level to Notification or lower. For information about logging see “Log & Report” on page 317.
Advanced: Select advanced to show more options.

Advanced policy options

Figure 31: Advanced policy options

Authentication: Select Authentication and select one or more user groups to require users to enter a user name and password before the firewall accepts the connection.

Figure 32: Selecting user groups for authentication

Select the user group to control the users that can authenticate with this policy. You must add users and a firewall protection profile to a user group before you can select Authentication. For information about adding and configuring user groups, see “User group” on page 205.

You can select Authentication for any service. Users can authenticate with the firewall using HTTP, Telnet, or FTP. For users to be able to authenticate you must add an HTTP, Telnet, or FTP policy that is configured for authentication. When users attempt to connect through the firewall using this policy they are prompted to enter a firewall username and password.

If you want users to authenticate to use other services (for example POP3 or IMAP) you can create a service group that includes the services for which you want to require authentication, as well as HTTP, FTP, and Telnet. Then users could authenticate with the policy using HTTP, FTP, or Telnet before using the other service.

In most cases you should make sure that users can use DNS through the firewall without authentication. If DNS is not available users cannot connect to a web, FTP, or Telnet server using a domain name.

Traffic Shaping

Traffic Shaping controls the bandwidth available to and sets the priority of the traffic processed by the policy. Traffic Shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the FortiGate device. For example, the policy for the corporate web server might be given higher priority than the policies for most employees’ computers. An employee who needs unusually high-speed Internet access could have a special outgoing policy set up with higher bandwidth.

Guaranteed Bandwidth: You can use traffic shaping to guarantee the amount of bandwidth available through the firewall for a policy. Guarantee bandwidth (in Kbytes) to make sure that there is enough bandwidth available for a high-priority service.
Maximum Bandwidth: You can also use traffic shaping to limit the amount of bandwidth available through the firewall for a policy. Limit bandwidth to keep less important services from using bandwidth needed for more important services.
Traffic Priority: Select Traffic Priority so that the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections. Select High, Medium, or Low.

If you set both guaranteed bandwidth and maximum bandwidth to 0 (zero), the policy does not allow any traffic.

Differentiated Services

Differentiated Services (DiffServ) describes a set of end-to-end Quality of Service (QoS) capabilities. End-to-end QoS is the ability of a network to deliver service required by specific network traffic from one end of the network to another. By configuring DiffServ you configure your network to deliver particular levels of service for different packets based on the QoS specified by each packet.

DiffServ is defined by RFC 2474 and 2475 as enhancements to IP networking to enable scalable service discrimination in the IP network without the need for per-flow state and signalling at every hop. DiffServ-capable routers sort IP traffic into classes by inspecting the DS field in the IPv4 header or the Traffic Class field in the IPv6 header.

You can use the FortiGate DiffServ feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network uses these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packets that they are routing.

You can configure policies to apply DS values for both forward and reverse traffic. These values are optional and may be enabled independently from each other. When both are disabled, no changes to the DS field are made.

Original (forward) DSCP value: Set the DSCP value for packets accepted by the policy. For example, for an Internal->External policy the value is applied to outgoing packets as they exit the external interface and are forwarded to their destination.
Reverse (reply) DSCP value: Set the DSCP value for reply packets. For example, for an Internal->External policy the value is applied to incoming reply packets before they exit the internal interface and are returned to the originator.
Comments: You can add a description or other information about the policy. The comment can be up to 63 characters long, including spaces.

Configuring firewall policies

Use the following procedures to add, edit, delete, re-order, disable, and enable a firewall policy.

To add a firewall policy
1 Go to Firewall > Policy.
2 Select the source interface and destination interface of the packet.
3 Select Create New to add a new policy. You can also select the Insert Policy before icon beside a policy in the list to add the new policy above that policy.
4 Configure the policy. For information about configuring the policy, see “Policy options” on page 160.
5 Select OK to add the policy.
6 Arrange policies in the policy list so that they have the results that you expect. For information about arranging policies in a policy list, see “How policy matching works” on page 158.

To edit a policy
1 Go to Firewall > Policy.
2 Select the Edit icon beside the policy you want to edit.
3 Edit the policy as required.
4 Select OK.

To delete a policy
1 Go to Firewall > Policy.
2 Select the Delete icon beside the policy you want to delete.
3 Select OK.

To change the position of a policy in the list
1 Go to Firewall > Policy.
2 Select the Move To icon beside the policy you want to move.
3 Select the position for the policy.
4 Select OK.

To disable a policy
Disable a policy to temporarily prevent the firewall from selecting the policy. Disabling a policy does not stop active communications sessions that have been allowed by the policy.
1 Go to Firewall > Policy.
2 Clear the Enable check box beside the policy you want to disable.

To enable a policy
1 Go to Firewall > Policy.
2 Select Enable.

Address

You can add, edit, and delete firewall addresses as required. You can also organize related addresses into address groups to simplify policy creation.

A firewall address can be configured with a name, an IP address, and a netmask, or a name and IP address range.

You can enter an IP address and netmask using the following formats.
• x.x.x.x/x, for example 64.198.45.0/24
• x.x.x.x/x.x.x.x, for example 64.198.45.0/255.255.255.0

You can enter an IP address range using the following formats.
• x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120
• x.x.x.[x-x], for example 192.168.110.[100-120]
• x.x.x.*, for example 192.168.110.* to represent all addresses on the subnet

This section describes:
• Address list
• Address options
• Configuring addresses
• Address group list
• Address group options
• Configuring address groups

Address list

You can add addresses to the list and edit existing addresses. The FortiGate unit comes configured with the default ‘All’ address which represents any IP address on the network.

Figure 33: Sample address list

The address list has the following icons and features.
Create New: Select Create New to add a firewall address.
Name: The name to identify the firewall address.
Address: The IP address and mask or IP address range of the firewall address.
Delete and Edit/View icons: The Delete and Edit/View icons.

Address options

Add an address representing an IP address and subnet mask or an IP address range.

Figure 34: Address options

Address has the following options:
Address Name: Enter a name to identify the firewall address.
Type: Select the type of address. Each type reveals the corresponding fields to configure.
IP Range/Subnet: Enter the firewall IP address, forward slash, and subnet mask, or enter an IP address range separated by a hyphen.

An IP/Mask address can represent:
• The address of a subnet (for example, for a class C subnet, IP address: 192.168.20.0 and Netmask: 255.255.255.0).
• A single IP address (for example, IP Address: 192.168.20.1 and Netmask: 255.255.255.255)
• All possible IP addresses (represented by IP Address: 0.0.0.0 and Netmask: 0.0.0.0)

Note: IP address: 0.0.0.0 and Netmask: 255.255.255.255 is not a valid firewall address.

An IP Range address represents:
• A range of IP addresses in a subnet (for example, 192.168.20.1 to 192.168.20.10)

An IP address can be:
• The IP address of a single computer (for example, 192.45.46.45).
• The IP address of a subnetwork (for example, 192.168.1.0 for a class C subnet).
• 0.0.0.0 to represent all possible IP addresses

The netmask corresponds to the type of address that you are adding. For example:
• The netmask for the IP address of a single computer should be 255.255.255.255.
• The netmask for a class A subnet should be 255.0.0.0.
• The netmask for a class B subnet should be 255.255.0.0.
• The netmask for a class C subnet should be 255.255.255.0.
• The netmask for all addresses should be 0.0.0.0.

Configuring addresses

To add an address
1 Go to Firewall > Address.
2 Select Create New.
3 Enter a name to identify the address.
4 Enter the IP address and netmask or the IP address range.
5 Select OK.

To edit an address
Edit an address to change its IP information. You cannot edit the address name.
Note: To change the address name you must delete the address and add it again with a new name.
1 Go to Firewall > Address > Address.
2 Select the Edit icon beside the address you want to edit.
3 Make any required changes.
4 Select OK.

To delete an address
Deleting an address removes it from the address list. You cannot delete default addresses. To delete an address that has been added to a policy, you must first remove the address from the policy.
1 Go to Firewall > Address > Address.
2 Select the Delete icon beside the address you want to delete.
3 Select OK.
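The address formats and netmask rules above are easy to get wrong when addresses are generated or imported in bulk. The parser below is an added example, not code from the FortiGate guide or from Fortinet: it turns each of the listed formats into an inclusive first/last address pair and rejects what the guide calls invalid (0.0.0.0 with netmask 255.255.255.255, a non-contiguous mask, a reversed range). Treating x.x.x.* as the .0 to .255 block of that /24 is this example's assumption; the sample addresses are constructed.

```python
"""Added example, not from the FortiGate guide: parse the address formats the
guide lists into an inclusive (first, last) IPv4 range and reject the values the
guide says are invalid (0.0.0.0 with netmask 255.255.255.255, non-contiguous
masks, reversed ranges). The meaning of x.x.x.* as the .0-.255 block of that
/24 is an assumption; the guide only says it represents all addresses on the
subnet. All sample addresses are constructed.
"""
import ipaddress
import re

_OCTETS3 = r"\d{1,3}\.\d{1,3}\.\d{1,3}"


def _range(first, last):
    if last < first:
        raise ValueError(f"range end {last} precedes range start {first}")
    return first, last


def parse_firewall_address(text):
    """Return (first, last) IPv4Address objects for one firewall address string."""
    text = text.strip()

    # x.x.x.*  -> all addresses on that /24 (assumption, see above)
    m = re.fullmatch(rf"({_OCTETS3})\.\*", text)
    if m:
        net = ipaddress.ip_network(f"{m.group(1)}.0/24")
        return net[0], net[-1]

    # x.x.x.[x-x] -> range within the last octet
    m = re.fullmatch(rf"({_OCTETS3})\.\[(\d{{1,3}})-(\d{{1,3}})\]", text)
    if m:
        base = m.group(1)
        return _range(ipaddress.ip_address(f"{base}.{m.group(2)}"),
                      ipaddress.ip_address(f"{base}.{m.group(3)}"))

    # x.x.x.x-x.x.x.x -> explicit range
    m = re.fullmatch(r"([\d.]+)-([\d.]+)", text)
    if m:
        return _range(ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))

    # x.x.x.x/x or x.x.x.x/x.x.x.x -> IP/mask; host bits are allowed (192.168.20.1/32 is a host)
    m = re.fullmatch(r"([\d.]+)/([\d.]+)", text)
    if m:
        addr = ipaddress.ip_address(m.group(1))
        if addr == ipaddress.ip_address("0.0.0.0") and m.group(2) in ("32", "255.255.255.255"):
            raise ValueError("0.0.0.0 with netmask 255.255.255.255 is not a valid firewall address")
        net = ipaddress.ip_network(text, strict=False)   # raises ValueError on a bad mask
        return net[0], net[-1]

    raise ValueError(f"unrecognised firewall address format: {text!r}")


def address_span(text):
    """Same as parse_firewall_address but as printable strings."""
    first, last = parse_firewall_address(text)
    return str(first), str(last)


def is_valid_address(text):
    try:
        parse_firewall_address(text)
        return True
    except ValueError:
        return False


def address_contains(text, ip):
    """True if the firewall address `text` covers the single IP `ip`."""
    first, last = parse_firewall_address(text)
    return first <= ipaddress.ip_address(ip) <= last
```

Because ipaddress validates dotted-quad masks, a mask such as 255.0.255.0 is rejected the same way as the special-cased 0.0.0.0/255.255.255.255, and 0.0.0.0/0.0.0.0 resolves to the full address space exactly as the guide describes for the default ‘All’ address.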

Address group list

You can organize related addresses into address groups to make it easier to configure policies. For example, if you add three addresses and then configure them in an address group, you can configure a single policy using all three addresses.

Note: If an address group is included in a policy, it cannot be deleted unless it is first removed from the policy.

Figure 35: Sample address group list

The address group list has the following icons and features.
Create New: Select Create New to add an address group.
Group Name: The name of the address group.
Members: The addresses in the address group.
Delete and Edit/View icons: The Delete and Edit/View icons.

Address group options

Address group options are configurable when creating or editing an address group.

Figure 36: Address group options

Address group has the following options:
Group Name: Enter a name to identify the address group.
Available Addresses: The list of configured and default firewall addresses. Use the arrows to move addresses between the lists.
Members: The list of addresses in the group. Use the arrows to move addresses between the lists.

Configuring address groups

To organize addresses into an address group
1 Go to Firewall > Address > Group.
2 Select Create New.
3 Enter a group name to identify the address group.
4 Select an address from the Available Addresses list and use the arrows to move the desired addresses between the lists.
5 Select OK.

To edit an address group
Note: To change the address group name you must delete the address group and add it with a new name.
1 Go to Firewall > Address > Group.
2 Select the Edit icon beside the address group you want to modify.
3 Make any required changes.
4 Select OK.

To delete an address group
If an address group is included in a policy, it cannot be deleted unless it is first removed from the policy.
1 Go to Firewall > Address > Group.
2 Select the Delete icon beside the address group you want to delete.
3 Select OK.

Service

Use services to determine the types of communication accepted or denied by the firewall. You can add any of the predefined services to a policy. You can also create custom services and add services to service groups.

This section describes:
• Predefined service list
• Custom service list
• Custom service options
• Configuring custom services
• Service group list
• Service group options
• Configuring service groups

Predefined service list

Figure 37: Predefined service list

The predefined services list has the following icons and features.
Name: The name of the predefined service.
Detail: The protocol for each predefined service.

Table 1 lists the FortiGate predefined firewall services. You can add these services to any policy.

Table 1: FortiGate predefined services
Service name    Protocol    Port        Description
ANY             all         all         Match connections on any port. A connection that uses any of the predefined services is allowed through the firewall.
GRE             47                      Generic Routing Encapsulation. A protocol that allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets.
AH              51                      Authentication Header. AH provides source host authentication and data integrity, but not secrecy. This protocol is used for authentication by IPSec remote gateways set to aggressive mode.
ESP             50                      Encapsulating Security Payload. This service is used by manual key and AutoIKE VPN tunnels for communicating encrypted data. AutoIKE key VPN tunnels use ESP after establishing the tunnel using IKE.
AOL             tcp         5190-5194   AOL instant messenger protocol.
BGP             tcp         179         Border Gateway Protocol routing protocol. BGP is an interior/exterior routing protocol.
DHCP            udp         67          Dynamic Host Configuration Protocol (DHCP) allocates network addresses and delivers configuration parameters from DHCP servers to hosts.

Table 1: FortiGate predefined services (Continued)
Service name              Protocol    Port        Description
DNS                       tcp, udp    53          Domain name service for translating domain names into IP addresses.
FINGER                    tcp         79          A network service that provides information about users.
FTP                       tcp         21          FTP service for transferring files.
GOPHER                    tcp         70          Gopher communication service. Gopher organizes and displays Internet server contents as a hierarchically structured list of files.
H323                      tcp         1720, 1503  H.323 multimedia protocol. H.323 is a standard approved by the International Telecommunication Union (ITU) that defines how audiovisual conferencing data is transmitted across networks.
HTTP                      tcp         80          HTTP is the protocol used by the world wide web for transferring data for web pages.
HTTPS                     tcp         443         HTTP with secure socket layer (SSL) service for secure communication with web servers.
IKE                       udp         500         IKE is the protocol to obtain authenticated keying material for use with ISAKMP for IPSEC.
IMAP                      tcp         143         Internet Message Access Protocol is a protocol used for retrieving email messages.
Internet-Locator-Service  tcp         389         Internet Locator Service includes LDAP, User Locator Service, and LDAP over TLS/SSL.
IRC                       tcp         6660-6669   Internet Relay Chat allows people connected to the Internet to join live discussions.
L2TP                      tcp         1701        L2TP is a PPP-based tunnel protocol for remote access.
LDAP                      tcp         389         Lightweight Directory Access Protocol is a set of protocols used to access information directories.
NetMeeting                tcp         1720        NetMeeting allows users to teleconference using the Internet as the transmission medium.
NFS                       tcp, udp    111, 2049   Network File System allows network users to access shared files stored on computers of different types.
NNTP                      tcp         119         Network News Transport Protocol is a protocol used to post, distribute, and retrieve USENET messages.
NTP                       tcp         123         Network time protocol for synchronizing a computer’s time with a time server.
OSPF                      89                      Open Shortest Path First (OSPF) routing protocol. OSPF is a common link state routing protocol.
PC-Anywhere               udp         5632        PC-Anywhere is a remote control and file transfer protocol.

Table 1: FortiGate predefined services (Continued)
Service name        Protocol    Port                          Description
ICMP_ANY            icmp                                      Internet Control Message Protocol is a message control and error-reporting protocol between a host and gateway (Internet).
PING                icmp        8                             ICMP echo request/reply for testing connections to other devices.
TIMESTAMP           icmp        13                            ICMP timestamp request messages.
INFO_REQUEST        icmp        15                            ICMP information request messages.
INFO_ADDRESS        icmp        17                            ICMP address mask request messages.
POP3                tcp         110                           Post office protocol is an email protocol for downloading email from a POP3 server.
PPTP                tcp         1723                          Point-to-Point Tunneling Protocol is a protocol that allows corporations to extend their own corporate network through private tunnels over the public Internet.
QUAKE               udp         26000, 27000, 27910, 27960    For connections used by the popular Quake multi-player computer game.
RAUDIO              udp         7070                          For streaming real audio multimedia traffic.
RLOGIN              tcp         513                           Rlogin service for remotely logging into a server.
RIP                 udp         520                           Routing Information Protocol is a common distance vector routing protocol.
SIP-MSNmessenger    tcp                                       Session Initiation Protocol is used by Microsoft Messenger to initiate an interactive, possibly multimedia session.
SMTP                tcp         25                            Simple Mail Transfer Protocol is used to send mail between email servers on the Internet.
SNMP                tcp, udp    161-162                       Simple Network Management Protocol is a set of protocols for managing complex networks.
SSH                 tcp, udp    22                            Secure Shell is a service for secure connections to computers for remote management.
SYSLOG              udp         514                           Syslog service for remote logging.
TALK                udp         517-518                       A protocol supporting conversations between two or more users.
TCP                 tcp         0-65535                       All TCP ports.
TELNET              tcp         23                            Telnet service for connecting to a remote computer to run commands.
TFTP                udp         69                            Trivial File Transfer Protocol is a simple file transfer protocol similar to FTP but with no security features.
UDP                 udp         0-65535                       All UDP ports.
UUCP                udp         540                           Unix to Unix copy utility, a simple file copying protocol.
VDOLIVE             tcp         7000-7010                     For VDO Live streaming multimedia traffic.

Table 1: FortiGate predefined services (Continued)
Service name    Protocol    Port        Description
WAIS            tcp         210         Wide Area Information Server is an Internet search protocol.
WINFRAME        tcp         1494        For WinFrame communications between computers running Windows NT.
X-WINDOWS       tcp         6000-6063   For remote communications between an X-Window server and X-Window clients.

Custom service list

Add a custom service if you need to create a policy for a service that is not in the predefined service list.

Figure 38: Sample custom service list

The custom services list has the following icons and features.
Create New: Select a protocol and then Create New to add a custom service.
Protocol: Select from All, TCP, UDP, ICMP, or IP to view the list of custom services for that protocol.
Service Name: The name of the custom service.
Detail: The protocol and port numbers for each custom service.
Delete and Edit/View icons: The Delete and Edit/View icons.

Custom service options

Different options appear depending on the type of custom service you want to define. Choose from TCP, UDP, ICMP, or IP.

TCP and UDP custom service options

Figure 39: TCP and UDP custom service options

Name: The name of the TCP or UDP custom service.
Source Port: Specify the Source Port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the low and high fields.
Destination Port: Specify the Destination Port number range for the service by entering the low and high port numbers. If the service u
ses one port number, enter this number in both the low and high fields.

ICMP custom service options

Figure 40: ICMP custom service options

Name: The name of the ICMP custom service.
Type: Enter the ICMP type number for the service.
Code: Enter the ICMP code number for the service if required.

IP custom service options

Figure 41: IP custom service options

Name: The name of the IP custom service.
Protocol Number: The IP protocol number for the service.

Configuring custom services

To add a custom TCP or UDP service
1 Go to Firewall > Service > Custom.
2 Select TCP or UDP from the Protocol list.
3 Select Create New.
4 Enter a name for the new custom TCP or UDP service.
5 Specify Source and Destination Port number ranges for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the low and high fields.

6 Select OK.
You can now add this custom service to a policy.

To add a custom ICMP service
1 Go to Firewall > Service > Custom.
2 Select ICMP from the Protocol list.
3 Select Create New.
4 Enter a name for the new custom ICMP service.
5 Enter the ICMP type number and code number for the service.
6 Select OK.
You can now add this custom service to a policy.

To add a custom IP service
1 Go to Firewall > Service > Custom.
2 Select IP from the Protocol list.
3 Select Create New.
4 Enter a name for the new custom IP service.
5 Enter the IP protocol number for the service.
6 Select OK.
You can now add this custom service to a policy.

To edit a custom service
Note: To change the custom service name you must delete the service and add it with a new name.
1 Go to Firewall > Service > Custom.
2 Select the Edit icon beside the service you want to edit.
3 Modify the custom service as required.
4 Select OK.

To delete a custom service
1 Go to Firewall > Service > Custom.
2 Select the Delete icon beside the service you want to delete.
3 Select OK.

Service group list

To make it easier to add policies, you can create groups of services and then add one policy to allow or block access for all the services in the group. A service group can contain predefined services and custom services in any combination. You cannot add service groups to another service group.
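The three custom service types above (TCP/UDP with source and destination port ranges, ICMP with a type and optional code, IP with a protocol number) each decide membership on different packet fields, and a service group matches when any member does. The following model is an added example, not code from the FortiGate guide or from Fortinet; the packet representation and every service definition in it are constructed, and the refusal to nest a group inside a group mirrors the restriction stated in the Service group list paragraph.

```python
"""Added example, not from the FortiGate guide: how the custom service types the
guide describes (TCP/UDP with source and destination port ranges, ICMP with type
and optional code, IP with a protocol number) decide whether a packet belongs to
the service, and how a service group matches if any member does while refusing
nested groups. The packet model and all service definitions are constructed.
"""
from dataclasses import dataclass
from typing import Optional

IP_PROTO = {"tcp": 6, "udp": 17, "icmp": 1}   # IANA protocol numbers for the named types


@dataclass
class Packet:
    ip_proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass
class CustomService:
    name: str
    kind: str                                # "tcp", "udp", "icmp" or "ip"
    src_ports: tuple = (0, 65535)            # (low, high); a single port is (n, n)
    dst_ports: tuple = (0, 65535)
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None          # None: any code, as the guide's "if required"
    ip_proto: Optional[int] = None           # only for kind == "ip"

    def matches(self, pkt):
        if self.kind in ("tcp", "udp"):
            return (pkt.ip_proto == IP_PROTO[self.kind]
                    and pkt.sport is not None and pkt.dport is not None
                    and self.src_ports[0] <= pkt.sport <= self.src_ports[1]
                    and self.dst_ports[0] <= pkt.dport <= self.dst_ports[1])
        if self.kind == "icmp":
            return (pkt.ip_proto == IP_PROTO["icmp"]
                    and pkt.icmp_type == self.icmp_type
                    and (self.icmp_code is None or pkt.icmp_code == self.icmp_code))
        if self.kind == "ip":
            return pkt.ip_proto == self.ip_proto
        raise ValueError(f"unknown custom service kind {self.kind!r}")


class ServiceGroup:
    """A group matches a packet if any member service matches it."""

    def __init__(self, name, members=()):
        self.name = name
        self.members = []
        for m in members:
            self.add(m)

    def add(self, member):
        """Add a service; returns False for a nested group, which the guide does not allow."""
        if isinstance(member, ServiceGroup):
            return False
        self.members.append(member)
        return True

    def matches(self, pkt):
        return any(s.matches(pkt) for s in self.members)


# Constructed sample services.
SSH_ALT = CustomService("ssh-alt", "tcp", dst_ports=(2222, 2222))
DNS_UDP = CustomService("dns-udp", "udp", dst_ports=(53, 53))
PING_REQUEST = CustomService("ping-request", "icmp", icmp_type=8, icmp_code=0)
GRE_CUSTOM = CustomService("gre", "ip", ip_proto=47)
MGMT_GROUP = ServiceGroup("mgmt", [SSH_ALT, PING_REQUEST])
```

Leaving the source port range at its 0-65535 default is what makes a single-port custom service behave like the predefined entries in Table 1; narrowing the source range as well is the option the guide exposes for services that use fixed client ports.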

Figure 42: Sample service group list

The service group list has the following icons and features.
Create New: Select Create New to add a service group.
Group Name: The name to identify the service group.
Members: The services added to the service group.
Delete and Edit/View icons: The Delete and Edit/View icons.

Service group options

Service group options are configurable when creating or editing a service group.

Figure 43: Service group options

Service group has the following options.
Group Name: Enter a name to identify the service group.
Available Services: The list of configured and predefined services. Use the arrows to move services between the lists.
Members: The list of services in the group. Use the arrows to move services between the lists.

Configuring service groups

To organize services into a service group
1 Go to Firewall > Service > Group.
2 Select Create New.
3 Enter a group name to identify the service group.
4 Select a service from the Available Services list and use the arrows to move the desired services between the lists.

5 Select OK.

To edit a service group
Note: To change the service group name you must delete the service group and add it with a new name.
1 Go to Firewall > Service > Group.
2 Select the Edit icon beside the service group you want to modify.
3 Make any required changes.
4 Select OK.

To delete a service group
If a service group is included in a policy, it cannot be deleted unless it is first removed from the policy.
1 Go to Firewall > Service > Group.
2 Select the Delete icon beside the service group you want to delete.
3 Select OK.

Schedule

Use schedules to control when policies are active or inactive. You can create one-time schedules and recurring schedules.

You can use one-time schedules to create policies that are effective once for the period of time specified in the schedule. For example, your firewall might be configured with the default policy that allows access to all services on the Internet at all times. You can add a one-time schedule to block access to the Internet during a holiday period.

You can use recurring schedules to create policies that are effective only at specified times of the day or on specified days of the week. Recurring schedules repeat weekly.

This section describes:
• One-time schedule list
• One-time schedule options
• Configuring one-time schedules
• Recurring schedule list
• Recurring schedule options
• Configuring recurring schedules

One-time schedule list

You can create a one-time schedule that activates or deactivates a policy for a specified period of time.

Figure 44: Sample one-time schedule list

The one-time schedule list has the following icons and features.

Create New: Select Create New to add a one-time schedule.
Name: The name of the one-time schedule.
Start: The start date and time for the schedule.
Stop: The stop date and time for the schedule.
The Delete and Edit/View icons.

One-time schedule options

Figure 45: One-time schedule options

One-time schedule has the following options.

Name: Enter the name to identify the one-time schedule.
Start: Enter the start date and time for the schedule.
Stop: Enter the stop date and time for the schedule.

Configuring one-time schedules

To add a one-time schedule
1 Go to Firewall > Schedule > One-time.
2 Select Create New.
3 Type a name for the schedule.
4 Select the start date and time for the schedule. One-time schedules use a 24-hour clock. Set start and stop time to 00 for the schedule to be active for the entire day.
5 Set the Stop date and time for the schedule.
6 Select OK.

To delete a one-time schedule
1 Go to Firewall > Schedule > One-time.
2 Select the Delete icon beside the one-time schedule you want to delete.
3 Select OK.

To edit a one-time schedule
1 Go to Firewall > Schedule > One-time.
2 Select the Edit icon beside the one-time schedule you want to modify.
3 Modify the schedule as required.
4 Select OK to save the changes.

Note: To change the one-time schedule name you must delete the schedule and add it with a new name.

Recurring schedule list

You can create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week. For example, you might want to prevent game play during working hours by creating a recurring schedule.

Note: If you create a recurring schedule with a stop time that occurs before the start time, the schedule starts at the start time and finishes at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next. You can also create a recurring schedule that runs for 24 hours by setting the start and stop times to the same time.

Figure 46: Sample recurring schedule list

The recurring schedule list has the following icons and features.

Create New: Select Create New to add a recurring schedule.
Name: The name of the recurring schedule.
Day: The initials of the days of the week on which the schedule is active.
Start: The start time of the recurring schedule.
Stop: The stop time of the recurring schedule.
The Delete and Edit/View icons.


Recurring schedule options
Figure 47: Recurring schedule options

Recurring schedule has the following options.
Name: Enter the name to identify the recurring schedule.
Select: Select the days of the week that you want the schedule to be active.
Start: Select the start time for the recurring schedule.
Stop: Select the stop time for the recurring schedule.

Configuring recurring schedules
To add a recurring schedule
1 Go to Firewall > Schedule > Recurring.
2 Select Create New.
3 Enter a name for the schedule.
4 Select the days of the week that you want the schedule to be active.
5 Set the Start and Stop time for the recurring schedule. Recurring schedules use a 24-hour clock.
6 Select OK.

To delete a recurring schedule
1 Go to Firewall > Schedule > Recurring.
2 Select the Delete icon beside the recurring schedule you want to delete.
3 Select OK.

To edit a recurring schedule
1 Go to Firewall > Schedule > Recurring.
2 Select the Edit icon beside the recurring schedule you want to modify.
3 Modify the schedule as required.
4 Select OK.

Note: To change the recurring schedule name you must delete the schedule and add it with a new name.
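As an added illustration (not part of the guide), the following Python evaluates recurring schedules by the rules stated above: a stop time before the start time runs into the next day, and equal start and stop times give a 24-hour window. The schedule names, day sets and policy list are constructed sample data, and top-down matching of the policy list is assumed.

```python
from datetime import datetime, time, timedelta

# Day initials as the recurring schedule list shows them; Python's weekday() is Monday=0.
DAY_INITIALS = ("Mo", "Tu", "We", "Th", "Fr", "Sa", "Su")


class RecurringSchedule:
    """Recurring schedule evaluated with the guide's rules:
    Stop after Start  -> active from Start to Stop on each selected day.
    Stop before Start -> active from Start on a selected day until Stop the next day.
    Stop equals Start -> active for the full 24 hours from Start on each selected day.
    """

    def __init__(self, name, days, start, stop):
        self.name = name
        self.days = frozenset(days)   # e.g. {"Mo", "Tu", "We", "Th", "Fr"}
        self.start = start            # datetime.time on a 24-hour clock
        self.stop = stop

    def window(self, begin_date):
        """The [begin, end) interval of the occurrence that starts on begin_date."""
        begin = datetime.combine(begin_date, self.start)
        if self.stop == self.start:
            end = begin + timedelta(days=1)
        elif self.stop > self.start:
            end = datetime.combine(begin_date, self.stop)
        else:
            end = datetime.combine(begin_date + timedelta(days=1), self.stop)
        return begin, end

    def is_active(self, when):
        # An occurrence covering `when` can only have begun today or yesterday.
        for day_offset in (0, 1):
            begin_date = when.date() - timedelta(days=day_offset)
            if DAY_INITIALS[begin_date.weekday()] not in self.days:
                continue
            begin, end = self.window(begin_date)
            if begin <= when < end:
                return True
        return False


def first_matching_policy(policies, when):
    """Policies are checked top-down (assumed); one whose schedule is not active
    is skipped. Each policy is (name, action, schedule or None for always)."""
    for name, action, schedule in policies:
        if schedule is None or schedule.is_active(when):
            return name, action
    return None


# Constructed sample policy list: block game traffic during working hours,
# allow it overnight on weekdays, allow it all weekend, otherwise deny.
WEEKDAYS = ["Mo", "Tu", "We", "Th", "Fr"]
WORKING_HOURS = RecurringSchedule("working-hours", WEEKDAYS, time(9, 0), time(17, 0))
OVERNIGHT = RecurringSchedule("overnight", WEEKDAYS, time(22, 0), time(6, 0))
WEEKEND = RecurringSchedule("weekend", ["Sa", "Su"], time(0, 0), time(0, 0))
POLICIES = [
    ("block-games-workday", "deny", WORKING_HOURS),
    ("allow-games-night", "accept", OVERNIGHT),
    ("allow-games-weekend", "accept", WEEKEND),
    ("default-deny", "deny", None),
]

if __name__ == "__main__":
    # 2024-01-08 is a Monday, 2024-01-09 a Tuesday, 2024-01-13 a Saturday.
    for when in (datetime(2024, 1, 8, 10, 0), datetime(2024, 1, 9, 5, 0),
                 datetime(2024, 1, 13, 12, 0)):
        print(when, first_matching_policy(POLICIES, when))
```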


Virtual IP
Use virtual IPs to access IP addresses on a destination network that are hidden from the source network by NAT security policies. To allow connections between these networks, you must create a mapping between an address on the source network and the real address on the destination network. This mapping is called a virtual IP. For example, if the computer hosting your web server is located on your DMZ network, it could have a private IP address such as 10.10.10.3. To get packets from the Internet to the web server, you must have an external address for the web server on the Internet. You must then add a virtual IP to the firewall that maps the external IP address of the web server to the actual address of the web server on the DMZ network. To allow connections from the Internet to the web server, you must then add a WAN1->DMZ or WAN2->DMZ firewall policy and set Destination to the virtual IP. You can create three types of virtual IPs:
Static NAT: Used to translate an address on a source network to a hidden address on a destination network. Static NAT translates the source address of return packets to the address on the source network.

Port Forwarding: Used to translate an address and a port number on a source network to a hidden address and, optionally, a different port number on a destination network. Using port forwarding you can also route packets with a specific port number and a destination address that matches the IP address of the interface that receives the packets. This technique is called port forwarding or port address translation (PAT). You can also use port forwarding to change the destination port of the forwarded packets.

Dynamic port forwarding: Similar to port forwarding, dynamic port forwarding is used to translate any address and a specific port number on a source network to a hidden address and, optionally, a different port number on a destination network.

Note: The maximum number of virtual IPs is 1024.

This section describes:
• Virtual IP list
• Virtual IP options
• Configuring virtual IPs

Virtual IP list
Figure 48: Sample virtual IP list

The virtual IP list has the following icons and features.
Create New: Select Create New to add a virtual IP.
Name: The name to identify the virtual IP.
IP: The external IP address mapped to an address on the destination network.
Service Port: The external port number of the service from the IP.
Map to IP: The real IP address on the destination network.
Map to Port: The port number added to packets when they are forwarded (not required).
The Delete and Edit/View icons.

Virtual IP options
Different options appear depending on the type of virtual IP you want to define. Choose from Static NAT or port forwarding.
Figure 49: Virtual IP options; static NAT

Figure 50: Virtual IP options; port forwarding

Virtual IP has the following options.
Name: Enter the name to identify the virtual IP.
Type: Select Static NAT or Port Forwarding.
External Interface: Select the virtual IP external interface from the list.
External IP Address: Enter the external IP address that you want to map to an address on the destination network. To configure dynamic port forwarding, set the external IP address to 0.0.0.0.
External Service Port: Enter the external service port number that you want to configure port forwarding for. (Port forwarding only.)
Map to IP: Enter the real IP address on the destination network.
Map to Port: Enter the port number to be added to packets when they are forwarded. (Port forwarding only.)
Protocol: Select the protocol (TCP or UDP) that you want the forwarded packets to use. (Port forwarding only.)

Configuring virtual IPs

• To add a static NAT virtual IP
• To add port forwarding virtual IPs
• To add a dynamic port forwarding virtual IP

To add a static NAT virtual IP
1 Go to Firewall > Virtual IP.
2 Select Create New.
3 Enter a name for the virtual IP.
4 Select the virtual IP External Interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. You can select any firewall interface or a VLAN subinterface. You can set the virtual IP external interface to any FortiGate interface. Table 2 on page 184 contains example virtual IP external interface settings and describes the policies to which you can add the resulting virtual IP.
5 Select Static NAT.
6 Enter the External IP Address that you want to map to an address on the destination network. For example, if the virtual IP provides access from the Internet to a web server on a destination network, the external IP address must be a static IP address obtained from your ISP for your web server. This address must be a unique address that is not used by another host and cannot be the same as the IP address of the external interface selected in step 4. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets.
7 Enter the Map to IP address to which to map the external IP address. For example, the IP address of a web server on an internal network.

Note: The firewall translates the source address of outbound packets from the host with the Map to IP address to the virtual IP External IP Address, instead of the firewall external address.

8 Select OK. You can now add the virtual IP to firewall policies.

Table 2: Virtual IP external interface examples

External Interface / Description
internal: To map an internal address to a wan1, wan2, DMZ, or modem address. If you select internal, the static NAT virtual IP can be added to Internal->WAN1, Internal->WAN2, Internal->DMZ, and Internal->modem policies.
wan1: To map an Internet address to an internal or DMZ address. If you select wan1, the static NAT virtual IP can be added to WAN1->Internal, WAN1->DMZ, WAN1->WAN2, and WAN1->modem policies.

To add port forwarding virtual IPs
1 Go to Firewall > Virtual IP.
2 Select Create New.
3 Enter a name for the port forwarding virtual IP.
4 Select the virtual IP External Interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. You can select any firewall interface or a VLAN subinterface.
5 Select Port Forwarding.
6 Enter the External IP Address that you want to map to an address on the destination interface. You can set the external IP address to the IP address of the external interface selected in step 4 or to any other address. For example, if the virtual IP provides access from the Internet to a server on your internal network, the external IP address must be a static IP address obtained from your ISP for this server. This address must be a unique address that is not used by another host. However, this address must be routed to the external interface selected in step 4. The virtual IP address and the external IP address can be on different subnets.
7 Enter the External Service Port number for which you want to configure port forwarding. The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides access from the Internet to a web server, the external service port number is 80 (the HTTP port).
8 Enter the Map to IP address to which to map the external IP address. For example, the IP address of a web server on an internal network.
9 Enter the Map to Port number to be added to packets when they are forwarded. If you do not want to translate the port, enter the same number as the External Service Port.
10 Select OK.

To add a dynamic port forwarding virtual IP
1 Go to Firewall > Virtual IP.
2 Select Create New.
3 Enter a name for the dynamic port forwarding virtual IP.
4 Select the virtual IP External Interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. You can select any firewall interface or a VLAN subinterface.
5 Select Port Forwarding.
6 Set the External IP Address to 0.0.0.0. The 0.0.0.0 External IP Address matches any IP address.
7 Enter the External Service Port number for which you want to configure dynamic port forwarding. The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides PPTP passthrough access from the Internet to a PPTP server, the external service port number should be 1723 (the PPTP port). See “PPTP passthrough” on page 251 for more information.
8 Enter the Map to IP address to which to map the external IP address. For example, the IP address of a PPTP server on an internal network.
9 Enter the Map to Port number to be added to packets when they are forwarded. If you do not want to translate the port, enter the same number as the External Service Port.
10 Select OK.

To delete a virtual IP
1 Go to Firewall > Virtual IP.
2 Select the Delete icon beside the virtual IP you want to delete.
3 Select OK.

To edit a virtual IP
1 Go to Firewall > Virtual IP.
2 Select the Edit icon beside the virtual IP you want to modify.
3 Select OK.
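The three virtual IP types described above, modelled as an added Python example that is not part of the guide: static NAT matches on the external address alone, port forwarding also needs the protocol and External Service Port, and an External IP Address of 0.0.0.0 (dynamic port forwarding) matches any destination address. It also applies the note that outbound packets from a static NAT Map to IP host take the External IP Address as their source. The addresses, names and first-match ordering of the list are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class VirtualIP:
    name: str
    vip_type: str                                 # "static-nat" or "port-forwarding"
    external_ip: str                              # 0.0.0.0 + port forwarding = dynamic port forwarding
    map_to_ip: str
    external_service_port: Optional[int] = None   # port forwarding only
    map_to_port: Optional[int] = None             # port forwarding only
    proto: str = "tcp"                            # port forwarding only: tcp or udp

    def matches_inbound(self, pkt):
        if self.vip_type == "static-nat":
            return pkt.dst_ip == self.external_ip
        if pkt.proto != self.proto or pkt.dst_port != self.external_service_port:
            return False
        # The guide: an External IP Address of 0.0.0.0 matches any IP address.
        return self.external_ip == "0.0.0.0" or pkt.dst_ip == self.external_ip


def validate(vip, external_interface_ip):
    """Configuration checks stated in the guide's procedures; returns a list of problems."""
    problems = []
    if vip.vip_type == "static-nat":
        if vip.external_ip == external_interface_ip:
            problems.append("static NAT External IP Address cannot equal the external interface IP")
        if vip.external_ip == "0.0.0.0":
            problems.append("0.0.0.0 is only meaningful for port forwarding")
    elif vip.vip_type == "port-forwarding":
        if vip.external_service_port is None or vip.map_to_port is None:
            problems.append("port forwarding needs External Service Port and Map to Port")
        if vip.proto not in ("tcp", "udp"):
            problems.append("Protocol must be TCP or UDP")
    else:
        problems.append(f"unknown virtual IP type {vip.vip_type!r}")
    return problems


def translate_inbound(vips, pkt):
    """Destination translation for a packet arriving on the external interface.
    The first virtual IP in the list that matches is applied (assumed ordering).
    Returns (packet, name of the virtual IP used, or None when nothing matched)."""
    for vip in vips:
        if vip.matches_inbound(pkt):
            if vip.vip_type == "static-nat":
                return replace(pkt, dst_ip=vip.map_to_ip), vip.name
            return replace(pkt, dst_ip=vip.map_to_ip, dst_port=vip.map_to_port), vip.name
    return pkt, None


def translate_outbound(vips, pkt):
    """Source translation for a packet leaving a static NAT Map to IP host: per the
    guide's note its source becomes the External IP Address, not the firewall's
    own external address."""
    for vip in vips:
        if vip.vip_type == "static-nat" and pkt.src_ip == vip.map_to_ip:
            return replace(pkt, src_ip=vip.external_ip), vip.name
    return pkt, None


# Constructed sample (not from the guide): wan1 is 203.0.113.1.
WAN1_IP = "203.0.113.1"
SAMPLE_VIPS = [
    VirtualIP("web-static", "static-nat", "203.0.113.10", "10.10.10.3"),
    VirtualIP("www-pf", "port-forwarding", WAN1_IP, "192.168.1.20", 80, 8080, "tcp"),
    VirtualIP("pptp-dyn", "port-forwarding", "0.0.0.0", "192.168.1.30", 1723, 1723, "tcp"),
]

if __name__ == "__main__":
    for vip in SAMPLE_VIPS:
        print(vip.name, validate(vip, WAN1_IP) or "ok")
    print(translate_inbound(SAMPLE_VIPS, Packet("198.51.100.7", 40000, WAN1_IP, 80)))
```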

IP pool
An IP pool (also called a dynamic IP pool) is a range of IP addresses added to a firewall interface. You can enable Dynamic IP Pool in a firewall policy to translate the source address to an address randomly selected from the IP pool. An IP pool dropdown list appears when the policy destination interface is the same as the IP pool interface. You can add an IP pool if you want to add NAT mode policies that translate source addresses to addresses randomly selected from the IP pool rather than being limited to the IP address of the destination interface.

For example, if you add an IP pool to the internal interface, you can select Dynamic IP pool for WAN1->Internal, WAN2->Internal and DMZ->Internal policies. You can add multiple IP pools to any interface and select the IP pool to use when configuring a firewall policy.

You can enter an IP address range using the following formats.
• x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120
• x.x.x.[x-x], for example 192.168.110.[100-120]

This section describes:
• IP pool list
• IP pool options
• Configuring IP pools
• IP Pools for firewall policies that use fixed ports
• IP pools and dynamic NAT

IP pool list
Figure 51: Sample IP pool list

The IP pool list has the following icons and features.
Create New: Select Create New to add an IP pool.
Start IP: The start IP defines the start of an address range.
End IP: The end IP defines the end of an address range.
The Delete and Edit/View icons.

IP pool options
Figure 52: IP pool options

IP pool has the following options.

Interface: Select the interface to which to add an IP pool.
Name: Enter a name for the IP pool.
IP Range/Subnet: Enter the IP address range for the IP pool.


Configuring IP pools

To add an IP pool
1 Go to Firewall > IP Pool.
2 Select Create New.
3 Select the interface to which to add the IP pool. You can select a firewall interface or a VLAN subinterface.
4 Enter the IP Range for the IP pool. The IP range defines the start and end of an address range. The start of the range must be lower than the end of the range. The start and end of the range must be on the same subnet as the IP address of the interface to which you are adding the IP pool.
5 Select OK.

To delete an IP pool
1 Go to Firewall > IP Pool.
2 Select the Delete icon beside the IP pool you want to delete.
3 Select OK.

To edit an IP pool
1 Go to Firewall > IP Pool.
2 For the IP pool that you want to edit, select Edit beside it.
3 Modify the IP pool as required.
4 Select OK to save the changes.

IP Pools for firewall policies that use fixed ports

Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service. You can select fixed port for NAT policies to prevent source port translation. However, selecting fixed port means that only one connection can be supported through the firewall for this service. To be able to support multiple connections, you can add an IP pool to the destination interface, and then select dynamic IP pool in the policy. The firewall randomly selects an IP address from the IP pool and assigns it to each connection. In this case the number of connections that the firewall can support is limited by the number of IP addresses in the IP pool.

IP pools and dynamic NAT

You can use IP pools for dynamic NAT. For example, your organization might have purchased a range of Internet addresses but you might have only one Internet connection on the external interface of your FortiGate unit. You can assign one of your organization’s Internet IP addresses to the external interface of the FortiGate unit. If the FortiGate unit is operating in NAT/Route mode, all connections from your network to the Internet appear to come from this IP address.
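As an added Python example (not part of the guide), the following parses both IP range formats the guide accepts, enforces the two checks from the add procedure (start below end, both on the interface's subnet), and models why a fixed-port policy with a dynamic IP pool can carry only as many same-service connections as the pool has addresses. The interface address, pool range and client addresses are constructed sample values.

```python
import ipaddress
import random
import re

RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")
BRACKET_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){2})\.\[(\d{1,3})-(\d{1,3})\]$")


def parse_ip_range(text):
    """Parse the two range formats the guide accepts and return (start, end):
    x.x.x.x-x.x.x.x   e.g. 192.168.110.100-192.168.110.120
    x.x.x.[x-x]       e.g. 192.168.110.[100-120]"""
    text = text.strip()
    m = RANGE_RE.match(text)
    if m:
        return ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
    m = BRACKET_RE.match(text)
    if m:
        prefix, lo, hi = m.groups()
        return ipaddress.IPv4Address(f"{prefix}.{lo}"), ipaddress.IPv4Address(f"{prefix}.{hi}")
    raise ValueError(f"unrecognised IP range format: {text!r}")


class IPPool:
    """An IP pool on one interface, validated as the 'To add an IP pool' steps require."""

    def __init__(self, name, interface, interface_addr, ip_range):
        self.name = name
        self.interface = interface
        self.start, self.end = parse_ip_range(ip_range)
        if self.start >= self.end:
            raise ValueError("the start of the range must be lower than the end")
        subnet = ipaddress.ip_interface(interface_addr).network   # e.g. 203.0.113.1/24
        if self.start not in subnet or self.end not in subnet:
            raise ValueError("range must be on the same subnet as the interface address")
        self.addresses = [ipaddress.IPv4Address(n)
                          for n in range(int(self.start), int(self.end) + 1)]

    def pick(self, rng=random):
        """Dynamic IP pool: a randomly selected pool address becomes the source."""
        return rng.choice(self.addresses)


class FixedPortSourceNAT:
    """Source NAT for a policy with both fixed port and Dynamic IP Pool enabled.
    Fixed port keeps the original source port, so two connections to the same
    service with the same source port can only be told apart by giving them
    different pool addresses: capacity equals the number of pool addresses."""

    def __init__(self, pool, rng=random):
        self.pool = pool
        self.rng = rng
        self.active = {}   # (translated src, src port, dst ip, dst port) -> original src

    def open(self, src_ip, src_port, dst_ip, dst_port):
        free = [a for a in self.pool.addresses
                if (a, src_port, dst_ip, dst_port) not in self.active]
        if not free:
            return None   # pool exhausted for this service: connection not supported
        chosen = self.rng.choice(free)
        self.active[(chosen, src_port, dst_ip, dst_port)] = src_ip
        return chosen

    def close(self, translated_src, src_port, dst_ip, dst_port):
        self.active.pop((translated_src, src_port, dst_ip, dst_port), None)


# Constructed sample (not from the guide): wan1 is 203.0.113.1/24 and the pool
# holds three addresses from the organisation's range.
WAN1_POOL = IPPool("wan1-pool", "wan1", "203.0.113.1/24", "203.0.113.[10-12]")

if __name__ == "__main__":
    nat = FixedPortSourceNAT(WAN1_POOL)
    for i in range(1, 5):   # four clients, same source port, same service
        print(i, nat.open(f"10.0.0.{i}", 500, "198.51.100.9", 500))
```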

If you want connections to originate from all your Internet IP addresses, you can add this address range to an IP pool for the external interface. Then you can select Dynamic IP Pool for all policies with the external interface as the destination. For each connection, the firewall dynamically selects an IP address from the IP pool to be the source address for the connection. As a result, connections to the Internet appear to be originating from any of the IP addresses in the IP pool.

Protection profile

Use protection profiles to apply different protection settings for traffic that is controlled by firewall policies. You can use protection profiles to:
• Configure antivirus protection for HTTP, FTP, IMAP, POP3, and SMTP policies
• Configure web filtering for HTTP policies
• Configure web category filtering for HTTP policies
• Configure spam filtering for IMAP, POP3, and SMTP policies
• Enable IPS for all services

Using protection profiles, you can customize types and levels of protection for different firewall policies. For example, while traffic between internal and external addresses might need strict protection, traffic between trusted internal addresses might need moderate protection. You can configure policies for different traffic services to use the same or different protection profiles. Protection profiles can be added to NAT/Route mode and Transparent mode policies.

This section describes:
• Protection profile list
• Default protection profiles
• Protection profile options
• Configuring protection profiles

Protection profile list

Figure 53: Sample list showing the default protection profiles

The protection profile list has the following icons and features.

Create New: Select Create New to add a protection profile.
Name: The name of the protection profile.
The Delete and Edit/View icons.

Note: A protection profile cannot be deleted (and the Delete icon is not visible) if it is selected in a firewall policy or included in a user group.

Default protection profiles

The FortiGate unit comes preconfigured with four protection profiles.

Strict: To apply maximum protection to HTTP, FTP, IMAP, POP3, and SMTP traffic. You may not wish to use the strict protection profile under normal circumstances but it is available if you have extreme problems with viruses and require maximum screening.
Scan: To apply virus scanning to HTTP, FTP, IMAP, POP3, and SMTP traffic.
Web: To apply virus scanning and web content blocking to HTTP traffic. You can add this protection profile to firewall policies that control HTTP traffic.
Unfiltered: To apply no scanning, blocking or IPS. Use the unfiltered content profile if you do not want to apply content protection to content traffic. You can add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.

Protection profile options

Figure 54: Adding a protection profile

You can configure the following options when creating or editing a protection profile.

Profile Name: Enter a name for the profile. (New profiles only.)
Anti-Virus: See “Configuring antivirus options” on page 190.
Web Filtering: See “Configuring web filtering options” on page 191.
Web Category Filtering: See “Configuring web category filtering options” on page 191.
Spam Filtering: See “Configuring spam filtering options” on page 192.
IPS: See “Configuring IPS options” on page 193.
Content Log: See “Configuring content log options” on page 193.

Configuring antivirus options

Figure 55: Protection profile antivirus options

The following options are available for antivirus through the protection profile.

Virus Scan: Enable or disable virus scanning (for viruses and worms) for each protocol (HTTP, FTP, IMAP, POP3, SMTP).
File Block: Enable or disable file pattern blocking for each protocol. You can block files by name, by extension, or any other pattern, giving you the flexibility to block files that may contain harmful content.
Quarantine (models with local disk only): Enable or disable quarantining for each protocol. You can quarantine suspect files to view them or submit files to Fortinet for analysis.
Buffer to disk: Enable or disable buffer to disk for each protocol. Buffering to disk allows files too large for memory to be scanned from the local disk. The maximum threshold for scanning in memory is 40% of the FortiGate unit RAM. The maximum file size for local disk buffering is 1 GB.
Pass fragmented emails: Enable or disable passing fragmented email for mail protocols (IMAP, POP3, SMTP). Fragmented email cannot be scanned for viruses.
Oversized file/email: Select blocking or passing files and email that exceed configured thresholds for each protocol.
Add signature to outgoing emails: Create and enable a signature to append to outgoing email (SMTP only).

See “Antivirus” on page 269 for more antivirus configuration options.

Configuring web filtering options

Figure 56: Protection profile web filtering options

The following options are available for web filtering through the protection profile.

Web Content Block: Enable or disable web page blocking for HTTP traffic based on the banned words and patterns in the content block list.
Web URL Block: Enable or disable web page filtering for HTTP traffic based on the URL block list.
Web Exempt List: Enable or disable web page filtering for HTTP traffic based on the URL exempt list. Exempt URLs are not scanned for viruses.
Web Script Filter: Enable or disable blocking scripts from web pages for HTTP traffic.

See “Web filter” on page 289 for more web filter configuration options.

Configuring web category filtering options

Figure 57: Protection profile web category filtering options (FortiGuard)

The following options are available for web category filtering through the protection profile.

Enable category block (HTTP only): Enable FortiGuard category blocking.
Block unrated websites (HTTP only): Block any web pages that have not been rated by the web filtering service.
Allow websites when a rating error occurs (HTTP only): Allow web pages that return a rating error from the web filtering service.

See “Category block” on page 297 for more category blocking configuration options.

Category: The FortiGuard web filtering service provides many categories by which to filter web traffic. You can set the action to take on web pages for each category. Choose from allow, block, or monitor and pass.

Configuring spam filtering options

Figure 58: Protection profile spam filtering options

The following options are available for spam filtering through the protection profile.

IP address BWL check: Black/white list check. Enable or disable checking incoming IP addresses against the configured spam filter IP address list.
RBL & ORDBL check: Enable or disable checking traffic against configured Real-time Blackhole List and Open Relay Database List servers.
HELO DNS lookup: Enable or disable looking up the source domain name (from the SMTP HELO command) in the Domain Name Server. (SMTP only.)
E-mail address BWL check: Enable or disable checking incoming email addresses against the configured spam filter email address list.
Return e-mail DNS check: Enable or disable checking that the domain specified in the reply-to or from address has an A or MX record.
MIME headers check: Enable or disable checking source MIME headers against the configured spam filter MIME header list.
Banned word check: Enable or disable checking source email against the configured spam filter banned word list.
Spam Action: Choose an action to take on email identified as spam. Choose from pass or tagged for IMAP and POP3 traffic. Choose from pass, tagged, or discard for SMTP traffic. You can choose to log any spam action in the event log.

Note: Choosing to tag spam email messages automatically disables splice.

Append to: Choose to append the tag to the subject or MIME header of the email identified as spam. You can tag email by appending a custom word or phrase to the subject or inserting a MIME header and value into the email header.
Append with: Enter a word or phrase (tag) to append to email identified as spam. The maximum length is 63 characters.

Note: Some popular email clients cannot filter messages based on the MIME header. Check your email client features before deciding how to tag spam.

See “Spam filter” on page 303 for more spam filter configuration options.

Note: If both Virus Scan and File Block are enabled, the FortiGate unit blocks files that match enabled file patterns before they are scanned for viruses.

Configuring IPS options

Figure 59: Protection profile IPS options

The following options are available for IPS through the protection profile.

IPS Signature: Enable or disable signature based intrusion detection and prevention for all protocols.
IPS Anomaly: Enable or disable anomaly based intrusion detection and prevention for all protocols.

See “IPS” on page 259 for more IPS configuration options.

Configuring content log options

Figure 60: Protection profile content log options

The following options are available for content log through the protection profile.

Log content meta-information: Enable or disable logging content meta-data for each protocol. Content meta-data can include date and time, source and destination information, request and response size, and scan result.

Configuring protection profiles

If the default protection profiles do not provide the settings you require, you can create custom protection profiles.

To add a protection profile
1 Go to Firewall > Protection Profile.
2 Select Create New.
3 Enter a name for the profile.
4 Configure the protection profile options.
5 Select OK.

To delete a protection profile
1 Go to Firewall > Protection Profile.
2 Select the Delete icon beside the protection profile you want to delete.
3 Select OK.

To edit a protection profile
1 Go to Firewall > Protection Profile.
2 Select the Edit icon beside the protection profile you want to modify.
3 Modify the profile as required.
4 Select OK.

Note: To change the protection profile name you must delete the profile and add it with a new name.

To add a protection profile to a policy
You can enable protection profiles for firewall policies with action set to allow or encrypt and with service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services.
1 Go to Firewall > Policy.
2 Select a policy list to which you want to add a protection profile. For example, to enable network protection for files downloaded from the web by internal network users, select an internal to external policy list.
3 Select Create New to add a policy or select Edit for the policy you want to modify.
4 Select protection profile.
5 Select a protection profile from the list.
6 Configure the remaining policy settings, if required.
7 Select OK.
8 Repeat this procedure for any policies for which you want to enable network protection.

CLI configuration

This guide only covers Command Line Interface (CLI) commands, keywords, or variables (in bold) that are not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands see the FortiGate CLI Reference Guide.

profile

Use this command to add, edit or delete protection profiles. Use protection profiles to apply different protection settings for traffic controlled by firewall policies.

Command syntax pattern
    config firewall profile
        edit <profilename_str>
            set <keyword> <variable>
    config firewall profile
        edit <profilename_str>
            unset <keyword>

    config firewall profile
        delete <profilename_str>
    get firewall profile [<profilename_str>]
    show firewall profile [<profilename_str>]

firewall profile command keywords and variables

Keywords and variables / Description / Default / Availability

ftp {block buffer_to_disk content_log oversize quarantine scan splice}
Description: Select the actions that this profile will use for filtering FTP traffic for a policy. Enter all the actions you want this profile to use. Use a space to separate the options you enter. If you want to remove an option from the list or add an option to the list, you must retype the list with the option removed or added.
• Entering splice enables the FortiGate unit to simultaneously buffer a file for scanning and upload the file to an FTP server. If a virus is detected, the FortiGate unit stops the upload and attempts to delete the partially uploaded file from the FTP server. To delete the file successfully, the server permissions must be set to allow deletes. If the file is clean, the FortiGate unit will allow the upload to continue. When downloading files from an FTP server the FortiGate unit sends 1 byte every 30 seconds to prevent the client from timing out during scanning and download. If a virus is detected, the FortiGate unit stops the download. The user must then delete the partially downloaded file. There should not be enough content in the file to cause any harm. Enabling splice reduces timeouts when uploading and downloading large files. When splice is disabled for ftp, the FortiGate unit buffers the file for scanning before uploading it to the FTP server.
Default: No default.
Availability: All models.

http {bannedword block buffer_to_disk catblock chunkedbypass content_log oversize quarantine scan scriptfilter urlblock urlexempt}
Description: Select the actions that this profile will use for filtering HTTP traffic for a policy. Enter all the actions you want this profile to use. Use a space to separate the options you enter. If you want to remove an option from the list or add an option to the list, you must retype the list with the option removed or added.
• Enter chunkedbypass to allow web sites that use chunked encoding for HTTP to bypass the firewall. Chunked encoding means the HTTP message body is altered to allow it to be transferred in a series of chunks. Malicious content could enter your network if you allow web content to bypass the firewall. Use this feature at your own risk.
Default: No default.
Availability: All models.

smtp {bannedword block buffer_to_disk content_log fragmail oversize quarantine scan spamemailbwl spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrbl splice}
Description: Select the actions that this profile will use for filtering SMTP traffic for a policy. Enter all the actions you want this profile to use. Use a space to separate the options you enter. If you want to remove an option from the list or add an option to the list, you must retype the list with the option removed or added.
• Entering splice enables the FortiGate unit to simultaneously scan an email and send it to the SMTP server. If the FortiGate unit detects a virus, it terminates the server connection and returns an error message to the sender, listing the virus name and infected filename. In this mode, the SMTP server is not able to deliver the email if it was sent with an infected attachment. The receiver does not receive the email or the attachment. Throughput is higher when splice is enabled. When splice is disabled for SMTP, the FortiGate unit scans the email first. If the FortiGate unit detects a virus, it removes the infected attachment, adds a customizable message, and sends the email to the SMTP server for delivery. Selecting enable for the splice keyword returns an error message to the sender if an attachment is infected. When splice is disabled, infected attachments are removed and the email is forwarded (without the attachment) to the SMTP server for delivery to the recipient.
Default: fragmail
Availability: All models.

get firewall profile

This example shows how to display the settings for the firewall profile command.
    get firewall profile

show firewall profile This example shows how to display the configuration for the spammail profile.Firewall Protection profile This example shows how to display the settings for the spammail profile. get firewall profile spammail This example shows how to display the configuration for the firewall profile command. show firewall profile spammail FortiGate-60 Administration Guide 01-28003-0002-20040716 197 .

.Protection profile Firewall 198 01-28003-0002-20040716 Fortinet Inc.

FortiGate-60 Administration Guide Version 2.80

Users and authentication

FortiGate units support user authentication to the FortiGate user database, RADIUS servers, and LDAP servers. You can add user names to the FortiGate user database and then add a password to allow the user to authenticate using the internal database. You can also add the names of RADIUS and LDAP servers. You can select RADIUS to allow the user to authenticate using the selected RADIUS server or LDAP to allow the user to authenticate using the selected LDAP server. You can disable a user name so that the user cannot authenticate.

To enable authentication, you must add user names to one or more user groups. You can also add RADIUS servers and LDAP servers to user groups. You can then select a user group when you require authentication. You can select user groups to require authentication for:
• any firewall policy with Action set to ACCEPT
• IPSec dialup user phase 1 configurations
• XAuth functionality for phase 1 IPSec VPN configurations
• PPTP
• L2TP

When a user enters a user name and password, the FortiGate unit searches the internal user database for a matching user name. If Disable is selected for that user name, the user cannot authenticate and the connection is dropped. If Password is selected for that user and the password matches, the connection is allowed. If the password does not match, the connection is dropped. If RADIUS is selected and RADIUS support is configured and the user name and password match a user name and password on the RADIUS server, the connection is allowed. If the user name and password do not match a user name and password on the RADIUS server, the connection is dropped. If LDAP is selected and LDAP support is configured and the user name and password match a user name and password on the LDAP server, the connection is allowed. If the user name and password do not match a user name and password on the LDAP server, the connection is dropped.

If the user group contains user names, a RADIUS server, and an LDAP server, the FortiGate unit checks them in the order in which they have been added to the user group.

This chapter describes:
• Setting authentication timeout
• Local
• RADIUS
• LDAP
• User group

Setting authentication timeout

Authentication timeout controls how long authenticated firewall connections can remain idle before users must authenticate again to get access through the firewall. The default authentication timeout is 15 minutes.

To set authentication timeout
1 Go to System > Config > Options.
2 In Auth Timeout, type a number, in minutes.

Local

Go to User > Local to add local user names and configure authentication.

Local user list
Figure 1: Local user list
Create New: Add a new local username.
User Name: The local user name.
Type: The authentication type to use for this user.
The Delete and Edit icons.

Local user options
Figure 2: Local user options
User Name: Enter the user name.
Disable: Select Disable to prevent this user from authenticating.
Password: Select Password to require the user to authenticate using a password. Enter the password that this user must use to authenticate. The password should be at least six characters long.
LDAP: Select LDAP to require the user to authenticate to an LDAP server. Select the name of the LDAP server to which the user must authenticate. You can only select an LDAP server that has been added to the FortiGate LDAP configuration. See “LDAP” on page 203.
Radius: Select Radius to require the user to authenticate to a RADIUS server. Select the name of the RADIUS server to which the user must authenticate. You can only select a RADIUS server that has been added to the FortiGate RADIUS configuration. See “RADIUS” on page 202.

To add a user name and configure authentication
1 Go to User > Local.
2 Select Create New to add a new user name or select the Edit icon to edit an existing configuration.
3 Type the User Name.
4 Select the authentication type for this user.
5 Select OK.

To delete a user name from the internal database
You cannot delete user names that have been added to user groups. Remove user names from user groups before deleting them.
1 Go to User > Local.
2 Select the Delete icon for the user name that you want to delete.
3 Select OK.
Note: Deleting the user name deletes the authentication configured for the user.

RADIUS

If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit contacts the RADIUS server for authentication. The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645 you can use the CLI to change the default RADIUS port. For more information see the config system global command entry in the FortiGate CLI Reference Guide.

RADIUS server list
Figure 3: RADIUS server list
Create New: Add a new RADIUS server.
Name: The RADIUS server name.
Server Name/IP: The domain name or IP address of the RADIUS server.
The Delete and Edit icons.

RADIUS server options
Figure 4: RADIUS configuration
Name: Enter a name to identify the RADIUS server.
Server Name/IP: Enter the domain name or IP address of the RADIUS server.
Secret: Enter the RADIUS server secret.

To configure the FortiGate unit for RADIUS authentication
1 Go to User > RADIUS.
2 Select Create New to add a new RADIUS server or select the Edit icon to edit an existing configuration.
3 Enter the Name of the RADIUS server.
4 Enter the domain name or IP address of the RADIUS server.
5 Enter the RADIUS server secret.
6 Select OK.

To delete a RADIUS server
You cannot delete a RADIUS server that has been added to a user group.
1 Go to User > RADIUS.
2 Select the Delete icon beside the RADIUS server name that you want to delete.
3 Select OK.

LDAP

If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated with the FortiGate unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiGate unit.

The FortiGate unit supports LDAP protocol functionality defined in RFC2251 for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3. FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers. FortiGate LDAP support does not supply information to the user about why authentication failed.

LDAP user authentication is supported for PPTP, L2TP, IPSec VPN, and firewall authentication. With PPTP, L2TP, and IPSec VPN, PAP (Password Authentication Protocol) is supported and CHAP (Challenge-Handshake Authentication Protocol) is not.

LDAP server list
Figure 5: LDAP server list
Create New: Add a new LDAP server.
Server Name/IP: The domain name or IP address of the LDAP server.
Port: The port used to communicate with the LDAP server.
Common Name Identifier: The common name identifier for the LDAP server.
Distinguished Name: The distinguished name used to look up entries on the LDAP server.
The Delete and Edit icons.

LDAP server options
Figure 6: LDAP server configuration
Name: Enter a name to identify the LDAP server.
Server Name/IP: Enter the domain name or IP address of the LDAP server.
Port: Enter the port used to communicate with the LDAP server. By default LDAP uses port 389.
Common Name Identifier: Enter the common name identifier for the LDAP server. The common name identifier for most LDAP servers is cn. However some servers use other common name identifiers such as uid.
Distinguished Name: Enter the distinguished name used to look up entries on the LDAP server. Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server. For example, you could use the following base distinguished name:
    ou=marketing,dc=fortinet,dc=com
where ou is organization unit and dc is domain component. You can also specify multiple instances of the same field in the distinguished name, for example, to specify multiple organization units:
    ou=accounts,ou=marketing,dc=fortinet,dc=com

To configure the FortiGate unit for LDAP authentication:
1 Go to User > LDAP.
2 Select Create New to add a new LDAP server, or select the Edit icon to edit an existing configuration.
3 Enter the name of the LDAP server.
4 Enter the domain name or IP address of the LDAP server.
5 Enter the port used to communicate with the LDAP server.
6 Enter the common name identifier for the LDAP server.
7 Enter the distinguished name used to look up entries on the LDAP server.
8 Select OK.

To delete an LDAP server
You cannot delete an LDAP server that has been added to a user group.
1 Go to User > LDAP.
2 Select Delete beside the LDAP server name that you want to delete.
3 Select OK.
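The base distinguished name format above, as an added example that is not part of the guide: a parser that splits an LDAP-format base DN into its ordered attribute=value parts (handling backslash-escaped commas) and groups repeated attributes such as the two ou components. The entry_dn() helper, which joins the common name identifier (cn or uid), a user name and the base DN, is an illustration and an assumption about how a lookup DN is formed, not a description of the FortiGate implementation.

```python
"""Parser for the base distinguished name format shown above.

Added example, not FortiGate code. parse_base_dn() splits a base DN written
in LDAP format into its ordered attribute=value parts, honouring
backslash-escaped commas, and group_attributes() collects repeated
attributes (the multiple ou case above). entry_dn() shows how a user name
combined with the common name identifier (cn or uid) and the base DN names
a single entry; that a FortiGate unit builds the lookup DN exactly this way
is an assumption made for illustration.
"""
from typing import Dict, List, Tuple


def parse_base_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(attribute, value), ...] in the order written, left to right."""
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:                      # keep the character after a backslash
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    rdns: List[Tuple[str, str]] = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def group_attributes(rdns: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Collect repeated attributes, e.g. several ou= components, in order."""
    grouped: Dict[str, List[str]] = {}
    for attr, value in rdns:
        grouped.setdefault(attr, []).append(value)
    return grouped


def entry_dn(identifier: str, username: str, base_dn: str) -> str:
    """Name the entry for `username` below `base_dn` (illustrative assumption)."""
    parse_base_dn(base_dn)               # fail early on a malformed base DN
    escaped = username.replace("\\", "\\\\").replace(",", "\\,")
    return f"{identifier}={escaped},{base_dn}"


if __name__ == "__main__":
    # The guide's own example with two organization units.
    print(group_attributes(parse_base_dn("ou=accounts,ou=marketing,dc=fortinet,dc=com")))
    print(entry_dn("cn", "jdoe", "ou=marketing,dc=fortinet,dc=com"))
```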

User group

To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then assign a firewall protection profile to the user group. You can configure authentication as follows:
• Firewall policies that require authentication: You can choose the user groups that are allowed to authenticate with these policies.
• IPSec VPN Phase 1 configurations for dialup users: Only users in the selected user group can authenticate to use the VPN tunnel.
• XAuth for IPSec VPN Phase 1 configurations: Only user groups in the selected user group can be authenticated using XAuth.
• The FortiGate PPTP configuration: Only users in the selected user group can use PPTP.
• The FortiGate L2TP configuration: Only users in the selected user group can use L2TP.

When you add user names, RADIUS servers, and LDAP servers to a user group, the order in which they are added determines the order in which the FortiGate unit checks for authentication. If user names are first, then the FortiGate unit checks for a match with these local users. If a match is not found, the FortiGate unit checks the RADIUS or LDAP server. If a RADIUS or LDAP server is added first, the FortiGate unit checks the server and then the local users.

User group list
Figure 7: User group list
Create New: Add a new user group.
Group Name: The name of the user group.
Members: The users, RADIUS servers, or LDAP servers in a user group.
Protection Profile: The protection profile associated with this user group.
The Delete and Edit icons.

User group options
Figure 8: User group configuration
Group Name: Enter the name of the user group.
Available Users: The list of users, RADIUS servers, or LDAP servers that can be added to a user group.
Members: The list of users, RADIUS servers, or LDAP servers added to a user group.
Protection Profile: Select a protection profile for this user group.

To configure a user group
1 Go to User > User Group.
2 Select Create New to add a new user group, or select the Edit icon to edit an existing configuration.
3 Enter a Group Name to identify the user group.
4 To add users to the user group, select a user from the Available Users list and select the right arrow to add the name to the Members list.
5 To add a RADIUS server to the user group, select a RADIUS server from the Available Users list and select the right arrow to add the RADIUS server to the Members list.
6 To add an LDAP server to the user group, select an LDAP server from the Available Users list and select the right arrow to add the LDAP server to the Members list.
7 To remove users, RADIUS servers, or LDAP servers from the user group, select a user, RADIUS server, or LDAP server from the Members list and select the left arrow to remove the name.
8 Select a protection profile from the Protection Profiles list.
9 Select OK.
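The member-order rule of this user group section, together with the per-user rules from the chapter introduction (Disable, Password, RADIUS, LDAP), as an added example that is not FortiGate code: a Python model of the decision flow with constructed in-memory users and servers standing in for real RADIUS and LDAP. It shows why order matters: the same disabled local account is dropped when local users come first but admitted when a server that still knows the account is checked first.

```python
"""Model of the user-group authentication order described above.

Added example, not FortiGate code. It reproduces the stated rules: a local
user of type Disable is always dropped, a Password user must match the
stored password, a RADIUS or LDAP user is checked against the named
server, and group members are consulted in the order they were added.
That a matching local user name decides the result on its own (so a wrong
password is not retried against a later server) is an assumption taken
from the introduction's "the connection is dropped" wording.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

ALLOW = "allow"
DROP = "drop"


@dataclass
class LocalUser:
    name: str
    auth_type: str                  # "Disable", "Password", "RADIUS" or "LDAP"
    password: Optional[str] = None  # only for auth_type == "Password"
    server: Optional[str] = None    # server name for RADIUS/LDAP users


@dataclass
class AuthServer:
    """Stand-in for a configured RADIUS or LDAP server (constructed)."""
    name: str
    kind: str                       # "RADIUS" or "LDAP"
    accounts: Dict[str, str] = field(default_factory=dict)

    def check(self, user: str, password: str) -> bool:
        return self.accounts.get(user) == password


Member = Union[LocalUser, AuthServer]


def check_local_user(user: LocalUser, password: str,
                     servers: Dict[str, AuthServer]) -> str:
    """Apply the per-user rules from the chapter introduction."""
    if user.auth_type == "Disable":
        return DROP
    if user.auth_type == "Password":
        return ALLOW if user.password == password else DROP
    if user.auth_type in ("RADIUS", "LDAP"):
        server = servers.get(user.server or "")
        # "RADIUS/LDAP support is configured" == the named server exists.
        if server is None or server.kind != user.auth_type:
            return DROP
        return ALLOW if server.check(user.name, password) else DROP
    return DROP


def authenticate(members: List[Member], username: str, password: str,
                 servers: Dict[str, AuthServer]) -> str:
    """Walk the group members in the order they were added.

    A local-user entry whose name matches decides the result immediately.
    A server entry allows the connection if it accepts the credentials;
    otherwise the next member is tried. No match at all means drop.
    """
    for member in members:
        if isinstance(member, LocalUser):
            if member.name == username:
                return check_local_user(member, password, servers)
        elif member.check(username, password):
            return ALLOW
    return DROP


# Constructed sample configuration (not from the guide).
RADIUS1 = AuthServer("radius1", "RADIUS",
                     {"alice": "r4dius-pw", "dave": "dave-pw", "eve": "eve-pw"})
LDAP1 = AuthServer("ldap1", "LDAP", {"carol": "ld4p-pw"})
SERVERS = {s.name: s for s in (RADIUS1, LDAP1)}

BOB = LocalUser("bob", "Password", password="local-pw")
ALICE = LocalUser("alice", "RADIUS", server="radius1")
EVE = LocalUser("eve", "Disable")          # disabled locally, still on radius1

# Same members, two different add orders.
LOCAL_FIRST: List[Member] = [BOB, ALICE, EVE, RADIUS1, LDAP1]
SERVER_FIRST: List[Member] = [RADIUS1, LDAP1, BOB, ALICE, EVE]


if __name__ == "__main__":
    for order_name, members in (("local first", LOCAL_FIRST), ("server first", SERVER_FIRST)):
        print(order_name, "eve:", authenticate(members, "eve", "eve-pw", SERVERS))
```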

To delete a user group
You cannot delete a user group that is included in a firewall policy, a dialup user phase 1 configuration, or a PPTP or L2TP configuration.
1 Go to User > User Group.
2 Select Delete beside the user group that you want to delete.
3 Select OK.

CLI configuration

This guide only covers Command Line Interface (CLI) commands that are not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands see the FortiGate CLI Reference Guide.

peer

Use this command to add or edit the peer certificate information.

Command syntax pattern
config user peer
    edit <name_str>
        set <keyword> <variable>
config user peer
    edit <name_str>
        unset <keyword>
config user peer
    delete <name_str>
get user peer [<name_str>]
show user peer [<name_str>]

peer command keywords and variables

Keywords and variables: ca
Description: Enter the peer Certificate Authority (CA).
Default: No default.
Availability: All models.

Keywords and variables: cn
Description: Enter the peer certificate common name.
Default: No default.
Availability: All models.

Keywords and variables: cn-type {FQDN | email | ipv4 | string}
Description: Enter the peer certificate common name type.
Default: string
Availability: All models.

Keywords and variables: subject
Description: Enter the peer certificate name constraints.
Default: No default.
Availability: All models.

Example

This example shows how to add the branch_office peer.
    config user peer
        edit branch_office
            set ca
            set cn
            set cn-type
    end
This example shows how to display the list of configured peers.
    get user peer
This example shows how to display the settings for the peer branch_office.
    get user peer branch_office
This example shows how to display the configuration for all the peers.
    show user peer
This example shows how to display the configuration for the peer branch_office.
    show user peer branch_office

peergrp

Use this command to add or edit a peer group.

Command syntax pattern
config user peergrp
    edit <name_str>
        set <keyword> <variable>
config user peergrp
    edit <name_str>
        unset <keyword>
config user peergrp
    delete <name_str>
get user peergrp [<name_str>]
show user peergrp [<name_str>]

peergrp command keywords and variables

Keywords and variables: member <name_str> [<name_str> [<name_str> [<name_str> ... ]]]
Description: Enter the names of peers to add to the peer group. Separate names by spaces. To add or remove names from the group you must re-enter the whole list with the additions or deletions required.
Default: No default.
Availability: All models.

Example

This example shows how to add peers to the peergrp EU_branches.
    config user peergrp
        edit EU_branches
            set member Sophia_branch Valencia_branch Cardiff_branch
    end
This example shows how to display the list of configured peer groups.
    get user peergrp
This example shows how to display the settings for the peergrp EU_branches.
    get user peergrp EU_branches
This example shows how to display the configuration for all the peer groups.
    show user peergrp
This example shows how to display the configuration for the peergrp EU_branches.
    show user peergrp EU_branches


FortiGate-60 Administration Guide Version 2.80

IPSec VPN

FortiGate units support automated Internet Key Exchange (AutoIKE) and manual key IPSec VPNs in both NAT/Route and Transparent mode. AutoIKE IPSec VPN with preshared keys or certificates supports IPSec VPNs with static IPs, dialup users, and dynamic DNS.

This chapter describes:
• Phase 1
• Phase 2
• Manual Key
• Concentrator
• Monitor
• IPSec VPN ping generator
• AutoIKE IPSec VPN with preshared keys
• AutoIKE IPSec VPN with certificates
• Peer to peer VPN
• Dialup VPN
• Dynamic DNS VPN
• Manual key IPSec VPN
• Adding firewall policies for IPSec VPN
• DHCP over IPSec
• Internet browsing through a VPN tunnel
• IPSec VPN in Transparent mode
• Hub and spoke VPNs
• Redundant IPSec VPNs
• Managing digital certificates
• Troubleshooting

Phase 1

Phase 1 of an AutoIKE tunnel negotiation consists of the exchange of proposals for how to authenticate and secure the channel. If the parameters match, the tunnel will be created. For a manual key tunnel, the negotiation process is simplified because all Security Association (SA) parameters have been defined at both ends. In effect, the negotiation is decided before the session starts.

In most cases, you only need to configure the basic VPN settings.

To configure phase 1 settings
1 Go to VPN > IPSEC > Phase 1.
2 Select Create New to create a new VPN gateway or select an existing gateway to configure.

Phase 1 list
Figure 9: IPSec VPN Phase 1 list
Create new: Select Create New to add a Phase 1 configuration, also called a remote gateway.
Gateway Name: The names of the Phase 1 configurations (remote gateways) added.
Gateway IP: The IP address of the remote gateway if this is a static IP address phase 1, Dialup if this is a dialup Phase 1 configuration, and the domain name if this is a dynamic DNS phase 1.
Mode: Main mode or Aggressive mode.
Encryption Algorithm: The names of the encryption and authentication algorithms used by each phase 1 configuration.
Edit, view, or delete phase 1 configurations.

Phase 1 basic settings
Figure 10: Phase 1 basic settings
Gateway Name: The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
Remote Gateway: Select a Remote Gateway address type. The remote VPN peer can be either a gateway to another network or an individual client on the Internet. If the remote VPN peer has a static IP address, select Static IP Address. See “Peer to peer VPN” on page 228. If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE), select Dialup User. See “Dialup VPN” on page 229. If the remote VPN peer uses Dynamic DNS, select Dynamic DNS. See “Dynamic DNS VPN” on page 229. Depending upon the Remote Gateway address type you have selected, other fields become available.
IP Address: If you select Static IP Address for Remote Gateway, enter the IP address of the gateway or client.
Dynamic DNS: If you select Dynamic DNS for Remote Gateway, enter the Dynamic DNS (DDNS) name. DDNS allows a computer to keep the same domain name even if its IP address changes.
Mode: Select Aggressive or Main (ID Protection) mode. Both modes establish a secure channel. When using aggressive mode, the VPN peers exchange identifying information in the clear. When using main mode, identifying information is hidden. The VPN peers must use the same mode. Main mode is typically used when both VPN peers have static IP addresses, or if the remote VPN peer has a static IP address that is not required in the peer identification process. Aggressive mode is typically used when one VPN peer has a dynamic (dialup) address and uses its ID as part of the authentication process. When using aggressive mode, Diffie-Hellman (DH) groups cannot be negotiated. Therefore, you should enter matching DH configurations on the VPN peers when you use aggressive mode.
Authentication Method: Either Preshared Key or RSA Signature.

Pre-shared Key: If you select Preshared Key for Authentication Method, enter the preshared key. The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters. The VPN peers must use the same preshared key.
Certificate Name: If you select RSA Signature for Authentication Method, enter the name of the digital certificate. For information on how to use digital certificates, see “Managing digital certificates” on page 241.
Peer option: If you select Dialup User or Dynamic DNS for Remote Gateway, you can use the Peer Options to authenticate remote VPN peers with peer IDs during phase 1 negotiations. See “Peer identification” on page 241. Select Accept any peer ID to accept any peer ID (and therefore not authenticate remote VPN peers by peer ID). Select Accept this peer ID to accept a remote user or group of VPN peers with this Peer ID. Enter the Peer ID that can select this Phase 1. The Peer ID added to the Phase 1 must match the Local ID or Peer ID of the remote peer for the remote peer to be able to start a VPN session with the FortiGate unit. See “Peer identification” on page 241. Select Accept peer ID in dialup group and select a user group to accept a remote user or group of VPN peers with Peer IDs that match the Peer IDs added to the selected user group.

Phase 1 advanced options
Figure 11: Phase 1 advanced settings
Encryption: The FortiGate unit supports the following encryption methods: DES, 3DES, AES128, AES192, AES256.
Authentication: The FortiGate unit supports the following authentication methods: MD5, SHA1.

DH Group: Select one or more Diffie-Hellman groups from DH group 1, 2, and 5. When the VPN peers have static IP addresses and use aggressive mode, select a single matching DH group. When the VPN peers employ main mode, you can select multiple DH groups. When the VPN peers use aggressive mode in a dialup configuration, select up to three DH groups for the dialup server and select one DH group for the dialup user (client or gateway).
Keylife: The keylife is the amount of time in seconds before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. P1 proposal keylife can be from 120 to 172,800 seconds.
Local ID: If you are using certificates for authentication, you can optionally enter the local ID, which is the distinguished name (DN) of the local certificate.
XAuth: You can configure the FortiGate unit as an Extended Authentication (XAuth) client or an XAuth server. For more information, see “Configuring XAuth” on page 215.
Nat-traversal: Enable this option if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. Both ends of the VPN must have the same NAT traversal setting. NAT traversal is enabled by default. If you enable NAT traversal you can set the keepalive frequency.
Keepalive Frequency: If NAT Traversal is selected, enter the Keepalive Frequency in seconds. The keepalive frequency specifies how frequently empty UDP packets are sent through the NAT device to ensure that the NAT mapping does not change until the IKE and IPSec keylife expires. The keepalive frequency can be from 0 to 900 seconds.
Dead Peer Detection: Enable this option to clean up dead VPN connections and establish new VPN connections.

Configuring XAuth

XAuth is an enhancement to the existing IKE protocol. It allows users to be authenticated in a separate exchange held between Phases 1 and 2. XAuth uses established authentication mechanisms such as RADIUS, PAP and CHAP within the IPSec IKE protocol. In standard IKE, only peers are authenticated, not users. If the FortiGate unit is configured as an XAuth client, it will provide a user name and password when it is challenged. If the FortiGate unit (the local VPN peer) is configured as an XAuth server, it will authenticate remote VPN peers by referring to a user group. The users contained in the user group can be configured locally on the FortiGate unit or on remotely located LDAP or RADIUS servers.

XAuth: Enable as Client
Name: Enter the user name the local VPN peer uses to authenticate itself to the remote VPN peer.
Password: Enter the password the local VPN peer uses to authenticate itself to the remote VPN peer.
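The Phase 1 constraints spread over the basic and advanced settings above (same mode at both ends, same preshared key of at least 6 printable characters with 16 recommended, DH group rules per mode, same NAT traversal setting, keylife 120 to 172,800 s, keepalive 0 to 900 s), gathered into one pre-commit consistency check. This is an added example, not FortiGate code; the Phase1 field defaults for keylife and keepalive are assumptions, and the two configurations it checks are constructed.

```python
"""Consistency check for a pair of Phase 1 configurations.

Added example, not FortiGate code. It encodes only the constraints stated
in the Phase 1 settings text; the default keylife (28800 s) and keepalive
(10 s) values below are assumptions used to keep the sample short.
"""
from dataclasses import dataclass
from typing import List

ENCRYPTION = {"DES", "3DES", "AES128", "AES192", "AES256"}
AUTHENTICATION = {"MD5", "SHA1"}
DH_GROUPS = {1, 2, 5}
STATIC, DIALUP, DDNS = "Static IP Address", "Dialup User", "Dynamic DNS"


@dataclass
class Phase1:
    name: str
    remote_gateway: str            # STATIC, DIALUP or DDNS
    mode: str                      # "Main" or "Aggressive"
    preshared_key: str
    dh_groups: List[int]
    keylife: int = 28800           # seconds (assumed default)
    nat_traversal: bool = True     # enabled by default per the guide
    keepalive: int = 10            # seconds, used only with NAT traversal (assumed default)
    encryption: str = "3DES"
    authentication: str = "SHA1"


def check_single(p: Phase1) -> List[str]:
    """Value and range checks one Phase 1 configuration must satisfy."""
    problems: List[str] = []
    if p.mode not in ("Main", "Aggressive"):
        problems.append(f"{p.name}: mode must be Main or Aggressive")
    if p.encryption not in ENCRYPTION:
        problems.append(f"{p.name}: unsupported encryption {p.encryption}")
    if p.authentication not in AUTHENTICATION:
        problems.append(f"{p.name}: unsupported authentication {p.authentication}")
    if not p.dh_groups or not set(p.dh_groups) <= DH_GROUPS:
        problems.append(f"{p.name}: DH groups must be drawn from 1, 2 and 5")
    if not 120 <= p.keylife <= 172800:
        problems.append(f"{p.name}: keylife {p.keylife} outside 120-172800 seconds")
    if p.nat_traversal and not 0 <= p.keepalive <= 900:
        problems.append(f"{p.name}: keepalive {p.keepalive} outside 0-900 seconds")
    key = p.preshared_key
    if len(key) < 6 or not key.isprintable():
        problems.append(f"{p.name}: preshared key needs at least 6 printable characters")
    elif len(key) < 16:
        problems.append(f"{p.name}: preshared key shorter than the recommended 16 characters (warning)")
    return problems


def check_pair(server: Phase1, client: Phase1) -> List[str]:
    """Cross-checks between the two ends.

    `server` is the end that accepts the connection (the FortiGate unit
    whose Remote Gateway type is given); `client` is the remote peer.
    An empty list means the pair is consistent with the guide's rules.
    """
    problems = check_single(server) + check_single(client)
    if server.mode != client.mode:
        problems.append("VPN peers must use the same mode")
    if server.preshared_key != client.preshared_key:
        problems.append("VPN peers must use the same preshared key")
    if server.nat_traversal != client.nat_traversal:
        problems.append("both ends must have the same NAT traversal setting")
    common = set(server.dh_groups) & set(client.dh_groups)
    if server.mode == "Aggressive":
        # DH groups are not negotiated in aggressive mode, so the two
        # configurations must already match.
        if server.remote_gateway == DIALUP:
            if len(server.dh_groups) > 3:
                problems.append("dialup server: select at most three DH groups")
            if len(client.dh_groups) != 1 or client.dh_groups[0] not in server.dh_groups:
                problems.append("dialup user: select exactly one DH group offered by the server")
        elif len(server.dh_groups) != 1 or set(server.dh_groups) != set(client.dh_groups):
            problems.append("static peers in aggressive mode: select a single matching DH group")
    elif not common:
        problems.append("main mode: peers share no DH group to negotiate")
    return problems


# Constructed configurations (not from the guide).
HQ = Phase1("hq_dialup", DIALUP, "Aggressive", "Kx9vQ2mL7pR4wT1z", [1, 2, 5])
BRANCH_OK = Phase1("branch", STATIC, "Aggressive", "Kx9vQ2mL7pR4wT1z", [5])
BRANCH_BAD = Phase1("branch_bad", STATIC, "Main", "short", [2, 5],
                    keylife=60, nat_traversal=False)

if __name__ == "__main__":
    print(check_pair(HQ, BRANCH_OK))   # []
    for problem in check_pair(HQ, BRANCH_BAD):
        print(problem)
```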

XAuth: Enable as Server
Encryption method: Select the encryption method used between the XAuth client, the FortiGate unit and the authentication server.
PAP: Password Authentication Protocol. (Use PAP with all implementations of LDAP and some implementations of Microsoft RADIUS). Use PAP if the authentication server does not support CHAP.
CHAP: Challenge-Handshake Authentication Protocol. Use CHAP whenever possible.
MIXED: Select MIXED to use PAP between the XAuth client and the FortiGate unit, and CHAP between the FortiGate unit and the authentication server. (Use MIXED with the Fortinet Remote VPN Client.) Use MIXED if the authentication server supports CHAP but the XAuth client does not.
Usergroup: Select a group of users to be authenticated by XAuth. The individual users within the group can be authenticated locally or by one or more LDAP or RADIUS servers. The user group must be added to the FortiGate configuration before it can be selected here.

Phase 2

You configure the AutoIKE phase 2 settings to specify the parameters used to create and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer (the VPN gateway or client). In most cases, you only need to configure the basic phase 2 settings.

To configure phase 2 settings
1 Go to VPN > IPSec > Phase 2.
2 Select Create New to create a new VPN tunnel or select an existing tunnel to configure.

Phase 2 list
Figure 12: IPSec VPN Phase 2 list
Create new: Select Create New to add a Phase 2 configuration, also called a VPN tunnel.
Tunnel Name: The names of the Phase 2 configurations (VPN tunnels) added.
Remote Gateway: The name of the remote gateway (phase 1 configuration) associated with this phase 2 configuration.
Lifetime (sec/kb): The tunnel key lifetime.

Status: The current status of the tunnel. Up, the tunnel is currently processing traffic. Down, tunnel is not processing traffic. Unknown, status of Dialup tunnels. See “Monitor” on page 224 for more information.
Timeout: If the tunnel is processing VPN traffic, the time before the next key exchange.
Edit, view or delete phase 2 configurations.

Phase 2 basic settings
Figure 13: Phase 2 basic settings
Tunnel Name: The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
Remote Gateway: Up to three remote gateways. The remote gateway can be either a gateway to another network or an individual client on the Internet. Remote gateways are added as part of the phase 1 configuration. For details, see “Phase 1” on page 212. Choose either a single DIALUP remote gateway, or up to three STATIC remote gateways. Use the plus and minus signs to increase or decrease the number of STATIC remote gateways associated with this VPN tunnel. Multiple STATIC remote gateways are necessary if you are configuring IPSec redundancy. For information about IPSec redundancy, see “Redundant IPSec VPNs” on page 239.
Concentrator: Select a concentrator if you want to add the tunnel to an existing VPN concentrator to become part of a hub and spoke VPN configuration.

Phase 2 advanced options
Figure 14: Phase 2 advanced settings

P2 Proposal: Add or delete encryption and authentication algorithms. The remote FortiGate gateway must use the same proposals.
Enable replay detection: With replay detection, the FortiClient software checks the sequence number of every IPSec packet to see if it has been previously received. If the same packets exceed a specified sequence range, the FortiClient software discards them.
Enable perfect forward secrecy (PFS): Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.
DH Group: Select one Diffie-Hellman group from DH group 1, 2, and 5. Select one DH Group. You cannot select multiple DH Groups. The remote FortiGate gateway must use the same DH Group settings. The VPN peers must use the same DH Group settings. DH group 1 is least secure. DH group 5 is most secure.
Keylife: The keylife causes the IPSec key to expire after a specified amount of time, after a specified number of kbytes of data have been processed by the VPN tunnel, or both. Select either Seconds or KBytes for the keylife, or select both. If you select both, the key does not expire until both the time has passed and the number of kbytes have been processed. When the key expires, a new key is generated without interrupting service. P2 proposal keylife can be from 120 to 172800 seconds or from 5120 to 2147483648 kbytes.
Autokey Keep Alive: Enable autokey keep alive to keep the VPN connection open even if no data is being transferred.
DHCP-IPSec: Select DHCP over IPSec so that when remote peers connect to the tunnel they can send a DHCP request broadcast and receive an IP address from a DHCP server on the destination network. DHCP-IPSec is only available if the Remote Gateway is set to the name of a dialup VPN gateway. For more information, see “DHCP over IPSec” on page 233.
Internet browsing: Select the Interface through which remote VPN users can connect to the Internet. The internet browsing interface becomes the virtual source interface from which VPN users can connect through the firewall to browse the Internet. In most configurations, the Internet browsing interface would be the internal interface and VPN users would be able to browse the Internet using the same firewall policies as users on the internal network (for example, internal -> wan1 policies). For more information, see “Internet browsing through a VPN tunnel” on page 234.
Quick Mode Identities:
Use selectors from policy. Select this option for policy-based VPNs. A policy-based VPN uses an encrypt policy to select which VPN tunnel to use for the connection. In this configuration, the VPN tunnel is referenced directly from the encrypt policy. You must select this option if both VPN peers are FortiGate units.
Use wildcard selectors. Select this option for routing-based VPNs. A routing-based VPN uses routing information to select which VPN tunnel to use for the connection. In this configuration, the tunnel is referenced indirectly by a route that points to a tunnel interface. You must select this option if the remote VPN peer is a non-FortiGate unit that has been configured to operate in tunnel interface mode.

Manual Key

Configure a manual key tunnel to create an IPSec VPN tunnel between the FortiGate unit and a remote IPSec VPN client or gateway that is also using manual key. Because the keys are created when you configure the tunnel, no negotiation is required for the VPN tunnel to start. However, the VPN gateway or client that connects to this tunnel must use the same encryption and authentication algorithms and must have the same encryption and authentication keys.

A manual key VPN tunnel consists of a name for the tunnel, the IP address of the VPN gateway or client at the opposite end of the tunnel, selection of the encryption and authentication algorithms, and the keys in hexadecimal format.

To configure a manual key VPN
1 Go to VPN > IPSEC > Manual Key and add a VPN tunnel.
2 Add the source address, destination address, and a firewall policy.

Manual key list

Figure 15: IPSec VPN Manual Key list

Create new: Select Create New to add a manual key configuration.
Remote Gateway: The IP address of the remote gateway.
Encryption Algorithm: The names of the encryption algorithms used by each manual key configuration.
Authentication Algorithm: The names of the authentication algorithms used by each manual key configuration.
Edit, view, or delete manual key configurations.

Manual key options

Figure 16: Adding a manual key VPN tunnel

VPN Tunnel Name: The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

Local SPI: The local Security Parameter Index (SPI) identifies the local manual key VPN peer. Enter a hexadecimal number of up to eight digits in the range bb8 to FFFFFFF. This number must be added to the Remote SPI at the opposite end of the tunnel.

Remote SPI: The remote Security Parameter Index identifies the remote manual key VPN peer. Enter a hexadecimal number (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be added to the Local SPI at the opposite end of the tunnel.

Remote Gateway: Enter the external IP address of the FortiGate unit or other IPSec gateway at the opposite end of the tunnel.

Encryption Algorithm: Select an Encryption Algorithm from the list. Use the same algorithm at both ends of the tunnel.

Encryption Key: Enter the Encryption Key. Each two character combination entered in hexadecimal format represents one byte. Depending on the encryption algorithm you have selected, you may be required to enter the key in multiple segments. Use the same encryption key at both ends of the tunnel.
For DES, enter a 16 character (8 byte) hexadecimal number (0-9, A-F).
For 3DES, enter a 48 character (24 byte) hexadecimal number (0-9, A-F). Separate the number into three segments of 16 characters.
For AES128, enter a 32 character (16 byte) hexadecimal number (0-9, A-F). Separate the number into two segments of 16 characters.
For AES192, enter a 48 character (24 byte) hexadecimal number (0-9, A-F). Separate the number into three segments of 16 characters.
For AES256, enter a 64 character (32 byte) hexadecimal number (0-9, A-F). Separate the number into four segments of 16 characters.

Authentication Algorithm: Select an Authentication Algorithm from the list. Use the same algorithm at both ends of the tunnel.

Authentication Key: Enter the Authentication Key. Each two character combination entered in hexadecimal format represents one byte. Use the same authentication key at both ends of the tunnel.
For MD5, enter a 32 character (16 byte) hexadecimal number (0-9, A-F). Separate the number into two segments of 16 characters.
For SHA1, enter a 40 character (20 byte) hexadecimal number (0-9, A-F). Separate the number into two segments, the first of 16 characters and the second of 24 characters.

Concentrator: Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration. Available in NAT/Route mode only. See “Redundant IPSec VPNs” on page 239.

Concentrator

Configure IPSec VPN concentrators to create hub and spoke configurations. IPSec VPN concentrators are only available in NAT/Route mode.

To configure a concentrator
1 Go to VPN > IPSEC > Concentrator and add a concentrator.
2 Add the required Phase 2 configurations to the concentrator.
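Because a manual key tunnel is never negotiated, a mismatch in the manual key options above (key length per algorithm, SPI range, or SPIs that are not swapped between the two peers, as the Manual key IPSec VPN section on page 230 requires) only shows up as a tunnel that silently fails. The following added checker (example code, not part of the guide or of FortiGate) validates one peer's settings and compares two peers' settings before they are entered; the field names, algorithm names and sample keys are constructed.

```python
"""Added example, not part of the FortiGate guide: checks a pair of manual key
tunnel configurations against the rules in the Manual key options table.
Field names, algorithm labels and the sample keys are constructed here."""
import re

# Key lengths in hex characters per algorithm, as listed in the option table.
ENCRYPTION_KEY_HEX_LEN = {"DES": 16, "3DES": 48, "AES128": 32, "AES192": 48, "AES256": 64}
AUTHENTICATION_KEY_HEX_LEN = {"MD5": 32, "SHA1": 40}

SPI_MIN, SPI_MAX = 0xBB8, 0xFFFFFFF        # allowed SPI range, bb8 to FFFFFFF
TUNNEL_NAME_RE = re.compile(r"^[0-9A-Za-z_-]+$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def check_manual_key_config(cfg):
    """Return a list of problems found in one peer's configuration (empty if OK).

    cfg is a dict with keys: name, local_spi, remote_spi, encryption_algorithm,
    encryption_key, authentication_algorithm, authentication_key. Keys are given
    as one hex string; the web-based manager's segments are simply concatenated.
    """
    problems = []
    if not TUNNEL_NAME_RE.match(cfg["name"]):
        problems.append("tunnel name may contain only 0-9, A-Z, a-z, - and _")
    for field in ("local_spi", "remote_spi"):
        spi = cfg[field]
        if not HEX_RE.match(spi) or len(spi) > 8 or not SPI_MIN <= int(spi, 16) <= SPI_MAX:
            problems.append(f"{field} must be a hex number in the range bb8 to FFFFFFF")
    expected = ENCRYPTION_KEY_HEX_LEN.get(cfg["encryption_algorithm"])
    if expected is None:
        problems.append("unknown encryption algorithm")
    elif not HEX_RE.match(cfg["encryption_key"]) or len(cfg["encryption_key"]) != expected:
        problems.append(f"encryption key must be {expected} hex characters ({expected // 2} bytes)")
    expected = AUTHENTICATION_KEY_HEX_LEN.get(cfg["authentication_algorithm"])
    if expected is None:
        problems.append("unknown authentication algorithm")
    elif not HEX_RE.match(cfg["authentication_key"]) or len(cfg["authentication_key"]) != expected:
        problems.append(f"authentication key must be {expected} hex characters ({expected // 2} bytes)")
    return problems


def check_peer_pair(local, remote):
    """Check that two peers' configurations match: same algorithms and keys at
    both ends, and complementary SPIs (each side's local SPI is the other
    side's remote SPI). Returns a list of mismatches."""
    mismatches = []
    for field in ("encryption_algorithm", "encryption_key",
                  "authentication_algorithm", "authentication_key"):
        if local[field].lower() != remote[field].lower():
            mismatches.append(f"{field} differs between the peers")
    if int(local["local_spi"], 16) != int(remote["remote_spi"], 16):
        mismatches.append("local SPI of peer A must equal remote SPI of peer B")
    if int(local["remote_spi"], 16) != int(remote["local_spi"], 16):
        mismatches.append("remote SPI of peer A must equal local SPI of peer B")
    return mismatches


def demo_configs():
    """Constructed sample pair. Peer B has a name with spaces, SPIs copied
    rather than swapped, and an AES128 key that is two characters short, so
    both checks have something to report."""
    peer_a = {
        "name": "hq_to_branch",
        "local_spi": "1000", "remote_spi": "1001",
        "encryption_algorithm": "AES128",
        "encryption_key": "00112233445566778899AABBCCDDEEFF",
        "authentication_algorithm": "SHA1",
        "authentication_key": "0123456789ABCDEF0123456789ABCDEF01234567",
    }
    peer_b = dict(peer_a, name="branch to hq", local_spi="1000", remote_spi="1001",
                  encryption_key="00112233445566778899AABBCCDDEE")
    return peer_a, peer_b
```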

Concentrator list

Figure 17: IPSec VPN concentrator list

Create new: Select Create New to add an IPSec VPN concentrator.
Concentrator name: The names of the IPSec VPN concentrators that have been added.
Members: The names of the Phase 2 configurations and manual key configurations added to the IPSec VPN concentrator.
Edit, view, or delete IPSec VPN concentrators.

Concentrator options

In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer known as a hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, managing the VPN connections between the spokes.

A hub-and-spoke IPSec VPN configuration differs from a regular IPSec VPN configuration in two important ways. Firstly, the hub requires one extra configuration step, for the concentrator that groups the hub-and-spoke tunnels together. Secondly, the spokes require one less configuration step, as they do not need tunnels between themselves, only encrypt policies.

To configure a hub-and-spoke VPN, you must configure both the hub and spoke.

Note: You must add the VPN tunnels before adding the concentrator. You must also add the concentrator before adding the firewall policy.

Configuring the hub

You need to do the following on a central FortiGate unit that functions as a hub:
• add the VPN tunnels,
• add a VPN concentrator,
• add a firewall policy.

To configure the VPN settings for the hub
1 Configure a tunnel for each spoke. Choose between a manual key tunnel or an AutoIKE tunnel.
Note: If you use manual key tunnels, the local SPI values for each spoke must be different.
2 Add a destination address for each spoke. The destination address is the address of the spoke (either a client on the Internet or a network located behind a gateway). See “To add an address” on page 167.

3 Add the concentrator configuration. This step groups the tunnels together on the FortiGate unit. The FortiGate unit functions as a concentrator, or hub, in a hub-and-spoke network. The tunnels link the hub to the spokes. The concentrator allows VPN traffic to pass from one tunnel to the other through the FortiGate unit.
4 Add an encrypt policy for each spoke. Encrypt policies control the direction of traffic through the hub and allow inbound and outbound VPN connections between the hub and the spokes. The encrypt policy for each spoke must include the tunnel name of the spoke. The source address must be Internal_All. See “To add a firewall policy” on page 164. Use the following configuration for the encrypt policies:
Source: Internal_All
Destination: The VPN spoke address. See “To add an address” on page 167.
Action: ENCRYPT
VPN Tunnel: The VPN spoke tunnel name.
Allow inbound: Select allow inbound.
Inbound NAT: Select inbound NAT if required.
Allow outbound: Select allow outbound.
Outbound NAT: Select outbound NAT if required.
5 Arrange the policies in the following order:
• encrypt policies
• default non-encrypt policy (Internal_All -> External_All)

Adding a VPN concentrator

The VPN concentrator collects the hub-and-spoke tunnels into a group. The tunnels are added as part of the AutoIKE phase 2 configuration or the manual key configuration.

Figure 18: VPN concentrator

To add a VPN concentrator configuration
1 Go to VPN > IPSec > Concentrator.
2 Select New to add a VPN concentrator.

3 Enter the name of the new concentrator in the Concentrator Name field.
4 To add tunnels to the VPN concentrator, select a VPN tunnel from the Available Tunnels list and select the right arrow.
5 To remove tunnels from the VPN concentrator, select the tunnel in the Members list and select the left arrow.
6 Select OK to add the VPN concentrator.

Configuring the spoke

A remote VPN peer that is functioning as a spoke requires the following configuration:
• A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for the hub.
• The source address of the local VPN spoke.
• The destination address of each remote VPN spoke.
• A separate outbound encrypt policy for each remote VPN spoke. These policies allow the local VPN spoke to initiate encrypted connections.
• A single inbound encrypt policy. This policy allows the local VPN spoke to accept encrypted connections.

To create a VPN spoke configuration:
1 Configure a tunnel between the spoke and the hub.
2 Add the source address. One source address is required for the local VPN spoke. See “To add an address” on page 167.
3 Add a destination address for each remote VPN spoke. The destination address is the address of the spoke (either a client on the Internet or a network located behind a gateway). See “To add an address” on page 167.
4 Add a separate outbound encrypt policy for each remote VPN spoke. These policies control the encrypted connections initiated by the local VPN spoke. The encrypt policy must include the appropriate source and destination addresses and the tunnel added in step 1. See “To add a firewall policy” on page 164. Use the following configuration:
Source: The local VPN spoke address.
Destination: The remote VPN spoke address.
Action: ENCRYPT
VPN Tunnel: The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.)
Allow inbound: Do not enable.
Inbound NAT: Select inbound NAT if required.
Allow outbound: Select allow outbound.
Outbound NAT: Select outbound NAT if required.

5 Add an inbound encrypt policy. This policy controls the encrypted connections initiated by the remote VPN spokes. The encrypt policy for the hub must include the appropriate source and destination addresses and the tunnel added in step 1. See “To add a firewall policy” on page 164. Use the following configuration:
Source: The local VPN spoke address.
Destination: External_All
Action: ENCRYPT
VPN Tunnel: The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.)
Allow inbound: Select allow inbound.
Inbound NAT: Select inbound NAT if required.
Allow outbound: Do not enable.
Outbound NAT: Select outbound NAT if required.
6 Arrange the policies in the following order:
• outbound encrypt policies
• inbound encrypt policy
• default non-encrypt policy (Internal_All -> External_All)
Note: The default non-encrypt policy is required to allow the VPN spoke to access other networks, such as the Internet.

Monitor

You can use the IPSec VPN monitor to view the status of all IPSec VPN tunnels. The IPSec VPN monitor displays addressing, proxy IDs, and status information for each tunnel. From the IPSec VPN monitor you can also start and stop tunnels. To view the IPSec VPN monitor, go to VPN > IPSec > Monitor. The display includes:
• All active dialup tunnels (dialup monitor).
• All configured static IP address remote gateway and dynamic DNS IPSec remote gateway IPSec VPN tunnels (static IP and dynamic DNS monitor).

Dialup monitor

The dialup monitor lists status information for all active dialup VPN tunnels. The number of tunnels on the list changes as dialup users connect and disconnect from the FortiGate unit. To view the dialup monitor, go to VPN > IPSec > Monitor.
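The policy order required in step 5 of the hub procedure and step 6 of the spoke procedure matters because policies are matched first-match: if the default Internal_All -> External_All policy sits above the encrypt policies, traffic destined for a spoke matches it first and leaves in cleartext. The following added model (example code for this guide, not FortiGate's policy engine) walks both policy lists with constructed address names, subnets and flows; the allow inbound and allow outbound flags are modelled as the two directions an encrypt policy may match, and concentrator forwarding between spokes is not modelled.

```python
"""Added example, not from the FortiGate guide: a first-match model of the
hub and spoke policy lists from the two procedures above, showing why the
encrypt policies must be listed before the default non-encrypt policy.
Address names, subnets and the traffic samples are constructed here."""
import ipaddress

# Constructed firewall address book (name -> network), following the guide's
# Internal_All / External_All naming.
ADDRESSES = {
    "Internal_All": ipaddress.ip_network("10.0.0.0/24"),
    "External_All": ipaddress.ip_network("0.0.0.0/0"),
    "Spoke_A_net": ipaddress.ip_network("10.1.0.0/24"),
    "Spoke_B_net": ipaddress.ip_network("10.2.0.0/24"),
}


def policy(source, destination, action, tunnel=None,
           allow_inbound=False, allow_outbound=False):
    """One policy with the fields the guide's configuration tables use."""
    return {"source": source, "destination": destination, "action": action,
            "tunnel": tunnel, "allow_inbound": allow_inbound,
            "allow_outbound": allow_outbound}


def match(policies, src_ip, dst_ip):
    """First-match lookup; returns the matching policy or None.

    A non-encrypt policy matches source -> destination only. An encrypt policy
    matches source -> destination when allow outbound is set, and
    destination -> source when allow inbound is set.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        s_net, d_net = ADDRESSES[p["source"]], ADDRESSES[p["destination"]]
        forward = src in s_net and dst in d_net
        if forward and (p["action"] != "ENCRYPT" or p["allow_outbound"]):
            return p
        reverse = src in d_net and dst in s_net
        if p["action"] == "ENCRYPT" and p["allow_inbound"] and reverse:
            return p
    return None


def hub_policies(ordered_correctly=True):
    """Hub: one encrypt policy per spoke (allow inbound and outbound), then the
    default non-encrypt policy, as in step 5 of the hub procedure. With
    ordered_correctly=False the default policy is placed first instead."""
    encrypt = [policy("Internal_All", "Spoke_A_net", "ENCRYPT", "to_spoke_a", True, True),
               policy("Internal_All", "Spoke_B_net", "ENCRYPT", "to_spoke_b", True, True)]
    default = [policy("Internal_All", "External_All", "ACCEPT")]
    return encrypt + default if ordered_correctly else default + encrypt


def spoke_policies():
    """Spoke A: an outbound encrypt policy per remote spoke, one inbound encrypt
    policy, then the default non-encrypt policy (step 6 of the spoke procedure).
    All encrypt policies use the single tunnel to the hub."""
    return [
        policy("Spoke_A_net", "Spoke_B_net", "ENCRYPT", "to_hub", allow_outbound=True),
        policy("Spoke_A_net", "External_All", "ENCRYPT", "to_hub", allow_inbound=True),
        policy("Spoke_A_net", "External_All", "ACCEPT"),
    ]


def classify(policies, src_ip, dst_ip):
    """Return 'encrypt:<tunnel>', 'cleartext' or 'drop' for one flow."""
    p = match(policies, src_ip, dst_ip)
    if p is None:
        return "drop"
    return f"encrypt:{p['tunnel']}" if p["action"] == "ENCRYPT" else "cleartext"
```

With the hub's default policy listed first, classify(hub_policies(ordered_correctly=False), "10.0.0.5", "10.1.0.9") returns "cleartext" instead of "encrypt:to_spoke_a".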

Figure 19: Dialup Monitor

Flush dialup tunnels icon: Stop all dialup tunnels and stop the traffic passing through all dialup tunnels. Dialup users may have to reconnect to establish new VPN sessions.
Name: The name of the phase 2 for the dialup tunnel followed by the number of the dialup tunnel. For example, if there are 4 dialup tunnels running that use a phase 2 configuration named Dial_tunnel, the dialup tunnels would be named Dial_tunnel_1, Dial_tunnel_2, and Dial_tunnel_3.
Remote gateway: The IP address and UDP port of the dialup remote gateway. This is usually the current IP address of the dialup user’s computer.
Username: The XAUTH user name if XAUTH is enabled for the VPN tunnel. See “Configuring XAuth” on page 215.
Timeout: The time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife.
Proxy ID Source: The IP address range that the dialup user can connect to.
Proxy ID Destination: The IP address range from which the dialup user can connect.
Bring down tunnel icon: Stop the current dialup tunnel. The dialup user may have to reconnect to establish a new VPN session.

Static IP and dynamic DNS monitor

The static IP and dynamic DNS monitor lists the static IP address remote gateway and dynamic DNS IPSec remote gateway IPSec VPN tunnels added to the FortiGate unit. You can use this list to view status and IP addressing information for each tunnel configuration. You can also start and stop individual tunnels from this list. To view the static IP and dynamic DNS monitor, go to VPN > IPSec > Monitor.

Name: The name of the static IP or dynamic DNS phase 2 or VPN tunnel.
Remote gateway: The IP address and UDP port of the static IP or dynamic DNS remote gateway. For dynamic DNS tunnels, the IP address is updated dynamically.
Timeout: The time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife.
Proxy ID Source: The IP address range that VPN users of this tunnel can connect to.
Proxy ID Destination: The IP address range from which VPN users of this tunnel can connect.
Bring down tunnel icon: Stop the selected VPN tunnel. The VPN user may have to reconnect to establish a new VPN session.
Bring up tunnel icon: Start the selected VPN tunnel.

IPSec VPN ping generator

Use the ping generator to generate periodic traffic through one or two VPN tunnels. The ping generator, also called tunnel keepalive, generates traffic in VPN tunnels to keep the tunnel connections open even if the tunnel is not processing traffic.

The ping generator is useful for dialup VPN scenarios where:
• the client connects from a dynamic address that changes periodically,
• sessions are initiated from the static gateway to the dialup client,
• the tunnel should always be up.

When the IP of the client changes, the Security Association (SA) is torn down and a new SA is not initiated until there is traffic originating from the client. The static gateway cannot set up a new SA because it doesn't know the new IP address of the client. The ping generator ensures that the client will always create a tunnel.

Note: The ping generator ping interval is fixed at 40 seconds.

Ping generator options

Figure 20: Ping generator

Enable: Enable or disable the ping generator between the specified source and destination addresses.
Source IP 1: An IP address on the subnet of the client connected to one VPN tunnel.
Destination IP 1: An IP address on the subnet of the static gateway of one VPN tunnel.
Source IP 2: An IP address on the subnet of the client connected to a second VPN tunnel.
Destination IP 2: An IP address on the subnet of the static gateway of a second VPN tunnel.

To configure the ping generator

This procedure describes how to enable two ping generators:
• One between a source address of 192.168.2.200 behind a dialup client and a destination address of 192.168.100.43 behind a static gateway.
• A second one between a source address of 172.16.21.99 behind a dialup client and a destination address of 172.16.34.44 behind a static gateway.

To enable these ping generators:
1 Go to VPN > IPSec > Ping Generator.
2 Select Enable to enable the ping generator.
3 Configure the first ping generator.
• For Source IP 1 enter: 192.168.2.200
• For Destination IP 1 enter: 192.168.100.43
4 Configure the second ping generator.
• For Source IP 2 enter: 172.16.21.99
• For Destination IP 2 enter: 172.16.34.44
5 Select Apply.

AutoIKE IPSec VPN with preshared keys

In a pre-shared key VPN, both peers in the VPN use the same preshared key to authenticate themselves to each other. The peers do not actually send the key to each other. The key, together with a Diffie-Hellman group, is used to automatically generate a session key by IKE during the session. Network administrators distribute preshared keys to VPN peer sites. Whenever pre-shared keys change, the administrator must update all sites.

To configure an AutoIKE VPN with preshared keys
1 Add a phase 1 configuration to define the parameters used to authenticate the remote VPN peer. Although the remote VPN peer can be either a client or a gateway, this step is often referred to as “adding a remote gateway.” For a preshared key VPN, set authentication method to Preshared key.
2 Set other phase 1 options as required. See “Phase 1” on page 212.
3 Add the phase 2 configuration to define the parameters used to create and maintain the AutoKey VPN tunnel. This step is often referred to as “adding a tunnel.” See “Phase 2” on page 216.
4 Add the firewall configuration required for the VPN. See “Adding firewall policies for IPSec VPN” on page 230.

AutoIKE IPSec VPN with certificates

This method of key management involves the participation of a trusted third party, the certificate authority (CA). Each peer in a VPN is required to generate a set of keys, known as a public/private key pair. The CA signs the public key for each peer, creating a signed digital certificate. Each peer retrieves its own certificate, plus that of the CA. IKE manages the exchange of certificates between peers. The signed digital certificates are validated by the presence of the CA certificate at each end. With authentication complete, the IPSec tunnel is then established.

Certificates are best suited to large network deployments. Certificates can be easier to manage than manual keys or preshared keys but require a certification sharing infrastructure.

To configure an AutoIKE VPN with digital certificates
1 Add a phase 1 configuration to define the parameters used to authenticate the remote VPN peer. Although the remote VPN peer can be either a client or a gateway, this step is often referred to as “adding a remote gateway.” For a Certification VPN, set authentication method to RSA signature.
2 Set other phase 1 options as required. See “Phase 1” on page 212.
3 Add the phase 2 configuration to define the parameters used to create and maintain the AutoKey VPN tunnel. See “Phase 2” on page 216.
4 Add the firewall configuration required for the VPN. See “Adding firewall policies for IPSec VPN” on page 230.

Peer to peer VPN

Using a peer to peer VPN, users on a network behind a VPN gateway can connect to another remote network behind a remote VPN gateway. Both VPN gateways or peers are FortiGate units or other VPN gateways with static IP addresses. Peer to peer VPNs can use preshared keys or certificates.

To configure peer to peer VPN
1 Add a phase 1 configuration to define the parameters used to authenticate the remote VPN peer.
2 Set Remote Gateway to static.
3 Set other phase 1 options as required. See “Phase 1” on page 212.
4 Add the phase 2 configuration to define the parameters used to create and maintain the AutoKey VPN tunnel. See “Phase 2” on page 216.

5 Add the firewall configuration required for the VPN. See “Adding firewall policies for IPSec VPN” on page 230.
6 Configure remote VPN clients with a matching IPSec VPN configuration.

Dialup VPN

Dialup VPN allows remote users with dynamic IP addresses to use VPN to connect to a private network. Dialup VPNs use AutoIKE and can be preshared key or certificate VPNs.

To configure dialup VPN
1 Add a phase 1 configuration to define the parameters used to authenticate the remote VPN peer.
2 Set Remote Gateway to Dialup user.
3 Set other phase 1 options as required. See “Phase 1” on page 212.
4 Add the phase 2 configuration to define the parameters used to create and maintain the AutoKey VPN tunnel. See “Phase 2” on page 216.
5 Add the firewall configuration required for the VPN. See “Adding firewall policies for IPSec VPN” on page 230.
6 Configure remote VPN clients with a matching IPSec VPN configuration.

Dynamic DNS VPN

Dynamic DNS VPN allows remote users or gateways with dynamic IP addresses to use VPN to connect to a private network. In this case, the gateway or client at the remote end of the VPN tunnel has a dynamic IP address, but the FortiGate unit can get the IP address by looking up a domain name. The remote client or gateway uses dynamic DNS to re-map this domain name to its IP address whenever the IP address changes. Dynamic DNS VPNs use AutoIKE and can be preshared key or certificate VPNs.

To configure dynamic DNS VPN
1 Add a phase 1 configuration to define the parameters used to authenticate the remote VPN peer.
2 Set Remote Gateway to Dynamic DNS.
3 Enter the dynamic DNS domain name of the remote peer.
4 Set other phase 1 options as required. See “Phase 1” on page 212.

5 Add the phase 2 configuration to define the parameters used to create and maintain the AutoKey VPN tunnel. See “Phase 2” on page 216.
6 Add the firewall configuration required for the VPN. See “Adding firewall policies for IPSec VPN” on page 230.

Manual key IPSec VPN

To use Manual key IPSec VPNs, both ends of the VPN tunnel must be configured with matching encryption and authentication algorithms, with matching authentication and encryption keys, and with complementary security parameter index (SPI) settings.

To configure manual key VPN
1 Add a manual key configuration to both VPN peers. See “Manual Key” on page 219.
2 Both configurations must be identical except for the local and remote SPIs. See “Manual Key” on page 219.
3 Add the firewall configuration required for the VPN. See “Adding firewall policies for IPSec VPN” on page 230.

Adding firewall policies for IPSec VPN

Firewall policies for IPSec VPN control all VPN traffic passing through the FortiGate unit. You add firewall policies for IPSec VPN in the same way as you add normal firewall policies. See “Policy” on page 158 for information about firewall policies. Adding firewall policies for IPSec VPN requires setting the policy action to encrypt. When you set action to encrypt you can specify the direction of IPSec VPN traffic allowed by the encrypt policy, select the VPN tunnel that uses the policy, and apply NAT features to the traffic allowed by the policy.

Firewall policies are applied to IPSec VPN traffic when the VPN traffic is unencrypted. This allows the firewall to apply protection profiles to VPN traffic. It also means that the source and destination addresses and services added to encrypt policies are applied to the source and destination addresses and services of the unencrypted packets instead of the source and destination of the encrypted IPSec VPN packets.

You can also use firewall policies for IPSec VPN to apply protection profiles to VPN traffic, to log IPSec VPN traffic, and to apply advanced features to IPSec VPN traffic such as traffic shaping and differentiated services.

• IPSec VPN firewall policy direction
• Source addresses for IPSec VPN firewall policies
• Destination addresses for IPSec VPN firewall policies
• Adding IPSec firewall policies

IPSec VPN firewall policy direction

VPN networks are usually configured to allow traffic to flow in two directions. Only one IPSec VPN firewall policy is required for each FortiGate unit to allow this two way traffic. You can control the direction of VPN traffic by setting allow inbound and allow outbound. Selecting allow inbound allows traffic from the remote peer to access the internal network. Selecting allow outbound allows traffic from the internal network to access the remote network.

For example, a peer to peer VPN can consist of two FortiGate units acting as VPN gateways. Users behind each VPN gateway can connect to addresses behind the other VPN gateway. In the example, you would add an internal -> external firewall policy to each FortiGate unit and set action to encrypt.

Source addresses for IPSec VPN firewall policies

The source address added to an IPSec VPN policy is the address that unencrypted traffic connects to or from. Usually this is an internal network connected to the FortiGate unit. In most cases, the source address is the address of an internal network connected to the FortiGate unit. To add a firewall address, see “To add an address” on page 167.

For example, if you want users on the internal network of a FortiGate unit to use a VPN to connect to a remote network across the internet, you would add an internal -> wan1 encrypt policy. For this policy, the source address would include the IP addresses of the users on the internal network.

The source address also controls the addresses that remote VPN users can connect to. For example, if you want VPN users behind a remote FortiGate unit on the Internet to use a VPN to connect to IP addresses on the internal network, you would add an internal -> wan1 encrypt policy. For this policy, the source address would be the address on the internal network that is part of the VPN.

Destination addresses for IPSec VPN firewall policies

The destination address added to an IPSec VPN policy is the address that encrypted traffic connects to or from. To add a firewall address, see “To add an address” on page 167. In general:
• For a gateway to gateway VPN, the destination address is the address of the remote network behind the remote VPN peer.
• For a gateway to remote VPN client VPN, the destination address is the IP address of the remote client.

• For a dialup VPN, the destination address is the All firewall address.
• If the remote VPN client is configured to acquire a virtual IP address, the destination address should correspond to the virtual IP address that the remote client can acquire.

For example, if you want users on the internal network of a FortiGate unit to use a VPN to connect to a remote network across the internet, you would add an internal -> wan1 encrypt policy. For this policy, the destination address would include the IP address of the remote internal network.

The destination address also controls the addresses that remote VPN users can connect from. For example, if you want VPN users behind a remote FortiGate unit on the Internet to use a VPN to connect to IP addresses on the internal network, you would add an internal -> wan1 encrypt policy. For this policy, the destination address would be the address on the remote internal network from which users can connect to the VPN. If the remote VPN clients can acquire virtual IP addresses, then the destination address should correspond to the virtual IP address that the remote clients can acquire.

Adding IPSec firewall policies

Use the following procedure to add an IPSec firewall policy for a VPN between an internal network connected to the internal interface and a remote network that the FortiGate unit connects to from the wan1 interface.

To add firewall policies for IPSec VPN
1 Go to Firewall > Address.
2 Add the source address. See “Source addresses for IPSec VPN firewall policies” on page 231.
3 Add a destination address. See “Destination addresses for IPSec VPN firewall policies” on page 231.
4 Add an internal -> wan1 firewall policy. See “To add a firewall policy” on page 164.
5 Set the firewall policy action to encrypt. Select encrypt to make this policy an IPSec VPN policy. When encrypt is selected the VPN Tunnel Options appear. You can select an AutoIKE Key or Manual Key VPN tunnel for the policy and configure other IPSec settings. You cannot add authentication to an ENCRYPT policy.
6 Select a VPN tunnel for the encrypt policy. You can select an AutoIKE key or Manual Key tunnel.
7 Configure the following VPN tunnel options if required.
Allow inbound: Select Allow inbound so that remote VPN users can connect to the source addresses.
Allow outbound: Select Allow outbound so that users on the internal network can connect to the destination address.

Inbound NAT: Select Inbound NAT to translate the source address of incoming packets to the FortiGate internal IP address. Select inbound NAT if the source IP addresses of the remote VPN users are not routable on the internal network.
Outbound NAT: Select Outbound NAT to translate the source address of outgoing packets to the FortiGate external IP address. Select outbound NAT if the source IP addresses of the local VPN users are not routable on the remote internal network.
8 Select other firewall policy options to apply a protection profile to VPN traffic and to apply other firewall policy features.
9 Select OK to save the firewall policy.

DHCP over IPSec

Use DHCP over IPSec with dialup VPN to assign IP addresses to remote VPN clients. FortiGate DHCP over IPSec supports RFC 3456, Dynamic Host Configuration Protocol (DHCPv4) Configuration of IPsec Tunnel Mode. To configure DHCP over IPSec, the remote VPN client must be configured to request an IP configuration using DHCP and the FortiGate unit must be configured for DHCP over IPSec.

When the remote VPN client starts a VPN session with the FortiGate unit, the remote client sends a DHCP request over the VPN tunnel. The FortiGate unit forwards the DHCP request to a DHCP server. The DHCP server returns an IP configuration, which the FortiGate unit encrypts and sends back through the VPN tunnel to the remote VPN client. As a result, the remote VPN client uses the IP configuration assigned by the DHCP server to connect to the destination network behind the FortiGate unit. The FortiGate unit continues to recognize the original, routable IP address of the remote client as the tunnel endpoint. However, the source address of the unencrypted packets received from the client is changed to the IP address assigned to the client by the DHCP server.

Using DHCP over IPSec you can control the source IP address of the packets received from dialup clients. The remote VPN clients can appear to be on the VPN destination network or on another network. One of the advantages of this control is that you can configure firewall policies for dialup clients with a specific source address, rather than a general firewall address such as All. Using a specific source address is in general more secure and provides more options for using firewall policies to apply FortiGate features to VPN users.

To configure DHCP over IPSec
1 Add a dialup phase 1 configuration to define the parameters used to authenticate the remote VPN peer. See “Dialup VPN” on page 229.
2 Add a phase 2 configuration to define the parameters used to create and maintain the AutoKey VPN tunnel. See “Phase 2” on page 216.

3 While configuring phase 2, select Advanced and enable DHCP-IPSec.
4 Add the firewall configuration required for the VPN. See “Adding firewall policies for IPSec VPN” on page 230.
5 Configure the interface that receives packets from the remote VPN client for DHCP.
• Example 1. If your network includes a DHCP server on your internal network, and the remote VPN client connects to the FortiGate unit from the Internet, configure the WAN1 interface to be a DHCP Relay Agent, and include the IP address of the DHCP server on the internal network. See “To configure an interface as a regular DHCP relay agent” on page 72.
• Example 2. To use the FortiGate unit as the DHCP server, if the remote VPN client connects to the FortiGate unit from the Internet, configure the WAN1 interface to be a DHCP Server. See “To configure an interface to be a DHCP server” on page 73.
6 Configure IPSec VPN clients to receive their IP addresses using DHCP.

Internet browsing through a VPN tunnel

Using Internet browsing through a VPN tunnel, remote VPN users can connect to a network behind a FortiGate unit or browse the Internet using the same VPN tunnel. Firewall policies can apply virus scanning, web filtering, and other FortiGate features to remote VPN traffic that connects to the Internet. Applying virus scanning and other FortiGate features to remote VPN user Internet connections enhances the security of remote VPN user traffic and protects remote VPN users from viruses and other threats on the Internet. Also, if all remote VPN Internet traffic is sent over the VPN, the remote client does not send any unencrypted traffic to the Internet.

Internet browsing through a VPN tunnel is available for static IP VPNs, dynamic DNS VPNs, and dialup VPNs. Internet browsing through a VPN tunnel is supported between VPN peers or for a remote VPN client.

Note: To support Internet browsing through a VPN, the remote VPN client must be configured to deny split tunnelling.

Configuring Internet browsing through a VPN tunnel

Configure Internet browsing through a VPN tunnel by selecting advanced settings in an IPSec Phase 2 configuration. For Internet browsing, select the Interface through which remote VPN users can connect through the firewall to the Internet. The Internet browsing interface becomes the virtual source interface from which VPN users can browse the Internet. In most configurations, the Internet browsing interface would be the internal interface and VPN users would be able to browse the Internet using the same firewall policies as users on the internal network (for example, internal -> wan1 policies).

You can also create dedicated firewall policies just for VPN users. One way to do this is to designate a virtual source interface just for VPN users. The virtual source interface could be a physical interface or a VLAN subinterface. You can add a VLAN subinterface just for this purpose.

Then create Internet access policies for VPN users. For example, if the virtual source interface is VLAN_21, and the wan1 interface is connected to the Internet, you would create VLAN_21 -> external firewall policies.

In the IPSec VPN Phase 2 configuration, set Internet browsing to the virtual source interface.

To configure Internet browsing through a VPN tunnel
1 Go to VPN > IPSec > Phase 1.
2 Add a phase 1 configuration to define the parameters used to authenticate the remote VPN peer. See “Phase 1” on page 212.
3 Go to VPN > IPSec > Phase 2.
4 Add the phase 2 configuration to define the parameters used to create and maintain the AutoKey VPN tunnel. See “Phase 2” on page 216.
5 Select Advanced.
6 Optionally select DHCP-IPsec to support DHCP over IPSec. See “DHCP over IPSec” on page 233.
7 Set Internet browsing to the interface through which you want users to connect to the Internet (usually the internal interface).
8 Add the required encrypt firewall policies. See “Adding firewall policies for IPSec VPN” on page 230.
9 Go to Firewall > Policy.
10 If required, add firewall policies to support internet browsing. For example, add internal -> wan1 policies to allow connections from the Internal network to the Internet.
11 Configure remote VPN clients to deny split tunnelling.

IPSec VPN in Transparent mode

In NAT mode, IPsec intercepts encrypted packets, decrypts them, and routes the packet. The FortiGate unit encrypts the packet and routes the packet.

In transparent mode, the FortiGate unit does not do IP-based routing. The firewall acts as a layer 2 bridge and not a router; therefore, a FortiGate unit can be deployed quickly without having to reconfigure the network. Cleartext packets are intercepted, marked as needing encryption, and then encrypted post-routing; the routing is determined by the firewall policy. Encrypted packets are decrypted and then forwarded normally. In both cases, Phase 1, Phase 2, and policy configurations are the same. The client PC must know the MAC address of the next hop in the gateway. The FortiGate unit is not included because it is transparent at layer 2.

FortiGate-60 Administration Guide 01-28003-0002-20040716 235

To configure IPSec VPN in Transparent mode
1 Add a phase 1 configuration to define the parameters used to authenticate the remote VPN peer. See “Phase 1” on page 212.
2 Set other phase 1 options as required.
3 Add the phase 2 configuration to define the parameters used to create and maintain the AutoKey VPN tunnel. See “Phase 2” on page 216.
4 Add the firewall configuration required for the VPN (only encrypt policies). See “Adding firewall policies for IPSec VPN” on page 230.

Special rules
• The management IP address of the FortiGate unit is used as the IPSec gateway. This should be used as the static gateway IP when configuring the peer. The FortiGate unit management IP address may or may not be within the same subnet as the address range that is used in the encrypt policy.
• The FortiGate unit must have a default route for packets that are generated locally by the FortiGate unit to have somewhere to go. If there are additional routers behind the firewall, the FortiGate unit must have routes for any subnets that are not directly connected (if they will be used in an encrypt policy).
• The subnets being linked by an IPSec tunnel must be disjoint, and there must be at least one router separating the two Transparent mode FortiGate units (they can be directly connected if the default router does ICMP redirect).
• IPSec involves linkages between gateways, tunnels, and encrypt policies. Whenever these items refer to each other, they must be in the same virtual domain.

Hub and spoke VPNs

In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer known as a hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, managing the VPN connections between the spokes.

A hub-and-spoke IPSec VPN configuration differs from a regular IPSec VPN configuration in two important ways. Firstly, the hub requires one extra configuration step, for the concentrator that groups the hub-and-spoke tunnels together. Secondly, the spokes require one less configuration step, as they do not need tunnels between themselves. To configure a hub-and-spoke VPN, you must configure both the hub and spokes.

Configuring the hub

Use the following steps to configure the central FortiGate unit that functions as the hub:
• add the VPN tunnels,
• add a VPN concentrator,
• add a firewall policy.

Note: You must add the VPN tunnels before adding the concentrator. You must also add the concentrator before adding the firewall policy.

To configure the VPN settings for the hub
1 Configure a tunnel for each spoke. Choose between a manual key tunnel or an AutoIKE tunnel. The tunnels link the hub to the spokes. The tunnels are added as part of the AutoIKE phase 2 configuration or the manual key configuration.
Note: If you use manual key tunnels, the local SPI values for each spoke must be different.
2 Add a destination address for each spoke. The destination address is the address of the spoke (either a client on the Internet or a network located behind a gateway). See “To add an address” on page 167.
3 Add the concentrator configuration. This step groups the tunnels together on the FortiGate unit.
4 Add an encrypt policy for each spoke. Encrypt policies control the direction of traffic through the hub and allow inbound and outbound VPN connections between the hub and the spokes. The encrypt policy for each spoke must include the tunnel name of the spoke. The source address must be Internal_All. See “To add an address” on page 167. See “To add a firewall policy” on page 164. Use the following configuration for the encrypt policies:
Source: Internal_All
Destination: The VPN spoke address.
Action: ENCRYPT
VPN Tunnel: The VPN spoke tunnel name.
Allow inbound: Select allow inbound.
Inbound NAT: Select inbound NAT if required.
Allow outbound: Select allow outbound.
Outbound NAT: Select outbound NAT if required.
5 Arrange the policies in the following order:
• encrypt policies
• default non-encrypt policy (Internal_All -> External_All)

Adding a VPN concentrator

The VPN concentrator collects the hub-and-spoke tunnels into a group. With this configuration, the FortiGate unit functions as a concentrator, or hub, within a hub-and-spoke network. This allows VPN traffic to pass from one tunnel to the other through the FortiGate unit.

To add a VPN concentrator configuration
1 Go to VPN > IPSec > Concentrator.
2 Select New to add a VPN concentrator.
3 Enter the name of the new concentrator in the Concentrator Name field.
4 To add tunnels to the VPN concentrator, select a VPN tunnel from the Available Tunnels list and select the right arrow.
5 To remove tunnels from the VPN concentrator, select the tunnel in the Members list and select the left arrow.
6 Select OK to add the VPN concentrator.

Configuring spokes

A remote VPN peer that is functioning as a spoke requires the following configuration:
• A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for the hub.
• The source address of the local VPN spoke.
• The destination address of each remote VPN spoke.
• A separate outbound encrypt policy for each remote VPN spoke. These policies allow the local VPN spoke to initiate encrypted connections.
• A single inbound encrypt policy. This policy allows the local VPN spoke to accept encrypted connections.

To create a VPN spoke configuration:
1 Configure a tunnel between the spoke and the hub.
2 Add the source address. One source address is required for the local VPN spoke. See “To add an address” on page 167.
3 Add a destination address for each remote VPN spoke. The destination address is the address of the spoke (either a client on the Internet or a network located behind a gateway). See “To add an address” on page 167.
4 Add a separate outbound encrypt policy for each remote VPN spoke. These policies control the encrypted connections initiated by the local VPN spoke. The encrypt policy must include the appropriate source and destination addresses and the tunnel added in step 1. Use the following configuration:

See “To add a firewall policy” on page 164.
Source: The local VPN spoke address.
Destination: The remote VPN spoke address.
Action: ENCRYPT
VPN Tunnel: The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.)
Allow inbound: Do not enable.
Inbound NAT: Select inbound NAT if required.
Allow outbound: Select allow outbound.
Outbound NAT: Select outbound NAT if required.
5 Add an inbound encrypt policy. This policy controls the encrypted connections initiated by the remote VPN spokes. The encrypt policy for the hub must include the appropriate source and destination addresses and the tunnel added in step 1. See “To add a firewall policy” on page 164. Use the following configuration:
Source: The local VPN spoke address.
Destination: External_All
Action: ENCRYPT
VPN Tunnel: The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.)
Allow inbound: Select allow inbound.
Inbound NAT: Select inbound NAT if required.
Allow outbound: Do not enable.
Outbound NAT: Select outbound NAT if required.
6 Arrange the policies in the following order:
• outbound encrypt policies
• inbound encrypt policy
• default non-encrypt policy (Internal_All -> External_All)
Note: The default non-encrypt policy is required to allow the VPN spoke to access other networks, such as the Internet.

Redundant IPSec VPNs

To ensure the continuous availability of an IPSec VPN tunnel, you can configure multiple connections between the local FortiGate unit and the remote VPN peer (remote gateway). With a redundant configuration, if one connection fails, the FortiGate unit establishes a tunnel using the other connection. The configuration depends on the number of connections that each VPN peer has to the Internet. For example, if the local VPN peer has two connections to the Internet, then it can provide one redundant connection to the remote VPN peer.

A single VPN peer can be configured with up to three redundant connections. The VPN peers are not required to have a matching number of Internet connections. For example, one peer can have multiple Internet connections while the other has only one Internet connection. In the case of an asymmetrical configuration, the level of redundancy varies from one end of the VPN to the other.

Note: IPSec Redundancy is only available to VPN peers that have static IP addresses and that authenticate themselves to each other with preshared keys or digital certificates. It is not available to VPN peers that have dynamically assigned IP addresses (dialup users). Nor is it available to VPN peers that use manual keys.

Configuring redundant IPSec VPNs

For each FortiGate unit, first add multiple (two or more) external interfaces. Then assign each interface to an external zone. Finally, add a route to the Internet through each interface. The configuration is simpler if all external interfaces are grouped in one zone, rather than multiple zones. However, this might not always be possible because of security considerations or other reasons.

Configure the two FortiGate units with symmetrical settings for their connections to the Internet. For example, if the remote FortiGate unit has two external interfaces grouped in one zone, then the local FortiGate unit should have two external interfaces grouped in one zone. Similarly, if the remote FortiGate has two external interfaces in separate zones, then the local FortiGate unit should have two external interfaces in separate zones.

After you define the Internet connections for both FortiGate units, you can configure the VPN tunnel.

To configure a redundant IPSec VPN
1 Add the phase 1 parameters for up to three VPN connections between two VPN peers. You can add up to three remote gateways. Make sure that the remote VPN peer (Remote Gateway) has a static IP address. Enter identical values for each VPN connection, with the exception of the Gateway Name and IP Address. See “Phase 1” on page 212.
2 Add the phase 2 parameters (VPN tunnel) for up to three VPN connections. See “Phase 2” on page 216.
• If the Internet connections are in the same zone, add one VPN tunnel and add the remote gateways to it.
• If the Internet connections are in separate zones or assigned to unique interfaces, add a VPN tunnel for each remote gateway entered.
3 Add the source and destination addresses. See “To add an address” on page 167.

4 Add encrypt policies for up to three VPN connections. See “To add a firewall policy” on page 164.
• If the VPN connections are in the same zone, add one outgoing encrypt policy. Add the AutoIKE key tunnel to this policy.
• If the VPN connections are in different zones, add a separate outgoing encrypt policy for each connection. The source and destination of both policies must be the same. Add a different AutoIKE key tunnel to each policy.

Managing digital certificates

Use digital certificates to make sure that both VPN peers in an IPSec communication session are trustworthy before setting up an encrypted VPN tunnel between the peers. Fortinet uses a manual procedure to obtain certificates. This involves copying and pasting text files from your local computer to the certificate authority, and from the certificate authority to your local computer. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.

Note: Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced feature provided for the convenience of system administrators.

Peer identification

When a FortiGate unit is configured to use digital certificates, it sends the certificate DN as its Local ID. The DN displays in the Local ID field on the Phase 1 configuration. The DN serves to identify the owner of the certificate and contains, as a minimum, the Common Name (CN), which can be the name or email address of a person, or the domain name or IP address of a device. Because it associates an identity with the certificate, the DN can be used to restrict VPN access. For example, a public CA may issue a large number of valid certificates. But you can restrict access by designating which DNs from these certificates you will accept. So although a remote VPN peer sends a valid digital certificate to the local VPN peer, the local VPN peer may deny the connection because the certificate contains an unrecognized DN. Typically, you would use this feature to restrict access to your network.

When the remote peer initiates a VPN connection with the local VPN peer, it will send the Distinguished Name (DN) from the certificate to the remote VPN peer. The local VPN peer compares the DN against the peer ID. If the two values match and the certificate is valid, the connection is accepted. If they do not match, the connection is denied. For example, if the DN for the remote VPN peer is /CN=www.fortinet.com, then this value must be entered as the peer ID on the local VPN peer. This feature is available in both main and aggressive mode.

Local certificates

The signed local certificate provides the FortiGate unit with a means to authenticate itself to other devices.

Note: The VPN peers must use digital certificates that adhere to the X.509 standard.

Local certificate list
Figure 21: Local certificate list
Generate: Select to use the FortiGate unit to generate a local certificate request.
Import: Select to import a signed local certificate.
Name: The name of the local certificate or certificate request.
Subject: The subject of the local signed certificate.
Status: The status of the local certificate. PENDING designates a local certificate request that should be downloaded and signed.
Delete and download icons: Use the download icon to download a local certificate request to be signed.

Generating the certificate request

With this procedure, you generate a private and public key pair. The public key is the base component of the certificate request.

To generate a certificate request
1 Go to VPN > Certificates > Local Certificates.
2 Select Generate.

Figure 22: Generating a certificate request
Certificate Name: Type a certificate name.
Subject Information: Enter an ID for the FortiGate unit being certified. You can use one of the following three ID types: Host IP, Domain Name, E-Mail.
Host IP: Enter the IP address of the FortiGate unit being certified.
Domain Name: Enter the fully qualified domain name of the FortiGate unit being certified.
E-Mail: If you selected email address, enter the email address of the owner of the FortiGate unit being certified.
Optional Information: Optionally enter the information to further identify the FortiGate unit being certified.
Key Type: Only RSA is supported.
Key Size: Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but more secure. Not all IPSec VPN products support all three key sizes.

To download the certificate request
Use the following procedure to download a certificate request from the FortiGate unit to the management computer. After downloading the certificate request, you can submit it to your CA so that your CA can sign the certificate.
1 Go to VPN > Certificates > Local Certificates.
2 Select the Download icon to download the certificate request to the management computer.

To request the signed local certificate
Use the following procedure to copy and paste the certificate request from the management computer to the CA web server.
1 On the management computer, open the local certificate request using a text editor.
2 Connect to the CA web server.
3 Follow the CA web server instructions to:
• add a base64 encoded PKCS#10 certificate request to the CA web server,
• paste the certificate request to the CA web server,
• submit the certificate request to the CA web server.

Importing the signed local certificate

After you receive notification from the CA that it has signed the certificate request, connect to the CA web server and download the signed local certificate to the management computer. With this procedure, you import the signed local certificate from the management computer to the FortiGate unit.

Uploading a local certificate

To import the signed local certificate
1 Go to VPN > Certificates > Local Certificates.
2 Select Import.
3 Enter the path or browse to locate the signed local certificate on the management computer.
4 Select OK.
The signed local certificate is displayed on the Local Certificates list with a status of OK.

Backing up and restoring the local certificate and private key

When you back up a FortiGate configuration that includes IPSec VPN tunnels using certificates, you must also back up the local certificate and private key in a password-protected PKCS12 file. Public Key Cryptography Standard 12 (PKCS12) describes the syntax for securely exchanging personal information. Before restoring the configuration, you must import the PKCS12 file and set the local certificate name to the same that was in the original configuration.

Note: Use the execute vpn certificates key CLI command to back up and restore the local certificate and private key. For more information, see the FortiGate CLI Reference Guide.

CA certificates

For the VPN peers to authenticate themselves to each other, they must both obtain a CA certificate from the same certificate authority. The CA certificate provides the VPN peers with a means to validate the digital certificates that they receive from other devices. The FortiGate unit obtains the CA certificate to validate the digital certificate that it receives from the remote VPN peer. The remote VPN peer obtains the CA certificate to validate the digital certificate that it receives from the FortiGate unit.

Note: The CA certificate must adhere to the X.509 standard.

To retrieve the CA certificate
1 Connect to the CA web server.
2 Follow the CA web server instructions to download the CA certificate.

To import the CA certificate
1 Go to VPN > Certificates > CA Certificates.
2 Select Import.
3 Enter the path or browse to locate the CA certificate on the management computer.
4 Select OK.
The CA is displayed on the CA Certificates list.

Note: The system assigns a unique name to each CA certificate. The names are numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).

Troubleshooting

Most connection failures are due to a configuration mismatch between the local and remote FortiGate units. The following are some tips to troubleshoot a VPN connection failure:
• PING the remote FortiGate firewall to verify you have a working route.
• Check the FortiGate firewall configuration.
• Check the FortiClient software configuration.

Configuration Error: Wrong remote network information.
Correction: Check the IP addresses of the remote gateway and network.

Configuration Error: Wrong preshared key.
Correction: Reenter the preshared key.

Configuration Error: Wrong Aggressive Mode peer ID.
Correction: Reset to the correct Peer ID.

Configuration Error: Wrong or mismatched IKE or IPSec Diffie-Hellman group.
Correction: Make sure you select the correct DH group on both ends.

Configuration Error: Mismatched IKE or IPSec proposal combination in the proposal lists.
Correction: Make sure both the FortiClient software and the remote FortiGate gateway use the same proposals.

Configuration Error: No Perfect Forward Secrecy (PFS) when it is required.
Correction: Enable PFS.

Configuration Error: Wrong firewall policy source and destination addresses.
Correction: Re-enter the source and destination address.

Configuration Error: Wrong direction of the encryption policy. For example, external-to-internal instead of internal-to-external.
Correction: Change the policy to internal-to-external.

Configuration Error: Wrong order of the encryption policy in the firewall policy table.
Correction: The encryption policy must be placed above other non-encryption policies.
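The following Python script is an added example, not code from this guide or from Fortinet: it takes the mismatch causes in the table above, plus the peer-ID rule described under “Peer identification”, and checks two constructed peer configurations and a sample firewall policy table against them. The proposal names, DH groups, DN strings, preshared key and policy names are assumed sample values.

```python
"""Pre-flight check of an IPSec VPN configuration between two peers.

Added example, not from the FortiGate guide: each peer's phase 1/phase 2
settings and the firewall policy table are plain dicts, and the checks
report the mismatches from the troubleshooting table with the correction
it prescribes. Names, addresses and keys are constructed samples.
"""
import hashlib


def _share_any(local_list, remote_list):
    """True if at least one proposal is in both peers' proposal lists."""
    return bool(set(local_list) & set(remote_list))


def _psk_fingerprint(psk):
    """Compare digests instead of passing plaintext keys around."""
    return hashlib.sha256(psk.encode("utf-8")).hexdigest()


def diagnose_peers(local, remote):
    """Return (problem, correction) pairs for phase 1 / phase 2 mismatches."""
    findings = []
    if not _share_any(local["ike_proposals"], remote["ike_proposals"]):
        findings.append(("Mismatched IKE proposal combination",
                         "Make sure both ends use the same IKE proposals."))
    if not _share_any(local["ipsec_proposals"], remote["ipsec_proposals"]):
        findings.append(("Mismatched IPSec proposal combination",
                         "Make sure both ends use the same IPSec proposals."))
    if local["dh_group"] != remote["dh_group"]:
        findings.append(("Wrong or mismatched Diffie-Hellman group",
                         "Select the same DH group on both ends."))
    if local["pfs"] != remote["pfs"]:
        findings.append(("PFS enabled on one end only",
                         "Enable PFS on both ends, or on neither."))
    if _psk_fingerprint(local["psk"]) != _psk_fingerprint(remote["psk"]):
        findings.append(("Wrong preshared key",
                         "Re-enter the preshared key on both ends."))
    # Each end's configured peer ID must equal the other end's local ID.
    # With certificates, the local ID is the certificate DN (e.g. /CN=host).
    if (local["peer_id"] != remote["local_id"]
            or remote["peer_id"] != local["local_id"]):
        findings.append(("Wrong Aggressive Mode peer ID",
                         "Reset the peer ID to the other end's local ID/DN."))
    return findings


def check_policy_table(policies):
    """Return (policy name, problem, correction) for encrypt policy errors.

    `policies` is the firewall policy table top to bottom: an encrypt policy
    must be internal-to-external and sit above every non-encrypt policy.
    """
    findings = []
    first_plain_index = None
    for index, policy in enumerate(policies):
        if policy["action"] != "ENCRYPT":
            if first_plain_index is None:
                first_plain_index = index
            continue
        if policy["src"] == "external" and policy["dst"] == "internal":
            findings.append((policy["name"],
                             "Wrong direction of the encryption policy",
                             "Change the policy to internal-to-external."))
        if first_plain_index is not None and index > first_plain_index:
            findings.append((policy["name"],
                             "Wrong order of the encryption policy",
                             "Place it above the non-encryption policies."))
    return findings


# Constructed sample: the local FortiGate unit and the remote gateway.
LOCAL_PEER = {
    "ike_proposals": ["3des-sha1", "aes128-md5"],
    "ipsec_proposals": ["aes128-sha1"],
    "dh_group": 5,
    "pfs": True,
    "psk": "example-preshared-key",
    "local_id": "/CN=fgt60.example.com",
    "peer_id": "/CN=branch.example.com",
}
REMOTE_PEER = {
    "ike_proposals": ["aes128-md5", "aes256-sha1"],  # one IKE proposal shared
    "ipsec_proposals": ["3des-sha1"],                # no IPSec proposal shared
    "dh_group": 2,                                   # DH group differs
    "pfs": False,                                    # PFS off on this end only
    "psk": "example-preshared-kay",                  # typo in the key
    "local_id": "/CN=branch.example.com",
    "peer_id": "/CN=fgt60.example.com",
}

# Constructed policy table, top to bottom, with the encrypt policies
# deliberately placed below the default non-encrypt policy.
POLICY_TABLE = [
    {"name": "internal_all->external_all", "src": "internal", "dst": "external", "action": "ACCEPT"},
    {"name": "vpn_branch_out", "src": "internal", "dst": "external", "action": "ENCRYPT"},
    {"name": "vpn_branch_wrong_way", "src": "external", "dst": "internal", "action": "ENCRYPT"},
]
```

Running `diagnose_peers(LOCAL_PEER, REMOTE_PEER)` on the samples reports the IPSec proposal, DH group, PFS and preshared key mismatches but not the peer IDs, which are set correctly; `check_policy_table(POLICY_TABLE)` flags both encrypt policies as misordered and the second one as pointing the wrong way.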

FortiGate-60 Administration Guide Version 2.80

PPTP and L2TP VPNs

This section describes how to set up VPN connections between the FortiGate units and remote Windows clients, using Point-to-Point Tunnelling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP).
• PPTP
• PPTP passthrough
• L2TP

PPTP

Using PPTP, you can create a virtual private network (VPN) between a remote client PC running Windows and your internal network behind a FortiGate unit. PPTP uses the Point-to-Point protocol. PPTP packages data within PPP packets and then encapsulates the PPP packets within IP packets for transmission through a VPN tunnel. Because it is a Windows standard, PPTP does not require third-party software on the client computer. If your Internet Service Provider (ISP) supports PPTP connections through its network, you can create a secure connection by making simple configuration changes to the client computer and the FortiGate unit.

Note: PPTP VPNs are only supported in NAT/Route mode.

General configuration steps

To set up a PPTP VPN, you must configure both the FortiGate unit and the remote Windows client.

Note: Make sure that your ISP supports PPTP connections.

To create a PPTP VPN configuration:
1 Add a user group to the FortiGate unit. The PPTP clients must be authenticated before being allowed to start a VPN tunnel. To enable authentication, you must add a user group to the FortiGate unit. Within the user group, add a user name for each PPTP client. You can add users to the FortiGate user database, to authentication servers (RADIUS or LDAP), or to both. See “Users and authentication” on page 199.

2 Enable PPTP and specify a PPTP address range. See “Specifying a PPTP range” on page 248.
3 Add a source address. The source address is the PPTP address range. See “To add an address” on page 167.
4 Add a destination address. The destination addresses are the addresses to which the PPTP clients can connect. Typically you would add only one destination address for the entire internal subnetwork. See “To add an address” on page 167.
5 Add an external-to-internal firewall policy. The firewall policy specifies the source and destination addresses and sets the service for the policy to the traffic type inside the PPTP VPN tunnel. For example, if the destination address is on the internal network, you would create an external-to-internal policy to control the access that PPTP users have through the FortiGate unit. For example, if you want PPTP clients to be able to access a web server, set service to HTTP. See “To add a firewall policy” on page 164.
6 Configure the Windows client. See:
• Configuring a Windows 98 client for PPTP.
• Configuring a Windows 2000 client for PPTP.
• Configuring a Windows XP client for PPTP.

Specifying a PPTP range

The PPTP address range is the range of addresses reserved for remote PPTP clients. When a remote PPTP client connects to the internal network using PPTP, the client computer is assigned an IP address from this range. The PPTP address range can be on any subnet. To enable PPTP on the FortiGate unit, go to VPN > PPTP > PPTP Range.

Figure 23: PPTP range
Enable PPTP: You must add a user group before you can enable this option.
Starting IP: The start of the IP range. For example, 192.168.1.10.
Ending IP: The end of the IP range. For example, 192.168.1.20.
User Group: Select the user group that contains the remote PPTP VPN clients.
Disable PPTP: Select this option to disable the PPTP support.

Configuring a Windows 98 client for PPTP

Use the following procedure to configure a client computer running Windows 98 to connect to a FortiGate PPTP VPN. To configure the Windows 98 client, you must install and configure Windows dialup networking and virtual private networking support.

To install the VPN adapter
1 Go to Start > Settings > Control Panel > Network.
2 Select Add.
3 Select Adapter.
4 Select Add.
5 Select Microsoft as the manufacturer.
6 Select Microsoft Virtual Private Networking Adapter.
7 Select OK twice.
8 Insert diskettes or CDs as required.
9 Restart the computer.

To configure a PPTP dialup connection
1 Go to My Computer > Dial-Up Networking > Configuration.
2 Double-click Make New Connection.
3 Name the connection and select Next.
4 Enter the IP address or host name of the FortiGate unit to connect to and select Next.
5 Select Finish.
An icon for the new connection appears in the Dial-Up Networking folder.
6 Right-click the new icon and select Properties.
7 Go to Server Types.
8 Clear IPX/SPX Compatible.
9 Select TCP/IP Settings.
10 Clear Use IP header compression.
11 Clear Use default gateway on remote network.
12 Select OK twice.

To connect to the PPTP VPN
1 Start the dialup connection that you configured in the previous procedure.
2 Enter your PPTP VPN User Name and Password.
3 Select Connect.

Configuring a Windows 2000 client for PPTP

To configure a PPTP dialup connection
1 Go to Start > Settings > Network and Dial-up Connections.
2 Double-click Make New Connection to start the Network Connection Wizard and select Next.
3 For Network Connection Type, select Connect to a private network through the Internet and select Next.
4 For Destination Address, enter the IP address or host name of the FortiGate unit to connect to and select Next.
5 Set Connection Availability to Only for myself and select Next.
6 Select Finish.
7 In the Connect window, select Properties.
8 Select the Security tab.
9 Select OK.

To connect to the PPTP VPN
1 Start the dialup connection that you configured in the previous procedure.
2 In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password is not the same as your VPN user name and password.
3 Enter your PPTP VPN User Name and Password.
4 Select Connect.

Configuring a Windows XP client for PPTP

To configure a PPTP dialup connection
1 Go to Start > Control Panel.
2 Select Network and Internet Connections.
3 Select Create a Connection to the network of your workplace and select Next.
4 Select Virtual Private Network Connection and select Next.
5 Name the connection and select Next.
6 If the Public Network dialog box appears, choose the appropriate initial connection and select Next.
7 In the VPN Server Selection dialog, enter the IP address or host name of the FortiGate unit to connect to and select Next.
8 Select Finish.

To configure the VPN connection
1 Right-click the Connection icon that you created in the previous procedure.
2 Select Properties > Security.

3 Select Typical to configure typical settings.
4 Select Advanced to configure advanced settings.
5 Select Settings.
6 Select Challenge Handshake Authentication Protocol (CHAP).
7 Make sure that none of the other settings are selected.
8 Select the Networking tab.
9 Make sure that the following options are selected:
• TCP/IP
• QoS Packet Scheduler
10 Make sure that the following options are not selected:
• File and Printer Sharing for Microsoft Networks
• Client for Microsoft Networks
11 Select OK.

To connect to the PPTP VPN
1 Connect to your ISP.
2 In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password is not the same as your VPN user name and password.
3 Start the VPN connection that you configured in the previous procedure.
4 Enter your PPTP VPN User Name and Password.
5 Select Connect.

PPTP passthrough

The FortiGate unit supports PPTP passthrough by configuring a port forwarding virtual IP to use port 1723. Normally, PPTP passthrough requires the generic routing encapsulation (GRE) protocol on IP port 47. When you configure PPTP passthrough using the following procedure, the FortiGate unit automatically enables the GRE protocol for PPTP passthrough configurations. You do not have to configure a separate GRE virtual IP.

Configuring PPTP passthrough

Configure PPTP passthrough by configuring a dynamic port forwarding virtual IP that uses port 1723. Then add the virtual IP to a firewall policy. The following procedures describe how to configure PPTP passthrough to allow PPTP packets from the internet to connect to a PPTP server on the internal network. In this example, the PPTP server IP address is 192.168.1.23.

To configure a dynamic port forwarding virtual IP for port 1723
1 Go to Firewall > Virtual IP.

L2TP

Using L2TP VPN, you can create a secure connection between a client computer running Microsoft Windows and your internal network behind a FortiGate unit. L2TP is supported by most recent versions of Windows. L2TP combines the features of two other tunneling protocols: PPTP from Microsoft and L2F from Cisco Systems. Some implementations of L2TP support elements of IPSec. These elements must be disabled when L2TP is used with FortiGate units. L2TP itself does not encrypt the tunnelled traffic; with IPSec disabled, the only confidentiality protection is the PPP-level data encryption that the Windows client procedures below require.

Note: L2TP VPNs are only supported in NAT/Route mode.

General configuration steps

To set up a L2TP VPN, you must configure both the FortiGate unit and the remote Windows client.

Note: Make sure that your ISP supports L2TP connections.

To create a L2TP VPN configuration:
1 Add a user group to the FortiGate unit. The L2TP clients must be authenticated before being allowed to start a VPN tunnel. To enable authentication, you must add a user group to the FortiGate unit. Within the user group, add a user for each L2TP client. You can add users to the FortiGate user database, to authentication servers (RADIUS or LDAP), or to both. See "Users and authentication" on page 199.
2 Enable L2TP and specify a L2TP address range. The L2TP address range is the range of addresses reserved for remote L2TP clients. When a remote L2TP client connects to the internal network using L2TP, the client computer is assigned an IP address from this range. The L2TP address range can be on any subnet. See "Specifying an L2TP range" on page 253.
3 Add a source address. The source address is the L2TP range. See "To add an address" on page 167.
4 Add a destination address. The destination address is the address to which the L2TP clients can connect. Typically you would add only one destination address, for example, for the entire internal subnetwork. See "To add an address" on page 167.
5 Add an external-to-internal firewall policy. The firewall policy specifies the source and destination addresses and sets the service for the policy to the traffic type inside the L2TP VPN tunnel. For example, if the destination address is on the internal network, you would create an external-to-internal policy to control the access that L2TP users have through the FortiGate unit. For example, if you want L2TP clients to be able to access a web server, set service to HTTP. See "To add a firewall policy" on page 164.
6 Configure the Windows client. See:
• Configuring a Windows 2000 client for L2TP.
• Configuring a Windows XP client for L2TP.

Specifying an L2TP range

The L2TP address range is the range of addresses reserved for remote L2TP clients. When a remote Windows client connects to the internal network using L2TP, the client computer is assigned an IP address from this range. The L2TP address range can be on any subnet.

To enable L2TP on the FortiGate unit, go to VPN > L2TP > L2TP Range.

Figure 24: L2TP range

Enable L2TP: You must add a user group before you can enable this option.
Starting IP: The start of the IP range. For example, 192.168.1.10.
Ending IP: The end of the IP range. For example, 192.168.1.20.
User Group: Select the user group that contains the remote L2TP VPN clients.
Disable L2TP: Select this option to disable the L2TP support.

Configuring a Windows 2000 client for L2TP

To configure an L2TP dialup connection
1 Go to Start > Settings > Network and Dial-up Connections.
2 Double-click Make New Connection to start the Network Connection Wizard and select Next.
3 For Network Connection Type, select Connect to a private network through the Internet and select Next.
4 If the Public Network dialog box appears, choose the appropriate initial connection and select Next.
5 For Destination Address, enter the address of the FortiGate unit to connect to and select Next.
6 Set Connection Availability to Only for myself and select Next.
7 Select Finish.
8 In the Connect window, select Properties.
9 Select the Security tab.
10 Make sure that Require data encryption is selected.
11 Select the Networking tab.
12 Set VPN server type to Layer-2 Tunneling Protocol (L2TP).
Save your changes and continue with the following procedure.

To disable IPSec
1 Select the Networking tab.
2 Select Internet Protocol (TCP/IP) properties.
3 Double-click the Advanced tab.
4 Go to the Options tab and select IP security properties.
5 Make sure that Do not use IPSec is selected.
6 Select OK and close the connection properties window.

Note: The default Windows 2000 L2TP traffic policy does not allow L2TP traffic without IPSec encryption. You can disable the default behavior by editing the Windows 2000 Registry as described in the following steps. See the Microsoft documentation for editing the Windows Registry.

7 Use the registry editor (regedit) to locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
8 Add the following registry value to this key:
Value Name: ProhibitIPSec
Data Type: REG_DWORD
Value: 1
9 Save your changes and restart the computer for the changes to take effect.

You must add the ProhibitIPSec registry value to each Windows 2000-based endpoint computer of an L2TP or IPSec connection to prevent the automatic filter for L2TP and IPSec traffic from being created. When the ProhibitIPSec registry value is set to 1, your Windows 2000-based computer does not create the automatic filter that uses CA authentication. Instead, it checks for a local or Active Directory IPSec policy.

To connect to the L2TP VPN
1 Start the dialup connection that you configured in the previous procedure.
2 In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password is not the same as your VPN user name and password.
3 Enter your L2TP VPN User Name and Password.
4 Select Connect.

Configuring a Windows XP client for L2TP

To configure an L2TP VPN dialup connection
1 Go to Start > Settings.
2 Select Network and Internet Connections.
3 Select Create a connection to the network of your workplace and select Next.
4 Select Virtual Private Network Connection and select Next.
5 Name the connection and select Next.
6 If the Public Network dialog box appears, choose the appropriate initial connection and select Next.
7 In the VPN Server Selection dialog, enter the IP address or host name of the FortiGate unit to connect to and select Next.
8 Select Finish.

To configure the VPN connection
1 Right-click the icon that you have created.
2 Select Properties > Security.
3 Select Typical to configure typical settings.
4 Select Require data encryption.
5 Select Advanced to configure advanced settings.
6 Select Settings.
7 Select Challenge Handshake Authentication Protocol (CHAP).
8 Make sure that none of the other settings are selected.
9 Select OK.
10 Select the Networking tab.
11 Make sure that the following options are selected:
• TCP/IP
• QoS Packet Scheduler
Make sure that the following options are not selected:
• File and Printer Sharing for Microsoft Networks
• Client for Microsoft Networks

To disable IPSec
1 Select the Networking tab.
2 Select Internet Protocol (TCP/IP) properties.
3 Double-click the Advanced tab.
4 Go to the Options tab and select IP security properties.
5 Make sure that Do not use IPSec is selected.
6 Select OK and close the connection properties window.

Note: The default Windows XP L2TP traffic policy does not allow L2TP traffic without IPSec encryption. You can disable the default behavior by editing the Windows XP Registry as described in the following steps. See the Microsoft documentation for editing the Windows Registry.

7 Use the registry editor (regedit) to locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
8 Add the following registry value to this key:
Value Name: ProhibitIPSec
Data Type: REG_DWORD
Value: 1
9 Save your changes and restart the computer for the changes to take effect.

You must add the ProhibitIPSec registry value to each Windows XP-based endpoint computer of an L2TP or IPSec connection to prevent the automatic filter for L2TP and IPSec traffic from being created. When the ProhibitIPSec registry value is set to 1, your Windows XP-based computer does not create the automatic filter that uses CA authentication. Instead, it checks for a local or Active Directory IPSec policy.

To connect to the L2TP VPN
1 Connect to your ISP.
2 Start the VPN connection that you configured in the previous procedure.
3 In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password is not the same as your VPN user name and password.
4 Enter your L2TP VPN User Name and Password.
5 Select Connect.


FortiGate-60 Administration Guide Version 2.80

IPS

The FortiGate Intrusion Prevention System (IPS) combines signature and anomaly based intrusion detection and prevention. The FortiGate unit can record suspicious traffic in logs, can send alert email to system administrators, and can log, pass, drop, reset, or clear suspicious packets or sessions. You can adjust some IPS anomaly thresholds to work best with the normal traffic on the protected networks. You can also create custom signatures to customize the FortiGate IPS for diverse network environments.

Once you have configured the IPS, you must enable the IPS in the protection profile of a firewall policy; only traffic handled by a policy whose protection profile has IPS enabled is inspected. For information on configuring IPS in a protection profile, see "Configuring IPS options" on page 193. For information on protection profiles, see "Protection profile" on page 188. For detailed information on individual signatures and anomalies, see the Attack Encyclopedia in the FortiProtect Center available on the Fortinet website at https://www.fortinet.com/.

This chapter describes:
• Signature
• Anomaly
• Configuring IPS logging and alert email

Signature

The FortiGate IPS matches network traffic against patterns contained in attack signatures. Attack signatures protect your network from known attacks. Fortinet's FortiProtect infrastructure ensures the rapid identification of new threats and the development of new attack signatures.

You can configure the FortiGate unit to automatically check for and download an updated attack definition file containing the latest signatures, or you can manually download the updated attack definition file. You can also configure the FortiGate unit to allow push updates of updated attack definition files as soon as they are available from the FortiProtect Distribution Network. For details, see "Update center" on page 113. You can upgrade both the IPS predefined signatures and the IPS engine through the FortiResponse Distribution Network (FDN). When the FortiGate unit installs an updated attack definition file, it checks whether the default configuration of any existing signature has changed. If it has, your changes to the signature configuration are preserved.


In addition to an extensive list of predefined attack signatures, you can also create your own custom attack signatures for the FortiGate unit.

Predefined
Predefined signatures are arranged into groups based on the type of attack. By default, all signature groups are enabled. You can enable or disable signature groups or individual signatures. Disabling unneeded signatures can improve system performance and reduce the number of log messages and alert emails that the IPS generates. For example, the IPS detects a large number of web server attacks. If you do not provide access to a web server behind your FortiGate unit, you might want to disable all web server attack signatures. Some signature groups include configurable parameters. The parameters that are available depend on the type of signatures in the signature group. When you configure these parameters for a signature group, the parameters apply to all of the signatures in the group. For each signature, you can configure the action the FortiGate IPS takes when it detects an attack. The FortiGate IPS can pass, drop, reset or clear packets or sessions. You can also enable or disable logging of the attack.

Predefined signature list
You can enable or disable groups of predefined signatures and configure the settings for individual predefined signatures from the predefined signature list.
Figure 25: The predefined signature list

Group Name: The signature group names.
Enable: The status of the signature group. A white check mark in a green circle indicates the signature group is enabled. A white X in a grey circle indicates the signature group is disabled.
Logging: The logging status for individual signatures. Click on the blue triangle to show the signature group members. A white check mark in a green circle indicates logging is enabled for the signature. A white X in a grey circle indicates logging is disabled for the signature.
Action: The action set for individual signatures. Click on the blue triangle to show the signature group members. Action can be Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Clear Session, or Pass Session.
Revision: The revision number for individual signatures. Click on the blue triangle to show the signature group members.
Modify: The Configure and Reset icons.

Table 1 describes each possible action you can select for predefined signatures.



Table 1: Actions to select for each predefined signature

Pass: The FortiGate unit lets the packet that triggered the signature pass through the firewall. If logging is disabled and action is set to Pass, the signature is effectively disabled.
Drop: The FortiGate unit drops the packet that triggered the signature. Fortinet recommends using an action other than Drop for TCP connection based attacks.
Reset: The FortiGate unit drops the packet that triggered the signature, sends a reset to both the client and the server, and removes the session from the FortiGate session table. Used for TCP connections only. If you set this action for non-TCP connection based attacks, the action will behave as Clear Session. If the Reset action is triggered before the TCP connection is fully established it acts as Clear Session.
Reset Client: The FortiGate unit drops the packet that triggered the signature, sends a reset to the client, and removes the session from the FortiGate session table. Used for TCP connections only. If you set this action for non-TCP connection based attacks, the action will behave as Clear Session. If the Reset Client action is triggered before the TCP connection is fully established it acts as Clear Session.
Reset Server: The FortiGate unit drops the packet that triggered the signature, sends a reset to the server, and removes the session from the FortiGate session table. Used for TCP connections only. If you set this action for non-TCP connection based attacks, the action will behave as Clear Session. If the Reset Server action is triggered before the TCP connection is fully established it acts as Clear Session.
Drop Session: The FortiGate unit drops the packet that triggered the signature and drops any other packets in the same session.
Clear Session: The FortiGate unit drops the packet that triggered the signature, removes the session from the FortiGate session table, and does not send a reset.
Pass Session: The FortiGate unit lets the packet that triggered the signature and all other packets in the session pass through the firewall.

Configuring predefined signatures
To enable or disable predefined signature groups
1 Go to IPS > Signature > Predefined.
2 Select the Configure icon next to the predefined signature group that you want to enable or disable.
Figure 26: Enabling or disabling a predefined signature group

3 Select the enable box to enable the predefined signature group or clear the enable box to disable the predefined signature group.
4 Select OK.


To configure predefined signature settings
1 Go to IPS > Signature > Predefined.
2 Select the blue triangle next to a signature group name to display the members of that group.
3 Select the Configure icon for the signature you want to configure.
Figure 27: Configuring predefined IPS signatures

4 Select the Enable box to enable the signature or clear the Enable box to disable the signature.
5 Select the Logging box to enable logging for this signature or clear the Logging box to disable logging for this signature.
6 Select the Action for the FortiGate unit to take when traffic matches this signature. (See Table 1.)
7 Select OK.

To restore the recommended settings of a signature
1 Go to IPS > Signature > Predefined.
2 Select the blue triangle next to a signature group name to display the members of that group.
3 Select the Reset icon for the signature you want to restore to recommended settings. The Reset icon is displayed only if the settings for the signature have been changed from recommended settings.
4 Select OK.

Configuring parameters for dissector signatures
The following predefined dissector signatures have configurable parameters.
• http_decoder
• im
• p2p
• rpc_decoder
• tcp_reassembler


Figure 28: Example of dissector signature parameters: tcp_reassembler


Figure 29: Example of dissector signature parameters: p2p

idle_timeout: If a session is idle for longer than this number of seconds, the session will not be maintained by tcp_reassembler.
min_ttl: A packet whose IP header TTL is lower than the number specified here is not processed by tcp_reassembler. Packets with a TTL too small to reach the protected host are the classic way to desynchronize a reassembler, so a minimum discards them before they can influence stream reconstruction.
port_list: A comma separated list of ports. The dissector can decode these TCP ports.
bad_flag_list: A comma separated list of bad TCP flags.
reassembly_direction: Valid settings are from-server, from-client, or both.
codepoint: A number from 0 to 63, used for differentiated services tagging. When the action for p2p and im signatures is set to Pass, the FortiGate unit checks the codepoint. If the codepoint is set to a number from 1 to 63, the codepoint for the session is changed to the specified value. If the codepoint is set to -1 (the default), no change is made to the codepoint in the IP header.

Custom
You can create custom IPS signatures. The custom signatures you create are added to a single Custom signature group. Custom signatures provide the power and flexibility to customize the FortiGate IPS for diverse network environments. The FortiGate predefined signatures cover common attacks. If you are using an unusual or specialized application or an uncommon platform, you can add custom signatures based on the security alerts released by the application and platform vendors. You can also use custom signatures to block or allow specific traffic. For example, to block traffic containing pornography, you can add custom signatures similar to the following:

F-SBID (--protocol tcp; --flow established; --content "nude cheerleader"; --no_case)

When you add the signature, set the action to Drop Session.


For more information on custom signature syntax see the FortiGate IPS Custom Signatures Technical Bulletin.
Note: Custom signatures are an advanced feature. This document assumes the user has previous experience creating intrusion detection signatures.
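To make concrete what the options in the example signature above actually constrain, here is a small Python parser and matcher for the F-SBID form. It is added here as an illustration and is not Fortinet's IPS code: it handles only the four options the example uses (--protocol, --flow, --content, --no_case), so the full syntax still has to be taken from the Technical Bulletin, and the names parse_fsbid, Session and evaluate are chosen for the example. It also applies the rule from Table 1 that the Reset actions fall back to Clear Session on non-TCP traffic or before the TCP connection is fully established. The sample sessions are constructed.

```python
import re
from dataclasses import dataclass

OPTION_RE = re.compile(r"--(\w+)(?:\s+(.+))?$", re.S)


def _split_options(body: str):
    """Split on ';' but not inside double quotes, so a quoted --content
    value may itself contain a semicolon."""
    parts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_fsbid(text: str) -> dict:
    """Parse 'F-SBID (--opt value; --flag)' into a dict. Quoted values are
    unquoted; an option with no value (for example --no_case) becomes True."""
    body = text.strip()
    if not body.startswith("F-SBID"):
        raise ValueError("not an F-SBID signature")
    body = body[len("F-SBID"):].strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("signature body must be enclosed in parentheses")
    options = {}
    for part in _split_options(body[1:-1]):
        m = OPTION_RE.match(part)
        if not m:
            raise ValueError(f"malformed option: {part!r}")
        name, value = m.group(1), m.group(2)
        if value is None:
            options[name] = True
        else:
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            options[name] = value
    return options


@dataclass
class Session:
    """One observed flow (constructed for the example)."""
    protocol: str        # "tcp", "udp" or "icmp"
    established: bool    # True once the TCP three-way handshake has completed
    payload: bytes


def signature_matches(options: dict, session: Session) -> bool:
    if "protocol" in options and options["protocol"].lower() != session.protocol.lower():
        return False
    if options.get("flow") == "established" and not session.established:
        return False
    if "content" in options:
        needle, hay = options["content"].encode(), session.payload
        if options.get("no_case"):
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True


RESET_ACTIONS = {"Reset", "Reset Client", "Reset Server"}


def effective_action(action: str, session: Session) -> str:
    """Table 1: a reset action behaves as Clear Session for non-TCP traffic
    or when the TCP connection is not yet fully established."""
    if action in RESET_ACTIONS and (session.protocol.lower() != "tcp" or not session.established):
        return "Clear Session"
    return action


def evaluate(signature: str, action: str, session: Session):
    """Return the action the unit would apply, or None if the signature does not match."""
    options = parse_fsbid(signature)
    if not signature_matches(options, session):
        return None
    return effective_action(action, session)
```

Two things the test cases below make visible: --flow established means a packet on a half-open connection never matches, and a plain --content match is only as good as the byte string, so a URL-encoded "Nude%20Cheerleader" slips past the example signature even with --no_case.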

Custom signature list
Figure 30: The custom signature group

Enable custom signature: Select the Enable custom signature box to enable the custom signature group or clear the Enable custom signature box to disable the custom signature group.
Create New: Select Create New to create a new custom signature.
Clear all custom signatures: Remove all the custom signatures from the custom signature group.
Reset to recommended settings?: Reset all the custom signatures to the recommended settings.
Name: The custom signature names.
Revision: The revision number for each custom signature. The revision number is a number you assign to the signature when you create or revise it.
Enable: The status of each custom signature. A white check mark in a green circle indicates the signature is enabled. A white X in a grey circle indicates the signature is disabled. Selecting the box at the top of the Enable column enables all the custom signatures. Clearing the box at the top of the Enable column disables all the custom signatures.
Logging: The logging status of each custom signature. A white check mark in a green circle indicates logging is enabled for the custom signature. A white X in a grey circle indicates logging is disabled for the custom signature.
Action: The action set for each custom signature. Action can be Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Clear Session, or Pass Session.
Modify: The Delete and Edit/View icons.

Adding custom signatures
To add a custom signature
1 Go to IPS > Signature > Custom.
2 Select Create New to add a new custom signature or select the Edit icon to edit an existing custom signature.


Figure 31: Edit custom signature


3 Enter a name for the custom signature. You cannot edit the name of an existing custom signature.
4 Enter the custom signature.
5 Select the action to be taken when a packet triggers this signature. (See Table 1 for action descriptions.)
6 Select the Logging box to enable logging for the custom signature or clear the Logging box to disable logging for the custom signature.

Backing up and restoring custom signature files
For information on backing up and restoring the custom signature list, see “Backing up and Restoring” on page 112.

Caution: Restoring the custom signature list overwrites the existing file.

Anomaly

The FortiGate IPS uses anomaly detection to identify network traffic that does not fit known or preset traffic patterns. The FortiGate IPS identifies four statistical anomaly types for each of the TCP, UDP, and ICMP protocols.

Flooding: If the number of sessions targeting a single destination in one second is over a threshold, the destination is experiencing flooding.
Scan: If the number of sessions from a single source in one second is over a threshold, the source is scanning.
Source session limit: If the number of concurrent sessions from a single source is over a threshold, the source session limit is reached.
Destination session limit: If the number of concurrent sessions to a single destination is over a threshold, the destination session limit is reached.

You can enable or disable logging for each anomaly, and you can control the IPS action in response to detecting an anomaly. In many cases you can also configure the thresholds that the anomaly uses to detect traffic patterns that could represent an attack.
Note: It is important to know the normal and expected traffic on your network before changing the default anomaly thresholds. Setting the thresholds too low could cause false positives, and setting the thresholds too high could miss some attacks.
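The four anomaly types above rest on two kinds of count: sessions started within one second (flooding and scan) and sessions open at the same instant (the two session limits). The following Python is added here as an illustration and is not FortiGate code; it runs those four checks over constructed session records and shows how the threshold choice drives false positives, which is the point of the note above. The per-protocol threshold values and the names *_flood and *_scan are chosen for the example; the *_src_session and *_dst_session names match the CLI anomaly names this page lists.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import floor
from typing import Optional


@dataclass
class SessionRecord:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    start: float                  # seconds since an arbitrary epoch
    end: Optional[float] = None   # None: still open


# Thresholds per protocol. Constructed for the example; the shipped
# recommended values are in the technical bulletin the text cites.
THRESHOLDS = {
    "tcp":  {"flood": 50, "scan": 50, "src_session": 100, "dst_session": 100},
    "udp":  {"flood": 50, "scan": 50, "src_session": 100, "dst_session": 100},
    "icmp": {"flood": 20, "scan": 20, "src_session": 30,  "dst_session": 30},
}


def _max_concurrent(recs, key):
    """Highest number of sessions sharing a key that are open at one instant."""
    best = {}
    for s in recs:
        k = key(s)
        n = sum(1 for r in recs
                if key(r) == k and r.start <= s.start
                and (r.end is None or s.start < r.end))
        best[k] = max(best.get(k, 0), n)
    return best


def detect_anomalies(sessions, thresholds=THRESHOLDS):
    """Return sorted (anomaly, proto, address, count) tuples.

    flood and scan count sessions that start within the same clock second,
    per destination and per source; the session limits count sessions that
    are open simultaneously. A count must exceed the threshold to fire.
    """
    alerts = set()
    by_proto = defaultdict(list)
    for s in sessions:
        by_proto[s.proto].append(s)
    for proto, recs in by_proto.items():
        th = thresholds[proto]
        per_sec_dst, per_sec_src = defaultdict(int), defaultdict(int)
        for s in recs:
            per_sec_dst[(floor(s.start), s.dst)] += 1
            per_sec_src[(floor(s.start), s.src)] += 1
        for (_, dst), n in per_sec_dst.items():
            if n > th["flood"]:
                alerts.add((f"{proto}_flood", proto, dst, n))
        for (_, src), n in per_sec_src.items():
            if n > th["scan"]:
                alerts.add((f"{proto}_scan", proto, src, n))
        for src, n in _max_concurrent(recs, lambda r: r.src).items():
            if n > th["src_session"]:
                alerts.add((f"{proto}_src_session", proto, src, n))
        for dst, n in _max_concurrent(recs, lambda r: r.dst).items():
            if n > th["dst_session"]:
                alerts.add((f"{proto}_dst_session", proto, dst, n))
    return sorted(alerts)


def sample_sessions():
    """Constructed traffic: one normal session, a scanner, a flood, and a
    source that opens sessions slowly but never closes them."""
    s = [SessionRecord("tcp", "192.168.1.5", "192.168.1.23", 5.0, 5.5)]
    # 55 short TCP sessions from one host to 55 hosts inside one second: a scan
    s += [SessionRecord("tcp", "203.0.113.7", f"192.168.1.{i}",
                        10.0 + i * 0.01, 10.001 + i * 0.01) for i in range(55)]
    # 60 UDP sessions from 60 sources to one server inside one second: a flood
    s += [SessionRecord("udp", f"198.51.100.{i}", "192.168.1.23",
                        20.0 + i * 0.005, 20.001 + i * 0.005) for i in range(60)]
    # 35 ICMP sessions from one source, one per second, left open: source session limit
    s += [SessionRecord("icmp", "203.0.113.9", f"192.168.1.{i}", 30.0 + i)
          for i in range(35)]
    return s


if __name__ == "__main__":
    for alert in detect_anomalies(sample_sessions()):
        print(alert)
```

The ICMP case is the one that rate-based thresholds miss: one session per second never trips a flood or scan count, and only the concurrent-session limit catches it. Conversely, dropping the scan threshold to zero makes the single ordinary TCP session in the sample fire as a scan, which is what setting thresholds below normal traffic looks like in practice.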


You can also configure session control based on source and destination network address. This is a CLI only command available for tcp_src_session, tcp_dst_session, icmp_src_session, icmp_dst_session, udp_src_session, udp_dst_session. For more information, see the FortiGate CLI Reference Guide. The anomaly detection list can be updated only when the FortiGate firmware image is upgraded.

Anomaly list
Figure 32: The Anomaly list

Name: The anomaly names.
Enable: The status of the anomaly. A white check mark in a green circle indicates the anomaly is enabled. A white X in a grey circle indicates the anomaly is disabled.
Logging: The logging status for each anomaly. A white check mark in a green circle indicates logging is enabled for the anomaly. A white X in a grey circle indicates logging is disabled for the anomaly.
Action: The action set for each anomaly. Action can be Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Clear Session, or Pass Session.
Modify: The Edit and Reset icons. If you have changed the settings for an anomaly, you can use the Reset icon to change the settings back to the recommended settings.

Configuring an anomaly
Each anomaly is preset with a recommended configuration. By default all anomaly signatures are enabled. You can use the recommended configurations or you can modify the recommended configurations to meet the needs of your network. For more information on minimum, maximum, and recommended thresholds for the anomalies with configurable thresholds, see the FortiGate IPS Anomaly Thresholds and Dissector Values Technical Bulletin.
Figure 33: Editing the portscan IPS anomaly


Figure 34: Editing the syn_fin IPS anomaly

Name: The anomaly name.
Enable: Select the Enable box to enable the anomaly or clear the Enable box to disable the anomaly.
Logging: Select the Logging box to enable logging for the anomaly or clear the Logging box to disable logging for the anomaly.
Action: Select an action for the FortiGate unit to take when traffic triggers this anomaly.
Pass: The FortiGate unit lets the packet that triggered the anomaly pass through the firewall. If logging is disabled and action is set to Pass, the anomaly is effectively disabled.
Drop: The FortiGate unit drops the packet that triggered the anomaly. Fortinet recommends using an action other than Drop for TCP connection based attacks.
Reset: The FortiGate unit drops the packet that triggered the anomaly, sends a reset to both the client and the server, and removes the session from the FortiGate session table. Used for TCP connections only. If you set this action for non-TCP connection based attacks, the action will behave as Clear Session. If the Reset action is triggered before the TCP connection is fully established it acts as Clear Session.
Reset Client: The FortiGate unit drops the packet that triggered the anomaly, sends a reset to the client, and removes the session from the FortiGate session table. Used for TCP connections only. If you set this action for non-TCP connection based attacks, the action will behave as Clear Session. If the Reset Client action is triggered before the TCP connection is fully established it acts as Clear Session.
Reset Server: The FortiGate unit drops the packet that triggered the anomaly, sends a reset to the server, and removes the session from the FortiGate session table. Used for TCP connections only. If you set this action for non-TCP connection based attacks, the action will behave as Clear Session. If the Reset Server action is triggered before the TCP connection is fully established it acts as Clear Session.
Drop Session: The FortiGate unit drops the packet that triggered the anomaly and drops any other packets in the same session.
Clear Session: The FortiGate unit drops the packet that triggered the anomaly, removes the session from the FortiGate session table, and does not send a reset.
Pass Session: The FortiGate unit lets the packet that triggered the anomaly and all other packets in the session pass through the firewall.
threshold: Traffic over the specified threshold triggers the anomaly.

To configure the settings of an anomaly
1 Go to IPS > Anomaly.
2 Select the Edit icon for the anomaly you want to configure.

3 Select the Enable box to enable the anomaly or clear the Enable box to disable the anomaly.
4 Select the Logging box to enable logging for this anomaly or clear the Logging box to disable logging for this anomaly.
5 Select an action for the FortiGate unit to take when traffic triggers this anomaly.
6 Enter a new threshold value if required.
7 Select OK.

To restore the default settings of an anomaly
1 Go to IPS > Anomaly.
2 Select the Reset icon for the anomaly you want to restore to defaults. The Reset icon is displayed only if the settings for the anomaly have been changed from defaults.
3 Select OK.

Configuring IPS logging and alert email

Whenever the IPS detects or prevents an attack, it generates an attack message. You can configure the FortiGate unit to add the message to the attack log and to send an alert email to administrators. You can configure how often the FortiGate unit sends alert email. You can also reduce the number of log messages and alerts by disabling signatures for attacks that your system is not vulnerable to (for example, web attacks when you are not running a web server). For more information on FortiGate logging and alert email, see "Log & Report" on page 317.

Antivirus

Antivirus provides configuration access to most of the antivirus options you enable when you create a firewall protection profile. While antivirus settings are configured for system-wide use, you can implement specific settings on a per profile basis. Table 2 describes the antivirus settings and where to configure and access them. To access protection profile antivirus options go to Firewall > Protection Profile, select edit or Create New, and select Anti-Virus. See "Protection profile options" on page 189.

Table 2: Antivirus and Protection Profile antivirus configuration

Protection Profile antivirus options
Virus Scan: Enable or disable virus scanning for each protocol (HTTP, FTP, IMAP, POP3, SMTP) in the Protection Profile.
File Block: Enable or disable file blocking for each protocol.
Quarantine: Enable or disable quarantining for each protocol.
Pass fragmented emails: Enable or disable passing fragmented emails for some protocols (IMAP, POP3, SMTP). Fragmented emails cannot be scanned for viruses, so passing them means they reach the recipient unscanned.
Buffer to disk: Enable or disable buffer to disk for each protocol in the Protection Profile. Buffering to disk allows files too large for memory to be virus scanned from the local disk.
Oversized file/email: Configure the FortiGate unit to block or pass oversized files and emails for each protocol.
Add signature to outgoing emails: Create and enable a signature to append to outgoing emails (SMTP only).

Antivirus settings
Antivirus > File Block: Configure file patterns to block, and enable or disable blocking for each protocol.
Antivirus > Quarantine: View and sort the list of quarantined files, configure file patterns to upload automatically to Fortinet for analysis, and configure quarantining options in AntiVirus.
Antivirus > Config > Virus List: View a read-only list of current viruses.
Antivirus > Config > Config: Set the size thresholds for files and emails for each protocol in Antivirus.

FortiGate antivirus processing includes various modules and engines that perform separate tasks. FortiProtect services are an excellent resource and include automatic updates of virus and attack definitions, the FortiProtect Bulletin, and the FortiProtect virus encyclopedia.

This chapter describes:
• File block
• Quarantine
• Config
• CLI configuration

File block

Configure file blocking to remove all files that are a potential threat and to prevent active computer virus attacks. You can block files by name, by extension, or any other pattern, giving you the flexibility to block potentially harmful content. For standard operation, you can choose to disable file blocking in the Protection Profile, and enable it only to temporarily block specific threats as they occur.

The FortiGate unit blocks files that match a configured file pattern and displays a replacement message instead. The FortiGate unit also writes a message to the virus log and sends an alert email if configured to do so. You can also enable or disable file blocking by protocol for each file pattern you configure.

If both file block and virus scan are enabled, the FortiGate unit blocks files that match enabled file patterns and does not scan these files for viruses.

Note: File block entries are not case sensitive. For example, adding *.exe to the file block list also blocks any files ending in .EXE.

Note: When you enable virus scanning for a protocol, IPS signatures will not be triggered for that protocol.

This section describes:
• File block list
• Configuring the file block list

270 01-28003-0002-20040716 Fortinet Inc.

File block list

The file block list is preconfigured with a default list of file patterns:
• executable files (*.exe, *.bat, *.com)
• compressed or archive files (*.gz, *.rar, *.tar, *.tgz, and *.zip)
• dynamic link libraries (*.dll)
• HTML application (*.hta)
• Microsoft Office files (*.doc, *.ppt, *.xl?)
• Microsoft Works files (*.wps)
• Visual Basic files (*.vb?)
• screen saver files (*.scr)
• program information files (*.pif)

Figure 35: Default file block list

File block list has the following icons and features:

Create New: Select Create New to add a new file pattern to the file block list.
Apply: Select Apply to apply any changes to the file block configuration.
Pattern: The current list of blocked file patterns. You can create a pattern by using ? or * wildcard characters.
Check All: Select a check box beside a file pattern to enable blocking that pattern for all types of traffic. Select a check box beside a service (HTTP, FTP, IMAP, POP3, and SMTP) to enable blocking all file patterns for that service.
HTTP: Displays a check mark if file blocking is enabled to block the file pattern in HTTP traffic.
FTP: Displays a check mark if file blocking is enabled to block the file pattern in FTP traffic.
IMAP: Displays a check mark if file blocking is enabled to block the file pattern in IMAP traffic.
POP3: Displays a check mark if file blocking is enabled to block the file pattern in POP3 traffic.
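The file block semantics described above (? and * wildcards, case-insensitive matching, per-protocol enabling, and blocked files skipping virus scanning) as an added model in Python; this is example code written for this guide, not Fortinet's implementation, and the default list is loaded with every pattern enabled for all protocols as constructed sample data.

```python
import re
from dataclasses import dataclass, field

# Added example (not Fortinet code). Models the FortiGate file block list:
# '?' matches exactly one character, '*' matches any run of characters,
# matching ignores case, and each pattern is enabled per protocol.

PROTOCOLS = ("HTTP", "FTP", "IMAP", "POP3", "SMTP")


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a file block pattern with ? and * wildcards into a regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Anchor both ends so '*.exe' does not match 'setup.exe.txt'; IGNORECASE
    # because file block entries are not case sensitive.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


@dataclass
class FileBlockEntry:
    pattern: str
    # Protocols for which blocking of this pattern is enabled (the check marks)
    protocols: set = field(default_factory=lambda: set(PROTOCOLS))

    def __post_init__(self):
        self.regex = pattern_to_regex(self.pattern)


# The guide's default list; constructed so that every pattern is enabled for
# all protocols ("Check All").
DEFAULT_FILE_BLOCK_LIST = [FileBlockEntry(p) for p in (
    "*.exe", "*.bat", "*.com", "*.gz", "*.rar", "*.tar", "*.tgz", "*.zip",
    "*.dll", "*.hta", "*.doc", "*.ppt", "*.xl?", "*.wps", "*.vb?", "*.scr",
    "*.pif",
)]


def matching_pattern(filename, protocol, entries):
    """Return the first enabled pattern that blocks filename on protocol, or None."""
    for entry in entries:
        if protocol in entry.protocols and entry.regex.match(filename):
            return entry.pattern
    return None


def antivirus_decision(filename, protocol, entries, file_block=True, virus_scan=True):
    """What the unit does with a file under a protection profile.

    As the guide states: when both file block and virus scan are enabled, a
    file matching an enabled pattern is blocked and is not scanned for viruses.
    """
    if file_block and matching_pattern(filename, protocol, entries):
        return "block"
    if virus_scan:
        return "scan"
    return "pass"
```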

SMTP: Displays a check mark if file blocking is enabled to block the file pattern in SMTP traffic.
The Delete and Edit/View icons.

Configuring the file block list

To add a file name or file pattern to the file block list
1 Go to Anti-Virus > File Block.
2 Select Create New.
3 Enter the file name or file pattern you want to add.
4 Select the protocols for which you want to block the file, or select Check All.
5 Select Apply.

Quarantine

FortiGate units with a local disk can quarantine blocked and infected files. You can view the file names and status information about the file in the quarantined file list. You can sort the files by any one of file name, date, service, status, duplicate count (DC), or time to live (TTL). You can also filter the list to view only quarantined files with a specific status or from a specific service. You can also submit specific files and add file patterns to the AutoSubmit list so they will automatically be uploaded to Fortinet for analysis.

This section describes:
• Quarantined files list
• Quarantined files list options
• AutoSubmit list
• AutoSubmit list options
• Configuring the AutoSubmit list
• Config

Quarantined files list

The quarantined files list displays information about each file that is quarantined because of virus infection or file blocking.

Figure 36: Sample quarantined files list

Quarantined files list options

The quarantined files list has the following features and displays the following information about each quarantined file:

Apply: Select Apply to apply the sorting and filtering selections to the quarantined files list.
Sort by: Sort the list. Choose from: status, service, file name, date, TTL, or duplicate count. Click Apply to complete the sort.
Filter: Filter the list. Choose from status (infected, blocked, or heuristics) or service (IMAP, POP3, SMTP, FTP, or HTTP). Click Apply to complete the filtering.
File Name: The processed file name of the quarantined file. When a file is quarantined, all spaces are removed from the file name, and a 32-bit checksum is performed on the file. The file is stored on the FortiGate hard disk with the following naming convention: <32bit CRC>.<processed filename>. For example, a file named Over Size.exe is stored as 3fc155d2.oversize.exe.
Date: The date and time that the file was quarantined, in the format dd/mm/yyyy hh:mm. This value indicates the time that the first file was quarantined if the duplicate count increases.
Service: The service from which the file was quarantined (HTTP, FTP, IMAP, POP3, SMTP).
Status: The reason the file was quarantined: infected, heuristics, or blocked.
Status Description: Specific information related to the status, for example, "File is infected with "W32/Klez.h"" or "File was stopped by file block pattern."
DC: Duplicate count. A count of how many duplicates of the same file were quarantined. A rapidly increasing number can indicate a virus outbreak.
TTL: Time to live in the format hh:mm. When the TTL elapses, the FortiGate unit labels the file as EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL.
Upload status: Y indicates the file has been uploaded to Fortinet for analysis. N indicates the file has not been uploaded.
The Delete icon.
The Download icon: Download the corresponding file in its original format.
The Submit icon: Upload a suspicious file to Fortinet for analysis.

Note: Duplicates of files (based on the checksum) are not stored, only counted. The TTL value and the duplicate count are updated each time a duplicate of a file is found.

AutoSubmit list

You can configure the FortiGate unit to automatically upload suspicious files to Fortinet for analysis. You can add file patterns to the AutoSubmit list using wildcard characters (* or ?). File patterns are applied for AutoSubmit regardless of file blocking settings. You can also upload files to Fortinet based on status (blocked or heuristics) or submit individual files directly from the quarantined files list. Heuristics mode is configurable through the CLI only. See "CLI configuration" on page 279.

Figure 37: Sample AutoSubmit list

AutoSubmit list options

AutoSubmit list has the following icons and features:

Create New: Select Create New to add a new file pattern to the AutoSubmit list.
File Pattern: This column displays the current list of file patterns that will be automatically uploaded. You can create a pattern by using ? or * wildcard characters. Enable the check box to enable all file patterns in the list.
The Delete and Edit/View icons.

Configuring the AutoSubmit list

To add a file pattern to the AutoSubmit list
1 Go to Anti-Virus > Quarantine > AutoSubmit.
2 Select Create New.

Figure 38: Adding a file pattern

3 Enter the file pattern or file name you want to automatically upload to Fortinet for analysis.
4 Select Enable.
5 Select OK.

Note: To enable automatic uploading of the configured file patterns you must go to Anti-Virus > Quarantine > Config, select Enable AutoSubmit, and select Use File Pattern.

Config

Go to Config to set quarantine configuration options including whether to quarantine blocked or infected files and from which service. You can also configure the time to live and file size values, and enable AutoSubmit settings.

Figure 39: Quarantine configuration

Quarantine configuration has the following options:

Options
Quarantine Infected Files: Select the protocols from which to quarantine infected files identified by antivirus scanning.
Quarantine Suspicious Files: Select the protocols from which to quarantine suspicious files identified by heuristics. Heuristics is configurable through the CLI only. See "CLI configuration" on page 279.
Quarantine Blocked Files: Select the protocols from which to quarantine blocked files identified by antivirus file blocking. The Quarantine Blocked Files option is not available for HTTP or FTP because a file name is blocked before downloading and cannot be quarantined.
Age limit: The time limit in hours for which to keep files in quarantine. The age limit is used to formulate the value in the TTL column of the quarantined files list. When the limit is reached the TTL column displays EXP, and the file is deleted (although a record is maintained in the quarantined files list). Entering an age limit of 0 (zero) means files are stored on disk indefinitely depending on low disk space action.
Max filesize to quarantine: The maximum size of quarantined files in MB. Setting the maximum file size too large may affect performance.
Low disk space: Select the action to take when the local disk is full: overwrite the oldest file or drop the newest file.
Enable AutoSubmit: Enables the AutoSubmit feature. Select one or both of the options below.
Use file pattern: Enables the automatic upload of files matching the file patterns in the AutoSubmit list.
Use file status: Enables the automatic upload of quarantined files based on their status. Select either heuristics or block pattern.
Apply: Select Apply to save the configuration.
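The quarantined files list behaviour (stored name convention, duplicate counting, TTL refresh and EXP from the age limit) described in the "Quarantined files list options" and "Config" sections above, as an added Python model; this is example code for this guide, not Fortinet's implementation. It assumes CRC-32 (zlib.crc32) for the guide's unnamed "32-bit checksum", keeps the original file name case (the guide does not say), and uses a constructed clock (BASE_TIME, at()).

```python
import zlib
from datetime import datetime, timedelta

# Added example (not Fortinet code): models the quarantined files list.
BASE_TIME = datetime(2004, 7, 16, 9, 0)   # constructed reference time


def at(hours):
    """Constructed clock: BASE_TIME plus the given number of hours."""
    return BASE_TIME + timedelta(hours=hours)


def stored_name(filename, data):
    """<32bit CRC>.<processed filename>: spaces removed, checksum prefixed.

    Assumption: CRC-32 via zlib; the guide only says "32-bit checksum".
    """
    processed = filename.replace(" ", "")
    crc = zlib.crc32(data) & 0xFFFFFFFF
    return f"{crc:08x}.{processed}"


class QuarantineStore:
    """One record per distinct file; duplicates are counted, never stored again."""

    def __init__(self, age_limit_hours):
        self.age_limit_hours = age_limit_hours   # 0 = keep indefinitely
        self.records = {}                        # stored name -> record

    def add(self, filename, data, service, status, description, now):
        name = stored_name(filename, data)
        rec = self.records.get(name)
        if rec is None:
            rec = {
                "file_name": name,
                "date": now,            # when the first copy was quarantined
                "service": service,     # HTTP, FTP, IMAP, POP3 or SMTP
                "status": status,       # infected, heuristics or blocked
                "description": description,
                "dc": 1,                # duplicate count
                "last_seen": now,       # each duplicate refreshes the TTL
                "uploaded": False,      # Upload status N until submitted
            }
            self.records[name] = rec
        else:
            # Same checksum: count the duplicate and refresh its TTL only
            rec["dc"] += 1
            rec["last_seen"] = now
        return rec

    def ttl(self, rec, now):
        """Remaining time to live as hh:mm, or EXP once the age limit elapsed."""
        if self.age_limit_hours == 0:
            return "--:--"   # hypothetical display; the guide shows no value here
        remaining = rec["last_seen"] + timedelta(hours=self.age_limit_hours) - now
        if remaining <= timedelta(0):
            return "EXP"
        minutes = int(remaining.total_seconds()) // 60
        return f"{minutes // 60:02d}:{minutes % 60:02d}"

    def listing(self, now, sort_by="date", status=None, service=None):
        """Rows as the web-based manager shows them after Sort by and Filter."""
        rows = [r for r in self.records.values()
                if (status is None or r["status"] == status)
                and (service is None or r["service"] == service)]
        rows.sort(key=lambda r: r[sort_by])
        return [(r["file_name"], r["service"], r["status"], r["dc"], self.ttl(r, now))
                for r in rows]
```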

Config

Config displays a list of the current viruses blocked by the FortiGate unit. You can also configure file and email size limits, and grayware blocking.

This section describes:
• Virus list
• Config
• Grayware
• Grayware options

Virus list

The virus list displays the current viruses blocked in alphabetical order. You can view the entire list or parts of the list by selecting the desired number or alphabet ranges. You can update this list manually or set up the FortiGate unit to receive automatic updates daily or whenever required. To find out how to use the Fortinet Update Center, see "Update center" on page 113. To manually upload a virus list update see "Changing unit information" on page 27.

Figure 40: Virus list (partial)

Config

Oversize threshold configuration refers to the size limits you can apply to scan files and emails in memory and on the local disk (if available). Setting file size limits can improve or maintain network performance. If the FortiGate unit has a local disk you can enable buffering files larger than the memory threshold limit to the disk.

Figure 41: Example threshold configuration for FortiGate unit with a local disk

Figure 42: Example threshold configuration for FortiGate unit without a local disk

The maximum file size allowed in memory is 40% of the FortiGate RAM size. For example, a FortiGate unit with 256 MB of RAM could have a memory oversize threshold range of 1 MB to 102 MB. The maximum file size allowed on disk is 1 GB.

You can enable oversized file blocking and buffer to disk (for units with a local disk) in a firewall protection profile. To access protection profiles go to Firewall > Protection Profile.
• Select Anti-Virus > Oversized File/Email and choose to pass or block oversized email and files for each protocol.
• Select Anti-Virus > Buffer to Disk to enable virus scanning – for files smaller than the Disk Oversize Threshold – on the local disk.

Grayware

Grayware programs are unsolicited commercial software programs that get installed on computers, often without the user's consent or knowledge. Grayware programs are generally considered an annoyance, but these programs can cause system performance problems or be used for malicious means.

The FortiGate unit scans for known grayware executable programs in each category you enable. The category list and contents are added or updated whenever your FortiGate unit receives a virus update package. By default, all new categories are disabled. New categories may be added at any time and will be loaded with the virus updates.

Grayware options

Grayware categories are populated with known executable files. Each time the FortiGate unit receives a virus and attack definitions update, the grayware categories and contents are updated.

Figure 43: Sample grayware options

The categories may change or expand when the FortiGate unit receives updates. Enabling a grayware category blocks all files listed in the category. In the example above you can choose to enable the following grayware categories.

Adware: Select enable to block adware programs. Adware is usually embedded in freeware programs and causes ads to pop up whenever the program is opened or used.
Dial: Select enable to block dialer programs. Dialers allow others to use the PC modem to call premium numbers or make long distance calls.
Game: Select enable to block games. Games are usually joke or nuisance games that you may want to block from network users.
Joke: Select enable to block joke programs. Joke programs can include custom cursors and programs that appear to affect the system.
P2P: Select enable to block peer to peer communications programs. P2P, while a legitimate protocol, is synonymous with file sharing programs that are used to swap music, movies, and other files, often illegally.
Spy: Select enable to block spyware programs. Spyware, like adware, is often included with freeware. Spyware is a tracking and analysis program that can report your activities, such as web browsing habits, to the advertiser's web site where it may be recorded and analyzed.
Keylog: Select enable to block keylogger programs. Keylogger programs can record every keystroke made on a keyboard including passwords, chat, and instant messages.
Hijacker: Select enable to block browser hijacking programs. Browser hijacking occurs when a 'spyware' type program changes web browser settings, including favorites or bookmarks, start pages, and menu options.
Plugin: Select enable to block browser plugins. Browser plugins can often be harmless Internet browsing tools that are installed and operate directly from the browser window. Some toolbars and plugins can attempt to control or record and send browsing preferences.
NMT: Select enable to block network management tools. Network management tools can be installed and used maliciously to change settings and disrupt network security.
RAT: Select enable to block remote administration tools. Remote administration tools allow outside users to remotely change and monitor a computer on a network.

Misc: Select enable to block any programs included in the miscellaneous grayware category.
BHO: Select enable to block browser helper objects. BHOs are DLL files that are often installed as part of a software package so the software can control the behavior of Internet Explorer 4.x and higher. Not all BHOs are malicious, but the potential exists to track surfing habits and gather other information.
Toolbar: Select enable to block custom toolbars. While some toolbars are harmless, spyware developers can use these toolbars to monitor web habits and send information back to the developer.
Download: Select enable to block download programs. Download components are usually run at Windows startup and are designed to install or download other software, especially advertising and dial software.

CLI configuration

This guide only covers Command Line Interface (CLI) commands that are not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands see the FortiGate CLI Reference Guide.

heuristic

The FortiGate heuristic antivirus engine performs tests on files to detect virus-like behavior or known virus indicators. In this way, heuristic scanning may detect new viruses, but may also produce some false positive results. Heuristic scanning is performed last, after file blocking and virus scanning have found no matches. The heuristic engine is enabled by default to pass suspected files to the recipient and send a copy to quarantine. Use the heuristic command to change the heuristic scanning mode.

Command syntax pattern
config antivirus heuristic
    set <keyword> <variable>
config antivirus heuristic
    unset <keyword>
get antivirus heuristic
show antivirus heuristic

Table 3: antivirus heuristic command keywords and variables

mode {pass | block | disable}
    Enter pass to enable heuristics but pass detected files to the recipient. Suspicious files are quarantined if quarantine is enabled. Enter block to enable heuristics and block detected files. A replacement message is forwarded to the recipient. Blocked files are quarantined if quarantine is enabled. Enter disable to disable heuristics.
    Default: pass. Availability: All models.

Example
This example shows how to disable heuristic scanning.
config antivirus heuristic
    set mode disable
end

This example shows how to display the settings for the antivirus heuristic command.
get antivirus heuristic

This example shows how to display the configuration for the antivirus heuristic command.
show antivirus heuristic

quarantine

The quarantine command also allows configuration of heuristic related settings. Please note that there are more options for this command. See the FortiGate CLI Reference Guide.

Command syntax pattern
config antivirus quarantine
    set <keyword> <variable>
config antivirus quarantine
    unset <keyword>
get antivirus quarantine
show antivirus quarantine

antivirus quarantine command keywords and variables

drop_heuristic {ftp http imap pop3 smtp}
    Do not quarantine files found by heuristic scanning in traffic for the specified protocols.
    Default: No default. Availability: FortiGate models numbered 200 and higher.
store_heuristic {ftp http imap pop3 smtp}
    Quarantine files found by heuristic scanning in traffic for the specified protocols.
    Default: imap smtp pop3 http ftp. Availability: FortiGate models numbered 200 and higher.

service http

Use this command to configure how the FortiGate unit handles antivirus scanning of large files in HTTP traffic and what ports the FortiGate unit scans for HTTP.

Command syntax pattern
config antivirus service http
    set <keyword> <variable>

config antivirus service http
    unset <keyword>
get antivirus service [http]
show antivirus service [http]

Table 4: antivirus service http command keywords and variables

diskfilesizelimit <MB_integer>
    Set the maximum file size that can be buffered to the local disk for virus scanning. The diskfilesizelimit must be set larger than the memfilesizelimit. For example, if memfilesizelimit is 10 MB, then the diskfilesizelimit can be between 11 MB and 1 GB. Note: Frequent buffering to disk is not recommended as it may slow down performance.
    Default: 50MB. Availability: Model numbers 200 and higher that have a local disk.
memfilesizelimit <MB_integer>
    Set the maximum file size that can be buffered to memory for virus scanning. The maximum file size allowed is 40% of the FortiGate RAM size. For example, a FortiGate unit with 256 MB of RAM could have a threshold range of 1 MB to 102 MB.
    Default: 10MB. Availability: All models.
port <port_integer>
    Configure antivirus scanning on a nonstandard port number or multiple port numbers for HTTP. You can use ports from the range 1-65535. You can add up to 20 ports.
    Default: 80. Availability: All models.

Example
This example shows how to set the maximum file size that can be buffered to disk at 500 MB, the maximum file size buffered to memory at 100 MB, and configure antivirus scanning on ports 70, 80, and 443 for HTTP traffic.
config antivirus service http
    set diskfilesizelimit 500
    set memfilesizelimit 100
    set port 70
    set port 80
    set port 443
end

This example shows how to display the antivirus HTTP traffic settings.
get antivirus service http

This example shows how to display the configuration for antivirus HTTP traffic.
show antivirus service http

service ftp

Use this command to configure how the FortiGate unit handles antivirus scanning of large files in FTP traffic and how the FortiGate unit handles the buffering and uploading of files to an FTP server.

Command syntax pattern
config antivirus service ftp
    set <keyword> <variable>
config antivirus service ftp
    unset <keyword>
get antivirus service [ftp]
show antivirus service [ftp]

Table 5: antivirus service ftp command keywords and variables

diskfilesizelimit <MB_integer>
    Set the maximum file size that can be buffered to the local disk for virus scanning. The diskfilesizelimit must be set larger than the memfilesizelimit. For example, if memfilesizelimit is 10 MB, then the diskfilesizelimit can be between 11 MB and 1 GB. Note: Frequent buffering to disk is not recommended as it may slow down performance.
    Default: 50MB. Availability: Model numbers 200 and higher that have a local disk.
memfilesizelimit <MB_integer>
    Set the maximum file size that can be buffered to memory for virus scanning. The maximum file size allowed is 40% of the FortiGate RAM size. For example, a FortiGate unit with 256 MB of RAM could have a threshold range of 1 MB to 102 MB.
    Default: 10MB. Availability: All models.

Table 5: antivirus service ftp command keywords and variables (Continued)

splice {disable | enable}
    Configure how the FortiGate unit handles buffering and uploading or downloading files using an FTP server. When splice is enabled for ftp, the FortiGate unit simultaneously buffers the file for scanning and uploads the file to an FTP server. If a virus is detected, the FortiGate unit stops the upload and attempts to delete the partially uploaded file from the FTP server. To delete the file successfully, the server permissions must be set to allow deletes. When splice is disabled for ftp, the FortiGate unit buffers the file for scanning before uploading it to the FTP server. If the file is clean, the FortiGate unit will allow the upload to continue. Enabling splice reduces timeouts when uploading and downloading large files.
    When downloading files from an FTP server the FortiGate unit sends 1 byte every 30 seconds to prevent the client from timing out during scanning and download. If a virus is detected, the FortiGate unit stops the download. The user must then delete the partially downloaded file. There should not be enough content in the file to cause any harm.
    Default: enable. Availability: All models.

Example
This example shows how to set the maximum file size that can be buffered to disk at 100 MB, the maximum file size buffered to memory at 5 MB, and enable file splice for FTP traffic.
config antivirus service ftp
    set diskfilesizelimit 100
    set memfilesizelimit 5
    set splice enable
end

This example shows how to display the antivirus FTP traffic settings.
get antivirus service ftp

This example shows how to display the configuration for antivirus FTP traffic.
show antivirus service ftp

service pop3

Use this command to configure how the FortiGate unit handles antivirus scanning of large files in POP3 traffic and what ports the FortiGate unit scans for POP3.

Command syntax pattern
config antivirus service pop3
    set <keyword> <variable>
config antivirus service pop3
    unset <keyword>
get antivirus service [pop3]
show antivirus service [pop3]

Table 6: antivirus service pop3 command keywords and variables

diskfilesizelimit <MB_integer>
    Set the maximum file size that can be buffered to the local disk for virus scanning. The diskfilesizelimit must be set larger than the memfilesizelimit. For example, if memfilesizelimit is 10 MB, then the diskfilesizelimit can be between 11 MB and 1 GB. Note: Frequent buffering to disk is not recommended as it may slow down performance.
    Default: 50MB. Availability: Model numbers 200 and higher that have a hard disk.
memfilesizelimit <MB_integer>
    Set the maximum file size that can be buffered to memory for virus scanning. The maximum file size allowed is 40% of the FortiGate RAM size. For example, a FortiGate unit with 256 MB of RAM could have a threshold range of 1 MB to 102 MB.
    Default: 10MB. Availability: All models.
port <port_integer>
    Configure antivirus scanning on a nonstandard port number or multiple port numbers for POP3. You can use ports from the range 1-65535. You can add up to 20 ports.
    Default: 110. Availability: All models.

Example
This example shows how to set the maximum file size that can be buffered to disk at 60 MB, the maximum file size buffered to memory at 12 MB, and configure antivirus scanning on ports 110, 111 and 992 for POP3 traffic.
config antivirus service pop3
    set diskfilesizelimit 60
    set memfilesizelimit 12
    set port 110
    set port 111
    set port 992
end

This example shows how to display the antivirus POP3 traffic settings.
get antivirus service pop3

This example shows how to display the configuration for antivirus POP3 traffic.
show antivirus service pop3

service imap

Use this command to configure how the FortiGate unit handles antivirus scanning of large files in IMAP traffic and what ports the FortiGate unit scans for IMAP.

Command syntax pattern
config antivirus service imap
    set <keyword> <variable>
config antivirus service imap
    unset <keyword>
get antivirus service [imap]
show antivirus service [imap]

Table 7: antivirus service imap command keywords and variables

diskfilesizelimit <MB_integer>
    Set the maximum file size that can be buffered to the local disk for virus scanning. The diskfilesizelimit must be set larger than the memfilesizelimit. For example, if memfilesizelimit is 10 MB, then the diskfilesizelimit can be between 11 MB and 1 GB. Note: Frequent buffering to disk is not recommended as it may slow down performance.
    Default: 50MB. Availability: Model numbers 200 and higher that have a hard disk.
memfilesizelimit <MB_integer>
    Set the maximum file size that can be buffered to memory for virus scanning. The maximum file size allowed is 40% of the FortiGate RAM size. For example, a FortiGate unit with 256 MB of RAM could have a threshold range of 1 MB to 102 MB.
    Default: 10MB. Availability: All models.
port <port_integer>
    Configure antivirus scanning on a nonstandard port number or multiple port numbers for IMAP. You can use ports from the range 1-65535. You can add up to 20 ports.
    Default: 143. Availability: All models.

Example
This example shows how to set the maximum file size that can be buffered to disk at 60 MB, the maximum file size buffered to memory at 20 MB, and configure antivirus scanning on ports 143 and 993 for IMAP traffic.

config antivirus service imap
    set diskfilesizelimit 60
    set memfilesizelimit 20
    set port 143
    set port 993
end

This example shows how to display the antivirus IMAP traffic settings.
get antivirus service imap

This example shows how to display the configuration for antivirus IMAP traffic.
show antivirus service imap

service smtp

Use this command to configure how the FortiGate unit handles antivirus scanning of large files in SMTP traffic, what ports the FortiGate unit scans for SMTP, and how the FortiGate unit handles interaction with an SMTP server for delivery of email with infected email file attachments.

Command syntax pattern
config antivirus service smtp
    set <keyword> <variable>
config antivirus service smtp
    unset <keyword>
get antivirus service [smtp]
show antivirus service [smtp]

Table 8: antivirus service smtp command keywords and variables

diskfilesizelimit <MB_integer>
    Set the maximum file size that can be buffered to the local disk for virus scanning. The diskfilesizelimit must be set larger than the memfilesizelimit. For example, if memfilesizelimit is 10 MB, then the diskfilesizelimit can be between 11 MB and 1 GB. Note: Frequent buffering to disk is not recommended as it may slow down performance.
    Default: 50MB. Availability: Model numbers 200 and higher that have a hard disk.
memfilesizelimit <MB_integer>
    Set the maximum file size that can be buffered to memory for virus scanning. The maximum file size allowed is 40% of the FortiGate RAM size. For example, a FortiGate unit with 256 MB of RAM could have a threshold range of 1 MB to 102 MB.
    Default: 10MB. Availability: All models.
port <port_integer>
    Configure antivirus scanning on a nonstandard port number or multiple port numbers for SMTP. You can use ports from the range 1-65535. You can add up to 20 ports.
    Default: 143. Availability: All models.

Table 8: antivirus service smtp command keywords and variables (Continued)

splice {disable | enable}
    Configure how the FortiGate unit handles interaction with an SMTP server for delivery of email with infected file attachments. When splice is enabled, the FortiGate unit simultaneously scans an email and sends it to the SMTP server. If the FortiGate unit detects a virus, it terminates the server connection and returns an error message to the sender, listing the virus name and infected filename. In this mode, the SMTP server is not able to deliver the email if it was sent with an infected attachment. The receiver does not receive the email or the attachment. When splice is disabled, the FortiGate unit scans the email first. If the FortiGate unit detects a virus, it removes the infected attachment, adds a customizable message, and sends the email to the SMTP server for delivery. Throughput is higher when splice is enabled.
    Selecting enable for the splice keyword returns an error message to the sender if an attachment is infected. When splice is disabled for SMTP, infected attachments are removed and the email is forwarded (without the attachment) to the SMTP server for delivery to the recipient.
    Default: enable. Availability: All models.

Example
This example shows how to set the maximum file size that can be buffered to disk at 1 GB (1000 MB), the maximum file size buffered to memory at 100 MB, configure antivirus scanning on ports 25 and 465, and enable file splice for SMTP traffic.
config antivirus service smtp
    set diskfilesizelimit 1000
    set memfilesizelimit 100
    set port 25
    set port 465
    set splice enable
end

This example shows how to display the antivirus SMTP traffic settings.
get antivirus service smtp

This example shows how to display the configuration for antivirus SMTP traffic.
show antivirus service smtp
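The limits stated for the service http, ftp, pop3, imap and smtp commands above (memfilesizelimit at most 40% of RAM, diskfilesizelimit above memfilesizelimit and at most 1 GB, ports 1-65535 with up to 20 per service, splice only for ftp and smtp) as an added Python checker that also renders the CLI block in the form the examples use; this is example code for this guide, not Fortinet's tooling, and the RAM size is a constructed input.

```python
# Added example (not Fortinet code): validate and render
# 'config antivirus service <service>' blocks against the constraints the
# guide states for the diskfilesizelimit, memfilesizelimit, port and
# splice keywords.

SERVICES = {"http", "ftp", "pop3", "imap", "smtp"}
PORT_SERVICES = {"http", "pop3", "imap", "smtp"}   # ftp has no port keyword
SPLICE_SERVICES = {"ftp", "smtp"}                  # only these have splice
MAX_DISK_MB = 1000                                 # maximum on disk: 1 GB
MAX_PORTS = 20


def max_mem_mb(ram_mb):
    """Memory buffering ceiling: 40% of RAM (256 MB RAM -> 102 MB)."""
    return int(ram_mb * 0.4)


def validate_service(service, ram_mb, memfilesizelimit, diskfilesizelimit=None,
                     ports=(), splice=None, has_local_disk=True):
    """Return a list of problems; an empty list means the block is acceptable."""
    problems = []
    if service not in SERVICES:
        return [f"unknown service {service}"]
    ceiling = max_mem_mb(ram_mb)
    if not 1 <= memfilesizelimit <= ceiling:
        problems.append(f"memfilesizelimit must be 1-{ceiling} MB for {ram_mb} MB RAM")
    if diskfilesizelimit is not None:
        if not has_local_disk:
            problems.append("diskfilesizelimit needs a local disk (models 200 and higher)")
        # Must exceed memfilesizelimit and stay at or below 1 GB
        if not memfilesizelimit < diskfilesizelimit <= MAX_DISK_MB:
            problems.append(
                f"diskfilesizelimit must be {memfilesizelimit + 1}-{MAX_DISK_MB} MB")
    if ports and service not in PORT_SERVICES:
        problems.append(f"{service} has no port keyword")
    if len(ports) > MAX_PORTS:
        problems.append(f"at most {MAX_PORTS} ports per service")
    for p in ports:
        if not 1 <= p <= 65535:
            problems.append(f"port {p} out of range 1-65535")
    if splice is not None and service not in SPLICE_SERVICES:
        problems.append(f"{service} has no splice keyword")
    return problems


def render_service(service, memfilesizelimit, diskfilesizelimit=None,
                   ports=(), splice=None):
    """Emit the CLI block in the same layout as the guide's examples."""
    lines = [f"config antivirus service {service}"]
    if diskfilesizelimit is not None:
        lines.append(f"    set diskfilesizelimit {diskfilesizelimit}")
    lines.append(f"    set memfilesizelimit {memfilesizelimit}")
    for p in ports:
        lines.append(f"    set port {p}")
    if splice is not None:
        lines.append(f"    set splice {'enable' if splice else 'disable'}")
    lines.append("end")
    return "\n".join(lines)
```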


FortiGate-60 Administration Guide Version 2.80

Web filter

Web filter provides configuration access to the Web filtering and Web category filtering options you enable when you create a firewall Protection Profile. To access protection profile web filter options go to Firewall > Protection Profile, select Edit or Create New, and select Web Filtering or Web Category Filtering. See "Protection profile options" on page 189.

Table 9: Web filter and Protection Profile web filtering configuration

Protection Profile web filtering option: Web Content Block. Enable or disable web page blocking based on the banned words and patterns in the content block list for HTTP traffic.
Web Filter setting: Web Filter > Content Block. Add words and patterns to block web pages containing those words or patterns.

Protection Profile web filtering option: Web URL Block. Enable or disable web page filtering for HTTP traffic based on the URL block list.
Web Filter setting: Web Filter > URL Block. Add URLs and URL patterns to block web pages from specific sources.

Protection Profile web filtering option: Web Exempt List. Enable or disable web page filtering for HTTP traffic based on the URL exempt list.
Web Filter setting: Web Filter > URL Exempt. Add URLs to exempt them from web and virus filtering. Exempt URLs are not scanned for viruses.

Protection Profile web filtering option: Web Script Filter. Enable or disable blocking scripts from web pages for HTTP traffic.
Web Filter setting: Web Filter > Script Filter. Select the scripts to block.

Table 10: Web filter and Protection Profile web category filtering configuration

Protection Profile web category filtering option: Enable category block (HTTP only). Enable FortiGuard web filtering.
Web Filter setting: Web Filter > Category Block > Configuration. Enable or disable FortiGuard and enable and set the size limit for the cache.

Protection Profile web category filtering option: Block unrated websites (HTTP only). Block any web pages that have not been rated by the web filtering service.

Protection Profile web category filtering option: Allow websites when a rating error occurs (HTTP only). Allow web pages that return a rating error from the web filtering service.

Protection Profile web category filtering option: Category / Action. The FortiGuard web filtering service provides many categories by which to filter web traffic. You can set the action to take on web pages for each category. Choose from allow, monitor, or reject.

For information about configuring Protection Profiles, see "Protection profile" on page 188. For information about adding protection profiles to firewall policies, see "To add a protection profile to a policy" on page 194.

This chapter describes the settings and steps to configure the following options:
• Content block
• URL block
• URL exempt
• Category block
• Script filter

Content block

Control web content by blocking specific words or word patterns. The FortiGate unit blocks web pages containing banned words and displays a replacement message instead. You can use Perl regular expressions or wildcards to add banned word patterns to the list. See "Using Perl regular expressions" on page 314.

Note: Perl regular expression patterns are case sensitive for Web Filter content block. To make a word or phrase case insensitive, use the regular expression flag /i. For example, /bad language/i will block all instances of "bad language" regardless of case. Wildcard patterns are not case sensitive.

This section describes:
• Web content block list
• Web content block options
• Configuring the web content block list

Web content block list

You can add one or more banned words or patterns to block web pages containing those words. Banned words can be one word or a text string up to 80 characters long. The maximum number of banned words in the list is 32.

Figure 44: Sample Web Content Block List

Web content block options

Web content block has the following icons and features:
Create New: Select Create New to add a banned word to the web content block list.
total banned words: The number of banned words in the web content block list.
Banned word: The current list of banned words and patterns.
Pattern type: The pattern type used in the banned word list entry, either wildcard or regular expression. See "Using Perl regular expressions" on page 314.
Language: The character set to which the banned word belongs: Simplified Chinese, Traditional Chinese, French, Japanese, Korean, Thai, or Western.
Enable check box: Select the check box to enable all the banned words in the list.
Icons: The Delete and Edit/View icons, and the Page up, Page down, and Clear banned word list icons.

Note: Enable Web filtering > Web Content Block in your firewall Protection Profile to activate the content block settings.

Configuring the web content block list

Figure 45: Adding a banned word to the content block list

When you select Create New or Edit you can configure the following settings for the banned word.
Banned word: Enter the word or pattern you want to include in the banned word list.
Pattern type: Select the pattern type for the banned word, either wildcard or regular expression. See "Using Perl regular expressions" on page 314.

Language: Select the character set for the banned word. Choose from Chinese Simplified, Chinese Traditional, French, Japanese, Korean, Thai, or Western.
Enable: Select Enable to activate the banned word in the list.

To add or edit a banned word
1 Go to Web Filter > Content Block.
2 Select Create New to add a banned word, or select Edit for the banned word you want to modify.
3 Enter the word or phrase. If you enter a single word, the FortiGate unit blocks all web pages that contain that word. If you enter a phrase, the FortiGate unit blocks all web pages containing any word in the phrase. If you enclose the phrase in quotation marks, the FortiGate unit blocks only web pages containing the exact phrase.
4 Select the language (character set).
5 Set the pattern type if required.
6 Select Enable.
7 Select OK.

URL block

You can block access to specific URLs by adding them to the URL block list. You can also add patterns using text and regular expressions (or wildcard characters) to block URLs. The FortiGate unit blocks web pages matching any specified URLs or patterns and displays a replacement message instead.

Note: Enable Web filtering > Web URL Block in your firewall Protection Profile to activate the URL block settings.

Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, use firewall policies to deny FTP connections.

This section describes:
• Web URL block list
• Web URL block options
• Configuring the web URL block list
• Web pattern block list
• Web pattern block options
• Configuring web pattern block
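The matching rules of the content block list described above (single word, unquoted phrase, quoted phrase, case-insensitive wildcard entries versus case-sensitive Perl regular expressions with the /i flag, and the 32-entry and 80-character limits) are easier to reason about as code. The following Python is an added example written for this guide, not FortiGate code. It assumes that wildcard entries use * and ? and are matched anywhere in the page text, and that the single-word, phrase and quoted-phrase rules apply to wildcard entries only, since a regular expression containing a space is one expression. The sample list is constructed.

```python
import re
from dataclasses import dataclass

MAX_ENTRIES = 32     # limits stated for the content block list
MAX_LENGTH = 80


@dataclass
class BannedWord:
    pattern: str
    pattern_type: str = "wildcard"   # "wildcard" or "regex"
    enabled: bool = True


def _wildcard_to_regex(pattern):
    # '*' matches any run of characters, '?' one character; all else is literal
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)


def compile_entry(entry):
    """Return the regexes an entry expands to; a page is blocked if any matches."""
    text = entry.pattern.strip()
    if entry.pattern_type == "regex":
        # Perl-style /pattern/flags; case sensitive unless the i flag is given
        m = re.fullmatch(r"/(.*)/([a-z]*)", text, re.S)
        body, flags = (m.group(1), m.group(2)) if m else (text, "")
        return [re.compile(body, re.IGNORECASE if "i" in flags else 0)]
    # wildcard entries are never case sensitive
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        # quoted phrase: only the exact phrase blocks the page
        return [re.compile(_wildcard_to_regex(text[1:-1]), re.IGNORECASE)]
    # single word, or unquoted phrase: any one of the words blocks the page
    return [re.compile(_wildcard_to_regex(w), re.IGNORECASE) for w in text.split()]


def build_list(raw_entries):
    """raw_entries: [(pattern, pattern_type)]; enforces the list's size limits."""
    if len(raw_entries) > MAX_ENTRIES:
        raise ValueError("the content block list holds at most 32 entries")
    entries = []
    for pattern, ptype in raw_entries:
        if len(pattern) > MAX_LENGTH:
            raise ValueError(f"entry longer than {MAX_LENGTH} characters: {pattern!r}")
        entries.append(BannedWord(pattern, ptype))
    return entries


def blocked_by(page_text, entries):
    """Return the pattern of the first enabled entry that matches, else None."""
    for entry in entries:
        if not entry.enabled:
            continue
        if any(rx.search(page_text) for rx in compile_entry(entry)):
            return entry.pattern
    return None


# Constructed sample list mixing the entry forms described in the guide.
SAMPLE_LIST = build_list([
    ("casino", "wildcard"),          # single word
    ('"free money"', "wildcard"),    # exact phrase only
    ("bad language", "wildcard"),    # either word blocks the page
    ("/Cheap Pills/", "regex"),      # case sensitive
    ("/viagra/i", "regex"),          # case insensitive via /i
])
```

Because an unquoted phrase blocks on any of its words, an entry such as bad language also blocks every page that merely contains "language"; quote the phrase, or use a regular expression, when that is not what you want.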

Web URL block list

You can add your own specific URLs to block, or you can obtain one of several publicly available lists of objectionable URLs. You can add the following items to the URL block list:
• complete URLs
• IP addresses
• partial URLs, to block all sub-domains

If you want to use more than one URL block list, combine the lists in a text file and upload them to the FortiGate unit by selecting the Upload URL block list icon. URLs in a text file must be separated by hard returns (one URL per line) to upload correctly.

Note: You can type a top-level domain suffix (for example, "com" without the leading period) to block access to all URLs with this suffix.

Note: Do not use regular expressions in the web URL block list. You can use regular expressions in the web pattern block list to create URL patterns to block. See "Web pattern block list" on page 294.

Figure 46: Sample Web URL block list

Web URL block options

Web URL block has the following icons and features:
Create New: Select Create New to add a URL to the URL block list.
total: The number of URLs in the URL block list.
URL: This column displays the current list of blocked URLs.
Enable check box: Select the check box to enable all the URLs in the list.
Icons: The Delete and Edit/View icons, and the Page up, Page down, and Clear URL block list icons.

Configuring the web URL block list

To add a URL to the web URL block list
1 Go to Web Filter > URL Block.
2 Select Web URL Block.
3 Select Create New.

adding badsite.badsite. www. Select OK. For example. (Do not include http://. badsite.com.) Type a top-level URL or IP address to block access to all pages on a web site. badsite. Figure 48: Sample web pattern block list 294 01-28003-0002-20040716 Fortinet Inc.155 blocks access to all pages at this web site.badsite.com or 122. Select Enable. and so on. add badsite.badsite. For example. For example.html or 122.com blocks access to www.URL block Figure 47: Adding a new URL Web filter 4 Enter a URL or partial URL to add to the URL block list.finance. you can block all URLs that match patterns you create using text and regular expressions (or wildcard characters).com. Note: Enable Web filtering > Web URL Block in your firewall Protection Profile to activate the web pattern block settings. For example.com to the block list. mail.* matches badsite. FortiGate web pattern blocking supports standard regular expressions.badsite. www. 5 6 Web pattern block list In addition to blocking specific or partial URLs. www. To block all pages with a URL that ends with badsite.com.155/news.org.badsite. badsite.net and so on. Enter a top-level URL followed by the path and filename to block access to a single page on a web site. You can add up to 20 patterns to the web pattern block list. .144.144.html blocks the news page on this web site.com.133.com/news.133.com.

Web pattern block options

Web pattern block has the following icons and features:
Create New: Select Create New to add a new pattern to the web pattern block list.
Pattern: This column displays the current list of blocked patterns.
Enable check box: Select the check box to enable all the web patterns in the list.
Icons: The Delete and Edit/View icons.

Configuring web pattern block

To add a pattern to the web pattern block list
1 Go to Web Filter > URL Block.
2 Select Web Pattern Block.
3 Select Create New.
Figure 49: Adding a new pattern
4 Enter a pattern to add to the web pattern block list.
5 Select Enable.
6 Select OK.

URL exempt

This section describes:
• URL exempt list
• URL exempt list options
• Configuring URL exempt

URL exempt list

You can configure specific URLs as exempt from web filtering. URLs in the URL exempt list are also not scanned for viruses. If users on your network download files through the FortiGate unit from a trusted website, you can add the URL of this website to the exempt list so that the FortiGate unit does not virus scan files downloaded from this URL. Because an exempt entry bypasses virus scanning as well as web filtering, keep the list short and exempt only sites you control or have reason to trust.

Figure 50: Sample URL exempt list

Note: Enable Web filtering > Web Exempt List in your firewall Protection Profile to activate the URL exempt settings.

URL exempt list options

URL exempt list has the following icons and features:
Create New: Select Create New to add a URL to the URL exempt list.
total: The number of URLs in the URL exempt list.
Page up icon: Select this icon to scroll the URL exempt list up.
Page down icon: Select this icon to scroll the URL exempt list down.
Clear URL exempt list icon: Select this icon to delete the entire URL exempt list.
URL Exempt List: This column displays the current list of exempt URLs.
Enable check box: Select the check box to enable all the URLs in the list.
Icons: The Delete and Edit/View icons.

Configuring URL exempt

To add a URL to the URL exempt list
1 Go to Web Filter > URL Exempt.
2 Select Create New.
Figure 51: Adding a new exempt URL
3 Enter the URL to add to the URL exempt list.
4 Select Enable.
5 Select OK.
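The URL block list, the web pattern block list and the URL exempt list described in the preceding sections can be read as one evaluation order. The Python below is an added example, not FortiGate code. It assumes that the exempt list is consulted before the block lists, that a list entry carrying a path blocks exactly that page, and that a host entry covers the host and all of its sub-domains (which is what makes a bare suffix such as com match every .com site); it also honours the rule that URL blocking applies to HTTP only. The sample lists are constructed.

```python
import re
from urllib.parse import urlsplit

MAX_PATTERNS = 20   # limit stated for the web pattern block list


def _split_entry(entry):
    """A list entry is 'host' or 'host/path' and never carries a scheme."""
    if "://" in entry:
        raise ValueError("URL list entries must not include http://")
    host, _, path = entry.lower().partition("/")
    return host, ("/" + path) if path else ""


def _host_matches(req_host, entry_host):
    # An entry covers the host itself and every sub-domain of it: badsite.com
    # covers www.badsite.com and mail.badsite.com; a bare suffix such as "com"
    # covers every .com host.
    return req_host == entry_host or req_host.endswith("." + entry_host)


def _entry_matches(url, entry):
    parts = urlsplit(url)
    entry_host, entry_path = _split_entry(entry)
    if not _host_matches((parts.hostname or "").lower(), entry_host):
        return False
    # an entry with a path blocks only that single page
    return entry_path == "" or entry_path == (parts.path or "/")


def evaluate(url, exempt_list, block_list, pattern_list):
    """Return (decision, matched_entry). Decisions: 'not-http' (URL block
    applies to HTTP only), 'exempt' (no web filtering and no virus scan),
    'block', or 'allow' (filtered and scanned as normal)."""
    if len(pattern_list) > MAX_PATTERNS:
        raise ValueError("at most 20 web patterns")
    parts = urlsplit(url)
    if parts.scheme != "http":
        return ("not-http", None)
    for entry in exempt_list:                 # exempt list wins outright
        if _entry_matches(url, entry):
            return ("exempt", entry)
    for entry in block_list:                  # then complete/partial URLs
        if _entry_matches(url, entry):
            return ("block", entry)
    target = parts.netloc + parts.path        # then regular-expression patterns
    for pattern in pattern_list:
        if re.search(pattern, target):
            return ("block", pattern)
    return ("allow", None)


# Constructed sample lists.
EXEMPT = ["updates.example.com"]
BLOCK = ["www.badsite.com", "122.133.144.155", "news.example.org/sports.html",
         "badsite.net", "xyz"]
PATTERNS = [r"badsite\.(biz|info)"]
```

Note that www.badsite.com in the block list does not cover mail.badsite.com; to cover every host under the domain, list badsite.com instead, as the procedure above explains.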

Category block

You can filter HTTP content by specific categories using the FortiGuard managed web filtering service.

This section describes:
• FortiGuard managed web filtering service
• Category block configuration options
• Category block reports
• Category block reports options
• Generating a category block report

FortiGuard managed web filtering service

FortiGuard is a managed web filtering solution provided by Fortinet. FortiGuard sorts hundreds of millions of web pages into a wide range of categories that users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard Service Point to determine the category of a requested web page and then follows the firewall policy configured for that user or interface.

FortiGuard ratings are performed by a combination of proprietary methods including text analysis, exploitation of the Web structure, and human raters. Users can notify the FortiGuard Service Points if they feel a web page is not categorized correctly, and new sites are quickly rated as required.

FortiGuard Service Points

FortiGuard Service Points provide worldwide coverage. By default, the FortiGate unit communicates with the closest Service Point. If the Service Point becomes unreachable for any reason, the FortiGate unit contacts another Service Point and rating information is available again within seconds. FortiGuard Service Points are highly scalable and new Service Points are added as required.

FortiGuard licensing

Every FortiGate unit comes with a free 30-day FortiGuard trial license. FortiGuard license management is done by Fortinet servers, so there is no need to enter a license number. The FortiGate unit automatically contacts a FortiGuard Service Point when you enable FortiGuard category blocking.

FortiGuard categories and ratings

FortiGuard includes over 60 million individual ratings of web sites applying to hundreds of millions of pages. Pages are rated into 56 categories that users can allow, block, or monitor. Users can also choose to allow, block, or monitor entire groups of categories to make configuration simpler. Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy. Categories may be added to or updated as the Internet evolves. See "FortiGuard categories" on page 335 for a complete list and description of the FortiGuard web filter categories.

When you want to renew your FortiGuard license after the free trial, contact Fortinet Technical Support.

Category block configuration options

If you have ordered FortiGuard through Fortinet technical support or are using the free 30-day trial, you only need to enable the service to start configuring and using FortiGuard. FortiGuard category blocking is enabled globally. After enabling FortiGuard you can configure different categories for each firewall protection profile you create. Use the procedure "Configuring web category filtering options" on page 191 to configure FortiGuard category blocking in a protection profile.

Figure 52: Category block configuration

You can configure the following options to enable and help maintain FortiGuard web filtering:
Enable Service: Select to enable FortiGuard web filtering.
FortiGuard Status: Select Check Status to test the connection to the FortiGuard server. Status should change from Unknown to Available when the server is contacted successfully.
License Type: The FortiGuard license type.
Expiration: The date the FortiGuard license expires.
FortiGuard configuration: Once Enable Service is selected, the following cache settings are available.
Enable Cache: Select to enable caching of category ratings for accessed URLs, so that the FortiGate unit does not have to contact the server each time a commonly requested URL is accessed. The cache is configured to use 6% of the FortiGate RAM. When the cache is full, the least recently accessed URL is deleted.
TTL: Time to live. The number of seconds to store URL ratings in the cache before contacting the server again.
To have a URL's category rating re-evaluated, please click here: Select the link to have a web site re-evaluated if you think the category rating is incorrect. You must provide a complete valid URL.
Apply: Select Apply to implement a new or changed configuration.

Configuring web category block

To enable FortiGuard web filtering
1 Go to Web Filter > Category Block.
2 Select Enable Service.
3 Select Check Status to make sure the FortiGate unit can access the FortiGuard server. After a moment, the FortiGuard status should change from Unknown to Available. If the FortiGuard status is unavailable, wait and try again.
4 Enable and set a TTL (time to live) for the cache if desired.
5 Select Apply.

Once you select Apply, the FortiGuard license type and expiration date appear on the configuration screen (Web Filter > Category Block). You can now enable web category blocking and configure categories for any firewall protection profile you create. See "Configuring web category filtering options" on page 191 and "FortiGuard categories" on page 335.

Category block reports

Note: Category block reports are only available on FortiGate units with a local disk.

The FortiGate unit maintains statistics for allowed, blocked and monitored web pages for each category. You can view reports for a range of hours or days, or you can view a complete report of all activity. You can generate a text and pie chart format report on web filtering for any profile.

Figure 53: Sample report

Category block reports options

The following table describes the options for generating reports:
Profile: Select the profile for which you want to generate a report.
Report Type: Select the time frame for which you want to generate the report. Choose from hour, day, or all historical statistics.
Report Range: Select the time range (24 hour clock) or day range (from six days ago to today) for which you want the report. For example, if you select report type hour and enter the range 13 - 16 you get a category block report for 1 pm to 4 pm today. If you select report type day and enter the range 0 - 3 you get a category block report for 3 days ago to today.
Get Report: Select Get Report to generate the report.

The following table describes the features of a generated report:
Category: The category for which the statistic was generated.
Allowed: The number of allowed web addresses accessed in the selected time frame.
Blocked: The number of blocked web addresses accessed in the selected time frame.
Monitored: The number of monitored web addresses accessed in the selected time frame.

Generating a category block report

To generate a category block report
1 Go to Web filter > Category block.
2 Select Reports.
3 Select a profile for which to generate the report.
4 Select a report type.
5 Enter a report range.
6 Select Get Report.
The report is generated, including a pie chart and a list of web pages blocked by category.

CLI configuration

The Cerberian web filtering service can only be enabled via the CLI.

Note: For a description of the other catblock keywords and variables, see the FortiGate CLI Reference Guide.

catblock

Use this command to configure web filtering for either FortiGuard or Cerberian URL filtering.

Command syntax pattern

config webfilter catblock
  set <keyword> <variable>
config webfilter catblock
  unset <keyword>
get webfilter catblock
show webfilter catblock

catblock command keywords and variables

Keyword and variables: status {disable | enable}
Description: Enable or disable the web category blocking service.
Default: disable
Availability: All models.

Keyword and variables: service {cerberian | fortiguard}
Description: Set the web category blocking service. Choose from Cerberian or FortiGuard.
Default: fortiguard
Availability: All models.

Keyword and variables: cache {disable | enable}
Description: Enable or disable caching of category ratings for accessed URLs, so that the FortiGate unit does not have to contact the server each time a commonly requested URL is accessed. The cache is configured to use 6% of the FortiGate RAM. When the cache is full, the least recently accessed URL is deleted.
Default: disable
Availability: All models.

Keyword and variables: cache_ttl <ttl_integer>
Description: Enter the cache time to live (TTL) in seconds. Represents the number of seconds to store URL ratings in the cache before contacting the server again.
Default: 3600
Availability: All models.

Keyword and variables: cerb_hostname <url_str>
Description: The hostname of the Cerberian servers. The FortiGate comes preconfigured with the host name. Use this command only if you need to change the host name.
Default: sp.cwfservice.net
Availability: All models, service cerberian only.

Keyword and variables: cerb_license <license_str>
Description: The license number for the Cerberian web filtering service.
Default: No default.
Availability: All models, service cerberian only.

Keyword and variables: cerb_port <port_integer>
Description: The port on the server used for Cerberian communications.
Default: 80
Availability: All models, service cerberian only.

Keyword and variables: ftgd_hostname <url_str>
Description: The hostname of the FortiGuard servers. The FortiGate comes preconfigured with the host name. Use this command only if you need to change the host name.
Default: guard.fortinet.com
Availability: All models, service fortiguard only.

Keyword and variables: ftgd_port <port_integer>
Description: The port on the server used for FortiGuard rating communications.
Default: 80
Availability: All models, service fortiguard only.
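The behaviour the cache and cache_ttl keywords describe (the least recently used rating is evicted when the cache is full; a cached rating is used until its TTL runs out and then fetched again) is a least-recently-used cache with per-entry expiry. The Python below is an added example of that structure, not the FortiGate implementation; it bounds the cache by entry count rather than by a share of RAM, and uses an injectable clock and a constructed fake rating service so that eviction and expiry can be exercised offline.

```python
import time
from collections import OrderedDict


class RatingCache:
    """Category-rating cache: least recently used entry evicted when full,
    every entry expires ttl_seconds after it was stored (cache_ttl)."""

    def __init__(self, max_entries, ttl_seconds=3600, clock=time.monotonic):
        self.max_entries = max_entries
        self.ttl = ttl_seconds
        self.clock = clock                 # injectable so expiry can be tested
        self._entries = OrderedDict()      # url -> (category, expires_at)
        self.hits = 0
        self.misses = 0

    def lookup(self, url, fetch_rating):
        """Return the category for url, calling fetch_rating(url) (the Service
        Point) only on a miss or after the cached rating has expired."""
        now = self.clock()
        cached = self._entries.get(url)
        if cached is not None:
            category, expires_at = cached
            if now < expires_at:
                self._entries.move_to_end(url)   # mark as most recently used
                self.hits += 1
                return category
            del self._entries[url]               # stale: rate it again
        self.misses += 1
        category = fetch_rating(url)
        self._entries[url] = (category, now + self.ttl)   # appended at the end
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)    # drop the least recently used
        return category


def demo():
    """Constructed walk-through with a fake clock and a fake rating service."""
    clock = [0.0]
    ratings = {"www.example.com": "News", "www.example.net": "Shopping",
               "www.example.org": "Sports"}
    calls = []

    def service(url):
        calls.append(url)
        return ratings.get(url, "Unrated")

    cache = RatingCache(max_entries=2, ttl_seconds=1800, clock=lambda: clock[0])
    cache.lookup("www.example.com", service)   # miss
    cache.lookup("www.example.com", service)   # hit
    cache.lookup("www.example.net", service)   # miss; cache is now full
    cache.lookup("www.example.com", service)   # hit; .com is now most recent
    cache.lookup("www.example.org", service)   # miss; evicts .net (least recent)
    cache.lookup("www.example.net", service)   # miss again; evicts .com
    clock[0] += 1801                            # past the 1800 s TTL
    cache.lookup("www.example.org", service)   # miss: rating expired, re-fetched
    return {"hits": cache.hits, "misses": cache.misses,
            "service_calls": len(calls), "cached": list(cache._entries)}
```

A short TTL keeps ratings fresh at the cost of more Service Point traffic; a small cache relative to the number of distinct sites visited turns into repeated misses, as the evicted entries in the walk-through show.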

Example

This example shows how to enable Cerberian category blocking with the cache enabled and a TTL of 30 minutes (1800 seconds).

config webfilter catblock
  set status enable
  set service cerberian
  set cerb_license AAAA1-BBB22-CC333-D4444
  set cache enable
  set cache_ttl 1800
end

This example shows how to display the catblock settings.

get webfilter catblock

This example shows how to display the configuration for the catblock settings.

show webfilter catblock

If the show command returns you to the prompt without output, the settings are at their defaults.

Script filter

You can configure the FortiGate unit to filter certain web scripts. You can filter Java applets, cookies, and ActiveX controls from web pages.

Note: Enable Web filtering > Web Script Filter in your firewall Protection Profile to activate the script filter settings.

Figure 54: Script filtering options

Web script filter options

You can configure the following options for script filtering:
Javascript: Select Javascript to block all Javascript-based pages or applications.
Cookies: Select Cookies to block web sites from placing cookies on individual computers.
ActiveX: Select ActiveX to block all ActiveX applications.

Note: Blocking any of these items may prevent some web pages from functioning and displaying correctly.

Spam filter

Spam filter provides configuration access to the spam filtering options you enable when you create a firewall protection profile. While spam filters are configured for system-wide use, you can enable the filters on a per profile basis. Spam filter can be configured to reduce unsolicited commercial email by detecting spam email messages and identifying spam transmissions from known or suspected spam servers.

Table 11 describes the spam filter settings and where to configure and access them. To access protection profile spam filter options go to Firewall > Protection Profile, select Edit or Create New, and select Spam Filtering. See "Protection profile options" on page 189.

Table 11: Spam filter and Protection Profile spam filtering configuration

Protection Profile spam filtering option: IP address BWL check (SMTP only). Black/white list check. Enable or disable checking incoming IP addresses against the configured spam filter IP address list.
Spam filter setting: Spam Filter > IP Address. Add to and edit the IP addresses in the list. You can configure the action to take as spam, clear, or reject for each IP address. You can place an IP address anywhere in the list. The filter checks each IP address in sequence.

Protection Profile spam filtering option: RBL & ORDBL check (SMTP only). Enable or disable checking SMTP traffic against the configured Real-time Blackhole List and Open Relay Database List servers.
Spam filter setting: Spam Filter > RBL & ORDBL. Add to and edit the RBL and ORDBL servers in the list. You can configure the action to take as spam or reject for email identified as spam by each server.

Protection Profile spam filtering option: HELO DNS lookup (SMTP only). Enable or disable checking the source domain name against the registered IP address in the Domain Name Server.

Protection Profile spam filtering option: E-mail address BWL check. Enable or disable checking incoming email addresses against the configured spam filter email address list.
Spam filter setting: Spam Filter > E-mail Address. Add to and edit the email addresses in the list, with the option of using wildcards and regular expressions. You can configure the action to take as spam or clear for each email address. You can place an email address anywhere in the list. The filter checks each email address in sequence.

Protection Profile spam filtering option: Return e-mail DNS check. Enable or disable checking the incoming email return address domain against the registered IP address in the Domain Name Server.

Table 11: Spam filter and Protection Profile spam filtering configuration (Continued)

Protection Profile spam filtering option: MIME headers check. Enable or disable checking source MIME headers against the configured spam filter MIME header list.
Spam filter setting: Spam Filter > MIME Headers. Add to and edit the MIME headers in the list, with the option of using wildcards and regular expressions. You can configure the action to take as spam or clear for each MIME header.

Protection Profile spam filtering option: Banned word check. Enable or disable checking source email against the configured spam filter banned word list.
Spam filter setting: Spam Filter > Banned Word. Add to and edit the banned words in the list, with the option of using wildcards and regular expressions. You can configure the action to take as spam or clear for each word. You can configure the language and whether to search the email body, subject, or both.

Protection Profile spam filtering option: Spam Action. Choose an action to take on email identified as spam. Choose from pass or tagged for IMAP and POP3 traffic. Choose from pass, tagged, or discard for SMTP traffic.

Protection Profile spam filtering option: Append to. Choose to append the tag to the subject or to the MIME header of email identified as spam.

Protection Profile spam filtering option: Append with. Enter a word or phrase (tag) to append to email identified as spam. The maximum length is 63 characters.

Protection Profile spam filtering option: Add event into the system log. Enable or disable logging of spam actions to the event log. You can choose to log any spam action in the event log.

For information about configuring protection profiles, see "Protection profile" on page 188. For information about adding protection profiles to firewall policies, see "To add a protection profile to a policy" on page 194.

Incoming email is passed through the spam filters in sequence, with each filter passing the email to the next if no matches or problems are found. When a match or problem is found, the FortiGate unit tags, passes, or discards (SMTP only) the email according to the settings in the protection profile. You can append a custom word or phrase to the subject or MIME header of tagged email.

This chapter describes:
• IP address
• RBL & ORDBL
• Email address
• MIME headers
• Banned word
• Using Perl regular expressions

IP address

The FortiGate unit uses the IP address list to filter incoming email. The FortiGate unit compares the IP address of the sender to the list in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.

This section describes:
• IP address list
• IP address options
• Configuring the IP address list

IP address list

You can configure the FortiGate unit to filter email from specific IP addresses. You can filter single IP addresses, or a range of addresses at the network level by configuring an address and mask. You can designate an action for each IP address as clear, spam, or reject. You can enter an IP address and mask in two formats:
• x.x.x.x/x.x.x.x, for example 62.128.69.100/255.255.255.0
• x.x.x.x/x, for example 62.128.69.100/24

Figure 55: Sample IP address list

IP address options

IP address list has the following icons and features:
Create New: Select Create New to add an IP address to the IP address list.
IP address/Mask: This column displays the current list of IP addresses.
Action: This column displays the action to take on email from the configured IP address. Actions are: mark as spam to apply the spam action configured in the protection profile, mark as clear to let the email pass to the next filter, or mark as reject (SMTP only) to delete the email.
Icons: The Delete and Edit/View icons, and the Page up, Page down, and Remove all entries icons.

Configuring the IP address list

To add an IP address to the IP address list
1 Go to Spam Filter > IP Address.
2 Select Create New.
Figure 56: Adding an IP address
3 Enter the IP address/mask you want to add.
4 Select the action to take on email from the IP address.
5 If required, select before or after another IP address in the list to place the new IP address in the correct position. Position matters because the first matching entry decides: to allow one host inside a network you mark as spam, place the clear entry for that host before the network entry.
6 Select OK.

RBL & ORDBL

Using RBLs (Real-time Blackhole Lists) and ORDBLs (Open Relay Database Lists) is an effective way to tag or reject spam as it enters your system. RBLs keep track of reported spam source addresses, and ORDBLs keep track of unsecured third party SMTP servers, known as open relays, which some spammers use to send unsolicited bulk email. These lists act as domain name servers that match the source of incoming email to a list of IP addresses known to send spam or to allow spam to pass through. The FortiGate unit compares the IP address or domain name of the sender to any database lists you configure, in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.

There are several free and subscription servers available that provide reliable access to continually updated RBLs and ORDBLs. Check with the service you are using to confirm the correct domain name for connecting to the server.

This section describes:
• RBL & ORDBL list
• RBL and ORDBL options
• Configuring the RBL & ORDBL list

RBL & ORDBL list

You can configure the FortiGate unit to filter email by accessing RBL or ORDBL servers. You can designate the action for a match by each server as spam or reject.

Figure 57: Sample RBL & ORDBL list

RBL and ORDBL options

RBL & ORDBL list has the following icons and features:
Create New: Select Create New to add a server to the RBL & ORDBL list.
RBL Server: The current list of servers.
Action: The action to take on email matched by the RBLs and ORDBLs. Actions are: Mark as Spam to apply the spam action configured in the protection profile, or Mark as Reject to delete the email.
Enable check box: Select the check box to enable all the RBL and ORDBL servers in the list.
Icons: The Delete and Edit/View icons, and the Page up, Page down, and Remove all entries icons.

Configuring the RBL & ORDBL list

To add a server to the RBL & ORDBL list
1 Go to Spam Filter > RBL & ORDBL.
2 Select Create New.
Figure 58: Adding an RBL or ORDBL server
3 Enter the domain name of the RBL or ORDBL server you want to add.
4 Select the action to take on email matched by the server.
5 Select Enable.
6 Select OK.
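To show how the IP address list and the RBL & ORDBL list described above act in sequence, here is an added Python example; it is illustration for this guide, not FortiGate code. It accepts both address/mask formats, takes the first matching list entry as the verdict, and forms the DNS query for an RBL in the standard DNSBL way (the sender's octets reversed under the list's zone name). That query form is an assumption about how the unit consults the servers, since the guide does not spell it out. The configuration, the zone names and the stub resolver are constructed.

```python
import ipaddress


def parse_ip_entry(text):
    """Accept x.x.x.x/x.x.x.x or x.x.x.x/x; a bare address means one host."""
    addr, _, mask = text.partition("/")
    return ipaddress.ip_network(f"{addr}/{mask or 32}", strict=False)


def check_ip_list(sender_ip, ip_list):
    """ip_list: [(entry, action)] in list order; the first matching entry wins.
    Returns the action, or None when nothing matched."""
    ip = ipaddress.ip_address(sender_ip)
    for entry, action in ip_list:
        if ip in parse_ip_entry(entry):
            return action
    return None


def dnsbl_query_name(sender_ip, zone):
    """Standard DNSBL query: the sender's octets reversed, under the list's zone."""
    return ".".join(reversed(sender_ip.split("."))) + "." + zone


def check_rbl_list(sender_ip, rbl_list, is_listed):
    """rbl_list: [(zone, action)] in order; is_listed(name) is the DNS lookup,
    returning True when the name resolves (the address is listed)."""
    for zone, action in rbl_list:
        if is_listed(dnsbl_query_name(sender_ip, zone)):
            return action
    return None


def filter_sender(sender_ip, ip_list, rbl_list, is_listed):
    """IP address list first, then the RBL & ORDBL list. A 'clear' entry (or no
    match) passes the message to the next filter; 'spam' and 'reject' stop the chain."""
    verdict = check_ip_list(sender_ip, ip_list)
    if verdict in ("spam", "reject"):
        return ("ip-list", verdict)
    verdict = check_rbl_list(sender_ip, rbl_list, is_listed)
    if verdict is not None:
        return ("rbl", verdict)
    return ("pass", None)


# Constructed sample configuration and a stub resolver standing in for DNS.
IP_LIST = [
    ("62.128.69.100", "clear"),                 # one trusted host ...
    ("62.128.69.100/255.255.255.0", "spam"),    # ... inside a network marked as spam
    ("10.0.0.0/8", "reject"),
]
RBL_LIST = [("rbl.example.invalid", "spam"), ("ordbl.example.invalid", "reject")]
LISTED_NAMES = {"4.3.2.1.rbl.example.invalid", "8.7.6.5.ordbl.example.invalid"}


def stub_is_listed(name):
    return name in LISTED_NAMES
```

The trusted host 62.128.69.100 is cleared by the IP address list only because its entry precedes the /24 entry; swap the two entries and it would be marked as spam. A clear verdict does not exempt the sender from the RBL lookup that follows.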

Email address

The FortiGate unit uses the email address list to filter incoming email. The FortiGate unit compares the email address or domain of the sender to the list in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.

This section describes:
• Email address list
• Email address options
• Configuring the email address list

Email address list

The FortiGate unit can filter email from specific senders or all email from a domain (such as sample.net). You can designate the action to take for each email address as clear or spam. You can use Perl regular expressions or wildcards to add email address patterns to the list. See "Using Perl regular expressions" on page 314.

Figure 59: Sample email address list

Email address options

Email address list has the following icons and features:
Create New: Select Create New to add an email address to the email address list.
Email address: This column displays the current list of email addresses.
Pattern Type: This column displays the pattern type used in the email address entry, either wildcard or regular expression. See "Using Perl regular expressions" on page 314.
Action: This column displays the action to take on email from the configured address. Actions are: mark as spam to apply the spam action configured in the protection profile, or mark as clear to let the email pass to the next filter.
Icons: The Delete and Edit/View icons, and the Page up, Page down, and Remove all entries icons.

Configuring the email address list
To add an email address or domain to the list
1 Go to Spam Filter > E-mail Address.
2 Select Create New.
Figure 60: Adding an email address
3 Enter the email address or pattern you want to add.
4 Select a pattern type for the list entry.
5 Select the action to take on email from the configured address or domain.
6 If required, select before or after another email address in the list to place the new email address in the correct position.
7 Select OK.

MIME headers
MIME (Multipurpose Internet Mail Extensions) headers are added to email to describe content type and content encoding, such as the type of text in the email body or the program that generated the email. Some examples of MIME headers include:
• X-mailer: outgluck
• X-Distribution: bulk
• Content-Type: text/html
• Content-Type: image/jpg
The first part of the MIME header is called the header key, or just header. The second part is called the value. Spammers will often insert comments into header values or leave them blank. These malformed headers can fool some spam and virus filters.

You can use the MIME headers list to mark email from certain bulk mail programs or with certain types of content that are common in spam messages. You can choose to mark the email as spam or clear for each header you configure. You can use Perl regular expressions or wildcards to add MIME header patterns to the list. See "Using Perl regular expressions" on page 314.

The FortiGate unit compares the MIME header key-value pair of incoming email to the list pair in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.

This section describes:
• MIME headers list
• MIME headers options
• Configuring the MIME headers list

MIME headers list
You can configure the FortiGate unit to filter email with specific MIME header key-value pairs. You can designate an action for each MIME header as clear or spam.

Note: MIME header entries are case sensitive.

Figure 61: Sample MIME headers list

MIME headers options
The MIME headers list has the following icons and features:
Create New: Select Create New to add a MIME header to the MIME headers list.
Header: This column displays the current list of MIME headers (keys).
Value: This column displays the current list of MIME header values for each key.
Pattern Type: The pattern type used in the MIME header list entry. Choose from wildcard or regular expression. See "Using Perl regular expressions" on page 314.
Action: This column displays the action to take on email with the configured MIME header. Actions are: mark as spam to apply the spam action configured in the protection profile, mark as clear to let the email pass to the next filter, or mark as reject (SMTP only) to delete the email.
The Delete and Edit/View icons.
The Page up, Page down, and Remove all entries icons.

Configuring the MIME headers list
To add a MIME header to the list
1 Go to Spam Filter > MIME headers.
2 Select Create New.
Figure 62: Adding a MIME header
3 Enter the MIME header key.
4 Enter the MIME header value.
5 Select a pattern type for the list entry.
6 Select the action to take on email with that MIME header key-value.
7 Select OK.

Banned word
Control spam by blocking email containing specific words or patterns. The FortiGate unit searches for banned words in email messages. If a match is found, the corresponding action is taken. If no match is found, the email is passed to the recipient. You can use Perl regular expressions or wildcards to add banned word patterns to the list. See "Using Perl regular expressions" on page 314.

Note: Perl regular expression patterns are case sensitive for Spam Filter banned words. To make a word or phrase case insensitive, use the regular expression option /i. For example, /bad language/i will block all instances of bad language regardless of case. Wildcard patterns are not case sensitive.

This section describes:
• Banned word list
• Banned word options
• Configuring the banned word list

Banned word list
You can add one or more banned words to sort email containing those words in the email subject, body, or both. Words can be designated as spam or clear. Banned words can be one word or a phrase up to 127 characters long. If you enter a single word, the FortiGate unit blocks all email that contains that word. If you enter a phrase, the FortiGate unit blocks all email containing the exact phrase. To block any word in a phrase, use Perl regular expressions. See "Using Perl regular expressions" on page 314.

Figure 63: Sample banned word list

Banned word options
The banned word list has the following icons and features:
Create New: Select Create New to add a word or phrase to the banned word list.
Enable: Select the check box to enable all the banned words in the list.
Pattern: This column displays the current list of banned words.
Pattern Type: The pattern type used in the banned word list entry. Choose from wildcard or regular expression. See "Using Perl regular expressions" on page 314.
Language: This column displays the character set to which the banned word belongs: Simplified Chinese, Traditional Chinese, French, Japanese, Korean, Thai, or Western.
Where: This column displays the location in which the FortiGate unit searches for the banned word: subject, body, or all.
Action: This column displays the action to take on email with a banned word. Actions are: mark as spam to apply the spam action configured in the protection profile, or mark as clear to let the email pass to the next filter.
The Delete and Edit/View icons.
The Page up, Page down, and Remove all entries icons.

When you select Create New or Edit you can configure the following settings for the banned word.

Figure 64: Adding a banned word
Pattern: Enter the word or phrase you want to include in the banned word list. If you enter a single word, the FortiGate unit blocks all email containing that word. If you enter a phrase, the FortiGate unit blocks all email containing any word in the phrase. If you enclose the phrase in quotation marks, the FortiGate unit blocks all email containing the exact phrase. Banned word entries can be Perl compatible regular expressions. See "Using Perl regular expressions" on page 314.
Pattern Type: Select the pattern type for the banned word. Choose from wildcard or regular expression. See "Using Perl regular expressions" on page 314.
Language: Select the character set for the banned word. Choose from: Chinese Simplified, Chinese Traditional, French, Japanese, Korean, Thai, or Western.
Where: Select the location to search for the banned word. Choose from: subject, body, or all.
Action: Select the action to perform on email containing the banned word. Choose from: mark as spam or mark as clear.
Enable: Select to enable screening for the banned word.

Configuring the banned word list
To add or edit a banned word
1 Go to Spam Filter > Banned Word.
2 Select Create New to add a banned word or select Edit for the banned word you want to modify.
3 Enter the word or phrase.
4 Select the pattern type for the banned word.
5 Select the language (character set).
6 Select the location.
7 Select the action to take on email containing the banned word.
8 Select Enable, then select OK.

Using Perl regular expressions
Email address list, MIME headers list, and banned word list entries can include wildcards or Perl regular expressions. See http://www.perldoc.com/perl5.8.0/pod/perlre.html for detailed information about using Perl regular expressions.

Regular expression vs. wildcard match pattern
In Perl regular expressions, the '.' character refers to any single character. It is similar to the '?' character in a wildcard match pattern. As a result:
• fortinet.com not only matches fortinet.com but also matches fortinetacom, fortinetbcom, fortinetccom and so on.
To match a special character such as '.' and '*' use the escape character '\'. For example:
• To match fortinet.com, the regular expression should be: fortinet\.com
In Perl regular expressions, '*' means match 0 or more times of the character before it, not 0 or more times of any character. For example:
• forti*\.com matches fortiiii.com but does not match fortinet.com
To match any character 0 or more times, use '.*' where '.' means any character and the '*' means 0 or more times. For example:
• the wildcard match pattern forti*.com should therefore be forti.*\.com

Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary. For example, the regular expression "test" not only matches the word "test" but also matches any word that contains "test", such as "atest", "mytest", "testimony", "atestb". The notation "\b" specifies the word boundary. To match exactly the word "test", the expression should be \btest\b.

Case sensitivity
Regular expression pattern matching is case sensitive in the Web and Spam filters. To make a word or phrase case insensitive, use the regular expression option /i. For example, /bad language/i will block all instances of "bad language" regardless of case.

Table 12: Perl regular expression formats
Expression     Matches
abc            abc (that exact character sequence, but anywhere in the string)
^abc           abc at the beginning of the string
abc$           abc at the end of the string
a|b            either of a and b
^abc|abc$      the string abc at the beginning or at the end of the string
ab{2,4}c       an a followed by two, three or four b's followed by a c
ab{2,}c        an a followed by at least two b's followed by a c

such as 42. b and c (such as defg) any two decimal digits.Spam filter Table 12: Perl regular expression formats ab*c ab+c ab?c a. used to add regexps within other text.!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i FortiGate-60 Administration Guide 01-28003-0002-20040716 315 . tabs.!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i To block common spam phrases The following phrases are some examples of common phrases found in spam messages.*r. b and c either of Abc and abc any (nonempty) string of a's.g. etc). same as \d{2} makes the pattern case insensitive. /^. For example.*$/i /cr[eéèêë][\+\-\*=<>\.. in perlert but not in perl stuff) tells the regular expression parser to ignore white space that is neither backslashed nor within a character class.c exactly any one of a.\. An error occurs If the second '/' is missing. newlines) abc when followed by a word boundary (e. and anything after the second ‘/’ will be parsed as a list of regexp options ('i'.c a\.*i. such as foo and 12bar8 and foo_1 the strings 100 and mk optionally separated by any amount of white space (spaces. in abc! but not in abcd) perl when not followed by a word boundary (e. If the first character in a pattern is forward slash '/'. the leading and trailing space is treated as part of the regular expression. In regular expressions.. the '/' is treated as the delimiter. 'x'.*g.*a. that is. abba.\. /bad language/i blocks any instance of bad language regardless of case. b's and c's (such as a. The pattern must contain a second '/'.g.*a. either abc or ac an a followed by any single character (not newline) followed by a c a. The pattern between ‘/’ will be taken as a regexp.*v. You can use this to break up your regular expression into (slightly) more readable parts. a “word”: a nonempty sequence of alphanumeric characters and low lines (underscores). 
/x Examples To block any word in a phrase /block|any|word/ To block purposely misspelled words Spammers often insert other characters between the letters of a word to fool spam blocking software. /try it for free/i /student loans/i /you’re already approved/i /special[\+\-\*=<>\.c [abc] [Aa]bc [abc]+ [^abc]+ \d\d /i \w+ 100\s*mk abc\b perl\B \x Using Perl regular expressions an a followed by any number (zero or more) of b's followed by a c an a followed by one or more b's followed by a c an a followed by an optional b followed by a c. acbabcacaa) any (nonempty) string which does not contain any of a.
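The matching rules of this section, together with the ordered first-match evaluation the email address, MIME headers and banned word sections describe, as an added Python example; this is not code from the manual or from Fortinet. compile_entry turns a wildcard or Perl-style entry (including the /body/options form and the error for a missing closing '/') into a Python regular expression, first_action walks a list in order and stops at the first match, and the three filter_* functions apply that to the sender address, the MIME header key/value pairs, and the subject and body. The sample lists reuse the manual's own patterns; the sample message fields are constructed. Two details are assumptions made for the example: a wildcard entry is anchored to the whole field, and a MIME header key is compared exactly while only its value uses the entry's pattern type.

```python
import re
from typing import Optional, Sequence, Tuple

# Added example, not code from the FortiGate manual or from Fortinet. It models the
# ordered first-match evaluation the manual describes for the email address, MIME
# header and banned word lists; sample entries and messages are constructed.


class PatternError(ValueError):
    """A malformed entry, for example a regexp opened with '/' but never closed."""


def compile_entry(pattern: str, ptype: str) -> "re.Pattern[str]":
    """Compile a 'wildcard' or 'regexp' list entry into a Python regular expression.

    wildcard: '*' is any run of characters, '?' is any single character, and matching
              is case-insensitive (as the manual states). Anchoring the wildcard to the
              whole field is an assumption made for this example.
    regexp:   Perl syntax, case-sensitive by default. The '/body/options' form is
              honoured with the 'i' and 'x' options; a pattern that starts with '/'
              but has no closing '/' is an error. Leading and trailing spaces are kept.
    """
    if ptype == "wildcard":
        body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        return re.compile(r"\A(?:" + body + r")\Z", re.IGNORECASE | re.DOTALL)
    if ptype != "regexp":
        raise PatternError(f"unknown pattern type {ptype!r}")
    flags = 0
    if pattern.startswith("/"):
        end = pattern.rfind("/")
        if end == 0:
            raise PatternError("regexp begins with '/' but the closing '/' is missing")
        pattern, options = pattern[1:end], pattern[end + 1:]
        for option in options:
            if option == "i":
                flags |= re.IGNORECASE
            elif option == "x":
                flags |= re.VERBOSE
            else:
                raise PatternError(f"unsupported regexp option {option!r}")
    return re.compile(pattern, flags)


def first_action(field: str, entries: Sequence[Tuple[str, str, str]]) -> Optional[str]:
    """Walk (pattern, type, action) entries in order; the first match decides.
    None means nothing matched and the email is passed to the next filter."""
    for pattern, ptype, action in entries:
        if compile_entry(pattern, ptype).search(field):
            return action
    return None


def filter_sender(address: str, email_list) -> Optional[str]:
    """Email address list: the sender address or domain against each entry in turn."""
    return first_action(address, email_list)


def filter_mime(headers: Sequence[Tuple[str, str]], mime_list) -> Optional[str]:
    """MIME headers list, entries (key, value pattern, type, action). The key is
    compared exactly and case-sensitively (the manual notes that entries are case
    sensitive); only the value uses the entry's pattern type (an assumption here)."""
    for key, value_pattern, ptype, action in mime_list:
        regex = compile_entry(value_pattern, ptype)
        if any(k == key and regex.search(v) for k, v in headers):
            return action
    return None


def filter_banned(subject: str, body: str, banned_list) -> Optional[str]:
    """Banned word list, entries (pattern, type, where, action); where is
    'subject', 'body' or 'all'."""
    for pattern, ptype, where, action in banned_list:
        regex = compile_entry(pattern, ptype)
        fields = {"subject": [subject], "body": [body], "all": [subject, body]}[where]
        if any(regex.search(f) for f in fields):
            return action
    return None


# Constructed sample lists; the regexps are the manual's own examples.
EMAIL_LIST = [("*@sample.net", "wildcard", "spam"), ("/^bob@/i", "regexp", "clear")]
MIME_LIST = [("X-mailer", "outgluck", "wildcard", "spam")]  # key case differs from the header below
BANNED_LIST = [
    (r"/cr[eéèêë][\+\-\*=<>\.\,\!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i", "regexp", "subject", "spam"),
    (r"/^.*v.*i.*a.*g.*r.*a.*$/i", "regexp", "all", "spam"),
    (r"\btest\b", "regexp", "body", "clear"),
]
SAMPLE_HEADERS = [("X-Mailer", "outgluck"), ("Content-Type", "text/html")]

if __name__ == "__main__":
    print(filter_sender("Alice@Sample.NET", EMAIL_LIST))
    print(filter_mime(SAMPLE_HEADERS, MIME_LIST))
    print(filter_banned("Your CRE-DIT is approved", "", BANNED_LIST))
```

Python's re module accepts every construct in Table 12, but it is not Perl: Perl-only syntax outside the table is not covered, and the example maps only the 'i' and 'x' options, so each entry should be tried against a sample message before it is enabled on the unit.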


FortiGate-60 Administration Guide Version 2.80

Log & Report
FortiGate units provide extensive logging capabilities for traffic, system and network protection functions. You can set the severity level of the messages that are logged, and you can choose the types of events that are logged. FortiGate units support external logging to a FortiLog unit, WebTrends and other Syslog servers. All types of log messages except traffic and content can be saved in internal memory. For each log location you can configure log setting options including addressing information, logging severity level and log format. Log filters define the types of log messages saved to each location.

You can configure the FortiGate unit to send alert email to up to three recipients when selected events occur. Log filters define the types of log messages sent as alert emails. It is not necessary for an event to be logged to trigger an alert email. The FortiGate unit collects and sends log messages in alert emails according to the level and time intervals you configure in the alert email options. All collected messages are assembled in one alert email, which is sent as soon as the time interval is reached for a message at or above the configured level. For example, if you set the level as Alert and the time interval for Emergency and Alert to 3 minutes, then all Alert and Emergency log messages collected are sent in a single email every three minutes. In the following example alert email, the alert email level is set to Alert. The two Alert level messages collected since the last Alert interval are sent in a single email.

Figure 65: Example alert email
From: admin@example.com
Sent: Tuesday, April 27, 2004 5:30 PM
To: example@test.com
Subject: Message meets Alert condition

Message meets Alert condition
2004-04-27 13:28:52 device_id=APS3012803033139 log_id=0101023002 type=event subtype=ipsec pri=notice loc_ip=172.16.81.2 loc_port=500 rem_ip=172.16.81.1 rem_port=500 out_if=dmz vpn_tunnel=ToDmz action=negotiate init=local mode=quick stage=2 dir=outbound status=success msg="Initiator: sent 172.16.81.1 quick mode message #2 (DONE)"

Message meets Alert condition
2004-04-27 13:28:54 device_id=APS3012803033139 log_id=0101023004 type=event subtype=ipsec pri=notice loc_ip=172.16.81.2 loc_port=500 rem_ip=172.16.81.1 rem_port=500 out_if=dmz vpn_tunnel=ToDmz action=negotiate init=local mode= stage=-112 dir=inbound status=success msg="Initiator: tunnel 172.16.81.1, transform=ESP_3DES, HMAC_SHA1"

For descriptions of log formats and specific log messages see the FortiGate Log Message Reference Guide.

This chapter describes:
• Log config
• Log access
• CLI configuration

Log config
Use Log Config to configure log storage, alert emails and log filters.

This section describes:
• Log Setting options
• Alert E-mail options
• Log filter options
• Configuring log filters
• Enabling traffic logging

Log Setting options
You can enable and configure the storing of log messages to one or more of the following locations:
Syslog: A remote computer running a syslog server.
WebTrends: A remote computer running a NetIQ WebTrends firewall reporting server. FortiGate log formats comply with WebTrends Enhanced Log Format (WELF) and are compatible with NetIQ WebTrends Security Reporting Center 2.0 and Firewall Suite 4.1.

Disk: The FortiGate local disk (if the FortiGate unit has one).
Memory: The FortiGate system memory. The FortiGate system memory has a limited capacity and only displays the most recent log entries. Traffic and content logs cannot be stored in the memory buffer. When the memory is full, the FortiGate unit begins to overwrite the oldest messages. All log entries are deleted when the FortiGate unit restarts.
FortiLog: A FortiLog unit. The FortiLog unit is a log analyzer and manager that can combine the log information from various FortiGate units and other firewall units.

Figure 66: Log setting options for all log locations

To configure Log Setting
1 Go to Log&Report > Log Config > Log Setting.
2 Select the check box to enable logging to a location.
3 Select the blue arrow beside the location. The setting options appear.
4 Enter the settings the logging location requires.
5 Select Apply.
6 Repeat steps 2 through 5 to configure other logging locations.

Syslog settings
Name/IP: The domain name or IP address of the syslog server that stores the logs.
Port: The port number for communication with the syslog server.
Level: The FortiGate unit logs all messages at and above the logging severity level you select. For example, if you select Error, the unit logs Error, Critical, Alert and Emergency level messages. See Table 13, "Logging severity levels," on page 321.
Enable CSV Format: If you enable CSV format, the FortiGate unit produces the log in Comma Separated Value (CSV) format. If you do not enable CSV format the FortiGate unit produces plain text files.

WebTrends settings
Name/IP: The domain name or IP address of the WebTrends server that stores the logs.
Level: The FortiGate unit logs all messages at and above the logging severity level you select. For example, if you select Error, the unit logs Error, Critical, Alert and Emergency level messages. See Table 13, "Logging severity levels," on page 321.

Disk settings
Maximum size of log: The maximum size of the log file that is saved to the local disk. When the log file reaches the specified maximum size, the current log file is saved and a new active log file is started. The default maximum log file size is 10 MB and the maximum log file size allowed is 10 GB.
Roll log time: At the specified time of day, the current log file is saved and a new active log file is started.
Roll Log Frequency: The number of times the current log should be saved and a new active log started: each minute, hour, or day (as selected in the Unit drop down list).
Unit: The unit of time that corresponds to the specified Roll Log Frequency: minute, hour, or day.
Roll log day: The day of the week when the log should be saved and a new log started. At midnight on the specified day the current log file is saved and a new active log file is started.
Roll log policy: The policy to follow for saving the current log and starting a new active log. Overwritten deletes the oldest log entry when the local disk is full. Do not log stops logging messages when the local disk is full. Block traffic stops all network traffic when the local disk is full.
Level: The FortiGate unit logs all messages at and above the logging severity level you select. For example, if you select Error, the unit logs Error, Critical, Alert and Emergency level messages. See Table 13, "Logging severity levels," on page 321.

Log file upload settings
Upload When Rolling: Select to upload log files to an FTP server whenever a log file rolls. Configure settings for the FTP server and select the type of log files to upload. FTP carries the user name, the password and the log files themselves in clear text, so the upload path should cross only a trusted management network.
Upload Server IP: Enter the IP address of the FTP server to which to upload the log files.
Port: Enter the port number used by the FTP server. The default port is 21, which is the standard FTP port.
Username: Enter the user name required to connect to the FTP server.
Password: Enter the password required to connect to the FTP server.
Remote Directory: Enter the name of the path on the FTP server into which to transfer the log files. If you do not specify a remote directory, the log files are uploaded to the root directory of the FTP server.
Log files to upload: Select the log files to upload to the FTP server. You can upload the Traffic Log file, Event Log file, Attack Log file, Antivirus Log file, Web Filter Log file, Spam Filter Log file, and Content Log file.

To configure log file uploading
1 Select the blue arrow to expand Log file upload settings.
2 Select Upload When Rolling.
3 Enter the IP address of the logging server.
4 Enter the port number on the logging server. The default is 21 (FTP).
5 Enter the Username and Password required on the logging server.
6 Enter the remote directory in which to save the log files.
7 Select the types of log files to upload.
8 Select Apply.

Memory settings
Level: The FortiGate unit logs all messages at and above the logging severity level you select. For example, if you select Error, the unit logs Error, Critical, Alert and Emergency level messages. See Table 13, "Logging severity levels," on page 321.

Note: To record traffic log messages, you must set the logging severity level to Notification when configuring the logging location. Traffic log messages do not generally have a severity level higher than Notification. Also, you must enable traffic logging for specific interfaces or firewall policies.

FortiLog settings
IP: The IP address of the FortiLog unit that manages the logs.
Level: The FortiGate unit logs all messages at and above the logging severity level you select. For example, if you select Error, the unit logs Error, Critical, Alert and Emergency level messages. See Table 13, "Logging severity levels," on page 321.
Enable encryption: Select to enable encryption of file transfer.
Local ID: The identifier for the FortiGate unit. This must match the device name assigned to this unit on the FortiLog unit.
Pre-shared key: The pre-shared key used for encryption.

Table 13 describes the FortiGate logging severity levels.

Table 13: Logging severity levels
Level          Description
Emergency      The system has become unstable.
Alert          Immediate action is required.
Critical       Functionality is affected.
Error          An error condition exists and functionality could be affected.
Warning        Functionality could be affected.
Notification   Notification of normal events.
Information    General information about system operations.
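The severity ordering of Table 13 and the alert email batching described at the start of this chapter, as an added Python example; it is not code from the manual or from Fortinet. parse_log_line splits the key=value event log lines shown in Figure 65 (quoted values with spaces and the empty mode= field included), at_or_above applies the "at and above the selected level" rule, and AlertMailer collects messages at or above its level and sends everything it has collected in one email as soon as the interval of any queued message's severity has elapsed. The per-level intervals, the third (pri=alert) log line, and the mapping of the short pri= names such as notice to the Table 13 names are constructed assumptions for the example.

```python
import re
from typing import Dict, List, Optional

# Added example, not code from the FortiGate manual or from Fortinet. Parses the
# key=value event log lines of Figure 65, applies the "at and above the level"
# rule of Table 13, and models the alert e-mail batching the chapter describes.
# INTERVALS, the pri=alert line and PRI_ALIAS are assumptions made for the example.

LEVELS = ["emergency", "alert", "critical", "error", "warning", "notification", "information"]
RANK = {name: i for i, name in enumerate(LEVELS)}          # 0 is the most severe
# pri= values in the sample lines use syslog-style short names; this mapping is assumed.
PRI_ALIAS = {"emerg": "emergency", "crit": "critical", "err": "error",
             "notice": "notification", "info": "information"}

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_log_line(line: str) -> Dict[str, str]:
    """Split 'YYYY-MM-DD HH:MM:SS key=value ...' into a dict. Quoted values may
    contain spaces and '=' signs; an empty value (mode=) is kept as ''."""
    date, time, rest = line.split(" ", 2)
    fields = {"date": date, "time": time}
    for key, value in KV_RE.findall(rest):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def severity(fields: Dict[str, str]) -> str:
    pri = fields.get("pri", "information").lower()
    return PRI_ALIAS.get(pri, pri)


def at_or_above(level: str, fields: Dict[str, str]) -> bool:
    """Table 13 rule: selecting Error keeps Error, Critical, Alert and Emergency."""
    return RANK[severity(fields)] <= RANK[level]


def to_seconds(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


class AlertMailer:
    """Collects messages at or above `level`. When the interval configured for the
    severity of any queued message has elapsed since that message was logged,
    every queued message goes out in one e-mail."""

    def __init__(self, level: str, intervals: Dict[str, int]):
        self.level, self.intervals = level, intervals
        self.queue: List[Dict[str, str]] = []
        self.sent: List[List[Dict[str, str]]] = []

    def ingest(self, line: str) -> bool:
        fields = parse_log_line(line)
        if not at_or_above(self.level, fields):
            return False            # below the alert level: never mailed
        self.queue.append(fields)
        return True

    def tick(self, now: int) -> Optional[List[Dict[str, str]]]:
        """Call with the current time of day in seconds; returns the e-mail body
        (the list of collected messages) if one is due, otherwise None."""
        if not self.queue:
            return None
        due = min(to_seconds(f["time"]) + self.intervals[severity(f)] for f in self.queue)
        if now < due:
            return None
        email, self.queue = self.queue, []
        self.sent.append(email)
        return email


SAMPLE_LINES = [
    # the two lines of Figure 65
    '2004-04-27 13:28:52 device_id=APS3012803033139 log_id=0101023002 type=event subtype=ipsec pri=notice '
    'loc_ip=172.16.81.2 loc_port=500 rem_ip=172.16.81.1 rem_port=500 out_if=dmz vpn_tunnel=ToDmz '
    'action=negotiate init=local mode=quick stage=2 dir=outbound status=success '
    'msg="Initiator: sent 172.16.81.1 quick mode message #2 (DONE)"',
    '2004-04-27 13:28:54 device_id=APS3012803033139 log_id=0101023004 type=event subtype=ipsec pri=notice '
    'loc_ip=172.16.81.2 loc_port=500 rem_ip=172.16.81.1 rem_port=500 out_if=dmz vpn_tunnel=ToDmz '
    'action=negotiate init=local mode= stage=-112 dir=inbound status=success '
    'msg="Initiator: tunnel 172.16.81.1, transform=ESP_3DES, HMAC_SHA1"',
    # constructed line, not from the manual
    '2004-04-27 13:29:10 device_id=APS3012803033139 log_id=0100000000 type=event subtype=system pri=alert '
    'msg="example alert-level event"',
]
INTERVALS = {"emergency": 180, "alert": 180, "critical": 300, "error": 600,
             "warning": 900, "notification": 1800, "information": 3600}


def run_example(level: str):
    """Feed the sample lines to a mailer at `level`; returns (accepted flags, mailer)."""
    mailer = AlertMailer(level, INTERVALS)
    accepted = [mailer.ingest(line) for line in SAMPLE_LINES]
    return accepted, mailer


if __name__ == "__main__":
    accepted, mailer = run_example("alert")
    print(accepted, mailer.tick(to_seconds("13:32:10")))
```

With the level set to Alert the two notice-level lines of Figure 65 are never queued; with the level set to Notification they are, and the three-minute Alert interval of the later message pulls them out in the same email, which is the batching behaviour the chapter introduction describes.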

Alert E-mail options
In Alert E-mail options you specify the mail server and recipients for email messages and you specify the severity level and frequency of the messages.

Figure 67: Alert email configuration settings
Authentication Enable: Select the Authentication Enable check box to enable SMTP authentication.
SMTP Server: The name/address of the SMTP server for email.
SMTP User: The SMTP user name.
Password: The SMTP password.
Email To: Enter one to three email recipients for alert email.
Test: Select Test to send a test alert email to the configured recipients.
Level: The FortiGate unit sends alert email for all messages at and above the logging severity level you select.
Emergency: The interval to wait before sending an alert e-mail for emergency level log messages.
Alert: The interval to wait before sending an alert e-mail for alert level log messages.
Critical: The interval to wait before sending an alert e-mail for critical level log messages.
Error: The interval to wait before sending an alert e-mail for error level log messages.
Warning: The interval to wait before sending an alert e-mail for warning level log messages.
Notification: The interval to wait before sending an alert e-mail for notification level log messages.
Information: The interval to wait before sending an alert e-mail for information level log messages.
Apply: Select Apply to activate any additions or changes to configuration.

Note: If more than one log message is collected before an interval is reached, the messages are combined and sent out as one alert email.

To configure alert email
Note: Before configuring alert email make sure you configure at least one DNS server. The FortiGate unit uses the SMTP server name to connect to the mail server, and must look up this name on your DNS server.
1 Go to Log&Report > Alert E-mail.
2 Configure the SMTP server, user, and password information if required.
3 Select Enable to enable SMTP Authentication if required.
4 Type up to three email addresses, one per Email To field.
5 Select the logging severity level for which you want to send alert email.
6 Configure the time limit in which to send email for each logging severity level.
7 Select Apply.
You can select specific events to trigger alert email in Log Filter, described in "Log filter options" on page 323.

Log filter options
For each logging location you enable, you can create a customized log filter based on the log types described in the following sections.

Note: Log locations must be enabled in Log Setting to be available for selection in the Log Filter.

Figure 68: Example traffic and event log filter settings

Traffic log
The Traffic Log records all the traffic to and through the FortiGate interfaces. You can configure logging for traffic controlled by firewall policies and for traffic between any source and destination addresses. You can also apply global settings, such as session or packet log. See "Enabling traffic logging" on page 326 for more information.

Note: You can enable traffic logging for specific interfaces or firewall policies.

You can apply the following filters:
Policy allowed traffic: The FortiGate unit logs all traffic that is allowed according to the firewall policy settings.
Policy violation traffic: The FortiGate unit logs all traffic that violates the firewall policy settings.

Event log
The Event Log records management and activity events, such as when a configuration has changed or a routing gateway has been added. You can apply the following filters:
System Activity event: The FortiGate unit logs all system-related events, such as ping server failure and gateway status.
IPSec negotiation event: The FortiGate unit logs all IPSec negotiation events, such as progress and error reports.
DHCP service event: The FortiGate unit logs all DHCP events, such as the request and response log.
L2TP/PPTP/PPPoE service event: The FortiGate unit logs all protocol-related events, such as manager and socket creation processes.
Admin event: The FortiGate unit logs all administrative events, such as user logins, resets, and configuration updates.
HA activity event: The FortiGate unit logs all high availability events, such as link, member, and state information.
Firewall authentication event: The FortiGate unit logs all firewall-related events, such as user authentication.
Pattern update event: The FortiGate unit logs all pattern update events, such as antivirus and IPS pattern updates and update failures.

Anti-virus log
The Anti-virus Log records virus incidents in Web, FTP, and email traffic. You can apply the following filters:
Virus infected: The FortiGate unit logs all virus infections, such as when the FortiGate unit detects an infected file.
Filename blocked: The FortiGate unit logs all instances of blocked files, such as when the FortiGate unit blocks a file type.
File oversized: The FortiGate unit logs all instances of oversized files, such as when the FortiGate unit blocks an oversized file or email.

Web filter log
The Web Filter Log records HTTP content blocks, URL blocks, and URL exempt events. You can apply the following filters:
Content block: The FortiGate unit logs all instances of blocked content (specified in the banned words list).
URL block: The FortiGate unit logs all instances of blocked URLs (specified in the URL block list).
URL exempt: The FortiGate unit logs all instances of allowed URLs (specified in the URL exempt list).
Blocked category ratings: The FortiGate unit logs all access attempts to URLs blocked because of web category filtering settings.
Monitored category ratings: The FortiGate unit logs all access attempts to URLs monitored because of web category filtering settings.
Category rating errors: The FortiGate unit logs all instances of web category filtering rating errors.

Attack log
The Attack Log records attacks detected and prevented by the FortiGate unit. You can apply the following filters:
Attack Signature: The FortiGate unit logs all detected and prevented attacks based on the attack signature, and the action taken by the FortiGate unit.
Attack Anomaly: The FortiGate unit logs all detected and prevented attacks based on unknown or suspicious traffic patterns, and the action taken by the FortiGate unit.

Spam filter log
The Spam Filter Log records blocking of address patterns and content in SMTP, IMAP and POP3 traffic. You can apply the following filters:
SMTP: The FortiGate unit logs all instances of blocked email in SMTP traffic.
POP3: The FortiGate unit logs all instances of blocked email in POP3 traffic.
IMAP: The FortiGate unit logs all instances of blocked email in IMAP traffic.

Content log
The Content Log records content meta-data for web and email traffic:
Log HTTP content: The FortiGate unit logs content meta-data for all HTTP traffic content.
Log FTP content: The FortiGate unit logs content meta-data for all FTP traffic content.
Log SMTP content: The FortiGate unit logs content meta-data for all SMTP traffic content.
Log POP3 content: The FortiGate unit logs content meta-data for all POP3 traffic content.
Log IMAP content: The FortiGate unit logs content meta-data for all IMAP traffic content.

Configuring log filters
Configure log filters for each location to which you are saving logs.

To configure log filters
1 Go to Log&Report > Log Config > Log Filter.
2 Enable the logging type for each location to which you want to log messages.
3 Select the specific log sub-types to log for each location.
4 Select Apply.

Enabling traffic logging
To enable traffic logging for an interface or VLAN subinterface
You can enable traffic logging for an interface or VLAN subinterface. All connections to and through the interface are recorded in the traffic log.
1 Go to System > Network > Interface.
2 Select the Edit icon for an interface.
3 Select Log.
4 Select OK.
5 Repeat steps 1 through 4 for each interface for which you want to enable logging.
6 Make sure you enable traffic logs for a logging location and set the logging severity level to Notification or lower.

Note: To record traffic log messages you must set the logging severity level to Notification when configuring the logging location. Traffic log messages do not generally have a severity level higher than Notification.

To enable traffic logging for a firewall policy
You can enable traffic logging for a firewall policy. All connections accepted by the firewall policy are recorded in the traffic log.
1 Go to Firewall > Policy.
2 Select the Edit icon for a policy.
3 Select Log Traffic.
4 Select OK.
5 Make sure you enable traffic log under Log Filter for a logging location and set the logging severity level to Notification or lower.

Log access
Log Access provides access to logs saved to the FortiGate local disk or memory buffer. You can delete, navigate, view, and search logs stored to the local disk or memory buffer. You can also download logs saved to the local disk in plain text or CSV format.

Note: FortiGate units do not save some types of logs to memory. For some types of logs only disk storage is available. You can view these logs with Log Access only if your FortiGate unit contains a hard disk drive.

This section describes:
• Local disk log access
• Memory buffer log access

Local disk log access
You can view, search, navigate, and download logs saved to the FortiGate local disk.

To access log messages on the FortiGate local disk
1 Go to Log&Report > Log Access.
2 Select Disk from the Type dropdown list.
3 Select the log type you wish to access.
4 You have the option of clearing or deleting, downloading, or viewing (in HTML) the logs by selecting the corresponding icon.

Figure 69: Sample list of logs stored on the FortiGate local disk

The following table describes the column headings and the icons you can use to view and manage the logs when accessing logs saved to the local disk.
Type: Select the log location for which you want to view logs: disk or memory.
File name: The name(s) of the log file(s) of that type stored to disk.
Size: The size of the log file in bytes.
Last access time: The day of the week, month, day, time, and year the log file was last added to by the FortiGate unit.
Delete icon: Delete the entire log file.
Clear log icon: Delete the log entries from the log file (but not the file).
Download icon: Download the log as a text or CSV file.
View/Search icon: Display the log file through the web-based manager, or perform a log search when already viewing the log.

To download log files from the FortiGate local disk
When downloading a log file, you have the option of saving the log in plain text or CSV format.
1 Go to Log&Report > Log Access.
2 Select Disk from the Type dropdown list.
3 Select the log type you wish to access.
4 Select the Download icon for the file you wish to download.
5 Select Download file in normal or CSV format.
6 Select Open to view the log file or Save to save the log file to your computer.

To view and search log messages on the FortiGate local disk
When viewing logs through the web-based manager there are various navigation features at the top of the page. See "Memory buffer log access" on page 329 for a description of the icons and features.
1 Go to Log&Report > Log Access.
2 Select Disk from the Type dropdown list.
3 Select the log type you wish to access.
4 Select the View icon. The log appears.
5 Select the Search icon. The Log Search window is displayed.

Figure 70: Search for log messages

6 Select the boolean operator AND or OR. AND means all the keywords must be found. OR means only one of the keywords must be found.
7 Type any keywords for the search. Select a time to search for a log item that occurred at a specific time.
8 Select OK. The search results are displayed.

Memory buffer log access
You can view and navigate log messages saved to the FortiGate memory buffer.

To access log messages in the FortiGate memory buffer
1 Go to Log&Report > Log Access.
2 Select Memory from the Type dropdown list.
3 Select the log type you wish to view.
4 You have the option of clearing the log, going to the previous or next log, or searching the log by selecting the corresponding icon.

Figure 71: Viewing log messages from the memory buffer

The following table describes the features and icons you can use to navigate and search the logs when viewing logs through the web-based manager.

Type
    Select the log location for which you want to view logs: disk or memory.
Current line
    Displays the line number of the first line in the display.
Total lines
    Displays the total number of lines in the log.
Go to line
    Enter a line number and select Go to navigate to a specific line.
Clear log icon
    Erase the log messages stored in the memory buffer.
Go to previous page icon
    View the previous page in the log file.
Go to next page icon
    View the next page in the log file.
Search icon
    Open the log search window.

To search log messages in the FortiGate memory buffer
1 Go to Log&Report > Log Access.
2 Select Memory from the Type dropdown list.
3 Select the log type you wish to access.
4 Select the Search icon. The Log Search window appears.
5 Select the boolean operator AND or OR. AND means all the keywords must be found. OR means only one of the keywords must be found.
6 Type any keywords for the search.
7 Select a time to search for a log item that occurred at a specific time.
8 Select OK. The search results are displayed.

CLI configuration
This guide only covers Command Line Interface (CLI) commands and command keywords that are not represented in the web-based manager. For complete descriptions of working with CLI commands see the FortiGate CLI Reference Guide.

fortilog setting
Note: The command keywords for fortilog setting that are not represented in the web-based manager are localid and psksecret.

Use this command to configure log settings for logging to a FortiLog unit. The FortiLog unit is a log analyzer and manager that can combine the log information from various FortiGate units.

You can create an IPSec VPN tunnel if one or more FortiGate units are sending log messages to a FortiLog unit across the Internet. Using an IPSec VPN tunnel means that all log messages sent by the FortiGate are encrypted and secure.

Note: The IPSec VPN settings for the FortiGate unit must match the VPN settings on the FortiLog unit.

Command syntax pattern
    config log fortilog setting
        set <keyword> <variable>
    config log fortilog setting
        unset <keyword>
    get log fortilog setting
    show log fortilog setting

log fortilog setting command keywords and variables
encrypt {enable | disable}
    Enter enable to enable encrypted communication with the FortiLog unit. Default: disable. Availability: All models.
localid <str_id>
    Enter the local ID for an IPSec VPN tunnel to a FortiLog unit. Default: No default. Availability: All models.
psksecret <str_psk>
    Enter the pre-shared key for the IPSec VPN tunnel to a FortiLog unit. Default: No default. Availability: All models.
server <address_ipv4>
    Enter the IP address of the FortiLog unit. Default: No default. Availability: All models.
status {disable | enable}
    Enter enable to enable logging to a FortiLog unit. Default: disable. Availability: All models.

Example
This example shows how to enable logging to a FortiLog unit, set the FortiLog IP address, add a local ID, and add a pre-shared key for an IPSec VPN tunnel.
    config log fortilog setting
        set status enable
        set server 192.168.100.1
        set localid net_host_c
        set psksecret J7fram54AhTWmoF5
    end

This example shows how to display the log setting for logging to a FortiLog unit.
    get log fortilog setting

This example shows how to display the configuration for logging to a FortiLog unit.
    show log fortilog setting
If the show command returns you to the prompt, the settings are at default.

syslogd setting
Note: The only command keyword for syslog setting that is not represented in the web-based manager is the facility keyword.

Use this command to configure log settings for logging to a remote syslog server. You can configure the FortiGate unit to send logs to a remote computer running a syslog server.

Command syntax pattern
    config log syslogd setting
        set <keyword> <variable>
    config log syslogd setting
        unset <keyword>
    get log syslogd setting
    show log syslogd setting

log syslogd setting command keywords and variables
csv {disable | enable}
    Enter enable to enable the FortiGate unit to produce the log in Comma Separated Value (CSV) format. If you do not enable CSV format the FortiGate unit produces plain text files. Default: disable. Availability: All models.

facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
    Enter the facility type. facility indicates from which part of the system a log message originated. Also known as message category. Facility can also be used to route messages to different files. Facility types are described in Table 14. Default: local7. Availability: All models.
port <port_integer>
    Enter the port number for communication with the syslog server. Default: 514. Availability: All models.
server <address_ipv4>
    Enter the IP address of the syslog server that stores the logs. Default: No default. Availability: All models.
status {disable | enable}
    Enter enable to enable logging to a remote syslog server. Default: disable. Availability: All models.

Table 14: Facility types
Facility type      Description
alert
audit
auth               security/authorization messages
authpriv           security/authorization messages (private)
clock              clock daemon
cron               cron daemon performing scheduled commands
daemon             system daemons running background system processes
ftp                File Transfer Protocol (FTP) daemon
kernel             kernel messages
local0 - local7    reserved for local use
lpr                line printer subsystem
mail               email system
news               network news subsystem
ntp                Network Time Protocol (NTP) daemon
syslog             messages generated internally by the syslog daemon

Example
This example shows how to enable logging to a remote syslog server, configure an IP address and port for the server, and set the facility type to user.
    config log syslogd setting
        set status enable
        set server 220.210.200.190
        set port 601
        set facility user
    end

This example shows how to display the log setting for logging to a remote syslog server.
    get log syslogd setting

This example shows how to display the configuration for logging to a remote syslog server.
    show log syslogd setting
If the show command returns you to the prompt, the settings are at default.
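As an added example that is not part of the guide, the following Python checks a 'config log syslogd setting' block against the keyword table above and decodes the PRI field a syslog collector receives, so you can confirm that a Notification-level traffic log will actually be recorded at the configured facility and logging level. The numeric RFC 3164 facility codes, the constructed sample line and the helper names are assumptions; the guide does not state which codes the FortiGate unit emits.

```python
"""Added example (not from the guide): validate 'config log syslogd setting'."""
import ipaddress
import re

# Facility keywords accepted by 'set facility' (keyword table / Table 14)
# mapped to RFC 3164 facility codes. Assumption: the FortiGate unit emits
# the standard codes; cron=9 and clock=15 follow the usual Unix convention
# for the two "clock daemon" slots in RFC 3164.
FACILITY_CODES = {
    "kernel": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
    "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
    "authpriv": 10, "ftp": 11, "ntp": 12, "audit": 13, "alert": 14,
    "clock": 15, **{f"local{i}": 16 + i for i in range(8)},
}
CODE_TO_FACILITY = {code: name for name, code in FACILITY_CODES.items()}

# FortiGate severity names in RFC 3164 order (0 = most severe).
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notification", "information", "debug"]

# Defaults from the log syslogd setting keyword table.
DEFAULTS = {"csv": "disable", "facility": "local7", "port": "514",
            "server": None, "status": "disable"}


def parse_syslogd_setting(text):
    """Parse a 'config log syslogd setting ... end' block into a dict.

    Unset keywords keep their table defaults; each value is checked against
    the form the keyword table allows, raising ValueError otherwise.
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if lines[0] != "config log syslogd setting" or lines[-1] != "end":
        raise ValueError("not a 'config log syslogd setting' block")
    cfg = dict(DEFAULTS)
    for ln in lines[1:-1]:
        m = re.fullmatch(r"set\s+(\w+)\s+(\S+)", ln)
        if not m:
            raise ValueError(f"unrecognised line: {ln!r}")
        key, value = m.groups()
        if key not in cfg:
            raise ValueError(f"unknown keyword: {key}")
        if key in ("csv", "status") and value not in ("enable", "disable"):
            raise ValueError(f"{key} must be enable or disable")
        if key == "facility" and value not in FACILITY_CODES:
            raise ValueError(f"unknown facility: {value}")
        if key == "port" and not (value.isdigit() and 0 < int(value) < 65536):
            raise ValueError(f"bad port: {value}")
        if key == "server":
            ipaddress.IPv4Address(value)  # raises on a non-IPv4 value
        cfg[key] = value
    return cfg


def expected_pri(facility, severity):
    """PRI value (facility*8 + severity) a message at this level carries."""
    return FACILITY_CODES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(line):
    """Split a received syslog line into (facility, severity, rest)."""
    m = re.match(r"<(\d{1,3})>(.*)", line, re.DOTALL)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range <PRI> prefix")
    pri = int(m.group(1))
    return CODE_TO_FACILITY[pri // 8], SEVERITIES[pri % 8], m.group(2)


def passes_level(threshold, severity):
    """True if a message at 'severity' is recorded when the logging level is
    'threshold'; this is the guide's rule for Notification-level traffic logs."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(threshold)


def check_traffic_logging(config_text, threshold):
    """Return (parsed config, findings) explaining why traffic logs would be lost."""
    cfg = parse_syslogd_setting(config_text)
    findings = []
    if cfg["status"] != "enable":
        findings.append("syslog logging is disabled")
    if cfg["server"] is None:
        findings.append("no syslog server configured")
    if not passes_level(threshold, "notification"):
        findings.append(f"level {threshold} drops Notification traffic logs")
    return cfg, findings


# Constructed sample input: the guide's example configuration from above and
# one constructed syslog line (its body format is not the FortiGate's).
EXAMPLE_CONFIG = """
config log syslogd setting
  set status enable
  set server 220.210.200.190
  set port 601
  set facility user
end
"""
SAMPLE_LINE = "<13>2004-07-16 10:00:00 type=traffic (constructed sample)"
```

With facility user and a Notification-level message the collector sees PRI 13; setting the location's level to Warning or higher severity is reported as a finding because traffic logs would no longer be recorded.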


FortiGate-60 Administration Guide Version 2.80

FortiGuard categories
FortiGuard is a web filtering solution provided by Fortinet. FortiGuard sorts thousands of Web pages into a wide variety of categories that users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard server to determine the category of a requested Web page and then follows the policy configured for that user or interface. Please see "Category block" on page 297 for more information about how FortiGuard works and how to configure it. Table 15 describes each FortiGuard category.

Table 15: FortiGuard categories

Potentially Liable
1. Abused Drugs: Sites that promote or provide information about the use of prohibited drugs, or the abuse or unsanctioned use of controlled or regulated drugs; paraphernalia associated with such use or abuse; also, sites that provide information about or promote the cultivation, preparation, or use of marijuana.
2. Cult or Occult: Sites that provide information about or promote religions not specified in Traditional Religions or other unconventional, cultic, or folkloric beliefs and practices. Sites that promote or offer methods, means of instruction, or other resources to affect or influence real events through the use of spells, curses, magic powers, satanic or supernatural beings.
3. Hacking: Sites that provide information about or promote illegal or questionable access to or use of computer or communication equipment, software, or databases. Proxy Avoidance - sites that provide information about how to bypass proxy server features or to gain access to URLs in any way that bypasses the proxy server. URL Translation Sites - sites that offer online translation of URLs. These sites access the URL to be translated in a way that bypasses the proxy server, potentially allowing unauthorized access.
4. Illegal or Questionable: Sites that provide instruction in or promote nonviolent crime or unethical or dishonest behavior or the avoidance of prosecution.

5. Racism or Hate: Sites that promote the identification of racial groups, the denigration or subjection of groups, or the superiority of any group.
6. Violence: Sites that feature or promote violence or bodily harm, including self-inflicted harm; or that gratuitously display images of death, gore, or injury; or that feature images or descriptions that are grotesque or frightening and of no redeeming value.

Objectionable or Controversial
7. Abortion: Sites with neutral or balanced presentation of the issue. Pro-Choice - Sites that provide information about or are sponsored by organizations that support legal abortion or that offer support or encouragement to those seeking the procedure. Pro-Life - Sites that provide information about or are sponsored by organizations that oppose legal abortion or that seek increased restriction of abortion.
8. Adult Materials: Sites that display full or partial nudity in a sexual context, but not sexual activity; erotica; sexual paraphernalia; sex-oriented businesses as clubs, nightclubs, escort services; and sites supporting online purchase of such goods and services. Sex Education - Sites that offer information about sex and sexuality, with no pornographic intent. Lingerie and Swimsuit - Sites that offer images of models in suggestive but not lewd costume, with semi nudity permitted. Includes classic 'cheesecake,' calendar, and pin-up art and photography. Includes also sites offering lingerie or swimwear for sale.
9. Advocacy Groups: Sites that promote change or reform in public policy, public opinion, social practice, economic activities and relationships.
10. Alcohol and Tobacco: Sites that provide information about, promote, or support the sale of alcoholic beverages or tobacco products or associated paraphernalia.
11. Gambling: Sites that provide information about or promote gambling or support online gambling, involving a risk of losing money.
12. Militancy and Extremist: Sites that offer information about or promote or are sponsored by groups advocating anti government beliefs or action.
13. Nudity: Sites that offer depictions of nude or semi nude human forms, singly or in groups, not overtly sexual in intent or effect.
14. Pornography: Sites that depict or graphically describe sexual acts or activity, including exhibitionism; also sites offering direct links to such sites.
15. Tasteless: Sites with content that is gratuitously offensive or shocking. Includes sites devoted in part or whole to scatology and similar topics or to improper language, humor, or behavior.

16. Weapons: Sites that provide information about, promote, or support the sale of weapons and related items. Sport Hunting and Gun Clubs - Sites that provide information about or directories of gun clubs and similar groups, including war-game and paintball facilities.

Potentially Non-productive
17. Advertisement: Sites that provide advertising graphics or other ad content files.
18. Brokerage and Trading: Sites that support active trading of securities and management of investments.
19. Freeware and Software Download: Sites whose primary function is to provide freeware and software downloads.
20. Games: Sites that provide information about or promote electronic games, video games, computer games, role-playing games, or online games.
21. Internet Communication: Web Chat - Sites that host Web chat services or that support or provide information about chat via HTTP or IRC. Instant Messaging - Sites that enable instant messaging. Message Boards and Clubs - Sites for online personal and business clubs, discussion groups, message boards, and list servers; includes 'blogs' and 'mail magazines.' Digital post cards - Sites for sending/viewing digital post cards. Internet Telephony - Sites that enable users to make telephone calls via the Internet or to obtain information or software for that purpose.
22. Pay to Surf: Sites that pay users to view Web sites, advertisements, or email. Includes sweepstakes and giveaways.
23. Web-based Email: Sites that host Web-based email.

Potentially Bandwidth Consuming
24. File Sharing and Storage: Personal Network Storage and Backup - Sites that store personal files on Internet servers for backup or exchange. Peer-to-Peer File Sharing - Sites that provide client software to enable peer-to-peer file sharing and transfer.
25. Streaming Media: Internet Radio and TV - Sites whose primary purpose is to provide radio or TV programming on the Internet. MP3 - Sites that support downloading of MP3 or other sound files or that serve as directories of such sites.

Potentially Security Violating
26. Malicious Web Sites: Sites that contain code that may intentionally modify end-user systems without their consent and cause harm.
27. Spyware: Sites or pages that download software that, without the user's knowledge, generates http traffic (other than simple user identification and validation).

General Interest
28. Arts and Entertainment: Sites that provide information about or promote motion pictures, movie theatres, music and programming guides, artists or review on entertainment, comics, non-news radio and television, books, humor, and magazines, including those that support online shopping.
29. Cultural Institutions: Sites sponsored by museums, galleries, theatres (but not movie theatres), libraries, and similar institutions; also, sites whose purpose is the display of artworks.
30. Education: Educational Institutions - Sites sponsored by schools and other educational facilities, by nonacademic research institutions, or that relate to educational events and activities. Educational Materials - Sites that provide information about or that sell or provide curriculum materials or direct instruction; also, learned journals and similar publications. Sites for children.
31. Financial Data and Services: Sites that offer news and quotations on stocks, bonds, and other investment vehicles, investment advice, but not online trading. Includes banks, credit unions, credit cards, and insurance.
32. Gay or Lesbian or Bisexual Interest: Sites that provide information about or cater to gay, lesbian, or bisexual lifestyles, but excluding those that are sexually or issue-oriented.
33. Health: Sites that provide information or advice on personal health or medical services, procedures, or devices, but not drugs. Includes self-help groups.
34. Job Search: Sites that offer information about or support the seeking of employment or employees.
35. Medicine: Prescribed Medications - Sites that provide information about approved drugs and their medical use. Supplements and Unregulated Compounds - Sites that provide information about or promote the sale or use of chemicals not regulated by the FDA (such as naturally occurring compounds).
36. News and Media: Sites that offer current news and opinion, including those sponsored by newspapers, general-circulation magazines, or other media. Alternative Journals - Online equivalents to supermarket tabloids and other fringe publications.
37. Personals and Dating: Sites that assist users in establishing interpersonal relationships, excluding those intended to arrange for sexual encounters and excluding those of exclusively gay or lesbian or bisexual interest.
38. Political Organizations: Sites sponsored by or providing information about political parties and interest groups focused on elections or legislation.

39. Reference Materials: Sites that offer reference-shelf content such as atlases, dictionaries, encyclopedias, formularies, white and yellow pages, and public statistical data.
40. Religion: Traditional Religions - Sites that provide information about or promote Buddhism, Bahai, Christianity, Christian Science, Hinduism, Islam, Judaism, Mormonism, Shinto, and Sikhism, as well as atheism.
41. Search Engines and Portals: Sites that support searching the Web, news groups, or indices or directories thereof.
42. Shopping and Auction: Sites that support the online purchase of consumer goods and services except: sexual materials, lingerie, swimwear, investments, medications, educational materials, computer software or hardware, alcohol, tobacco, travel, vehicles and parts, weapons, and sports. Internet Auctions - Sites that support the offering and purchasing of goods between individuals. Real Estate - Sites that provide information about renting, buying, selling, or financing residential real estate.
43. Social Organizations: Professional and Worker Organizations - Sites sponsored by or that support or offer information about organizations devoted to professional advancement or workers interests. Service and Philanthropic Organizations - Sites sponsored by or that support or offer information about organizations devoted to doing good as their primary activity. Social and Affiliation Organizations - Sites sponsored by or that support or offer information about organizations devoted chiefly to socializing or common interests other than philanthropy or professional advancement.
44. Society and Lifestyles: Sites that provide information about matters of daily life, excluding entertainment, health, hobbies, jobs, sex, and sports. Hobbies - Sites that provide information about or promote private and largely sedentary pastimes, but not electronic, video, or online games. Personal Web Sites - Sites published and maintained by individuals for their personal self-expression and ends. Restaurants and Dining - Sites that list, review, advertise, or promote food, dining, or catering services.
45. Special Events: Sites devoted to a current event that requires separate categorization.
46. Sports: Sites that provide information about or promote sports, active games, and recreation.
47. Travel: Sites that provide information about or promote travel-related services and destinations.
48. Vehicles: Sites that provide information about or promote vehicles, including those that support online purchase of vehicles or parts.

Business Oriented
49. Business and Economy: Sites sponsored by or devoted to business firms, business associations, industry groups, or business in general.
50. Computer Security: Sites that provide information about or free downloadable tools for computer security.
51. Government and Legal Organizations: Sites sponsored by branches, bureaus, or agencies of any level of government, except for the armed forces. Sites that discuss or explain laws of various government entities.
52. Information Technology: Sites sponsored by or providing information about computers, software, the Internet, and related business firms, including sites supporting the sale of hardware, software, peripherals, and services.
53. Military Organizations: Military - Sites sponsored by branches or agencies of the armed services.

Others
54. Dynamic Content: URLs that are generated dynamically by a Web server.
55. Miscellaneous: Content Delivery Networks - Commercial hosts that deliver content to subscribing Web sites. Image Servers - Web servers whose primary function is to deliver images. Images (Media) - URLs ending with image file names. Network Errors - URLs with hosts that do not resolve to IP addresses. Private IP Addresses - IP addresses defined in RFC 1918, 'Address Allocation for Private Intranets.'
56. Web Hosting: Sites of organizations that provide hosting services, or top-level domain pages of Web communities.

FortiGate maximum values
The following table contains the maximum number of table, field, and list entries for FortiGate features.

Feature                           50A   60*   100   200   300   400   500   800   1000  3000  3600  4000  5000
system vdom                       2     2     2     16    32    64    64    64    128   512   512   512   512
system zone                       20    20    20    50    50    100   100   100   200   300   500   500   500
system interface                  12    12    12    4096  4096  4096  4096  4096  4096  4096  4096  4096  4096
system interface secondaryip      32    32    32    32    32    32    32    32    32    32    32    32    32
system interface ip6 prefix list  32    32    32    32    32    32    32    32    32    32    32    32    32
system ipv6_tunnel                4     4     4     4     4     4     4     4     4     4     4     4     4
system accprofile                 8     8     8     16    16    16    16    16    64    64    64    64    64
system admin                      8     8     8     64    64    64    64    64    256   256   256   256   256
system snmp community             3     3     3     3     3     3     3     3     3     3     3     3     3
system snmp community hosts       8     8     8     8     8     8     8     8     8     8     8     8     8
system session_ttl port           512   512   512   512   512   512   512   512   512   512   512   512   512
system dhcp server                8     8     8     8     8     8     8     8     8     8     8     8     8
system dhcp ipmacbinding          10    20    30    30    50    50    100   100   200   200   200   200   200
system dhcp exclude_range         4     4     4     16    16    16    16    16    16    16    16    16    16
system mac address table          50    50    50    50    50    50    50    50    50    50    50    50    50
system session helper             32    32    32    32    32    32    32    32    32    32    32    32    32
user radius                       6     6     6     6     6     6     6     6     6     6     6     6     6
user ldap                         6     6     6     6     6     6     6     6     6     6     6     6     6
user local                        20    500   1000  1000  1000  1000  1000  1000  1000  1000  1000  1000  1000

* The FortiGate 60 values apply to the FortiGate-60 and the FortiWiFi-60.

FortiGate maximum values FortiGate model Feature user group user group member webfilter bword webfilter urlexm webfilter urlblock webfilter urlpat firewall address firewall service predefined firewall service custom firewall service group firewall service group member firewall schedule onetime firewall schedule recurring firewall ippool firewall profile firewall vip firewall ipmacbinding table firewall addrgrp firewall addrgrp member firewall policy firewall dnstranslation firewall multicast policy vpn ipsec phase1 vpn ipsec phase2 vpn ipsec manualkey vpn ipsec concentrator vpn ipsec concentrator member vpn ipsec vip 50A 100 350 32 32 32 500 500 500 500 300 256 256 50 32 500 50 60* 100 350 32 32 32 500 500 500 500 300 500 500 50 32 500 100 100 100 350 32 32 32 500 500 500 500 300 256 256 50 32 500 1000 200 100 350 32 32 32 1000 500 500 500 300 256 256 50 32 500 1000 300 100 350 32 32 32 3000 500 500 500 300 256 256 50 32 500 2000 400 100 350 32 32 32 3000 500 500 500 300 256 256 50 32 500 2000 500 100 350 32 32 32 6000 500 500 500 300 256 256 50 32 500 2000 800 100 350 32 32 32 6000 500 500 500 300 256 256 50 32 500 2000 1000 100 350 32 32 32 500 500 500 300 256 256 50 32 500 5000 3000 100 350 32 32 32 500 500 500 300 256 256 50 200 1024 5000 3600 100 350 32 32 32 500 500 500 300 256 256 50 200 1024 5000 4000 100 350 32 32 32 500 500 500 300 256 256 50 200 1024 5000 5000 100 350 32 32 32 500 500 500 300 256 256 50 200 1024 5000 32000 32000 32000 32000 32000 32000 32000 32000 32000 32000 32000 32000 32000 10000 10000 10000 10000 10000 500 300 200 32 32 20 20 20 500 300 500 300 500 32 32 50 50 50 500 300 500 300 1000 32 32 80 80 80 500 300 500 300 2000 32 64 200 200 200 500 300 500 300 5000 32 64 1500 1500 1500 500 300 500 300 5000 32 64 1500 1500 1500 500 300 500 300 500 300 500 300 500 300 500 300 500 300 500 300 20000 20000 50000 50000 50000 50000 50000 32 128 3000 3000 3000 500 300 32 128 3000 3000 3000 500 300 32 128 5000 5000 5000 500 300 32 256 5000 5000 5000 
500 300 32 256 5000 5000 5000 500 300 32 256 5000 5000 5000 500 300 32 256 5000 5000 5000 500 300 32 32 32 32 32 32 32 32 32 32 32 32 32 * The FortiGate 60 values apply to the FortiGate-60 and the FortiWiFi-60. . 342 01-28003-0002-20040716 Fortinet Inc.

FortiGate-60 Administration Guide 01-28003-0002-20040716 343 .FortiGate maximum values FortiGate model Feature antivirus filepattern antivirus heuristic rules antivirus quarfilepattern antispam bword antispam ipbwl antispam rbl 50A 56 50 20 32 32 32 60* 56 50 20 32 32 32 32 32 100 32 50 32 20 32 20 16 20 100 20 100 100 100 100 32 300 32 50 20 10 10 100 56 50 20 32 32 32 32 32 100 32 50 32 20 32 20 16 20 100 20 100 100 100 100 32 300 32 50 20 10 10 200 56 50 20 32 32 32 32 32 100 32 50 100 20 100 20 16 20 100 20 100 100 100 100 32 300 32 50 20 10 10 300 56 50 20 32 32 32 32 32 100 32 50 100 20 100 20 16 20 100 20 100 100 100 100 32 300 32 50 20 10 10 400 56 50 20 32 32 32 32 32 100 32 50 100 20 100 20 16 20 100 20 100 100 100 100 32 300 32 50 20 10 10 500 56 50 20 32 32 32 32 32 100 32 50 100 20 100 20 16 20 100 20 100 100 100 100 32 300 32 50 20 10 10 800 56 50 20 32 32 32 32 32 100 32 50 100 20 100 20 16 20 100 20 100 100 100 100 32 300 32 50 20 10 10 1000 56 50 20 32 32 32 32 32 100 32 50 100 20 100 20 100 20 100 20 100 100 100 100 32 300 32 50 20 10 10 3000 56 50 20 32 32 32 32 32 100 32 50 100 20 100 20 100 20 100 20 100 100 100 100 32 300 32 50 20 10 10 3600 56 50 20 32 32 32 32 32 100 32 50 100 20 100 20 100 20 100 20 100 100 100 100 32 300 32 50 20 10 10 4000 56 50 20 32 32 32 32 32 100 32 50 100 20 100 20 100 20 100 20 100 100 100 100 32 300 32 50 20 10 10 5000 56 50 20 32 32 32 32 32 100 32 50 100 20 100 20 100 20 100 20 100 100 100 100 32 300 32 50 20 10 10 antispam emailbwl 32 antispam mheader 32 ips anomaly limit ips custom log trafficfilter rule router access list router access list rule router prefix list router prefix list rule router key chain router key chain key router route map router route map rule 100 32 50 32 20 32 20 16 20 100 20 router rip distance 100 router rip distribute 100 list router rip neighbor 100 router rip network router rip passive interface router ospf area router ospf area range router ospf area virtual link router ospf area 
filter list 100 300 router rip offset list 32 router rip interface 32 50 20 10 10 * The FortiGate 60 values apply to the FortiGate-60 and the FortiWiFi-60.

Feature                           50A   60*   100   200   300   400   500   800   1000  3000  3600  4000  5000
router ospf ospf interface        100   100   100   100   100   100   100   100   100   100   100   100   100
router ospf network               100   100   100   100   100   100   100   100   100   100   100   100   100
router ospf neighbor              10    10    10    10    10    10    10    10    10    10    10    10    10
router ospf passive interface     100   100   100   100   100   100   100   100   100   100   100   100   100
router ospf redistribute          100   100   100   100   100   100   100   100   100   100   100   100   100
router ospf summary address       10    10    10    10    10    10    10    10    10    10    10    10    10
router ospf distribute list       10    10    10    10    10    10    10    10    10    10    10    10    10
router static                     32    32    32    500   500   500   500   500   1000  1000  1000  1000  1000
router policy                     16    16    16    100   100   100   100   100   100   100   100   100   100
router static6                    8     8     8     500   500   500   500   500   500   500   500   500   500

* The FortiGate 60 values apply to the FortiGate-60 and the FortiWiFi-60.

Glossary

Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both.

DMZ, Demilitarized Zone: Used to host Internet services without allowing unauthorized access to an internal (private) network. Typically, the DMZ contains servers accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (email) servers and DNS servers.

DMZ interface: The FortiGate interface that is connected to a DMZ network.

DNS, Domain Name Service: A service that converts symbolic node names to IP addresses.

Ethernet: A local-area network (LAN) architecture that uses a bus or star topology and supports data transfer rates of 10 Mbps. Ethernet is one of the most widely implemented LAN standards. A newer version of Ethernet, called 100 Base-T (or Fast Ethernet), supports data transfer rates of 100 Mbps. And the newest version, Gigabit Ethernet, supports data rates of 1 gigabit (1,000 megabits) per second.

External interface: The FortiGate interface that is connected to the Internet. For the FortiGate-60 the external interface is WAN1 or WAN2.

FTP, File Transfer Protocol: An application and TCP/IP protocol used to upload or download files.

Gateway: A combination of hardware and software that links different networks. Gateways between TCP/IP networks, for example, can link different subnetworks.

HTTP, Hyper Text Transfer Protocol: The protocol used by the World Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.

HTTPS: The SSL protocol for transmitting private documents over the Internet using a Web browser.

Internal interface: The FortiGate interface that is connected to an internal (private) network.

Internet: A collection of networks connected together that span the entire globe using the NFSNET as their backbone. As a generic term, it refers to any collection of interdependent networks.

ICMP, Internet Control Message Protocol: Part of the Internet Protocol (IP) that allows for the generation of error messages, test packets, and information messages relating to IP. This is the protocol used by the ping function when sending ICMP Echo Requests to a network host.

IKE, Internet Key Exchange: A method of automatically exchanging authentication and encryption keys between two secure servers.

IMAP, Internet Message Access Protocol: An Internet email protocol that allows access to your email from any IMAP compatible browser. With IMAP, your mail resides on the server.

IP, Internet Protocol: The component of TCP/IP that handles routing.

IP Address: An identifier for a computer or device on a TCP/IP network. An IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255.

IPSec, Internet Protocol Security: A set of protocols that support secure exchange of packets at the IP layer. IPSec is most often used to support VPNs.

L2TP, Layer Two (2) Tunneling Protocol: An extension to the PPTP protocol that enables ISPs to operate Virtual Private Networks (VPNs). L2TP merges PPTP from Microsoft and L2F from Cisco Systems. To create an L2TP VPN, your ISP's routers must support L2TP.

LAN
Local Area Network: A computer network that spans a relatively small area. Most LANs connect workstations and personal computers. Each computer on a LAN is able to access data and devices anywhere on the LAN. This means that many users can share data as well as physical resources such as printers.

MAC address
Media Access Control address: A hardware address that uniquely identifies each node of a network.

MIB
Management Information Base: A database of objects that can be monitored by an SNMP network manager.

Modem: A device that converts digital signals into analog signals and back again for transmission over telephone lines.

MTU
Maximum Transmission Unit: The largest physical packet size, measured in bytes, that a network can transmit. Any packets larger than the MTU are divided into smaller packets before being sent. Ideally, you want the MTU your network produces to be the same as the smallest MTU of all the networks between your machine and a message's final destination. If your messages are larger than one of the intervening MTUs, they get broken up (fragmented), which slows down transmission speeds.

Netmask: Also called subnet mask. A set of rules for omitting parts of a complete IP address to reach a target destination without using a broadcast message. It can indicate a subnetwork portion of a larger network in TCP/IP. Sometimes referred to as an Address Mask.

NTP
Network Time Protocol: Used to synchronize the time of a computer to an NTP server. NTP provides accuracies to within tens of milliseconds across the Internet relative to Coordinated Universal Time (UTC).

Packet: A piece of a message transmitted over a packet-switching network. One of the key features of a packet is that it contains the destination address in addition to the data. In IP networks, packets are often called datagrams.

Ping
Packet Internet Grouper: A utility used to determine whether a specific IP address is accessible. It works by sending a packet to the specified address and waiting for a reply.

POP3
Post Office Protocol: A protocol used to transfer e-mail from a mail server to a mail client across the Internet. Most e-mail clients use POP.

Port: In TCP/IP and UDP networks, a port is an endpoint to a logical connection. The port number identifies what type of port it is. For example, port 80 is used for HTTP traffic.

PPP
Point-to-Point Protocol: A TCP/IP protocol that provides host-to-network and router-to-router connections.

PPTP
Point-to-Point Tunneling Protocol: A Windows-based technology for creating VPNs. PPTP is supported by Windows 98, 2000, and XP. To create a PPTP VPN, your ISP's routers must support PPTP.

Protocol: An agreed-upon format for transmitting data between two devices. The protocol determines the type of error checking to be used, the data compression method (if any), how the sending device indicates that it has finished sending a message, and how the receiving device indicates that it has received a message.

RADIUS
Remote Authentication Dial-In User Service: An authentication and accounting system used by many Internet Service Providers (ISPs). When users dial into an ISP they enter a user name and password. This information is passed to a RADIUS server, which checks that the information is correct, and then authorizes access to the ISP system.

Router: A device that connects LANs into an internal network and routes traffic between them.

Routing: The process of determining a path to use to send data to its destination.

Routing table: A list of valid paths through which data can be transmitted.

Server: An application that answers requests from other devices (clients). Used as a generic term for any device that provides services to the rest of the network such as printing, high capacity storage, and network access.

SMTP
Simple Mail Transfer Protocol: In TCP/IP networks, this is an application for providing mail delivery services.

SNMP
Simple Network Management Protocol: A set of protocols for managing networks. SNMP works by sending messages to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.

SSH
Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong secure authentication and secure communications over insecure channels.

Subnet: A portion of a network that shares a common address component. On TCP/IP networks, subnets are defined as all devices whose IP addresses have the same prefix. For example, all devices with IP addresses that start with 100.100.100. would be part of the same subnet. IP networks are divided using a subnet mask. Dividing a network into subnets is useful for both security and performance reasons.

Subnet Address: The part of the IP address that identifies the subnetwork.

TCP
Transmission Control Protocol: One of the main protocols in TCP/IP networks. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.

UDP
User Datagram Protocol: A connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP, UDP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. It is used primarily for broadcasting messages over a network.

Virus: A computer program that attaches itself to other programs, spreading itself through computers or networks by this mechanism usually with harmful intent.

VPN
Virtual Private Network: A network that links private networks over the Internet. VPNs use encryption and other security mechanisms to ensure that only authorized users can access the network and that data cannot be intercepted.

Worm: A program or algorithm that replicates itself over a computer network, usually through email, and performs malicious actions, such as using up the computer's resources and possibly shutting the system down.


FortiGate-60 Administration Guide Version 2.80 Index

59 bandwidth guaranteed 163. 221 csv 331 custom TCP service 173. 243 CLI 19 upgrading the firmware 32. 164 maximum 163. 219. A address 165 virtual IP 181 administrator account netmask 108. 237 Configuring the spoke 223 Configuring XAuth 215 contact information SNMP 95 content block web filter 290 Correction 246 Create new 212. 234 D date setting 79 Dead Peer Detection 215 174 custom UDP service 173. 109 trusted host 109 alert email enabling 323 options 322 Allow Inbound 232 Allow outbound 232 anomaly 265 list 266 antivirus 269 antivirus updates 117 through a proxy server 117 attack updates scheduling 117 through a proxy server 117 Authentication 214 authentication enabling 205 timeout 81 Authentication Algorithm 219. 164 banned word spam 311 browsing the Internet through a VPN tunnel 218. 174 customer service 22 B back up configuration 112 Backing up and restoring the local certificate and private key 244 backup mode modem 56. 220 concentrator adding 222 Concentrator list 221 Concentrator name 221 Concentrator options 221 configuration backup 112 reset to factory default 126 restore 112 Configuration Error 246 Configuring redundant IPSec VPNs 240 Configuring spokes 238 Configuring the hub 221. 220 Authentication Key 220 Authentication Method 213 AutoIKE IPSec VPN with certificates 228 AutoIKE IPSec VPN with preshared keys 227 Autokey Keep Alive 218 C CA certificates 245 upload 113 cache 301 cache_ttl 301 Certificate Name 214.

220 Encryption Key 220 Encryption method 216 Exempt URL options 296 expire system status 30 H HA 82. 83 cluster ID 92 configuration 83 device failover 82 group ID 84 heartbeat failover 82 introduction 18 link failover 82 managing a cluster 91 mode 84 monitor 93 monitor priorities 87 override master 85 password 85 priorities of heartbeat device 86 schedule 85 status 93 unit priority 84 HA cluster configuring 88 F facility 332 FDN FortiProtect Distribution Network 114 FDS FortiProtect Distribution Server 114 File block 270 File block list 271 firewall authentication timeout 81 configuring 157 introduction 15 overview 157 firewall policies modem 61 firewall policies for IPSec VPN adding 230 164 E Email address 308 Enable perfect forward secrecy (PFS) 218 Enable replay detection 218 Encryption 214 for FortiLog unit 321 Encryption Algorithm 212. 203. 202. 184 firewall policy guaranteed bandwidth 163. debug log back up 112 restore 112 deny split tunneling 218. 164 maximum bandwidth 163. 213 Generating the certificate request 242 go HA monitor 92 GRE protocol 251 group ID HA 84 grouping services 175. 225 Dynamic DNS VPN 229 dynamic IP pool IP pool 166. 218 DHCP over IPSec 233 DHCP-IPSec 218 Dialup VPN 229 dialup VPN monitor 224 Disk logging settings 320 DMZ interface definition 345 dst 226 dst2 226 Dynamic DNS 213 dynamic DNS monitor 224. 176 groups user 205 guaranteed bandwidth 163. 52 ftp 195 G Gateway IP 212 Gateway Name 212. 33 Fortilog logging settings 321 fortilog setting 330 Fortinet customer service 22 FortiProtect Distribution Network 114 FortiProtect Distribution Server 114 from IP system status 30 from port system status 30. 219. 200. 164 firmware installing 35 re-installing current version 35 reverting to an older version 35 upgrading to a new version 31 upgrading using the CLI 32. 234 device failover HA 82 DH Group 215. 34 upgrading using the web-based manager 31.

345 Importing the signed local certificate 244 Inbound NAT 233 interface administrative status 42. 234 Internet key exchange 345 IP 86 IP Address 213 IP address 305 IP address list 305. 307. 218 59 configuring settings 57 connecting to FortiGate unit 57 standalone mode 56. 308. 60 K keepalive IPSec VPN tunnel 226 Keepalive Frequency 215 Key Size 243 Key Type 243 Keylife 215. 259 anomaly 265 anomaly list 266 IPSec 345 IPSec VPN 211 authentication for user group 205 Internet browsing 218. 345 hub HA schedule 86 Hub and spoke VPNs 236 L L2TP 205. 345 idle timeout web-based manager 81 IKE 345 IMAP 171. 345 configuring gateway 253 configuring Windows XP client 255 enabling 253 overview 252 language web-based manager 81 Least-Connection HA schedule 86 Lifetime (sec/kb) 216 link failover HA 82 Local certificate list 242 Local certificates 242 local certificates upload 113 Local ID 215 Local SPI 220 Log & report 317 Log file upload settings 320 Log filter options 323 Log settings 318 Logging 327 logging 19 I ICMP 172. heartbeat failover 82 High Availability 83 high availability introduction 18 http 196 HTTPS 18. 310 IP pool adding 185 IP port HA schedule 86 IPS 17. 213 mode HA 84 Transparent 16 modem adding firewall policies 61 backup mode 56. 171. 234 monitor 224 ping generator 226 remote gateway 205 tunnel keepalive 226 IPSec VPN in Transparent mode 235 IPv6 70 M MAC address 346 Managing digital certificates 241 Manual Key 219 Manual key IPSec VPN 230 Manual key list 219 Manual key options 219 matching policy 158 maximum bandwidth 163. 164 maximum values FortiGate 341 member 208 Members 221 Memory logging settings 321 MIB FortiGate 98 MIME headers 309 Mode 212. 68 Internet browsing through a VPN tunnel 218. 310 IP address options 305.

346 configuring gateway 248 configuring Windows 98 client 249 enabling 248 general configuration steps 247 PPTP passthrough 251 predefined services 170 Pre-shared Key 214 Pre-shared key for FortiLog unit 321 priorities of heartbeat device 86 profile 194 protection 188 protection profile 188 protocol service 170 system status 30 Proxy ID Destination 225 Proxy ID Source 225 proxy server 117 push updates 117 push update configuring 118. 178. 164 policy routing 139 POP3 172. monitor HA monitor 93 IPSec VPN 224 monitor priorities HA 87 MTU size 47 definition 346 Phase 2 basic settings 217 Phase 2 list 216 ping generator IPSec VPN 226 policy enabling authentication 205 guaranteed bandwidth 163. 109 network address translation introduction 16 network intrusion detection 17 next hop router 50 none HA schedule 86 NTP 171. 119 external IP address changes 119 management IP address changes 119 through a NAT device 119 through a proxy server 117 N Name 215 NAT introduction 16 push update 119 NAT/Route mode introduction 16 Nat-traversal 215 netmask administrator account 108. 180 Optional Information 243 options changing system options 80 Outbound NAT 233 override master HA 85 P P2 Proposal 218 passthrough PPTP 251 Password 215 password HA 85 Pattern block options 295 Peer identification 241 Peer option 214 Peer to peer VPN 228 Phase 1 212 Phase 1 advanced options 214 Phase 1 basic settings 213 Phase 1 list 212 Phase 2 216 Phase 2 advanced options 217 Q Quarantine 272 Quarantine list 272 Quick Mode Identities 218 R RADIUS definition 346 random HA schedule 86 RBL and ORDBL 306 346 NTP server 80 setting system date and time 79 O one-time schedule creating 177. 164 IPSec VPN 230 matching 158 maximum bandwidth 163. 346 port 332 port forward dynamic 181 port forwarding virtual IP 181 PPTP 205.

111 recurring schedule creating 179 Redundant IPSec VPNs 239 remote administration 50. 219. 332 service 169. 174 set time 80 Signature list 260 Signatures 259 SMTP 172 definition 346 smtp 196 SNMP contact information 95 definition 346 MIBs 98 traps 98 T TCP custom service 173. 225 timeout firewall authentication 81 idle 81 web-based manager 81 to IP system status 30 to port system status 30 Traffic Priority 163 Transparent mode 16 traps SNMP 98 Troubleshooting 246 trusted host administrator account 109 111. 108. 234 src 226 src2 226 SSH 172. 301 custom TCP 173. 174 technical support 22 time setting 79 time zone 80 Timeout 217. 178. 174 group 175. 174 custom UDP 173. 180 creating recurring 179 HA 85 scheduled antivirus and attack updates 117 scheduled updates through a proxy server 117 scheduling 117 Script filter 302 server 330. 301. 332 HA monitor 93 interface 42. 60 static IP monitor 224. 220 Remote gateway 225 Remote SPI 220 reporting 19 restarting 113 restore configuration 112 reverting firmware to an older version 35 Round-Robin HA schedule 86 router next hop 50 routing 346 configuring 55 policy 139 routing table 346 spam banned word 311 Spam filter 303 Special rules 236 split tunneling deny 218. 121. 108. read & write access level administrator account 79. 225 static NAT virtual IP 181 Status 217 status 226. 174 user-defined UDP 173. 68 Subject Information 243 subnet definition 347 subnet address definition 347 syn interval 80 synchronize with NTP server 80 Syslog logging settings 319 system configuration 79 system date and time setting 79 system options changing 80 S schedule 177 automatic antivirus and attack definition updates 117 creating one-time 177. 53 Remote Gateway 213. 347 SSL 345 service definition 171 standalone mode 83 modem 56. 176 predefined 170 service name 170 user-defined TCP 173. 216. 122 read only access level administrator account 79. 217.

119 upgrade firmware 31 upgrading firmware using the CLI 32. 34 firmware using the web-based manager 31. 174 user-defined UDP services 173. 335 content block 290 Web pattern block 294 Web script filter options 302 Web URL block list 293 web-based manager introduction 18 language 81 timeout 81 WebTrends logging settings 320 weighted round-robin HA schedule 86 Windows 2000 configuring L2TP dialup connection 254 configuring PPTP dialup connection 250 connecting to L2TP VPN 255 connecting to PPTP VPN 250 disabling IPSec for L2TP 254 Windows 98 configuring for PPTP 249 configuring PPTP dialup connection 249 connecting to PPTP VPN 249 installing PPTP support 249 Windows XP configuring for L2TP 255 configuring L2TP dialup connection 255 configuring L2TP VPN connection 256 configuring PPTP dialup connection 250 configuring PPTP VPN connection 250 connecting to L2TP VPN 257 connecting to PPTP VPN 251 disabling IPSec for L2TP 256 V virtual domain properties 128 virtual IP 181 dynamic port forwarding 184 port forwarding 181 static NAT 181 virus protection worm protection 14 VLAN overview 61 VPN introduction 17 IPSec 211 X XAuth 215 Enable as Client 215 Enable as Server 216 174 unit priority HA 84 up time HA monitor 93 update push 118. 33 Uploading a local certificate 244 URL block 292 URL exempt 295 URL options 293 user groups configuring 205 User-defined signatures 263 user-defined TCP services 173. 238 VPN Tunnel Name 220 U UDP custom service 173. tunnel keepalive IPSec VPN 226 Tunnel Name 216. 217 VPN certificates upload 113 VPN concentrator adding 222. 174 Usergroup 216 Username 225 W web content filtering introduction 14 Web filter 289.
