ADMINISTRATION GUIDE

FortiGate™ Version 3.0 MR3

www.fortinet.com

FortiGate™ Administration Guide
Version 3.0 MR3
24 November 2006
01-30003-0203-20061124

© Copyright 2006 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents
Introduction ...................................................................................... 17
Introducing the FortiGate units ..... 17
    FortiGate-5000 series chassis ..... 18
    About the FortiGate-5000 series modules ..... 19
    FortiGate-3600A ..... 19
    FortiGate-3600 ..... 20
    FortiGate-3000 ..... 20
    FortiGate-1000A ..... 20
    FortiGate-1000AFA2 ..... 21
    FortiGate-1000 ..... 21
    FortiGate-800 ..... 21
    FortiGate-800F ..... 21
    FortiGate-500A ..... 22
    FortiGate-500 ..... 22
    FortiGate-400A ..... 22
    FortiGate-400 ..... 22
    FortiGate-300A ..... 22
    FortiGate-300 ..... 23
    FortiGate-224B ..... 23
    FortiGate-200A ..... 23
    FortiGate-200 ..... 23
    FortiGate-100A ..... 23
    FortiGate-100 ..... 24
    FortiGate-60/60M/ADSL ..... 24
    FortiWiFi-60/60A/60AM ..... 24
    FortiGate-50A ..... 24
Fortinet family of products ..... 25
    FortiGuard Subscription Services ..... 25
    FortiAnalyzer ..... 25
    FortiClient ..... 25
    FortiManager ..... 26
    FortiBridge ..... 26
    FortiMail ..... 26
    FortiReporter ..... 26

About this document ..... 26
    Document conventions ..... 28
    FortiGate documentation ..... 29
        Fortinet Tools and Documentation CD ..... 30
        Fortinet Knowledge Center ..... 30
        Comments on Fortinet technical documentation ..... 31
Customer service and technical support ..... 31

FortiGate Version 3.0 MR3 Administration Guide 01-30003-0203-20061124


Web-based manager........................................................................ 33
Button bar features ..... 34
    Contact Customer Support ..... 34
    Using the Online Help ..... 35
    Logout ..... 37
Web-based manager pages ..... 37
    Web-based manager menu ..... 38
    Lists ..... 39
    Icons ..... 39
    Status bar ..... 40

Using virtual domains ..................................................................... 43
Virtual domains ..... 43
    VDOM configuration settings ..... 44
    Global configuration settings ..... 45
Enabling multiple VDOM operation ..... 46
Configuring VDOMs and global settings ..... 46
    Working with VDOMs and global settings ..... 47
    Adding interfaces to a VDOM ..... 48
    Assigning an administrator to a VDOM ..... 49
    Changing the Management VDOM ..... 49

System Status .................................................................................. 51
Status page ..... 51
    Viewing system status ..... 51
Changing system information ..... 58
    Configuring system time ..... 58
    Changing the FortiGate unit host name ..... 58
Changing the FortiGate firmware ..... 59
    Upgrading to a new firmware version ..... 59
    Reverting to a previous firmware version ..... 60
Viewing operational history ..... 61
Manually updating FortiGuard definitions ..... 61
Viewing Statistics ..... 62
    Viewing the session list ..... 62
    Viewing the Content Archive information ..... 63
    Viewing the Attack Log ..... 65


System Network ............................................................................... 67
Interface ..... 67
    Interface settings ..... 69
    Configuring an ADSL interface ..... 73
    Creating an 802.3ad aggregate interface ..... 74
    Creating a redundant interface ..... 75
    Creating a wireless interface ..... 76
    Configuring DHCP on an interface ..... 77
    Configuring an interface for PPPoE or PPPoA ..... 79
    Configuring Dynamic DNS service for an interface ..... 80
    Configuring a virtual IPSec interface ..... 81
    Additional configuration for interfaces ..... 82
Zone ..... 83
    Zone settings ..... 84
Options ..... 84
    DNS Servers ..... 84
    Dead gateway detection ..... 85
    Configuring Network Options ..... 85
Routing table (Transparent Mode) ..... 87
    Transparent mode route settings ..... 87
Configuring the modem interface ..... 87
    Configuring modem settings ..... 88
    Redundant mode configuration ..... 90
    Standalone mode configuration ..... 91
    Adding firewall policies for modem connections ..... 91
    Connecting and disconnecting the modem ..... 91
    Checking modem status ..... 92
VLAN overview ..... 92
    FortiGate units and VLANs ..... 93
VLANs in NAT/Route mode ..... 93
    Rules for VLAN IDs ..... 94
    Rules for VLAN IP addresses ..... 94
    Adding VLAN subinterfaces ..... 95
VLANs in Transparent mode ..... 96
    Rules for VLAN IDs ..... 98
    Transparent mode virtual domains and VLANs ..... 98
    Troubleshooting ARP Issues ..... 101
FortiGate IPv6 support ..... 101

System Wireless............................................................................. 103
The FortiWiFi wireless LAN interface ..... 103
Channel assignments ..... 104
System wireless settings (FortiWiFi-60) ..... 106
System wireless settings (FortiWiFi-60A and 60AM) ..... 107
Wireless MAC Filter ..... 108
Wireless Monitor ..... 109

System DHCP ................................................................................. 111
FortiGate DHCP servers and relays ..... 111
Configuring DHCP services ..... 112
    Configuring an interface as a DHCP relay agent ..... 113
    Configuring a DHCP server ..... 114
Viewing address leases ..... 115
    Reserving IP addresses for specific clients ..... 115

System Config................................................................................ 117
HA ..... 117
    HA options ..... 117
    Cluster members list ..... 120
    Viewing HA statistics ..... 122
    Changing subordinate unit host name and device priority ..... 123
    Disconnecting a cluster unit from a cluster ..... 124
SNMP ..... 124
    Configuring SNMP ..... 125
    Configuring an SNMP community ..... 125
    Fortinet MIBs ..... 127
    FortiGate traps ..... 128
    Fortinet MIB fields ..... 130
Replacement messages ..... 135
    Replacement messages list ..... 135
    Changing replacement messages ..... 136
    Changing the authentication login page ..... 138
    Changing the FortiGuard web filtering block override page ..... 139
    Changing the SSL-VPN login message ..... 139
    Changing the authentication disclaimer page ..... 139
VDOM operation mode and management access ..... 139
    Changing operation mode ..... 139
    Management access ..... 141

System Admin ................................................................................ 143
Administrators ..... 143
    Configuring RADIUS authentication for administrators ..... 144
    Viewing the administrators list ..... 144
    Configuring an administrator account ..... 145
Access profiles ..... 147
    Viewing the access profiles list ..... 150
    Configuring an access profile ..... 150
FortiManager ..... 151
Settings ..... 152
Monitoring administrators ..... 153

System Maintenance...................................................................... 155
Backup and restore ..... 155
FortiGuard Center ..... 159
    FortiGuard Distribution Network ..... 159
    FortiGuard Services ..... 159
    Configuring the FortiGate unit for FDN and FortiGuard services ..... 160
    Troubleshooting FDN connectivity ..... 164
    Updating antivirus and attack definitions ..... 164
    Enabling push updates ..... 165
License ..... 169

System Chassis (FortiGate-5000 series)...................................... 171
SMC ..... 171
Blades ..... 172
Chassis monitoring event log messages ..... 174

Switch (FortiGate-224B) ................................................................ 175
Overview ..... 175
Viewing WAN ports and WAN VLAN interfaces ..... 176
    Configuring a WAN port VLAN interface ..... 176
Viewing switch-LAN ports ..... 178
    Configuring a switch-LAN interface ..... 179
Viewing switch VLANs ..... 180
    Configuring a switch VLAN ..... 181
Configuring port monitoring ..... 182
Using Spanning-Tree Protocol ..... 183
    Configuring Spanning-Tree settings ..... 183
    Configuring Spanning-Tree VLAN settings ..... 185
    Configuring Spanning-Tree VLAN port settings ..... 186
Configuring IGMP snooping ..... 187
Configuring QoS ..... 187
    Configuring QoS settings ..... 187
    Configuring CoS-Map settings ..... 188
    Configuring DSCP-Map settings ..... 188
    Viewing QoS rate limits ..... 188
    Adding a QoS rate limit ..... 189
Configuring port quarantine ..... 189
    Viewing client profiles ..... 190
    Configuring a client profile ..... 190
    Viewing access policies ..... 191
    Configuring an access policy ..... 192
Configuring dynamic policies ..... 193
    Viewing quarantine policies ..... 193
    Configuring a dynamic policy ..... 193
Configuring 802.1X authentication ..... 195
Viewing switch status ..... 196
    Monitoring access results ..... 196
    Viewing quarantine port information ..... 197
    Viewing the MAC table ..... 197
    Creating a MAC table entry ..... 198
    Viewing statistics ..... 198

Router Static .................................................................................. 201
Routing concepts ..... 201
    How the routing table is built ..... 202
    How routing decisions are made ..... 202
    Multipath routing and determining the best route ..... 202
    How route sequence affects route priority ..... 203
    Equal Cost Multipath (ECMP) Routes ..... 204
Static Route ..... 204
    Working with static routes ..... 204
    Default route and default gateway ..... 205
    Adding a static route to the routing table ..... 208
Policy Route ..... 208
    Adding a route policy ..... 210
    Moving a route policy ..... 211

Router Dynamic ............................................................................. 213
RIP ..... 213
    How RIP works ..... 214
    Viewing and editing basic RIP settings ..... 214
    Selecting advanced RIP options ..... 216
    Overriding the RIP operating parameters on an interface ..... 217
OSPF ..... 218
    OSPF autonomous systems ..... 218
    Defining an OSPF AS ..... 219
    Viewing and editing basic OSPF settings ..... 220
    Selecting advanced OSPF options ..... 222
    Defining OSPF areas ..... 223
    Specifying OSPF networks ..... 224
    Selecting operating parameters for an OSPF interface ..... 225
BGP ..... 226
    How BGP works ..... 226
    Viewing and editing BGP settings ..... 227
Multicast ..... 228
    Viewing and editing multicast settings ..... 228
    Overriding the multicast settings on an interface ..... 230

Router Monitor ............................................................................... 233
Displaying routing information ..... 233
Searching the FortiGate routing table ..... 235

Firewall Policy ................................................................................ 237
About firewall policies ..... 237
    How policy matching works ..... 238
Viewing the firewall policy list ..... 238
    Adding a firewall policy ..... 239
    Moving a policy to a different position in the policy list ..... 240
Configuring firewall policies ..... 240
    Firewall policy options ..... 243
    Configuring intra-VLAN firewall policies ..... 246
    Adding authentication to firewall policies ..... 247
    Adding traffic shaping to firewall policies ..... 248
    IPSec firewall policy options ..... 251
    SSL-VPN firewall policy options ..... 252
    Options to check FortiClient on hosts ..... 252
Firewall policy examples ..... 253
    Scenario one: SOHO sized business ..... 253
    Scenario two: enterprise sized business ..... 256

Firewall Address ............................................................................ 259
About firewall addresses ..... 259
Viewing the firewall address list ..... 260
Configuring addresses ..... 261
Viewing the address group list ..... 261
Configuring address groups ..... 262

..................................................... 287 Adding a load balance port forwarding virtual IP for an IP address range and port range.............................................................................................................................. 279 Adding a static NAT virtual IP for a single IP address .................................................................................................................................................................... 292 IP pools................................................................................................. 275 Virtual IPs ..................................................................... 267 Viewing the service group list.....................................0 MR3 Administration Guide 01-30003-0203-20061124 ............................................................................................Contents Firewall Service. 271 Viewing the one-time schedule list......................... 292 Viewing the VIP group list ............................................................................................................................................................................. 275 Viewing the virtual IP list ........ 280 Adding a static NAT virtual IP for an IP address range.................. 298 10 FortiGate Version 3........ 275 How virtual IPs map connections through the FortiGate unit ............................................................................................................................................... 283 Adding static NAT port forwarding for an IP address range and a port range ................................................................................................. 297 Default protection profiles ........................................ 297 What is a protection profile .............................................. 272 Configuring recurring schedules.... 
285 Adding a load balance virtual IP for an IP address range .................................................................................................................... 273 Firewall Virtual IP ....................................................................... 294 Configuring IP Pools ...................................................... 263 Viewing the predefined service list..... 289 Adding dynamic virtual IPs......... 268 Configuring service groups.............. 269 Firewall Schedule.................. 266 Configuring custom services .......... 282 Adding static NAT port forwarding for a single IP address and a single port .......................................................................................................................................................................... 295 Firewall Protection Profile.......................... 272 Viewing the recurring schedule list .. 263 Viewing the custom service list .................................................................................................................................................................................................................................... 271 Configuring one-time schedules.............................. 291 Virtual IP Groups ................................................ 278 Configuring virtual IPs . 293 IP pools and dynamic NAT ..................................................................................... 298 Viewing the protection profile list............... 294 IP Pools for firewall policies that use fixed ports .......... 292 Configuring VIP groups .................................................................................. 294 Viewing the IP pool list ............................................................................

    Configuring a protection profile .... 298
        Antivirus options .... 298
        Web filtering options .... 299
        FortiGuard-Web filtering options .... 301
        Spam filtering options .... 302
        IPS options .... 303
        Content archive options .... 305
        IM and P2P options .... 305
        Logging options .... 306
    Adding a protection profile to a policy .... 307
    Protection profile CLI configuration .... 308
        config firewall profile .... 308
VPN IPSEC .... 308
    Overview of IPSec interface mode .... 309
    Auto Key .... 309
        Creating a new phase 1 configuration .... 310
        Defining phase 1 advanced settings .... 311
        Creating a new phase 2 configuration .... 314
        Defining phase 2 advanced settings .... 316
        Internet browsing configuration .... 317
    Manual Key .... 319
        Creating a new manual key configuration .... 320
    Concentrator .... 321
        Defining concentrator options .... 322
    Monitor .... 323
VPN PPTP .... 324
    PPTP Range .... 327
VPN SSL .... 327
    Config .... 329
    Monitor .... 329
VPN Certificates .... 331
    Local Certificates .... 333
        Generating a certificate request .... 333
        Downloading and submitting a certificate request .... 334
        Importing a signed server certificate .... 336
        Importing an exported server certificate and private key .... 336
        Importing separate server certificate and private key files .... 337
    CA Certificates .... 337
        Importing CA certificates .... 338

    CRL .... 338
        Importing a certificate revocation list .... 339
User .... 340
    Configuring user authentication .... 341
    Setting authentication timeout .... 341
    Local user accounts .... 341
        Configuring a user account .... 342
    RADIUS servers .... 342
        Configuring a RADIUS server .... 343
    LDAP servers .... 343
        Configuring an LDAP server .... 344
    Windows AD servers .... 345
        Configuring a Windows AD server .... 346
    User group .... 347
        User group types .... 347
        User group list .... 348
        Configuring a user group .... 349
        Configuring SSL VPN user group options .... 350
        Configuring FortiGuard override options for a user group .... 351
        Configuring peers and peer groups .... 352
AntiVirus .... 354
    Order of operations .... 355
    Antivirus elements .... 355
    FortiGuard antivirus .... 355
    Antivirus settings and controls .... 356
    File pattern .... 357
        Viewing the file pattern list catalog .... 357
        Creating a new file pattern list .... 358
        Viewing the file pattern list .... 358
        Configuring the file pattern list .... 359
    Quarantine .... 360
        Config .... 360
        Viewing the Quarantined Files list .... 361
        Viewing the AutoSubmit list .... 362
        Configuring the AutoSubmit list .... 362
        Configuring quarantine options .... 363
    Viewing the virus list .... 364
    Viewing the grayware list .... 364

    Antivirus CLI configuration .... 365
        system global optimize .... 367
        config antivirus heuristic .... 367
        config antivirus quarantine .... 367
        config antivirus service <service_name> .... 367
Intrusion Protection .... 368
    About intrusion protection .... 369
    IPS settings and controls .... 369
    When to use IPS .... 370
    Predefined signatures .... 370
        Viewing the predefined signature list .... 371
        Configuring predefined signature groups .... 371
        Configuring predefined signatures .... 373
    Custom signatures .... 374
        Viewing the custom signature list .... 374
        Creating custom signatures .... 374
    Protocol Decoders .... 375
        Viewing the protocol decoder list .... 376
        Configuring IPS protocol decoders .... 376
        Upgrading IPS protocol decoder list .... 377
        Configuring IPS protocol decoder groups .... 377
    Anomalies .... 377
        Viewing the traffic anomaly list .... 378
        Configuring IPS traffic anomalies .... 378
    IPS CLI configuration .... 379
        system autoupdate ips .... 380
        ips global fail-open .... 380
        ips global ip_protocol .... 380
        ips global socket-size .... 380
        (config ips anomaly) config limit .... 380
Web Filter .... 380
    Order of web filtering .... 381
    How web filtering works .... 381
    Web filter controls .... 381

    Content block .... 382
        Viewing the web content block list catalog .... 384
        Creating a new web content block list
        Viewing the web content block list
        Configuring the web content block list
        Viewing the web content exempt list catalog
        Creating a new web content exempt list
        Viewing the web content exempt list
        Configuring the web content exempt list
    URL filter
        Viewing the URL filter list catalog
        Creating a new URL filter list
        Viewing the URL filter list
        Configuring the URL filter list
        Moving URLs in the URL filter list
    FortiGuard .... 389
        Configuring FortiGuard-Web filtering
        Viewing the override list
        Configuring override rules
        Viewing the local ratings list
        Configuring local ratings
        Creating local categories
        FortiGuard-Web Filter reports
        Category block CLI configuration
Antispam .... 401
    Order of Spam Filtering .... 401
    Anti-spam filter controls .... 401
    Banned word .... 402
        Viewing the antispam banned word list catalog .... 404
        Creating a new antispam banned word list .... 404
        Viewing the antispam banned word list .... 405
        Configuring the antispam banned word list .... 405
    Black/White List .... 406
        Viewing the antispam IP address list catalogue .... 407
        Creating a new antispam IP address list .... 407
        Viewing the antispam IP address list .... 407
        Configuring the antispam IP address list .... 408
        Viewing the antispam email address list catalog .... 409
        Creating a new antispam email address list .... 409
        Viewing the antispam email address list .... 410
        Configuring the antispam email address list .... 410

    Advanced antispam configuration .... 411
        config spamfilter rbl .... 412
        config spamfilter mheader .... 412
    Using Perl regular expressions .... 412
        Regular expression vs. wildcard match pattern .... 413
        Word boundary .... 413
        Case sensitivity .... 413
        Perl regular expression formats .... 413
        Example regular expressions .... 414
IM/P2P
    Overview .... 417
        Configuring IM/P2P protocols .... 417
        How to enable and disable IM/P2P options .... 419
        How to configure IM/P2P options within a protection profile .... 419
        How to configure IM/P2P decoder log settings .... 419
        How to configure older versions of IM/P2P applications .... 420
        How to configure protocols that are not supported .... 420
    Statistics .... 420
        Viewing overview statistics .... 421
        Viewing statistics by protocol .... 421
    User .... 422
        Viewing the Current Users list .... 423
        Viewing the User List .... 423
        Adding a new user to the User List .... 424
        Configuring a policy for unknown IM users .... 424
Log&Report .... 425
    FortiGate Logging .... 427
    Log severity levels .... 427
    Storing Logs .... 428
        Logging to a FortiAnalyzer unit .... 429
        Testing the FortiAnalyzer configuration .... 429
        Connecting to FortiAnalyzer using Automatic Discovery .... 430
        Logging to memory .... 430
        Logging to a Syslog server .... 431
        Logging to WebTrends .... 432
    High Availability cluster logging .... 432

    Log types .... 433
        Traffic log .... 434
        Event log
        Attack log
        Antivirus log
        Web filter log
        Spam filter log
        IM and P2P log
        Content Archive .... 438
    Log Access
        Accessing log messages stored in memory
        Accessing logs stored on the FortiAnalyzer unit
        Viewing log information
        Filtering log messages
        Column settings
    Alert Email .... 441
        Configuring Alert Email .... 442
    Reports .... 442
        Basic traffic reports .... 444
        FortiAnalyzer reports .... 444
        Configuring a FortiAnalyzer report .... 445
        Editing scheduled FortiAnalyzer reports .... 446
        Viewing FortiAnalyzer reports from a FortiGate unit .... 451
        Viewing parts of a FortiAnalyzer report .... 451
        Printing your FortiAnalyzer report .... 451
Index .... 452

Introduction

Welcome and thank you for selecting Fortinet products for your real-time network protection.

FortiGate™ Unified Threat Management appliances improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network.

This chapter contains the following sections:
• Introducing the FortiGate units
• Fortinet family of products
• About this document
• FortiGate documentation
• Customer service and technical support

Introducing the FortiGate units

All FortiGate Unified Threat Management Systems deliver similar SOHO or enterprise-class network-based antivirus, content filtering, firewall, VPN, and network-based intrusion detection/prevention features. FortiGate Systems are dedicated, easily managed security devices that deliver a full suite of capabilities including:
• Application-level services such as virus protection, intrusion protection, spam filtering, web content filtering, and IM/P2P filtering
• Network-level services such as firewall, intrusion detection, IPSec and SSL VPN, and traffic shaping
• Management services such as user authentication, logging, reporting with FortiAnalyzer, administration profiles, secure web and CLI administrative access, and SNMP

The FortiGate Unified Threat Management System uses Fortinet’s Dynamic Threat Prevention System (DTPS™) technology, which leverages breakthroughs in chip design, networking, security and content analysis. The unique ASIC-accelerated architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks. FortiGate Systems are ICSA-certified for firewall, IPSec, and antivirus services.

FortiGate-5000 series chassis

The FortiGate-5000 series Security Systems are chassis-based systems that MSSPs and large enterprises can use to provide subscriber security services such as firewall, VPN, antivirus protection, spam filtering, web filtering and intrusion prevention (IPS). The FortiGate-5000 series chassis support multiple hot-swappable FortiGate-5000 series modules and power supplies. This modular approach provides a scalable, high-performance and failure-proof solution. The wide variety of system configurations available with the FortiGate-5000 series provides flexibility to meet the changing needs of growing high performance networks.

FortiGate-5140 chassis

[Figure: FortiGate-5140 chassis front view]

You can install up to 14 FortiGate-5000 series modules in the 14 slots of the FortiGate-5140 ATCA chassis. The FortiGate-5140 is a 12U chassis that contains two redundant hot swappable DC power entry modules that connect to -48 VDC Data Center DC power. The FortiGate-5140 chassis also includes three hot swappable cooling fan trays.

FortiGate-5050 chassis

[Figure: FortiGate-5050 chassis front view]

You can install up to five FortiGate-5000 series modules in the five slots of the FortiGate-5050 ATCA chassis. The FortiGate-5050 is a 5U chassis that contains two redundant DC power connections that connect to -48 VDC Data Center DC power. The FortiGate-5050 chassis also includes a hot swappable cooling fan tray.

FortiGate-5020 chassis

[Figure: FortiGate-5020 chassis front view]

You can install one or two FortiGate-5000 series modules in the two slots of the FortiGate-5020 ATCA chassis. The FortiGate-5020 is a 4U chassis that contains two redundant AC to DC power supplies that connect to AC power. The FortiGate-5020 chassis also includes an internal cooling fan tray.

About the FortiGate-5000 series modules

Each FortiGate-5000 series module is a standalone security system that can also function as part of an HA cluster. All FortiGate-5000 series units are high capacity security systems with multiple gigabit interfaces. All FortiGate-5000 series modules are also hot swappable.

FortiGate-5005FA2 module

The FortiGate-5005FA2 module is an independent high-performance security system with eight Gigabit ethernet interfaces, two of which include Fortinet technology to accelerate small packet performance. The FortiGate-5005FA2 module also supports high-end features including 802.1Q VLANs and multiple virtual domains.

FortiGate-5001SX module

The FortiGate-5001SX module is an independent high-performance security system with eight Gigabit ethernet interfaces. The FortiGate-5001SX module supports high-end features including 802.1Q VLANs and multiple virtual domains.

FortiGate-5001FA2 module

The FortiGate-5001FA2 module is an independent high-performance security system with six Gigabit ethernet interfaces. The FortiGate-5001FA2 module is similar to the FortiGate-5001SX module except that two of the FortiGate-5001FA2 interfaces include Fortinet technology to accelerate small packet performance.

FortiGate-5002FB2 module

The FortiGate-5002FB2 module is an independent high-performance FortiGate security system with a total of 6 Gigabit ethernet interfaces. Two of the FortiGate-5002FB2 interfaces include Fortinet technology to accelerate small packet performance.

FortiGate-3600A

[Figure: FortiGate-3600A front panel]

The FortiGate-3600A unit provides carrier-class levels of performance and reliability demanded by large enterprises and service providers. The unit uses multiple CPUs and FortiASIC chips to deliver throughput of 4Gbps, meeting the needs of the most demanding applications. The FortiGate-3600A unit includes redundant power supplies, which minimize single-point failures, and supports load-balanced operation, multiple virtual domain capacity, and other high end FortiGate features. The high capacity, reliability and easy management make the FortiGate-3600A a natural choice for managed service offerings.

FortiGate-3600

[Figure: FortiGate-3600 front panel]

The FortiGate-3600 unit provides carrier-class levels of performance and reliability demanded by large enterprises and service providers. The unit uses multiple CPUs and FortiASIC chips to deliver throughput of 4Gbps, meeting the needs of the most demanding applications. The FortiGate-3600 unit includes redundant power supplies, which minimize single-point failures, and supports load-balanced operation. The high capacity, reliability and easy management make the FortiGate-3600 a natural choice for managed service offerings.

FortiGate-3000

[Figure: FortiGate-3000 front panel]

The FortiGate-3000 unit provides the carrier-class levels of performance and reliability demanded by large enterprises and service providers. The unit uses multiple CPUs and FortiASIC chips to deliver a throughput of 3Gbps, meeting the needs of the most demanding applications. The FortiGate-3000 unit includes redundant power supplies to minimize single-point failures, including load-balanced operation and redundant failover with no interruption in service. The high capacity, reliability, and easy management of the FortiGate-3000 make it a natural choice for managed service offerings.

FortiGate-1000A

The FortiGate-1000A Security System is a high-performance solution for the most demanding large enterprise and service providers. The FortiGate-1000A has a flexible architecture to quickly adapt to emerging technologies such as IM, P2P or VOIP, including identity theft methods such as spyware, phishing and pharming attacks. The FortiGate-1000A automatically keeps up to date information on Fortinet’s FortiGuard Subscription Services by the FortiGuard Distribution Network, ensuring around-the-clock protection against the latest viruses, worms, trojans and other threats.

FortiGate-1000AFA2
The FortiGate-1000AFA2 Security System is a high-performance solution for the most demanding large enterprise and service providers, who demand top network security performance, rapid deployment, usability, low operational costs and most importantly a superior detection rate against known and unknown anomalies. The FortiGate-1000AFA2 also delivers critical security functions in a hardened security platform, tuned for reliability. The FortiGate-1000AFA2 features two extra optical fiber ports with Fortinet’s FortiAccel™ technology, enhancing small packet performance.

FortiGate-1000
The FortiGate-1000 unit is designed for larger enterprises. The FortiGate-1000 meets the needs of the most demanding applications, using multiple CPUs and FortiASIC chips to deliver a throughput of 2Gbps. The FortiGate-1000 unit includes support for redundant power supplies to minimize single-point failures, load-balanced operation, and redundant failover with no interruption in service.

FortiGate-800
The FortiGate-800 provides high throughput, a total of eight network connections (four of which are user-defined), VLAN support, and support for the RIP and OSPF routing protocols. The FortiGate-800 also provides stateful failover HA, and virtual domains. The FortiGate-800 is a natural choice for large enterprises.

FortiGate-800F
The FortiGate-800F provides the same features as the FortiGate-800, using four fibre-optic Internal, External, DMZ and HA interfaces. The FortiGate-800F also provides stateful failover HA, when you are configuring a cluster of FortiGate units. The FortiGate-800F provides the flexibility, reliability and easy management large enterprises are looking for.

FortiGate-500A
The FortiGate-500A unit provides the carrier-class levels of performance and reliability demanded by large enterprises and service providers. The flexibility, reliability, and easy management of the FortiGate-500A makes it a natural choice for managed service offerings. (including a 4-port LAN switch), and high-availability features with automatic failover with no session loss, the FortiGate-500A is the choice for mission critical applications.

FortiGate-500
The FortiGate-500 unit is designed for larger enterprises. The FortiGate-500 supports high availability (HA), which includes automatic failover with no session loss. The flexibility, reliability, and easy management makes the FortiGate-500 a natural choice for managed service offerings.

FortiGate-400A
The FortiGate-400A unit meets enterprise-class requirements for performance, availability, and reliability, making it the choice for mission critical applications. The FortiGate-400A also supports high availability (HA) and features automatic failover with no session loss.

FortiGate-400
The FortiGate-400 unit is designed for larger enterprises. The FortiGate-400 unit is capable of throughput up to 500Mbps and supports high availability (HA).

FortiGate-300A
The FortiGate-300A unit meets enterprise-class requirements for performance, availability, and reliability, making the FortiGate-300A a good choice for mission critical applications. The FortiGate-300A also supports high availability (HA) and includes automatic failover with no session loss.

FortiGate-300
The FortiGate-300 unit is designed for larger enterprises. The FortiGate-300 unit features high availability (HA), which includes automatic failover with no session loss. This feature makes the FortiGate-300 an excellent choice for mission-critical applications.

FortiGate-224B
The FortiGate-224B unit provides both layer-2 and layer-3 security features. It provides protection between external networks or the Internet and your internal networks, as well as providing protection between different segments of your internal network. The FortiGate-224B features:
• Access control to enforce software security requirements for client workstations. Non-compliant clients are restricted to a quarantine VLAN.
• route and port-based VLANs
• firewall protection between internal networks and the Internet
• firewall protection between secure switch ports
• firewall-like security policies to control communication between switch ports. You can apply this at the port level or at the inter-VLAN level.

FortiGate-200A
The FortiGate-200A unit is an easy-to-deploy and easy-to-administer solution that delivers exceptional value and performance for small office, home office and branch office applications.

FortiGate-200
The FortiGate-200 unit is designed for small businesses, home offices or even branch office applications. The FortiGate-200 unit is an easy-to-deploy and easy-to-administer solution. The FortiGate-200 also supports high availability (HA).

FortiGate-100A
The FortiGate-100A unit is designed to be an easy-to-administer solution for small offices, home offices, and branch office applications.

The FortiGate-100A supports advanced features such as 802.1Q VLAN, virtual domains, high availability (HA), and the RIP and OSPF routing protocols.

FortiGate-100
The FortiGate-100 unit is designed for SOHO, SMB and branch office applications. The FortiGate-100 supports advanced features such as 802.1Q VLAN, virtual domains, and the RIP and OSPF routing protocols.

FortiGate-60/60M/ADSL
The FortiGate-60 unit is designed for telecommuters, remote offices, and retail stores. The FortiGate-60 unit includes an external modem port that can be used as a backup or stand alone connection to the Internet while the FortiGate-60M unit includes an internal modem that can also be used either as a backup or a standalone connection to the Internet. The FortiGate-60ADSL includes an internal ADSL modem.

FortiGate-50A
The FortiGate-50A unit is designed for telecommuters and small remote offices with 10 or fewer employees. The FortiGate-50 unit includes an external modem port that can be used as a backup or stand alone connection to the Internet.

FortiWiFi-60/60A/60AM
The FortiWiFi-60 model provides a secure, wireless LAN solution for wireless connections. It combines mobility and flexibility with FortiWiFi Antivirus Firewall features, and can be upgraded to future radio technologies. The FortiWiFi-60 serves as the connection point between wireless and wired networks or the center-point of a standalone wireless network.

Fortinet family of products
Fortinet offers a family of products that includes both software and hardware appliances for a complete network security solution including mail, logging, reporting, network management, and security along with FortiGate Unified Threat Manager Systems. For more information on the Fortinet product family, go to www.fortinet.com/products.

FortiGuard Subscription Services
FortiGuard Subscription Services are security services created, updated and managed by a global team of Fortinet security professionals. These services are created with the latest security technology and designed to operate with the lowest possible operational costs. They ensure the latest attacks are detected and blocked before harming your corporate resources or infecting your end-user computing devices. FortiGuard Subscription Services includes:
• FortiGuard Antivirus Service
• FortiGuard Intrusion Prevention subscription services (IPS)
• FortiGuard Web Filtering
• FortiGuard Antispam Service
• FortiGuard Premier Service
An online virus scanner and virus encyclopedia is also available for your reference.

FortiAnalyzer
FortiAnalyzer™ provides network administrators with the information they need to enable the best protection and security for their networks against attacks and vulnerabilities. FortiAnalyzer features include:
• collects logs from FortiGate devices and syslog devices and FortiClient
• creates hundreds of reports using collected log data
• scans and reports vulnerabilities
• stores files quarantined from a FortiGate unit
The FortiAnalyzer unit can also be configured as a network analyzer to capture real-time traffic on areas of your network where firewalls are not employed. You can also use the unit as a storage device where users can access and share files, including the reports and logs that are saved on the FortiAnalyzer hard disk.

FortiClient
FortiClient™ Host Security software provides a secure computing environment for both desktop and laptop users running the most popular Microsoft Windows operating systems. FortiClient offers many features including:
• creating VPN connections to remote networks
• configuring real-time protection against viruses
• guarding against modification of the Windows registry
• virus scanning

FortiClient also offers a silent installation feature, enabling an administrator to efficiently distribute FortiClient to several users’ computers with preconfigured settings.

FortiManager
FortiManager™ meets the needs of large enterprises (including managed security service providers) responsible for establishing and maintaining security policies across many dispersed FortiGate installations. With FortiManager you can configure multiple FortiGate devices and monitor their status. You can also view real-time and historical logs for FortiGate devices. FortiManager emphasizes ease of use, including easy integration with third party systems.

FortiBridge
FortiBridge™ products are designed to provide enterprise organizations operating FortiGate units in Transparent mode with continuous network traffic flow in the event of a power outage or a FortiGate system failure. The FortiBridge unit bypasses the FortiGate unit to make sure that the network can continue processing traffic. FortiBridge products are easy to use and deploy, including providing customizable actions a FortiBridge unit takes in the event of a power outage or FortiGate system failure.

FortiMail
FortiMail™ provides powerful, flexible heuristic scanning and reporting capabilities to incoming and outgoing email traffic. The FortiMail unit has reliable, high performance features for detecting and blocking malicious attachments and spam, such as FortiGuard Antispam/Antivirus support, heuristic scanning, greylisting, and Bayesian scanning. Built on Fortinet’s award winning FortiOS and FortiASIC technology, FortiMail antivirus technology extends full content inspection capabilities to detect the most advanced email threats.

FortiReporter
FortiReporter Security Analyzer software generates easy-to-understand reports and can collect logs from any FortiGate unit, as well as over 30 network and security devices from third-party vendors. FortiReporter reveals network abuse, manages bandwidth requirements, monitors web usage, and ensures employees are using the office network appropriately. FortiReporter allows IT administrators to identify and respond to attacks, including identifying ways to proactively secure their networks before security threats arise.

About this document
This FortiGate FortiOS v3.0 Administration Guide provides detailed information about FortiGate™ web-based manager options and how to use them. This guide also contains some information about the FortiGate CLI.

The information in this document is also available in a slightly different form as FortiGate web-based manager online help. The most recent version of this document is available from the FortiGate page of the Fortinet Technical Documentation web site. You can find more information about FortiOS v3.0 from the FortiGate page of the Fortinet Technical Documentation web site as well as from the Fortinet Knowledge Center.

This administration guide describes web-based manager functions in the same order as the web-based manager menu. The document begins with a general description of the FortiGate web-based manager and a description of FortiGate virtual domains. Following these chapters, each item in the System menu, Router menu, Firewall menu, and VPN menu gets a separate chapter. Then User, AntiVirus, Intrusion Protection, Web Filter, AntiSpam, IM/P2P, and Log & Report are all described in single chapters. The document concludes with a detailed index.

This administration guide contains the following chapters:
• Web-based manager provides an introduction to the features of the FortiGate web-based manager and includes information about how to register a FortiGate unit and about how to use the web-based manager online help.
• Using virtual domains provides information about how to define and manage virtual domains on the FortiGate unit.
• System Status describes the status information that you can view, including system status, unit information, system resources, session log, content archive and attack log statistics, and the alert message console. This chapter also describes the status changes that you can make, including changing the unit firmware, host name, and system time, enable FortiProtect™ Distribution Network (FDN) updates, register the FortiGate unit, create bug reports, and enter a license key to increase the maximum number of virtual domains.
• System Network explains how to configure physical and virtual interfaces and DNS settings on the FortiGate unit.
• System Wireless describes how to configure the Wireless LAN interface on a FortiWiFi-60 unit.
• System DHCP provides information about how to configure a FortiGate interface as a DHCP server or DHCP relay agent.
• System Config contains procedures for configuring HA and virtual clustering, configuring SNMP and replacement messages, and changing the operation mode.
• System Admin guides you through adding and editing administrator accounts, defining access profiles for administrators, configuring FortiManager™ access, and defining general administrative settings such as language, timeouts, and web administration ports.
• System Maintenance details how to back up and restore the system configuration.
• Router Static explains how to define static routes and create route policies. A static route causes packets to be forwarded to a destination other than the factory configured default gateway.
• Router Dynamic contains information about how to configure dynamic protocols to route traffic through large or complex networks.

• Router Monitor explains how to interpret the Routing Monitor list. The list displays the entries in the FortiGate routing table.
• Firewall Policy describes how to add firewall policies to control connections and traffic between FortiGate interfaces, zones, and VLAN subinterfaces.
• Firewall Address describes how to configure addresses and address groups for firewall policies.
• Firewall Service describes available services and how to configure service groups for firewall policies.
• Firewall Schedule describes how to configure one-time and recurring schedules for firewall policies.
• Firewall Virtual IP describes how to configure and use virtual IP addresses and IP pools.
• Firewall Protection Profile describes how to configure protection profiles for firewall policies.
• VPN IPSEC provides information about the tunnel-mode and route-based (interface mode) Internet Protocol Security (IPSec) VPN options available through the web-based manager.
• VPN PPTP explains how to use the web-based manager to specify a range of IP addresses for PPTP clients.
• VPN SSL provides information about basic SSL VPN settings.
• VPN Certificates explains how to manage X.509 security certificates.
• User details how to control access to network resources through user authentication.
• AntiVirus explains how to enable antivirus options when you create a firewall protection profile.
• Intrusion Protection explains how to configure IPS options when a firewall protection profile is created.
• Web Filter explains how to configure web filter options when a firewall protection profile is created.
• Antispam explains how to configure spam filter options when a firewall protection profile is created.
• IM/P2P explains how to configure IM and P2P options when a firewall protection profile is created. You can view IM and P2P statistics to gain insight into how the protocols are being used within the network.
• Log&Report describes how to enable logging, view log files, and view the basic reports available through the web-based manager.
• Switch (FortiGate-224B) describes how to configure the switch portion of your FortiGate-224B unit.

Document conventions
The following document conventions are used in this guide:
• In the examples, private IP addresses are used for both private and public IP addresses.
• Notes and Cautions are used to provide important information:
Note: Highlights useful additional information.

Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

Typographic conventions
Fortinet documentation uses the following typographical conventions:

Convention           Example
Menu commands        Go to VPN > IPSEC > Phase 1 and select Create New.
Keyboard input       In the Gateway Name field, type a name for the remote VPN peer or client (for example, Central_Office_1).
Code examples        config sys global
                         set ips-open enable
                     end
CLI command syntax   config firewall policy
                         edit id_integer
                             set http_retry_count <retry_integer>
                             set natip <address_ipv4mask>
                     end
Document names       FortiGate Administration Guide
File content         <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
                     <BODY><H4>You must authenticate to use this service.</H4>
Program output       Welcome!
Variables            <address_ipv4>

FortiGate documentation
The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com.

The following FortiGate product documentation is available:
• FortiGate QuickStart Guide
Provides basic information about connecting and installing a FortiGate unit.
• FortiGate Installation Guide
Describes how to install a FortiGate unit. Includes a hardware reference, default configuration information, installation procedures, connection procedures, and basic configuration procedures. Choose the guide for your product model number.
• FortiGate Administration Guide
Provides basic information about how to configure a FortiGate unit, including how to define FortiGate protection profiles and firewall policies; how to apply intrusion prevention, antivirus protection, web content filtering, and spam filtering; and how to configure a VPN.

• FortiGate online help
Provides a context-sensitive and searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
• FortiGate CLI Reference
Describes how to use the FortiGate CLI and contains a reference to all FortiGate CLI commands.
• FortiGate Log Message Reference
Available exclusively from the Fortinet Knowledge Center, the FortiGate Log Message Reference describes the structure of FortiGate log messages and provides information about the log messages that are generated by FortiGate units.
• FortiGate High Availability User Guide
Contains in-depth information about the FortiGate high availability feature and the FortiGate clustering protocol.
• FortiGate IPS User Guide
Describes how to configure the FortiGate Intrusion Prevention System settings and how the FortiGate IPS deals with some common attacks.
• FortiGate IPSec VPN User Guide
Provides step-by-step instructions for configuring IPSec VPNs using the web-based manager.
• FortiGate SSL VPN User Guide
Compares FortiGate IPSec VPN and FortiGate SSL VPN technology, and describes how to configure web-only mode and tunnel-mode SSL VPN access for remote users through the web-based manager.
• FortiGate PPTP VPN User Guide
Explains how to configure a PPTP VPN using the web-based manager.
• FortiGate Certificate Management User Guide
Contains procedures for managing digital certificates including generating certificate requests, installing signed certificates, importing CA root certificates and certificate revocation lists, and backing up and restoring installed certificates and private keys.
• FortiGate VLANs and VDOMs User Guide
Describes how to configure VLANs and VDOMS in both NAT/Route and Transparent mode. Includes detailed examples.

Fortinet Tools and Documentation CD
All Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current for your product at shipping time. For the latest versions of all Fortinet documentation see the Fortinet Technical Documentation web site at http://docs.forticare.com.

Fortinet Knowledge Center
Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.

Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.

Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network. Please visit the Fortinet Technical Support web site at http://support.fortinet.com to learn about the technical support services that Fortinet provides.


Web-based manager
This section describes the features of the user-friendly web-based manager administrative interface of your FortiGate unit. Using HTTP or a secure HTTPS connection from any computer running a web browser, you can configure and manage the FortiGate unit. The web-based manager supports multiple languages. You can configure the FortiGate unit for HTTP and HTTPS administration from any FortiGate interface.

You can use the web-based manager to configure most FortiGate settings and to monitor the status of the FortiGate unit. Configuration changes made using the web-based manager are effective immediately without resetting the firewall or interrupting service. Once you are satisfied with a configuration, you can back it up. The saved configuration can be restored at any time.

For information about connecting to the web-based manager, see “Connecting to the web-based manager” in the Installation Guide for your unit.

Figure 1: Example FortiGate-5001SX Web-based manager dashboard

The following topics are included in this section:
• Button bar features
• Web-based manager pages

Button bar features
The button bar in the upper right corner of the web-based manager provides access to several important FortiGate features.

Figure 2: Web-based manager button bar (callouts: Contact Customer Support, Logout, Online Help)

Contact Customer Support
The Contact Customer Support button opens the Fortinet Support web page in a new browser window. From this page you can:
• Access the Fortinet Knowledge Center.
• Register your FortiGate unit (Product Registration).
• Log into Customer Support (Support Login).
• Visit the FortiGuard Center.
• Find out about Fortinet Training and Certification.
To register your FortiGate unit, go to Product Registration and follow the instructions.

Using the Online Help
The Online Help button displays online help for the current web-based manager page. The online help page that is displayed contains information and procedures related to the controls on the current web-based manager page. Most help pages also contain hyperlinks to related topics. The online help system also includes a number of controls that you can use to find additional information.

Figure 3: Viewing system status online help page (callouts: Show Navigation, Previous, Next, Bookmark, Print, Email)

Show Navigation: Open the online help navigation pane. From the navigation pane you can use the online help table of contents, index, and search to access all of the information in the online help. The online help is organized in the same way as the FortiGate web-based manager and the FortiGate Administration Guide.
Previous: Display the previous page in the online help.
Next: Display the next page in the online help.
Email: Send an email to Fortinet Technical Documentation at techdoc@fortinet.com. You can use this email address to let us know if you have a comment about or correction for the online help or any other Fortinet technical documentation product.
Print: Print the current online help page.
Bookmark: Add an entry for this online help page to your browser bookmarks or favorites list. Use this button to make it easier to find helpful online help pages.

Select Show Navigation to display the online help navigation pane.

Figure 4: Online help page with navigation pane (callouts: Contents, Index, Search, Show in Contents)

Contents: Display the online help table of contents. The online help is organized in the same way as the FortiGate web-based manager and the FortiGate Administration Guide. You can navigate through the table of contents to find information in the online help.
Index: Display the online help index. You can use the index to find information in the online help.
Search: Display the online help search. See “About searching the online help” on page 36 for information about how to search for information in the online help.
Show in Contents: If you have used the index, search, or hyperlinks to find information in the online help, the table of contents may not be visible or the table of contents may be out of sync with the current help page. You can select Show in Contents to display the table of contents showing the location of the current help page.

About searching the online help
Using the online help search, you can search for one word or multiple words in the full text of the FortiGate online help system. The help pages found by the search are ranked in order of relevance. The higher the ranking, the more likely the help page includes useful or detailed information about the word or words that you are searching for. Help pages with one or more of the search words in the help page title are ranked highest.

Please note the following about the search:
• If you search for multiple words, the search finds help pages that contain all of the words that you entered. The search does not find help pages that only contain one of the words that you entered.
• You can use the asterisk (*) as a search wildcard character that is replaced by any number of characters. For example, if you search for auth* the search finds help pages containing auth, authenticate, authenticates, authentication, and so on.
• In some cases the search only finds exact matches. For example if you search for windows the search may not find pages containing the word window. You can work around this using the * wildcard (for example by searching for window*).

To search in the help system
1 From any web-based manager page, select the online help button.
2 Select Show Navigation to display the online help navigation pane.
3 Select Search.
4 Type one or more words to search for in the search field and then press enter or select Go.
The search pane lists the names of all the online help pages that contain the word or words that you entered. Select a name from the list to display that help page.

Using the keyboard to navigate in the online help
You can use the keyboard shortcuts listed in Table 1 to display and find information in the online help.

Table 1: Online help navigation keys

Key     Function
Alt+1   Display the table of contents.
Alt+2   Display the index.
Alt+3   Display the Search tab.
Alt+4   Go to the previous page.
Alt+5   Go to the next page.
Alt+7   Send an email to Fortinet Technical Documentation at techdoc@fortinet.com. You can use this email address to let us know if you have a comment about or correction for the online help or any other Fortinet technical documentation product.
Alt+8   Print the current online help page.
Alt+9   Add an entry for this online help page to your browser bookmarks or favorites list. Use this button to make it easier to find helpful online help pages.

Logout
The Logout button immediately logs you out of the web-based manager. Log out before you close the browser window. If you simply close the browser or leave the web-based manager, you remain logged-in until the idle timeout (default 5 minutes) expires.

Web-based manager pages
The web-based manager interface consists of a menu and pages, many of which have multiple tabs. When you select a menu item, such as System, it expands to reveal a submenu. When you select one of the submenu items, the associated page opens at its first tab. To view a different tab, select the tab. The procedures in this manual direct you to a page by specifying the menu item, the submenu item and the tab, like this:
1 Go to System > Network > Interface.

Figure 5: Parts of the web-based manager (callouts: Tabs, Page, Button bar, Menu, Status bar)

Web-based manager menu
The menu provides access to configuration options for all major features of the FortiGate unit.

System               Configure system facilities, such as network interfaces, virtual domains, DHCP services, time and set system options.
Router               Configure the router.
Firewall             Configure firewall policies and protection profiles that apply the network protection features. Also configure virtual IP addresses and IP pools.
VPN                  Configure virtual private networks.
User                 Configure user accounts for use with firewall policies that require user authentication. Also configure external authentication servers.
Anti-Virus           Configure antivirus protection.
Intrusion Prevention Configure the intrusion prevention system.
Web Filter           Configure web filtering.
Anti-Spam            Configure email spam filtering.
IM/P2P               Configure monitoring and control of internet messaging and peer-to-peer messaging.
Log & Report         Configure logging. View log messages.

Lists
Many of the web-based manager pages are lists. There are lists of network interfaces, firewall policies, administrators, users, and so on.

Figure 6: Example of a web-based manager list (Delete and Edit icons in the right-most column)

The list shows some information about each item and the icons in the right-most column enable you to take action on the item. In this example, you can select Delete to remove the item or select Edit to modify the item. To add another item to the list, you select Create New. This opens a dialog box in which you define the new item. The dialog box for creating a new item is similar to the one for editing an existing item.

Icons
The web-based manager has icons in addition to buttons to enable you to interact with the system. There are tooltips to assist you in understanding the function of the icon. Pause the mouse pointer over the icon to view the tooltip. Table 2 describes the icons that are available in the web-based manager.

Table 2: web-based manager icons
Name  Description
Change Password  Change the administrator password. This icon appears in the Administrators list if your access profile enables you to give write permission to administrators.
Clear  Clear a log file.
Collapse  Collapse this section to hide some fields. This icon is used in some dialog boxes and some lists.
Column Settings  Select the columns to display. This icon is used in Log Access and firewall Policy lists among others.
Delete  Delete an item. This icon appears in lists where the item can be deleted and you have write permission on the page.
Description  The tooltip for this icon displays the Description field for this table entry.
Download or Backup  Download a log file or back up a configuration file.

Table 2: web-based manager icons (continued)
Name  Description
Download  Download a Certificate Signing Request.
Edit  Edit a configuration. This icon appears in lists where you have write permission on the page.
Expand  Expand this section to reveal more fields. This icon is used in some dialog boxes and some lists.
Filter  Set a filter on one or more columns in this table. A dialog opens in which you can specify filters. The icon is green on columns where a filter is active, otherwise it is grey.
Go  Do a search.
Insert Policy before  Create a new policy to precede the current one.
Move to  Move item in list.
Next page  View next page of list.
Previous page  View previous page of list.
Refresh  Update the information on this page.
Restore  Restore a configuration from a file.
View  View a configuration. This icon appears in lists instead of the Edit icon when you do not have write permission on that page.

Status bar
The status bar is at the bottom of the web-based manager screen.

Figure 7: Status bar

The status bar shows
• how many administrators are logged into the FortiGate unit (see “Monitoring administrators” on page 153)
• how long the FortiGate unit has been operating since the last time it was restarted



Using virtual domains
This section describes how to use virtual domains to operate your FortiGate unit as multiple virtual units, providing separate firewall and routing services to multiple networks.
The following topics are included in this section:
• Virtual domains
• Enabling multiple VDOM operation
• Configuring VDOMs and global settings

Virtual domains
Virtual domains (VDOMs) enable a FortiGate unit to function as multiple independent units. A single FortiGate unit is then flexible enough to serve multiple departments of an organization, separate organizations or be the basis for a service provider’s managed security service.
VDOMs provide separate security domains that allow separate zones, user authentication, firewall policies, routing, and VPN configurations. Using VDOMs can also simplify administration of complex configurations because you do not have to manage as many routes or firewall policies at one time.
When a packet enters a VDOM, it is confined to that VDOM. In a VDOM, you can create firewall policies for connections between VLAN subinterfaces or zones in the VDOM. Packets do not cross the virtual domain border internally. To travel between VDOMs a packet must pass through a firewall on a physical interface. The packet then arrives at another VDOM on a different interface where it must pass through another firewall before entering. Both VDOMs are on the same FortiGate unit. The one exception is if you configure inter-VDOM routing using CLI commands.
The operating mode, NAT/Route or Transparent, is independently selectable for each VDOM.
To configure and use VDOMs, you must enable virtual domain configuration. See “Enabling multiple VDOM operation” on page 46. When you create and configure a VDOM, you must assign interfaces or VLAN subinterfaces to it. Optionally, you can assign an administrator account that can log in only to that VDOM. If the VDOM is created to serve an organization, this enables the organization to manage its configuration independently. See “VDOM configuration settings” on page 44.
Note: The FortiGate-224B unit does not support multiple virtual domains in this release.

The remainder of FortiGate functionality is global. It applies to all VDOMs. This means that there is one intrusion prevention configuration, one antivirus configuration, one web filter configuration, one protection profile configuration, and so on. As well, VDOMs share firmware versions, antivirus and attack databases. For a complete list of shared configuration settings, see “Global configuration settings” on page 45.
By default, your FortiGate unit supports a maximum of 10 VDOMs in any combination of NAT/Route and Transparent modes. For FortiGate models numbered 3000 and higher, you can purchase a license key to increase the maximum number of VDOMs to 25, 50, 100 or 250. For more information see “License” on page 169. If virtual domain configuration is enabled and you log in as the default super admin, you can go to System > Status and look at Virtual Domain in the License Information section to see the maximum number of virtual domains supported on your FortiGate unit.
By default, each FortiGate unit has a VDOM named root. This VDOM includes all of the FortiGate physical interfaces, VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings. Once you add a VDOM you can configure it by adding VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings. You can also move physical interfaces from the root VDOM to other VDOMs and move VLAN subinterfaces from one VDOM to another. For more information on VLANs, see “VLAN overview” on page 92. For more information on VDOMs, see the FortiGate VLANs and VDOMs Guide.
Management systems such as SNMP, logging, alert email, FDN-based updates and NTP-based time setting use addresses and routing in the management VDOM to communicate with the network. They can connect only to network resources that communicate with the management virtual domain. The management VDOM is set to root by default, but can be changed. For more information see “Changing the Management VDOM” on page 49.

VDOM configuration settings
The following configuration settings are exclusively part of a virtual domain and are not shared between virtual domains. A regular administrator for the VDOM sees only these settings. The default super admin can also access these settings, but must first select which VDOM to configure.
• System settings
  • Zones
  • DHCP services
  • Operation mode (NAT/Route or Transparent)
  • Management IP (Transparent mode)
• Router configuration

• Firewall settings
  • Policies
  • Addresses
  • Service groups and custom services
  • Schedules
  • Virtual IPs
  • IP pools
• VPN configuration
  • IPSec
  • PPTP
  • SSL
• User settings
  • Users
  • User groups
  • RADIUS and LDAP servers
  • Microsoft Windows Active Directory servers
• P2P Statistics (view/reset)
• Logging configuration, log access and log reports

Global configuration settings
The following configuration settings affect all virtual domains. When virtual domain configuration is enabled, only the default super admin can access global settings.
• System settings
  • Physical interfaces and VLAN subinterfaces (Each physical interface or VLAN subinterface belongs to only one VDOM. Each VDOM can use or configure only its own interfaces.)
  • DNS settings
  • Host name
  • System time
  • Firmware version (on System Status page)
  • Idle and authentication timeout
  • Web-based manager language
  • LCD panel PIN, where applicable
  • Dead gateway detection
  • HA configuration
  • SNMP configuration
  • Replacement messages
  • Administrators (Each administrator belongs to only one VDOM. Each VDOM can configure only its own administrators.)
  • Access profiles
  • FortiManager configuration
  • Configuration backup and restore
  • FDN update configuration
  • Bug reporting
• Firewall
  • Predefined services
  • Protection Profiles
• VPN certificates
• Antivirus configuration

• Intrusion Prevention configuration
• Web filter configuration
• Antispam configuration
• IM configuration
  • Statistics
  • User lists and policies

Enabling multiple VDOM operation
Using the default admin administration account, you can enable multiple VDOM operation on the FortiGate unit.
To enable virtual domain configuration
1 Log in to the web-based manager as admin.
2 Go to System > Admin > Settings.
3 Enable Virtual Domain Configuration.
4 Select Apply.
The FortiGate unit logs you off. You can now log in again as admin.

Configuring VDOMs and global settings
When Virtual Domain Configuration is enabled, the web-based manager and the CLI are changed as follows:
• Global and per-VDOM configurations are separated.
• Only the admin account can view or configure global options.
• The admin account can configure all VDOM configurations.
• A regular administrator account can configure only the VDOM to which it is assigned and can access the FortiGate unit only through an interface that belongs to that VDOM.
• The admin account can connect through any interface in the root VDOM or through any interface that belongs to a VDOM for which a regular administrator account has been assigned.
When Virtual Domain Configuration is enabled, only the default super admin account can:
• configure global settings
• create or delete VDOMs
• configure multiple VDOMs
• assign interfaces to a VDOM
• assign an administrator to a VDOM

A VDOM is not useful unless it contains at least two physical interfaces or VLAN subinterfaces for incoming and outgoing traffic. Only the super admin can assign physical interfaces or VLAN subinterfaces to VDOMs. A regular administrator account can create a VLAN subinterface on a physical interface within their own VDOM.
Only the super admin can configure a VDOM unless you create and assign a regular administrator to that VDOM. Only the super admin can assign an administrator to a VDOM. An administrator account whose access profile provides read and write access to Admin Users can create additional administrators in its own VDOM.

Working with VDOMs and global settings
When you log in as admin and virtual domain configuration is enabled, the web-based manager displays the list of virtual domains. Use this list to manage VDOMs.

Figure 8: Virtual domains list

Global Configuration  Configure global settings. The web-based manager displays a screen similar to that described in the Web-based manager module (see “Web-based manager” on page 33) except that it shows only global settings. Use the << Main Menu control to return to the virtual domains list.
Create New  Add a new VDOM. Enter a name and select OK. The VDOM name can be a maximum of 11 characters long. The VDOM must not have the same name as an existing VLAN or zone.
Set Management  Change the management VDOM to the selected VDOM. The management VDOM is indicated in brackets. The default management VDOM is root. If more than one VDOM is selected when Set Management is selected, the VDOM appearing first in the table will be assigned as the management VDOM. For more information see “Changing the Management VDOM” on page 49.
Delete Selection  Delete the selected VDOM. You cannot delete the root VDOM.
Selection  Enable to select VDOM for deletion or to set as the management VDOM.

Name  The name of the VDOM. Select the name to configure that VDOM. The web-based manager displays a screen similar to that described in the Web-based manager section (see “Web-based manager” on page 33) except that it shows only VDOM-specific settings. The status bar at the bottom of the screen shows which VDOM you are configuring. Use the << Main Menu control to return to the virtual domains list.
Operation Mode  The VDOM operation mode, either NAT (NAT/Route) or Transparent.

Adding interfaces to a VDOM
A VDOM must contain at least two interfaces. These can be physical or virtual interfaces such as VLAN subinterfaces. By default, all physical interfaces are in the root virtual domain. Interfaces are part of global configuration settings.
VLAN subinterfaces often need to be in a different VDOM than their physical interface. To do this, the super admin must create the VLAN subinterface and assign it to the required VDOM. For information on creating VLAN subinterfaces, see “Adding VLAN subinterfaces” on page 95.
As of FortiOS v3.0 MR1, inter-VDOM routing enables you to communicate between VDOMs internally without using a physical interface. This feature is only configurable with the CLI. For information on configuring inter-VDOM interfaces, see the FortiGate CLI Reference and the FortiGate VLANs and VDOMs Guide.

Assigning an interface to a VDOM
The following procedure describes how to reassign an existing interface from one virtual domain to another.
You cannot remove an interface from a VDOM if the interface is included in any of the following configurations:
• routing
• proxy arp (only accessible through the CLI)
• DHCP server
• zone
• firewall policy
• IP pool
Delete these items or modify them to remove the interface before proceeding.
Note: An interface or subinterface is available for reassigning or removing once the delete icon is displayed. Until then, the interface is still in use by a configuration somewhere.
To assign an interface to a VDOM
1 Log in as admin.
2 Select Global Configuration.
3 Go to System > Network > Interface.
4 Select Edit for the interface that you want to reassign.
5 Select the Virtual Domain to which to reassign the interface.

6 Configure other settings as required and select OK. See “Interface settings” on page 69.
The interface is assigned to the VDOM. Existing firewall IP pools and virtual IP addresses for this interface are deleted. You should manually delete any routes that include this interface, and create new routes for this interface in the new VDOM.

Assigning an administrator to a VDOM
If you are creating a VDOM to serve an organization that wants to administer its own resources, you need to create an administrator account for that VDOM. A regular administrator assigned to a VDOM can log in to the web-based manager or the CLI only on interfaces that belong to that VDOM. The super admin can connect to the web-based manager or CLI through any interface that permits management access. Only the super admin or a regular administrator of the root domain can log in by connecting to the console interface.
To assign an administrator to a VDOM
1 Log in as the super admin.
2 Select Global Configuration.
3 Go to System > Admin > Administrators.
4 Create and/or configure the new administrator account as required. For detailed information about configuring an administrator account, see “Configuring an administrator account” on page 145.
5 From the Virtual Domain list, select the VDOM this administrator manages.
6 Select Apply.

Changing the Management VDOM
Changing the management VDOM will change the VDOM where your FortiGate unit’s management traffic originates. Management VDOM traffic includes:
• SNMP
• logging
• alert email
• FDN-based updates
• NTP-based time setting
Before you change the management VDOM, ensure Virtual Domain Configuration is selected.
Note: You cannot change the management VDOM if any administrators are using RADIUS authentication.
To change the management VDOM
1 Virtual Domain Configuration must be enabled.
2 Select the VDOM that will be the new management VDOM.
3 Select Set Management to apply the changes.
Management traffic will now originate from the new management VDOM.
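The rules in this section (every VDOM needs two interfaces, packets stay inside their VDOM so a policy may only use its own VDOM's interfaces, an interface cannot leave a VDOM while routes, DHCP servers, zones, policies or IP pools still reference it, and management traffic is sourced from a management VDOM that must exist) can be checked offline against a configuration backup before touching a production unit. The following Python script is an added example written for this guide; it is not Fortinet code and the guide does not describe it. It parses only the config/edit/set/next/end structure of a backed-up configuration, and the table and attribute names it looks for (system interface "vdom", firewall policy "srcintf"/"dstintf", system zone and system dhcp server "interface", firewall ippool "interface", router static "device", system global "management-vdom") are assumptions about the 3.0 configuration format. The sample configuration dump is constructed for the example, not taken from a real unit.

```python
import shlex
# Tables whose attributes name an interface (attribute names assumed for 3.0).
INTERFACE_REFS = {"firewall policy": ("srcintf", "dstintf"), "system zone": ("interface",),
                  "system dhcp server": ("interface",), "firewall ippool": ("interface",),
                  "router static": ("device",)}

def parse_fortios(text):
    # Handles the config/edit/set/next/end subset of the CLI. Returns (vdom names, records);
    # a record holds table, name, attrs and the VDOM scope it was defined in (None = global).
    frames, records, vdoms = [], [], []
    for tok in filter(None, map(shlex.split, text.splitlines())):
        kw, args = tok[0], tok[1:]
        if kw == "config":
            frames.append({"table": " ".join(args), "name": None, "attrs": {}})
        elif kw == "edit":
            frames.append({"table": frames[-1]["table"], "name": args[0], "attrs": {}})
            if frames[-1]["table"] == "vdom" and args[0] not in vdoms:
                vdoms.append(args[0])
        elif kw == "set":
            frames[-1]["attrs"][args[0]] = args[1:]
        elif kw in ("next", "end"):
            f = frames.pop()
            if f["name"] is not None or f["attrs"]:  # skip empty table wrappers
                f["vdom"] = next((x["name"] for x in reversed(frames)  # enclosing VDOM
                                  if x["table"] == "vdom" and x["name"]), None)
                records.append(f)
    return vdoms, records

def interface_dependencies(text, ifname):
    # Objects that must be deleted or edited before ifname can leave its VDOM.
    _, records = parse_fortios(text)
    return [f"{r['table']} {r['name']} ({r['vdom'] or 'global'})" for r in records
            for key in INTERFACE_REFS.get(r["table"], ()) if ifname in r["attrs"].get(key, [])]

def audit(text):
    # Violations of the VDOM rules: the management VDOM must exist, every VDOM needs two
    # interfaces, and a policy may only use interfaces that belong to its own VDOM.
    vdoms, records = parse_fortios(text)
    owner = {r["name"]: r["attrs"].get("vdom", ["root"])[0]
             for r in records if r["table"] == "system interface"}
    glob = next((r for r in records if r["table"] == "system global"), {"attrs": {}})
    mgmt = glob["attrs"].get("management-vdom", ["root"])[0]
    findings = [] if mgmt in vdoms else [f"management VDOM '{mgmt}' does not exist"]
    for vd in vdoms:
        n = list(owner.values()).count(vd)
        if n < 2:
            findings.append(f"VDOM '{vd}' has {n} interface(s); needs at least 2")
    for r in records:
        if r["table"] != "firewall policy":
            continue
        for key in ("srcintf", "dstintf"):
            for name in r["attrs"].get(key, []):
                if owner.get(name) != r["vdom"]:  # packet would have to cross a VDOM border
                    findings.append(f"policy {r['name']} in '{r['vdom']}' uses {key} "
                                    f"{name} owned by '{owner.get(name)}'")
    return findings

# Constructed sample dump, not from a real unit. Interfaces without "set vdom" default to
# root. vd_lab has only port5, and its policy reaches root's "internal" directly.
SAMPLE = """\
config global
config system global
set management-vdom "root"
end
config system interface
edit "internal"
next
edit "external"
next
edit "port3"
set vdom "vd_sales"
next
edit "port4"
set vdom "vd_sales"
next
edit "port5"
set vdom "vd_lab"
next
end
end
config vdom
edit root
next
edit vd_sales
config router static
edit 1
set device "port4"
next
end
next
edit vd_lab
config firewall policy
edit 1
set srcintf "port5"
set dstintf "internal"
next
end
next
end
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), *interface_dependencies(SAMPLE, "port4"), sep="\n")
```

Run against a real backup, audit() reports the VDOM with too few interfaces and the policy that names an interface owned by another VDOM, and interface_dependencies() lists exactly the objects the checklist above says must be removed before the Edit dialog will let you move the interface (the proxy arp entry is CLI-only and not covered by the parser).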


System Status
This section describes the System Status page, also known as the system dashboard.
The following topics are included in this section:
• Status page
• Changing system information
• Changing the FortiGate firmware
• Viewing operational history
• Manually updating FortiGuard definitions
• Viewing Statistics

Status page
View the System Status page, the dashboard of your FortiGate unit, for a snapshot of the current operating status of the FortiGate unit. At a glance you can view the current system status of the FortiGate unit including serial number, uptime, FortiGuard™ license information, system resource usage, alert messages and network statistics. If you also have system configuration write access, you can modify system information and update FortiGuard-AV and FortiGuard-IPS definitions.
FortiGate administrators whose access profiles permit read access to system configuration can view system status information. FortiGate administrators whose access profiles permit write access to system configuration can change or update FortiGate unit information. For information on access profiles, see “Access profiles” on page 147.
When the FortiGate unit is part of an HA cluster, the Status page includes basic HA cluster status information including the name of the cluster and the cluster members including their hostnames. To view more complete status information for the cluster, go to System > Config > HA. For more information, see “HA” on page 117. HA is not available on FortiGate models 50A, 50AM and 224B.

Viewing system status
The System Status page displays by default when you log in to the web-based manager. At any time, go to System > Status to view the System Status page. To view this page, your access profile must permit read access to system configuration. For information on access profiles, see “Access profiles” on page 147.

Figure 9: System status

System information

Figure 10: Example FortiGate-5001 System Information

Serial Number  The serial number of the current FortiGate unit. The serial number is specific to the FortiGate unit and does not change with firmware upgrades.
Uptime  The time in days, hours, and minutes since the FortiGate unit was last started.
System Time  The current date and time according to the FortiGate unit internal clock. Select Change to change the time or configure the FortiGate unit to get the time from an NTP server. See “Configuring system time” on page 58.

Host Name  The host name of the current FortiGate unit. Select Change to change the host name. See “Changing the FortiGate unit host name” on page 58. If the FortiGate unit is in HA mode, this field is not displayed.
Cluster Name  The name of the HA cluster for this FortiGate unit. The FortiGate unit must be operating in HA mode to display this field. See “HA” on page 117.
Cluster Members  The FortiGate units in the HA cluster. Information displayed about each member includes hostname, serial number, and if the unit is a primary (master) or subordinate (slave) unit in the cluster. The FortiGate unit must be operating in HA mode with virtual domains not enabled to display this field. See “HA” on page 117.
Virtual Cluster 1, Virtual Cluster 2  The role of each FortiGate unit in virtual cluster 1 and virtual cluster 2. The FortiGate unit must be operating in HA mode with virtual domains enabled to display these fields. See “HA” on page 117.
Firmware Version  The version of the firmware installed on the current FortiGate unit. Select Update to change the firmware. See “Upgrading to a new firmware version” on page 59.
FortiClient Version  The currently loaded version of FortiClient. Select Update to upload a new FortiClient software image to this FortiGate unit from your management computer. This is only available on units that support FortiClient.
Operation Mode  The operating mode of the FortiGate unit. FortiGate units can operate in NAT mode or Transparent mode. Select Change to switch between NAT and Transparent mode. See “Changing operation mode” on page 139. If virtual domains are enabled, this field shows the operating mode of the current virtual domain. A virtual domain can be operating in either NAT mode or Transparent mode. The Change option will not be displayed if you have more than one virtual domain configured.
Virtual Domain  The status of virtual domains. Except for model 224B, selecting Change will take you to the System > Admin > Settings screen where you can turn virtual domains on or off.
Current Administrators  The number of administrators currently logged into the FortiGate unit. Select Details to view more information about each administrator that is logged in. The additional information includes user name, type of connection, IP address they are connecting from, and when they logged in.

License Information
License information displays the status of your FortiGate support contract and FortiGuard subscriptions. The FortiGate unit updates the license information status indicators automatically by connecting to the FortiGuard network. FortiGuard subscriptions status indicators are green for OK, grey if the FortiGate unit cannot connect to the FortiGuard network, and yellow if the license has expired.

Figure 11: Example License Information

Support Contract  The support contract number and expiry date. If Not Registered is displayed, select Register to register the unit. If Renew is visible, you need to renew your support contract. Contact your local reseller.
FortiGuard Subscriptions
AntiVirus  The FortiGuard Antivirus license version, issue date and service status. If your license has expired you can select Renew to renew the license.
AV Definitions  The current installed version of the FortiGuard Antivirus Definitions. To update the definitions manually, select Update. For more information, see “Updating the FortiGuard AV Definitions manually” on page 61.
Intrusion Protection  The FortiGuard intrusion protection license version, issue date and service status. If your license has expired you can select Renew to renew the license.
IPS Definitions  The current installed version of the Intrusion Prevention System (IPS) attack definitions. To update the definitions manually, select Update. For more information, see “Updating the FortiGuard IPS Definitions manually” on page 62.
Web Filtering  The FortiGuard Web Filtering license type, expiry date and service status. If your license has expired you can select Renew to renew the license.
Antispam  The FortiGuard Antispam license type, expiry date and service status. If your license has expired you can select Renew to renew the license.
Virtual Domain  The number of virtual domains the unit supports. For FortiGate models 3000 or higher, you can select the Purchase More link to purchase a license key through Fortinet Support to increase the maximum number of VDOMs. See “License” on page 169.

System Resources
Any System Resources that are not displayed on the status page can be viewed as a graph by selecting the History icon.

Figure 12: Example System Resources History

History icon  View a graphical representation of the last minute of CPU, memory, sessions, and network usage. This page also shows the virus and intrusion detections over the last 20 hours. For more information see “Viewing operational history” on page 61.
CPU Usage  The current CPU status displayed as a dial gauge and as a percentage. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Memory Usage  The current memory status displayed as a dial gauge and as a percentage. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
FortiAnalyzer Disk Quota  The current status of the FortiAnalyzer disk quota used for the FortiGate unit displayed as a pie chart and a percentage. This is available only if you have configured logging to a FortiAnalyzer unit.
Automatic Refresh Interval  Select how often the Status page automatically updates from none to 30 seconds. Selecting none indicates the Status page will not be updated. You can select Refresh Now to update the Status page immediately.

Interface Status
An illustration of the FortiGate unit front panel shows the status of the unit’s ethernet interfaces. If a network interface is shaded green, that interface is connected. Pause the mouse pointer over the interface to view the IP address, netmask and current status of the interface.

Figure 13: Example FortiGate-3000 interface status (FortiAnalyzer connected)

To the right of the unit front panel illustration is a panel labeled FortiAnalyzer, connected to the FortiGate unit by a line. If the FortiGate unit has been configured to send log data to a FortiAnalyzer unit, the FortiAnalyzer unit illustration is dark. Otherwise, the FortiAnalyzer illustration appears grey. A green check mark on the connecting line indicates that logging from this unit is enabled on the FortiAnalyzer unit, otherwise there is a red “X” on the connecting line.

Alert Message Console
Alert messages help you track changes to your FortiGate unit. Each message shows the date and time that it was posted. If there is insufficient space for all of the messages, select Show All to view the entire list in a new window. To clear alert messages, select Show All and then select Clear Alert Messages at the top of the new window. This will delete all current alert messages from your FortiGate unit.

Figure 14: Example Alert Message Console

The following types of messages can appear in the Alert Message Console:
System restart  The system restarted. The restart could be due to operator action or power off/on cycling.
Firmware upgraded by <admin_name>  The named administrator upgraded the firmware to a more recent version on either the active or non-active partition.
Firmware downgraded by <admin_name>  The named administrator downgraded the firmware to an older version on either the active or non-active partition.
FortiGate has reached connection limit for <n> seconds  The antivirus engine was low on memory for the duration of time shown. Depending on model and configuration, content can be blocked or pass unscanned under these conditions.
Found a new FortiAnalyzer / Lost the connection to FortiAnalyzer  Shows that the FortiGate unit has either found or lost the connection to a FortiAnalyzer unit. See “Logging to a FortiAnalyzer unit” on page 429.

Statistics
The statistics section of the status page is designed to allow you to see at a glance what is happening on your FortiGate unit with regards to network traffic and protection. You can quickly see the amount and type of traffic as well as any attack attempts on your system. To investigate an area that draws your attention, simply select Details for a detailed list of the most recent activity.
The information displayed in the statistics section is saved in log files that can be saved to a FortiAnalyzer unit, saved locally or backed up to an external source. You can use this data to see trends in network activity or attacks over time and deal with it accordingly. For detailed procedures involving the statistics list, see “Viewing Statistics” on page 62.

Figure 15: Example Statistics

Reset Since  The date and time when the counts were reset. Counts are reset when the FortiGate unit reboots or when you select the reset icon.
Reset Icon  Reset the Archive and Attack Log counts to zero.
Sessions  The number of communications sessions being processed by the FortiGate unit. Select Details for detailed information. See “Viewing the session list” on page 62.
Content Archive  A summary of the HTTP, FTP, e-mail, and IM/P2P traffic that has passed through the FortiGate unit. The Details pages list the last 64 items of the selected type and provide links to the FortiAnalyzer unit where the archived traffic is stored. If logging to a FortiAnalyzer unit is not configured, the Details pages provide a link to the Log & Report > Log Config > Log Settings page.
Attack Log  A summary of viruses, attacks, spam email messages and URLs the unit has intercepted. The Details pages list the most recent 10 items, providing the time, source, destination and other information.

System Operation
If your access profile includes system configuration write privileges, you can perform the following operations from the Status page:
Reboot  Restart the FortiGate unit.
Shutdown  Shut down the FortiGate unit, stopping all traffic flow. You can restart the FortiGate unit after shutdown only by turning the power off and then on.
Reset to factory default  Restart the FortiGate unit with the configuration that it had when it was first powered on. This procedure deletes all configuration changes that you have made, but it does not change the firmware version or the antivirus or attack definitions.
Select the required operation from the System Operation list and then select Go.

Changing system information
FortiGate administrators whose access profiles permit write access to system configuration can change the system time, host name and the operation mode.

Configuring system time
1 Go to System > Status.
2 In the System Information section, select Change on the System Time line.
3 Select the time zone and then either set the date and time manually or configure synchronization with an NTP server.

Figure 16: Time Settings

System Time  The current FortiGate system date and time.
Refresh  Update the display of the current FortiGate system date and time.
Time Zone  Select the current FortiGate system time zone.
Automatically adjust clock for daylight saving changes  Select to automatically adjust the FortiGate system clock when your time zone changes between daylight saving time and standard time.
Set Time  Select to set the FortiGate system date and time to the values you set in the Hour, Minute, Second, Year, Month and Day fields.
Synchronize with NTP Server  Select to use an NTP server to automatically set the system date and time. You must specify the server and synchronization interval.
Server  Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, see http://www.ntp.org.
Sync Interval  Specify how often the FortiGate unit should synchronize its time with the NTP server. For example, a setting of 1440 minutes causes the FortiGate unit to synchronize its time once a day.

Changing the FortiGate unit host name
The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name. For information about SNMP, see “SNMP” on page 124. The default host name is the FortiGate unit serial number. For example FGT8002805030003 would be a FortiGate-800 unit. Administrators whose access profiles permit system configuration write access can change the FortiGate unit host name.

To change the FortiGate unit host name
1 Go to System > Status > Status.
2 In the Host Name field of the System Information section, select Change.
3 In the New Name field, type a new host name.
4 Select OK.
The new host name is displayed in the Host Name field and in the CLI prompt, and is added to the SNMP System Name.

Note: If the FortiGate unit is part of an HA cluster, you should use a unique host name to distinguish the unit from others in the cluster.

Changing the FortiGate firmware

FortiGate administrators whose access profiles permit maintenance read and write access can change the FortiGate firmware. Firmware changes either upgrade to a newer version or revert to an earlier version. Follow the appropriate procedure for the firmware change you want to perform:
• Upgrading to a new firmware version
• Reverting to a previous firmware version

Upgrading to a new firmware version

Use the following procedure to upgrade the FortiGate unit to a newer firmware version. Back up the configuration before you upgrade so that you can revert if the upgrade does not go as planned; see “Backup and restore” on page 155.

Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “To update antivirus and attack definitions” on page 164 to make sure that antivirus and attack definitions are up to date.

To upgrade the firmware using the web-based manager
1 Copy the firmware image file to your management computer.
2 Log into the web-based manager as the super admin, or an administrator account that has system configuration read and write privileges.
3 Go to System > Status.
4 In the System Information section, select Update on the Firmware Version line.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, closes all sessions, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm that the firmware upgrade is successfully installed.
9 Update antivirus and attack definitions. For information about updating antivirus and attack definitions, see “To update antivirus and attack definitions” on page 164.

Reverting to a previous firmware version

Use the following procedure to revert your FortiGate unit to a previous firmware version. This also reverts the FortiGate unit to its factory default configuration and deletes IPS custom signatures, web content lists, email filtering lists, and changes to replacement messages. Back up your FortiGate unit configuration to preserve this information. For information, see “Backup and restore” on page 155. If you are reverting to a previous FortiOS™ version (for example, reverting from FortiOS v3.0 to FortiOS v2.8), you might not be able to restore the previous configuration from the backup configuration file.

Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “To update antivirus and attack definitions” on page 164 to make sure that antivirus and attack definitions are up to date.

Note: To use this procedure you must log in using the super admin account, or an administrator account that has system configuration read and write privileges.

To revert to a previous firmware version using the web-based manager
1 Copy the firmware image file to the management computer.
2 Log into the FortiGate web-based manager.
3 Go to System > Status.
4 Under System Information > Firmware Version, select Update.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm that the firmware is successfully installed.
9 Restore your configuration. For information about restoring your configuration, see “Backup and restore” on page 155.
10 Update antivirus and attack definitions. For information about antivirus and attack definitions, see “FortiGuard Center” on page 159.

Viewing operational history

The System Resource History page displays six graphs representing system resources and protection activity.
1 Go to System > Status.
2 Select History in the upper right corner of the System Resources section.

Figure 17: Sample system resources history

Time Interval Select the time interval that the graphs show.
CPU Usage History CPU usage for the preceding interval.
Memory Usage History Memory usage for the preceding interval.
Session History Number of sessions over the preceding interval.
Network Utilization History Network utilization for the preceding interval.
Virus History Number of viruses detected over the preceding interval.
Intrusion History Number of intrusion attempts detected over the preceding interval.

Manually updating FortiGuard definitions

You can update your FortiGuard-AV and FortiGuard-Intrusion Protection definitions at any time from the License Information section of the System Status page.

Note: For information about configuring the FortiGate unit for automatic AV and automatic IPS (attack) definitions updates, see “FortiGuard Center” on page 159.

Updating the FortiGuard AV Definitions manually
1 Download the latest AV definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status > Status.
3 In the License Information section, in the AV Definitions field of the FortiGuard Subscriptions, select Update. The Anti-Virus Definitions Update dialog box appears.
4 In the Update File field, type the path and filename for the AV definitions update file, or select Browse and locate the AV definitions update file.
5 Select OK to copy the AV definitions update file to the FortiGate unit. The FortiGate unit updates the AV definitions. This takes about 1 minute.
6 Go to System > Status > Status to confirm that the FortiGuard-AV Definitions version information has updated.

Updating the FortiGuard IPS Definitions manually
1 Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status > Status.
3 In the License Information section, in the IPS Definitions field of the FortiGuard Subscriptions, select Update. The Intrusion Prevention System Definitions Update dialog box appears.
4 In the Update File field, type the path and filename for the attack definitions update file, or select Browse and locate the attack definitions update file.
5 Select OK to copy the attack definitions update file to the FortiGate unit. The FortiGate unit updates the attack definitions. This takes about 1 minute.
6 Go to System > Status > Status to confirm that the IPS Definitions version information has updated.

Viewing Statistics

The System Status Statistics provide information about sessions, content archiving and network protection activity.

Viewing the session list

The session list displays information about the current communications sessions on the FortiGate unit.

To view the session list
1 Go to System > Status > Status.
2 In the Statistics section, select Details on the Sessions line.

Figure 18: Session list

Virtual Domain Select a virtual domain to list the sessions being processed by that virtual domain. Select All to view sessions being processed by all virtual domains. This is only available if multiple virtual domains are enabled.
Refresh Update the session list.
Page up View the previous page in the session list.
Page down View the next page in the session list.
Line Enter the line number of the session at which to start the displayed session list. For example, if there are 5 sessions and you enter 3, only the sessions numbered 3, 4 and 5 are displayed. The number following the ‘/’ is the number of active sessions on the FortiGate unit.
Clear All Filters Select to reset any display filters that may have been set.
Filter Icon The icon at the top of all columns except # and Expiry. When selected, it brings up the Edit Filter dialog, allowing you to set the display filters by column.
Protocol The service protocol of the connection, for example udp, tcp, or icmp.
Source Address The source IP address of the connection.
Source Port The source port of the connection.
Destination Address The destination IP address of the connection.
Destination Port The destination port of the connection.
Policy ID The number of the firewall policy allowing this session, or blank if the session involves only one FortiGate interface (an admin session, for example).
Expiry (sec) The time, in seconds, before the connection expires.
Delete icon Stop an active communication session. Your access profile must include read and write access to System Configuration.

Viewing the Content Archive information

From the Statistics section of the System Status page, you can view statistics about HTTP, email, FTP and IM traffic through the FortiGate unit. You can select the Details link beside each traffic type to view more information. You can select Reset on the header of the Statistics section to clear the content archive and attack log information and reset the counts to zero.

Viewing archived HTTP content information
1 Go to System > Status > Status.
2 In the Content Archive section, select Details for HTTP.

Date and Time The time when the URL was accessed.
From The IP address from which the URL was accessed.
URL The URL that was accessed.

Viewing archived Email content information
1 Go to System > Status > Status.
2 In the Content Archive section, select Details for Email.

Date and Time The time that the email passed through the FortiGate unit.
From The sender’s email address.
To The recipient’s email address.
Subject The subject line of the email.

Viewing archived FTP content information
1 Go to System > Status > Status.
2 In the Content Archive section, select Details for FTP.

Date and Time The time of access.
Destination The IP address of the FTP server that was accessed.
User The User ID that logged into the FTP server.
Downloads The names of files that were downloaded.
Uploads The names of files that were uploaded.

Viewing archived IM content information
1 Go to System > Status > Status.
2 In the Content Archive section, select Details for IM.

Date / Time The time of access.
Protocol The protocol used in this IM session.
Kind The kind of IM traffic this transaction is.
Local The local address for this transaction.
Remote The remote address for this transaction.
Direction Whether the file was sent or received.

Viewing the Attack Log

From the Statistics section of the System Status page, you can view statistics about the network attacks that the FortiGate unit has stopped. You can select the Details link beside each attack type to view more information. You can select Reset on the header of the Statistics section to clear the content archive and attack log information and reset the counts to zero.

Viewing attacks blocked
1 Go to System > Status > Status.
2 In the Attack Log section, select Details for IPS.

Date and Time The time that the attack was detected.
From The source of the attack.
To The target host of the attack.
Service The service type.
Attack The type of attack that was detected and prevented.

Viewing viruses caught
1 Go to System > Status > Status.
2 In the Attack Log section, select Details for AV.

Date and Time The time when the virus was detected.
From The sender’s email address or IP address.
To The intended recipient’s email address or IP address.
Service The service type, such as POP or HTTP.
Virus The name of the virus that was detected.

Viewing spam email detected
1 Go to System > Status > Status.
2 In the Attack Log section, select Details for Spam.

Date and Time The time that the spam was detected.
From->To IP The sender and intended recipient IP addresses.
From->To Email Accounts The sender and intended recipient email addresses.
Service The service type, such as SMTP, POP or IMAP.
SPAM Type The type of spam that was detected.

Viewing URLs blocked
1 Go to System > Status > Status.
2 In the Attack Log section, select Details for Web.

Date and Time The time that the attempt to access the URL was detected.
From The host that attempted to view the URL.
URL Blocked The URL that was blocked.

System Network

This section describes how to configure your FortiGate unit to operate in your network. Basic network settings include configuring FortiGate interfaces and DNS settings. More advanced configuration includes adding VLAN subinterfaces and zones to the FortiGate network configuration.

The following topics are included in this section:
• Interface
• Zone
• Options
• Routing table (Transparent Mode)
• Configuring the modem interface
• VLAN overview
• VLANs in NAT/Route mode
• VLANs in Transparent mode
• FortiGate IPv6 support

Note: Where you can enter both an IP address and a netmask in the same field, you can use the short form of the netmask. For example, 192.168.1.100/255.255.255.0 can also be entered as 192.168.1.100/24.

Interface

In NAT/Route mode, go to System > Network > Interface to configure FortiGate interfaces. You can
• modify the configuration of a physical interface
• add and configure VLAN subinterfaces
• configure an ADSL interface
• aggregate several physical interfaces into an IEEE 802.3ad interface (models 800 and higher only)
• combine physical interfaces into a redundant interface
• add wireless interfaces (WiFi-60A and WiFi-60AM models only)

Note: Unless stated otherwise, in this section the term interface can refer to a physical FortiGate interface or to a FortiGate VLAN subinterface. For information about VLANs, see “FortiGate units and VLANs” on page 93.

Figure 19: Interface list - regular administrator view
Figure 20: Interface list - admin view with virtual domain configuration enabled

Create New Select Create New to create a VLAN subinterface. See “VLAN overview” on page 92. On models 800 and higher, you can also create an IEEE 802.3ad aggregated interface or a redundant interface. See “Creating an 802.3ad aggregate interface” on page 74 or “Creating a redundant interface” on page 75.
show backplane Select to make the two backplane interfaces visible as port9 and port10. This option is available only on 5000 models. Once visible, these interfaces can be treated as regular physical interfaces.
Description icon The tooltip for this icon displays the Description field for this interface.
Name The names of the physical interfaces on your FortiGate unit. The name and number of a physical interface depends on the model. Some names indicate the default function of the interface, such as Internal, External and DMZ. Other names are generic, such as port1. If you have added VLAN subinterfaces, they also appear in the name list, below the physical or aggregated interface to which they have been added. On FortiGate models 800 and higher, if you combine several interfaces into an aggregate interface, only the aggregate interface is listed, not the component interfaces. The same is true for redundant interfaces. FortiGate models numbered 50 and 60 provide a modem interface. See “Configuring the modem interface” on page 87. On FortiGate 60ADSL units, you can configure the ADSL interface. See “Configuring an ADSL interface” on page 73. The oob/ha interface is the FortiGate model 4000 out of band management interface. You can connect to this interface to manage the FortiGate unit. This interface is also available as an HA heartbeat interface. If virtual domain configuration is enabled, you can view information only for the interfaces that are in your own virtual domain unless you are the super admin.
IP/Netmask The current IP address/netmask of the interface.
Access The administrative access configuration for the interface. See “Additional configuration for interfaces” on page 82.

Status The administrative status for the interface. If the administrative status is a green arrow, the interface is up and can accept network traffic. If the administrative status is a red arrow, the interface is administratively down and cannot accept traffic. To change the administrative status, select Bring Down or Bring Up.
Virtual Domain The virtual domain to which the interface belongs. This column is visible only to the super admin and only when virtual domain configuration is enabled.
Delete, edit, view icons Delete, edit, or view an entry.

Interface settings

Go to System > Network > Interface. Select Create New to create a new interface. To edit an existing interface, select the Edit icon for that interface. You cannot create a virtual IPSec interface here, but you can specify its endpoint addresses, enable administrative access and provide a description. For more information, see “Configuring a virtual IPSec interface” on page 81. On FortiGate model 224B, you can also configure individual ports on the 24-port switch. For information about configuring these interfaces, see “Switch (FortiGate-224B)” on page 175.

Figure 21: Create New Interface settings
Figure 22: Edit Interface settings

Name Enter a name for the interface. You cannot change the name of an existing interface.
Type On models 800 and higher, you can create VLAN, 802.3ad Aggregate, and Redundant interfaces. On models WiFi-60A and WiFi-60AM, you can create wireless interfaces and VLAN subinterfaces. On the 60ADSL model, you can configure an ADSL interface. Other models support creation of VLAN interfaces only and have no Type field. To configure an ADSL interface, see “Configuring an ADSL interface” on page 73. To create a VLAN subinterface, see “FortiGate units and VLANs” on page 93. To create an aggregate interface, see “Creating an 802.3ad aggregate interface” on page 74. To create a redundant interface, see “Creating a redundant interface” on page 75. To create a wireless interface, see “Creating a wireless interface” on page 76. You cannot change the type of an existing interface.
Interface Select the name of the physical interface on which to create the VLAN. Once created, the VLAN subinterface is listed below its physical interface in the Interface list. You cannot change the interface of an existing VLAN subinterface. This field is only displayed when Type is set to VLAN.
Physical Interface Members Move the interfaces to be included in the 802.3ad aggregate or Redundant interface from the Available interfaces list to the Selected interfaces list. This field is only displayed when Type is set to either 802.3ad aggregate or Redundant interface.
VLAN ID Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. You cannot change the VLAN ID of an existing VLAN subinterface. The VLAN ID can be any number between 1 and 4094 (the IEEE 802.1Q VLAN ID field is 12 bits wide, and the values 0 and 4095 are reserved) and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface. See “VLAN overview” on page 92. This field is only displayed when Type is set to VLAN.
Virtual Domain Select the virtual domain to which this VLAN subinterface belongs. This is available to the super admin account when virtual domain configuration is enabled. See “Using virtual domains” on page 43.
Addressing mode To configure a static IP address for the interface, select Manual. You can also configure the interface for dynamic IP address assignment. See “Configuring DHCP on an interface” on page 77 or “Configuring an interface for PPPoE or PPPoA” on page 79.
IP/Netmask Enter the IP address/subnet mask in the IP/Netmask field. The IP address must be on the same subnet as the network to which the interface connects. Two interfaces cannot have IP addresses on the same subnet. This field is only available when Manual addressing mode is selected.
DDNS Select DDNS to configure a Dynamic DNS service for this interface. Additional fields are displayed. See “Configuring Dynamic DNS service for an interface” on page 80.
Ping Server To enable dead gateway detection, enter the IP address of the next hop router on the network connected to the interface and select Enable. See “Dead gateway detection” on page 85.
Administrative Access Select the types of administrative access permitted on this interface. Enable only the protocols you need, and do not enable HTTP or Telnet on interfaces that face untrusted networks: both carry administrator credentials in cleartext.
HTTPS Allow secure HTTPS connections to the web-based manager through this interface.
PING Interface responds to pings. Use this setting to verify your installation and for testing.
HTTP Allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
SSH Allow SSH connections to the CLI through this interface.
SNMP Allow a remote SNMP manager to request SNMP information by connecting to this interface. See “Configuring SNMP” on page 125.
TELNET Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
MTU To change the MTU, select Override default MTU value (1 500) and enter the MTU size based on the addressing mode of the interface:
• 68 to 1 500 bytes for manual mode
• 576 to 1 500 bytes for DHCP mode
• 576 to 1 492 bytes for PPPoE mode
• up to 16 110 bytes for jumbo frames (FortiGate models numbered 3000 and higher)
This field is available only on physical interfaces. VLANs inherit the parent interface MTU size by default. For more information, see “Additional configuration for interfaces” on page 82.
Log Select Log to record logs for any traffic to or from the interface. To record logs you must also enable traffic log for a logging location and set the logging severity level to Notification or lower. Go to Log&Report > Log Config to configure logging locations and types. For information about logging, see “Log&Report” on page 427.
Secondary IP Address Select the blue arrow to expand or hide this section and add additional IP addresses to this interface. See “Secondary IP Addresses” on page 72.
Description Optionally, enter a description up to 63 characters long.

Note: In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU.

Jumbo Frames

Jumbo frames can be 9 000 bytes or more, much larger than standard Ethernet frames. A standard Ethernet frame carries at most 1 500 bytes of payload (the default MTU); with the Ethernet header and CRC the frame itself is 1 518 bytes. As new Ethernet standards have been implemented (such as Gigabit Ethernet), 1 500-byte payloads have been kept for backward compatibility. FortiGate models numbered 3000 and higher support jumbo frames.

Jumbo frames support up to a theoretical limit of roughly 64 000 bytes in IPv4 (the IPv4 total length field is 16 bits). However, the maximum jumbo frame size is typically limited by other factors, such as the error-detection strength of the 32-bit Ethernet CRC checksum, which falls off as frames grow. Even with these factors, a frame of 9 000 bytes is common and up to 16 110 bytes is possible.

To be able to send jumbo frames over a route, all Ethernet devices on that route must support jumbo frames. Otherwise your jumbo frames are not recognized and they are dropped.

If you have standard Ethernet and jumbo frame traffic on the same interface, routing alone cannot send them over different routes based only on frame size. However, you can use VLANs to make sure the jumbo frame traffic is routed over network devices that support jumbo frames. VLANs inherit the MTU size from the parent interface. You will need to configure both ends of the route, as well as all switches and routers along the route, as part of the VLAN. For more information on VLAN configurations, see the VLAN and VDOM guide.

Secondary IP Addresses

An interface can be assigned more than one IP address. You can create and apply separate firewall policies for each IP address on an interface. You can also forward traffic and use RIP or OSPF routing with secondary IP addresses. There can be up to 32 secondary IP addresses per interface, and primary and secondary IP addresses can share the same ping server.

The following restrictions must be met before you are able to assign a secondary IP address:
• A primary IP address must be assigned to the interface first.
• The interface must use manual addressing mode.
• By default, IP addresses cannot be part of the same subnet. To allow interface subnet overlap, use the CLI command:

    config system global
        set allow-interface-subnet-overlap enable
    end

This is a global setting that affects every interface on the unit, so enable it only if you understand how overlapping connected subnets affect routing and policy matching.

Secondary IP addresses cannot terminate a VPN tunnel. You can use the CLI command config system interface to add a secondary IP address to an interface. For more information, see config secondaryip under system interface in the FortiGate CLI Reference.

Figure 23: Adding Secondary IP Addresses

IP/Netmask Enter the IP address/subnet mask in the IP/Netmask field. The IP address must be on the same subnet as the network to which the interface connects. Two interfaces cannot have IP addresses on the same subnet. This field is only available when Manual addressing mode is selected.
Ping Server To enable dead gateway detection, enter the IP address of the next hop router on the network connected to the interface and select Enable. See “Dead gateway detection” on page 85. Multiple addresses can share the same ping server. This field is optional.
Administrative Access Select the types of administrative access permitted on the secondary IP. These can be different from the primary address.
HTTPS Allow secure HTTPS connections to the web-based manager through this secondary IP.
PING Secondary IP responds to pings. Use this setting to verify your installation and for testing.
HTTP Allow HTTP connections to the web-based manager through this secondary IP. HTTP connections are not secure and can be intercepted by a third party.
SSH Allow SSH connections to the CLI through this secondary IP.
SNMP Allow a remote SNMP manager to request SNMP information by connecting to this secondary IP. See “Configuring SNMP” on page 125.
TELNET Allow Telnet connections to the CLI through this secondary IP. Telnet connections are not secure and can be intercepted by a third party.
Add Select Add to add the configured secondary IP address to the secondary IP table shown below. Addresses in this table are not added to the interface until you select OK or Apply at the bottom of this screen.
Secondary IP table A table that shows all the secondary IP addresses that have been added to this interface. These addresses are not permanently added to the interface until you select OK or Apply at the bottom of the screen. Some addresses may be removed from the table because of the restrictions above.
# The number of the secondary IP address. There can be up to 32 additional IP addresses on an interface.
IP/Netmask The IP address and netmask for this secondary IP.
Ping Server The IP address of the ping server for this address. The ping server can be shared by multiple addresses. The ping server is optional.
Enable Indicates whether the ping server option is selected.
Access The administrative access methods for this address. They can be different from the primary IP address.
Delete Icon Remove the secondary IP address from the table.

Caution: Secondary IP addresses you add may be automatically removed before they are added to the interface. This happens if the restrictions listed above are not met, and is done without warning. It is recommended that after adding a secondary IP, you return to the secondary IP table and verify that your new address is listed. If not, one of the restrictions prevented the address from being added.
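The interface rules in this section (MTU bounds per addressing mode, the VLAN ID range, the rule that two interfaces cannot share a subnet, and the secondary IP restrictions, including the subnet-overlap rule that allow-interface-subnet-overlap relaxes) can be checked offline before a change is pushed to the unit, which is cheaper than discovering that a secondary address was silently dropped. The following Python is an added example, not part of this guide and not a FortiOS API: the Interface data class, the lint function and the sample interfaces are this example's own constructions, the 16 110-byte jumbo bound is assumed to apply whatever the addressing mode on a jumbo-capable model, and the lint also flags HTTP or Telnet administrative access on an interface marked as untrusted, which the guide warns is cleartext.

```python
from dataclasses import dataclass, field
from ipaddress import ip_interface
from itertools import combinations
from typing import List, Optional, Tuple

MTU_BOUNDS = {"manual": (68, 1500), "dhcp": (576, 1500), "pppoe": (576, 1492)}
JUMBO_MAX = 16110            # FortiGate models numbered 3000 and higher
MAX_SECONDARY = 32
MAX_VLAN_ID = 4094           # 802.1Q: 12-bit field, 0 and 4095 reserved
CLEARTEXT_ACCESS = {"http", "telnet"}


@dataclass
class Interface:
    """Example-only model of one FortiGate interface (not a FortiOS object)."""
    name: str
    mode: str = "manual"                       # manual | dhcp | pppoe
    ip: Optional[str] = None                   # primary "a.b.c.d/len"; None if unset
    mtu: Optional[int] = None                  # None keeps the 1 500 default
    vlan_id: Optional[int] = None              # set only on VLAN subinterfaces
    access: List[str] = field(default_factory=list)
    secondary: List[str] = field(default_factory=list)
    untrusted: bool = False                    # faces a network you do not control


def lint(ifaces: List[Interface], jumbo_capable: bool = False,
         allow_subnet_overlap: bool = False) -> List[Tuple[str, str]]:
    """Return (interface name, finding) pairs; an empty list means clean."""
    out = []
    for i in ifaces:
        if i.mtu is not None:
            if i.vlan_id is not None:
                out.append((i.name, "MTU override applies to physical interfaces only; VLANs inherit it"))
            else:
                lo, hi = MTU_BOUNDS[i.mode]
                if jumbo_capable:            # assumption: jumbo bound applies whatever the mode
                    hi = JUMBO_MAX
                if not lo <= i.mtu <= hi:
                    out.append((i.name, f"MTU {i.mtu} outside {lo}-{hi} for {i.mode} mode"))
        if i.vlan_id is not None and not 1 <= i.vlan_id <= MAX_VLAN_ID:
            out.append((i.name, f"VLAN ID {i.vlan_id} outside 1-{MAX_VLAN_ID}"))
        if i.secondary:
            if i.ip is None:
                out.append((i.name, "secondary IPs need a primary IP first"))
            if i.mode != "manual":
                out.append((i.name, "secondary IPs need manual addressing mode"))
            if len(i.secondary) > MAX_SECONDARY:
                out.append((i.name, f"more than {MAX_SECONDARY} secondary IPs"))
        if i.untrusted:
            for proto in sorted(CLEARTEXT_ACCESS & {a.lower() for a in i.access}):
                out.append((i.name, f"{proto} admin access on an untrusted interface is cleartext"))
    if not allow_subnet_overlap:
        # Every address on the unit, primary and secondary, tagged with its owner.
        addrs = [(i.name, ip_interface(a))
                 for i in ifaces for a in ([i.ip] if i.ip else []) + i.secondary]
        for (n1, a1), (n2, a2) in combinations(addrs, 2):
            if a1.network.overlaps(a2.network):
                out.append((n1, f"{a1} overlaps {a2} on {n2}; renumber or set "
                                "allow-interface-subnet-overlap"))
    return out


# Constructed sample: four interfaces with deliberate mistakes.
SAMPLE = [
    Interface("wan1", ip="203.0.113.2/24",
              access=["https", "ssh", "http", "telnet"], untrusted=True),
    Interface("internal", ip="192.168.1.1/24", access=["https", "ssh", "ping"],
              secondary=["192.168.2.1/24", "192.168.1.200/24"]),
    Interface("dmz", mode="dhcp", access=["ping"], secondary=["10.0.0.1/24"]),
    Interface("vlan10", ip="172.16.10.1/24", vlan_id=4096, mtu=9000),
]


def sample_findings(**kwargs) -> List[Tuple[str, str]]:
    return lint(SAMPLE, **kwargs)


if __name__ == "__main__":
    for name, msg in sample_findings():
        print(f"{name}: {msg}")
```

Run as a script it prints seven findings for the sample: cleartext HTTP and Telnet on wan1, the two secondary IP restrictions violated on dmz, an MTU override and an out-of-range VLAN ID on vlan10, and the overlapping 192.168.1.0/24 addresses on internal. Passing allow_subnet_overlap=True drops the overlap finding, which is exactly the behaviour the CLI setting above buys you.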

Configuring an ADSL interface

The information that you need to provide for the ADSL interface depends on the addressing mode your ISP requires you to use. Static addressing using IPoA or EoA requires only an IP address and netmask. If you are using dynamic addressing, you need to configure it as described in “Configuring DHCP on an interface” on page 77 or “Configuring an interface for PPPoE or PPPoA” on page 79. To configure an ADSL interface, your FortiGate unit cannot be in Transparent mode.
1 Go to System > Network > Interface.
2 Select Create New or select the Edit icon of an existing interface.
3 In the Addressing mode section, select IPoA or EoA.

Figure 24: Settings for an ADSL interface

Address mode Select the addressing mode that your ISP specifies.
IPOA IP over ATM. Enter the IP address and netmask that your ISP provides.
EOA Ethernet over ATM, also known as Bridged mode. Enter the IP address and netmask that your ISP provides.
DHCP See “Configuring DHCP on an interface” on page 77.
PPPoE See “Configuring an interface for PPPoE or PPPoA” on page 79.
PPPoA See “Configuring an interface for PPPoE or PPPoA” on page 79.
Gateway Enter the default gateway.
Connect to Server Enable Connect to Server so that the interface automatically attempts to connect. Disable this option if you are configuring the interface offline.
Virtual Circuit Identification Enter the VPI and VCI values your ISP provides.
MUX Type Select the MUX type: LLC Encap or VC Encap. Your ISP must provide this information.

Creating an 802.3ad aggregate interface
You can aggregate (combine) two or more physical interfaces to increase bandwidth and provide some link redundancy. This has the benefit of higher bandwidth but has more potential points of failure than redundant interfaces. The interfaces must connect to the same next-hop routing destination. FortiGate firmware on models 800 and higher implements IEEE standard 802.3ad for link aggregation.

An interface is available for aggregation only if
• it is a physical interface, not a VLAN interface
• it is not already part of an aggregated or redundant interface
• it is in the same VDOM as the aggregated interface
• it has no defined IP address and is not configured for DHCP or PPPoE
• it has no DHCP server or relay configured on it
• it does not have any VLAN subinterfaces
• it is not referenced in any firewall policy, VIP, IP Pool or multicast policy
• it is not an HA heartbeat interface
• it is not one of the FortiGate 5000 series backplane interfaces

When an interface is included in an aggregate interface, it is not listed on the System > Network > Interface page. It is no longer individually configurable and is not available for inclusion in firewall policies, VIPs, IP pools or routing.
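A port that does not meet every condition above simply does not appear in the Available Interfaces list, and the web-based manager does not say which condition excluded it. As an added example (not from this guide and not a FortiOS API), the following Python walks a constructed interface inventory and reports, for each port, the conditions that stop it from joining an aggregate in a given VDOM; the conditions are the same ones the guide lists for redundant interface members in “Creating a redundant interface”, so the check serves both. The Port and Config classes, the field names and the sample inventory are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Port:
    """Example-only model of a candidate member port (not a FortiOS object)."""
    name: str
    vdom: str = "root"
    physical: bool = True              # False for VLAN subinterfaces
    ip: Optional[str] = None           # static address, if any
    mode: str = "manual"               # manual | dhcp | pppoe
    member_of: Optional[str] = None    # aggregate or redundant interface it already belongs to
    dhcp_server: bool = False          # DHCP server or relay configured on it
    vlans: List[str] = field(default_factory=list)
    ha_heartbeat: bool = False
    backplane: bool = False            # FortiGate 5000 series backplane port


@dataclass
class Config:
    ports: List[Port]
    policy_refs: Set[str]              # names used by policies, VIPs, IP pools, multicast policies


def ineligibility(port: Port, cfg: Config, vdom: str) -> List[str]:
    """Reasons the port may not join an aggregate in `vdom`; empty means eligible."""
    reasons = []
    if not port.physical:
        reasons.append("not a physical interface")
    if port.member_of:
        reasons.append(f"already a member of {port.member_of}")
    if port.vdom != vdom:
        reasons.append(f"in VDOM {port.vdom}, not {vdom}")
    if port.ip or port.mode != "manual":
        reasons.append("has an address or dynamic addressing")
    if port.dhcp_server:
        reasons.append("has a DHCP server or relay")
    if port.vlans:
        reasons.append("has VLAN subinterfaces: " + ", ".join(port.vlans))
    if port.name in cfg.policy_refs:
        reasons.append("referenced by a policy, VIP, IP pool or multicast policy")
    if port.ha_heartbeat:
        reasons.append("is an HA heartbeat interface")
    if port.backplane:
        reasons.append("is a 5000 series backplane interface")
    return reasons


def eligible_members(cfg: Config, vdom: str = "root") -> Dict[str, List[str]]:
    """Map every port name to its ineligibility reasons ([] = may be a member)."""
    return {p.name: ineligibility(p, cfg, vdom) for p in cfg.ports}


# Constructed inventory for this example: only port3 and port4 are clean in root.
SAMPLE_CONFIG = Config(
    ports=[
        Port("port1", ip="192.168.1.1/24"),
        Port("port2", dhcp_server=True),
        Port("port3"),
        Port("port4"),
        Port("port5", ha_heartbeat=True),
        Port("port6", vlans=["vlan10"]),
        Port("vlan10", physical=False, ip="10.10.10.1/24"),
        Port("port7", vdom="dmz"),
        Port("port8", member_of="agg0"),
        Port("port9", backplane=True),
    ],
    policy_refs={"port1", "agg0"},
)


def sample_eligible(vdom: str = "root") -> Dict[str, List[str]]:
    return eligible_members(SAMPLE_CONFIG, vdom)


if __name__ == "__main__":
    for name, why in sample_eligible().items():
        print(name, "eligible" if not why else "; ".join(why))
```

Run against the sample, only port3 and port4 come back eligible for an aggregate in the root VDOM; asking for the dmz VDOM instead makes port7 the only candidate, which matches the same-VDOM condition.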


FortiGate Version 3.0 MR3 Administration Guide 01-30003-0203-20061124


Figure 25: Settings for an 802.3ad aggregate interface

To create an 802.3ad Aggregate interface
1 Go to System > Network > Interface.
2 Select Create New.
3 In the Name field, enter a name for the aggregated interface. The interface name must not be the same as any other interface, zone or VDOM.
4 From the Type list, select 802.3ad Aggregate.
5 One at a time, in the Available Interfaces list, select each interface that you want to include in the aggregate interface and then select the right arrow button to move it to the Selected Interfaces list.
6 If this interface operates in NAT/Route mode, you need to configure addressing for it. For information about dynamic addressing, see:
• “Configuring DHCP on an interface” on page 77
• “Configuring an interface for PPPoE or PPPoA” on page 79
7 Configure other interface options as required.
8 Select OK.

Creating a redundant interface
You can combine two or more physical interfaces to provide link redundancy. This feature allows you to connect to two or more switches to ensure connectivity in the event one physical interface or the equipment on that interface fails. Redundant links differ from link aggregation in that traffic only goes over one interface at any time (no matter how many are in the redundant link), but redundant interfaces allow for more robust configurations with fewer possible points of failure. This is important in a fully meshed HA configuration. FortiGate firmware on models 800 and higher implements redundant interfaces. An interface is available to be in a redundant interface only if
• it is a physical interface, not a VLAN interface
• it is not already part of an aggregated or redundant interface
• it is in the same VDOM as the redundant interface
• it has no defined IP address and is not configured for DHCP or PPPoE
• it has no DHCP server or relay configured on it
• it does not have any VLAN subinterfaces


• it is not referenced in any firewall policy, VIP, IP Pool or multicast policy
• it is not monitored by HA

When an interface is included in a redundant interface, it is not listed on the System > Network > Interface page. It is no longer individually configurable and is not available for inclusion in firewall policies, VIPs, IP pools or routing.
Figure 26: Settings for a redundant interface

To create a redundant interface
1 Go to System > Network > Interface.
2 Select Create New.
3 In the Name field, enter a name for the redundant interface. The interface name must not be the same as any other interface, zone or VDOM.
4 From the Type list, select Redundant Interface.
5 One at a time, in the Available Interfaces list, select each physical interface that you want to include in the redundant interface and then select the right arrow button to move it to the Selected Interfaces list. The interfaces you add will be used in the order they appear in the Selected Interfaces list. For example, if the first interface in the list fails, the second interface is used.
6 If this interface operates in NAT/Route mode, you need to configure addressing for it. For information about dynamic addressing, see:
• “Configuring DHCP on an interface” on page 77
• “Configuring an interface for PPPoE or PPPoA” on page 79
7 Configure other interface options as required.
8 Select OK.

Creating a wireless interface
On FortiWiFi-60A and FortiWiFi-60AM models, you can create wireless WLAN interfaces. (To create a wireless interface on a FortiWiFi-60 unit, see “System wireless settings (FortiWiFi-60)” on page 106.)
1 Go to System > Network > Interface.
2 Select Create New.
3 In the Name field, enter a name for the wireless interface. The interface name must not be the same as any other interface, zone or VDOM.
4 From the Type list, select Wireless.


5 In the Wireless Settings section, enter the following information:
Figure 27: Wireless interface settings

SSID: Enter the wireless network name that the unit broadcasts. Users who want to use the wireless network must configure their computers to connect to the network that broadcasts this network name.
SSID Broadcast: Select if you want the unit to broadcast its SSID. (Access Point mode only)
Security Mode: To use WEP, select WEP64 or WEP128. To use WPA (available in Access Point mode only), select WPA Preshared Key or WPA_Radius. Users of the wireless network must configure their computers with the same settings. WEP provides no effective confidentiality, since its keys can be recovered from captured traffic; use WPA wherever the clients support it.
Key: For a 64-bit WEP key, enter 10 hexadecimal digits (0-9, a-f). For a 128-bit WEP key, enter 26 hexadecimal digits (0-9, a-f). Users of the wireless network must configure their computers with the same key.
Pre-shared Key: For WPA Pre-shared Key security mode, enter the pre-shared key. Users of the wireless network must configure their computers with the same key.
RADIUS Server Name: For WPA Radius security mode, choose the RADIUS server name from the list. The RADIUS server must be configured in User > Radius. For more information, see “RADIUS servers” on page 343.
Data Encryption: This applies to WPA mode. Select either TKIP or AES (WPA2) data encryption.
RTS Threshold: The Request to Send (RTS) threshold is the packet size above which the unit sends an RTS and waits for a Clear to Send (CTS) acknowledgement from the other wireless device before transmitting.
Fragmentation Threshold: Set the maximum size of a data packet before it is broken into two or more packets. Reducing the threshold can improve performance in environments that have high interference.

6 Configure other interface options as required.
7 Select OK.
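The Key and Pre-shared Key rows above give the key formats but not how a WPA pre-shared key relates to the passphrase users type. The following Python script is an added example and is not part of this guide or of the FortiWiFi firmware. It checks a WEP key against the hex-digit counts in the table, derives the 256-bit WPA/WPA2 PSK from a passphrase and SSID with the PBKDF2 construction defined by IEEE 802.11i, and then runs a small offline dictionary attack against that PSK to show why a short passphrase on a guessable SSID is weak. The wordlist is constructed for the example; a real attack checks candidates against a captured 4-way handshake, but the per-candidate cost is the same PBKDF2 work shown here.

```python
import hashlib
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
WEP_HEX_DIGITS = {"WEP64": 10, "WEP128": 26}   # key lengths from the table above


def valid_wep_key(mode, key):
    """True if `key` has the hex-digit count the table gives for WEP64/WEP128."""
    return len(key) == WEP_HEX_DIGITS[mode] and HEX_RE.match(key) is not None


def wpa_psk(passphrase, ssid):
    """Pairwise master key for WPA/WPA2 pre-shared-key mode, as 64 hex digits.

    A 64-hex-digit value is the 256-bit key itself and is used unchanged.
    Anything else is a passphrase (8-63 ASCII characters) and is expanded
    with PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID, exactly
    as IEEE 802.11i specifies. Changing the SSID therefore changes the PSK.
    """
    if len(passphrase) == 64 and HEX_RE.match(passphrase):
        return passphrase.lower()
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters or 64 hex digits")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return key.hex()


def recover_passphrase(psk_hex, ssid, candidates):
    """Offline dictionary attack: the SSID is public, so an attacker can test
    candidate passphrases one by one without ever talking to the access point.
    Returns the matching passphrase, or None if no candidate fits."""
    target = psk_hex.lower()
    for candidate in candidates:
        try:
            if wpa_psk(candidate, ssid) == target:
                return candidate
        except ValueError:
            continue  # wrong length, cannot be the passphrase
    return None


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    psk = wpa_psk("password", "IEEE")
    print("PSK:", psk)
    wordlist = ["letmein", "qwerty123", "password", "hunter22"]  # constructed wordlist
    print("recovered:", recover_passphrase(psk, "IEEE", wordlist))
```

The two WEP checks confirm only that a key has the right shape; they say nothing about its strength, which is the point of the Security Mode caveat above.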

Configuring DHCP on an interface
If you configure an interface to use DHCP, the FortiGate unit automatically broadcasts a DHCP request. The interface is configured with the IP address and optionally the DNS server addresses and default gateway address that the DHCP server provides.
1 Go to System > Network > Interface.
2 Select Create New or select the Edit icon of an existing interface.
3 In the Addressing mode section, select DHCP.


Figure 28: Interface DHCP settings

Figure 29: ADSL interface DHCP settings

Status: Displays DHCP status messages as the FortiGate unit connects to the DHCP server and gets addressing information. Select Status to refresh the addressing mode status message. This is only displayed if you selected Edit. Status can be one of:
• initializing - No activity.
• connecting - The interface is attempting to connect to the DHCP server.
• connected - The interface retrieves an IP address, netmask, and other settings from the DHCP server.
• failed - The interface was unable to retrieve an IP address and other information from the DHCP server.
Obtained IP/Netmask: The IP address and netmask leased from the DHCP server. This is only displayed if Status is connected.
Renew: Select to renew the DHCP lease for this interface. This is only displayed if Status is connected.
Expiry Date: The time and date when the leased IP address and netmask are no longer valid. This is only displayed if Status is connected.
Default Gateway: The IP address of the gateway defined by the DHCP server. This is only displayed if Status is connected and Retrieve default gateway from server is selected.
Distance: Enter the administrative distance for the default gateway retrieved from the DHCP server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.
Retrieve default gateway from server: Enable Retrieve default gateway from server to retrieve a default gateway IP address from the DHCP server. The default gateway is added to the static routing table.
Override internal DNS: Enable Override internal DNS to use the DNS addresses retrieved from the DHCP server instead of the DNS server IP addresses on the DNS page. On models numbered 100 and lower, you should also enable Obtain DNS server address automatically in System > Network > Options. See “Configuring Network Options” on page 85.
Connect to server: Enable Connect to Server so that the interface automatically attempts to connect to a DHCP server. Disable this option if you are configuring the interface offline.

Configuring an interface for PPPoE or PPPoA
If you configure the interface to use PPPoE or PPPoA, the FortiGate unit automatically broadcasts a PPPoE or PPPoA request. You can disable Connect to Server if you are configuring the FortiGate unit offline and you do not want the FortiGate unit to send the PPPoE or PPPoA request. PPPoA is only available on FortiGate models that support ADSL.
FortiGate units support many of the PPPoE RFC features (RFC 2516) including unnumbered IPs, initial discovery timeout and PPPoE Active Discovery Terminate (PADT).
1 Go to System > Network > Interface.
2 Select Create New or select the Edit icon of an existing interface.
3 In the Addressing mode section, select PPPoE or PPPoA.
Figure 30: Interface PPPoE settings
Figure 31: ADSL interface PPPoE or PPPoA settings

Status: Displays PPPoE or PPPoA status messages as the FortiGate unit connects to the PPPoE or PPPoA server and gets addressing information. Select Status to refresh the addressing mode status message. This is only displayed if you selected Edit. Status can be one of the following 4 messages:
• initializing - No activity.
• connecting - The interface is attempting to connect to the PPPoE or PPPoA server.
• connected - The interface retrieves an IP address, netmask, and other settings from the PPPoE server. When the status is connected, PPPoE or PPPoA connection information is displayed.
• failed - The interface was unable to retrieve an IP address and other information from the PPPoE or PPPoA server.
Reconnect: Select to reconnect to the PPPoE or PPPoA server. This is only displayed if Status is connected.
User Name: The PPPoE or PPPoA account user name.
Password: The PPPoE or PPPoA account password.
Unnumbered IP: Specify the IP address for the interface. If your ISP has assigned you a block of IP addresses, use one of them. Otherwise, this IP address can be the same as the IP address of another interface or can be any IP address.
Initial Disc Timeout: Initial discovery timeout. The time to wait before starting to retry a PPPoE or PPPoA discovery. Set Initial Disc Timeout to 0 to disable.
Initial PADT timeout: Initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE or PPPoA session if it is idle for this number of seconds. PADT must be supported by your ISP. Set Initial PADT timeout to 0 to disable.
Distance: Enter the administrative distance for the default gateway retrieved from the PPPoE or PPPoA server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.
Retrieve default gateway from server: Enable Retrieve default gateway from server to retrieve a default gateway IP address from the PPPoE server. The default gateway is added to the static routing table.
Override internal DNS: Enable Override internal DNS to replace the DNS server IP addresses on the System DNS page with the DNS addresses retrieved from the PPPoE or PPPoA server.
Connect to server: Enable Connect to Server so that the interface automatically attempts to connect to a PPPoE or PPPoA server when you select OK or Apply. Disable this option if you are configuring the interface offline.
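The discovery timeout and PADT settings above refer to the PPPoE discovery stage of RFC 2516, which the guide does not describe. The following Python script is an added example, not FortiGate code, that builds and parses the discovery packets and walks a client and an access concentrator through the PADI, PADO, PADR and PADS exchange in memory, ending with the PADT that tears the session down. The packet layout and tag types are those of RFC 2516; the AC name, cookie and session ID values are made up for the example. The parser checks every length field, and the client only accepts a PADO or PADS that echoes its own Host-Uniq tag, which is how a client avoids adopting a session offered in reply to somebody else's PADI.

```python
import struct

# RFC 2516 discovery stage: version 1, type 1; packet codes; tag types.
PPPOE_VER_TYPE = 0x11
CODE_PADI, CODE_PADO, CODE_PADR, CODE_PADS, CODE_PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_END, TAG_SERVICE, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0000, 0x0101, 0x0102, 0x0103, 0x0104


def build(code, session_id, tags):
    """Encode a discovery packet body (what follows the Ethernet header, EtherType 0x8863)."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", PPPOE_VER_TYPE, code, session_id, len(payload)) + payload


def parse(data):
    """Decode a discovery packet into (code, session_id, [(tag_type, value), ...]).
    Every length is checked against the buffer, so a malformed packet raises
    ValueError instead of being read past its end."""
    if len(data) < 6:
        raise ValueError("truncated PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", data[:6])
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError("unsupported PPPoE version/type 0x%02x" % ver_type)
    if length > len(data) - 6:
        raise ValueError("PPPoE length field exceeds packet")
    body, tags, off = data[6:6 + length], [], 0
    while off + 4 <= len(body):
        tag_type, tag_len = struct.unpack("!HH", body[off:off + 4])
        if off + 4 + tag_len > len(body):
            raise ValueError("tag 0x%04x overruns payload" % tag_type)
        tags.append((tag_type, body[off + 4:off + 4 + tag_len]))
        off += 4 + tag_len
        if tag_type == TAG_END:
            break
    return code, session_id, tags


def tag(tags, tag_type):
    """First value of a tag type, or None if absent."""
    return next((v for t, v in tags if t == tag_type), None)


def echo(tags, *types):
    """Copy the listed tags (when present) into a reply, as RFC 2516 requires."""
    return [(t, tag(tags, t)) for t in types if tag(tags, t) is not None]


# --- client side (what a PPPoE-addressed interface does) ---
def client_padi(host_uniq, service=b""):
    """Broadcast: any service (empty Service-Name) plus a Host-Uniq to match replies."""
    return build(CODE_PADI, 0, [(TAG_SERVICE, service), (TAG_HOST_UNIQ, host_uniq)])


def client_padr(pado, host_uniq):
    code, sid, tags = parse(pado)
    if code != CODE_PADO or sid != 0 or tag(tags, TAG_HOST_UNIQ) != host_uniq:
        raise ValueError("PADO is not a reply to our PADI")
    return build(CODE_PADR, 0, echo(tags, TAG_SERVICE, TAG_HOST_UNIQ, TAG_AC_COOKIE))


def client_session(pads, host_uniq):
    code, sid, tags = parse(pads)
    if code != CODE_PADS or sid == 0 or tag(tags, TAG_HOST_UNIQ) != host_uniq:
        raise ValueError("PADS rejected")
    return sid


def padt(session_id):
    """PADT carries only the session ID; either side may send it to end the session."""
    return build(CODE_PADT, session_id, [])


# --- access concentrator side (the ISP) ---
def ac_pado(padi, ac_name, cookie):
    code, sid, tags = parse(padi)
    if code != CODE_PADI or sid != 0:
        raise ValueError("not a PADI")
    return build(CODE_PADO, 0, echo(tags, TAG_SERVICE, TAG_HOST_UNIQ)
                 + [(TAG_AC_NAME, ac_name), (TAG_AC_COOKIE, cookie)])


def ac_pads(padr, cookie, session_id):
    code, sid, tags = parse(padr)
    if code != CODE_PADR or tag(tags, TAG_AC_COOKIE) != cookie:
        raise ValueError("PADR without our AC-Cookie")   # lets the AC stay stateless until PADR
    return build(CODE_PADS, session_id, echo(tags, TAG_SERVICE, TAG_HOST_UNIQ))


def run_exchange(host_uniq=b"\xde\xad\xbe\xef", cookie=b"\x0b\xad\xf0\x0d", session_id=0x1234):
    """Full PADI -> PADO -> PADR -> PADS exchange in memory; returns the session ID."""
    padi = client_padi(host_uniq)
    pado = ac_pado(padi, b"example-ac", cookie)      # made-up AC name
    padr = client_padr(pado, host_uniq)
    pads = ac_pads(padr, cookie, session_id)
    return client_session(pads, host_uniq)


def rejects(fn, *args):
    """True if fn(*args) raises ValueError; used to show the validation paths."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sid = run_exchange()
    print("session 0x%04x established, PADT bytes: %s" % (sid, padt(sid).hex()))
```

The Initial Disc Timeout on the page is the wait before a PADI is re-sent when no PADO arrives; the Initial PADT timeout is how long a session may sit idle before the unit sends the PADT built by `padt()`.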
Configuring Dynamic DNS service for an interface
When the FortiGate unit has a static domain name and a dynamic public IP address, you can use a DDNS service to update Internet DNS servers when the IP address for the domain changes. Dynamic DNS is available only in NAT/Route mode.
1 Go to System > Network > Interface.
2 Select Create New or select the Edit icon of an existing interface.
3 Enable DDNS, just below the Addressing mode section, and configure the DDNS service using the information the service provider has given you.
Figure 32: DDNS service configuration

Server: Select a DDNS server to use. The client software for these services is built into the FortiGate firmware. The FortiGate unit can connect only to one of these services.
Domain: The fully qualified domain name of the DDNS service.
Username: The user name to use when connecting to the DDNS server.
Password: The password to use when connecting to the DDNS server.

If at any time your FortiGate unit cannot contact the DDNS server, it will retry three times at one minute intervals and then change to retrying at three minute intervals. This is to prevent flooding the DDNS server.

Configuring a virtual IPSec interface
You create a virtual IPSec interface by selecting IPSec Interface Mode in VPN > IPSec > Auto Key or VPN > IPSec > Manual Key when you create a VPN. You also select a physical or VLAN interface from the Local Interface list. The virtual IPSec interface is listed as a subinterface of that interface in System > Network > Interface. For more information, see
• “Overview of IPSec interface mode” on page 309
• “Auto Key” on page 310 or “Manual Key” on page 320
Go to System > Network > Interface and select Edit on an IPSec interface to:
• configure IP addresses for the local and remote endpoints of the IPSec interface so that you can run dynamic routing over the interface or use ping to test the tunnel
• enable administrative access through the IPSec interface
• enable logging on the interface
• enter a description for the interface
Figure 33: Virtual IPSec interface settings

Name: The name of the IPSec interface.
Virtual Domain: Select the VDOM of the IPSec interface.
IP / Remote IP: If you want to use dynamic routing with the tunnel or be able to ping the tunnel interface, enter IP addresses for the local and remote ends of the tunnel. These two addresses must not be used anywhere else in the network.
Administrative Access: Select the types of administrative access permitted on this interface.
HTTPS: Allow secure HTTPS connections to the web-based manager through this interface.
PING: Interface responds to pings. Use this setting to verify your installation and for testing.
HTTP: Allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
SSH: Allow SSH connections to the CLI through this interface.
SNMP: Allow a remote SNMP manager to request SNMP information by connecting to this interface. See “Configuring SNMP” on page 125.
TELNET: Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
Log: Select Log to record logs for any traffic to or from the interface. To record logs you must also enable traffic log for a logging location and set the logging severity level to Notification or lower. Go to Log&Report > Log Config to configure logging locations and types. For information about logging see “Log&Report” on page 427.
Description: Optionally, enter a description up to 63 characters long.

Additional configuration for interfaces

To control administrative access to an interface
For a VDOM running in NAT/Route mode, you can control administrative access to the interfaces in that VDOM. For more information on configuring administrative access in Transparent mode, see “VDOM operation mode and management access” on page 139.
You can allow remote administration of the FortiGate unit. However, allowing remote administration from the Internet could compromise the security of the FortiGate unit. You should avoid this unless it is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet:
• Use secure administrative user passwords.
• Change these passwords regularly.
• Enable secure administrative access to this interface using only HTTPS or SSH.
• Do not change the system idle timeout from the default value of 5 minutes (see “Settings” on page 152).
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 Select the Administrative Access methods for the interface.
4 Select OK to save the changes.
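Checking the Administrative Access boxes on every interface by hand does not scale, and the cleartext protocols tend to survive on interfaces nobody looks at. The following Python script is an added example, not part of this guide or of FortiOS. It reads a `config system interface` block in the FortiOS CLI export format (the `set ip` and `set allowaccess` keywords are the CLI form of the fields above; the excerpt itself is constructed, not taken from a device), flags HTTP and Telnet everywhere and anything other than HTTPS and SSH on an Internet-facing interface, and prints the CLI lines that would apply the guide's recommendation. "Internet-facing" here means the interface address is outside RFC 1918, loopback and link-local space, which is an assumption of the example rather than anything the unit itself knows.

```python
import ipaddress

# Constructed FortiOS-style excerpt for the example; not output from a real unit.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.248
        set allowaccess ping https ssh http telnet
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh snmp
    next
    edit "dmz"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess http
    next
end
"""

SECURE = {"https", "ssh"}
CLEARTEXT = {"http": "web-based manager over cleartext HTTP",
             "telnet": "CLI over cleartext Telnet"}
# RFC 1918, loopback and link-local; deliberately not ipaddress.is_private,
# which also treats the documentation ranges used above as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_interfaces(config_text):
    """Return {name: {"ip": IPv4Interface or None, "allowaccess": set}} from a config dump."""
    interfaces, current, inside = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            inside = True
        elif inside and line == "end":
            inside = False
        elif inside and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            interfaces[current] = {"ip": None, "allowaccess": set()}
        elif inside and current and line.startswith("set ip "):
            addr, mask = line.split()[2:4]
            interfaces[current]["ip"] = ipaddress.ip_interface("%s/%s" % (addr, mask))
        elif inside and current and line.startswith("set allowaccess "):
            interfaces[current]["allowaccess"] = set(line.split()[2:])
        elif inside and line == "next":
            current = None
    return interfaces


def is_internet_facing(ip):
    """True unless the interface address is in one of the internal ranges (or unset)."""
    return ip is not None and not any(ip.ip in net for net in INTERNAL_NETS)


def audit(interfaces):
    """(severity, interface, protocol, reason) for every setting the guide warns about."""
    findings = []
    for name, info in interfaces.items():
        exposed = is_internet_facing(info["ip"])
        for proto in sorted(info["allowaccess"]):
            if proto in CLEARTEXT:
                findings.append(("high" if exposed else "medium", name, proto, CLEARTEXT[proto]))
            elif exposed and proto not in SECURE:
                findings.append(("low", name, proto, "only HTTPS and SSH should face the Internet"))
    return findings


def remediation(interfaces):
    """Protocols to keep per interface (Internet-facing: HTTPS/SSH only; internal: drop
    the cleartext ones) and the CLI block that would apply them."""
    fixed, lines = {}, ["config system interface"]
    for name, info in interfaces.items():
        if is_internet_facing(info["ip"]):
            keep = info["allowaccess"] & SECURE
        else:
            keep = info["allowaccess"] - set(CLEARTEXT)
        fixed[name] = sorted(keep)
        setting = "set allowaccess %s" % " ".join(fixed[name]) if keep else "unset allowaccess"
        lines += ['    edit "%s"' % name, "        " + setting, "    next"]
    lines.append("end")
    return fixed, "\n".join(lines)


if __name__ == "__main__":
    ifs = parse_interfaces(SAMPLE_CONFIG)
    for severity, name, proto, reason in audit(ifs):
        print("%-6s %-9s %-7s %s" % (severity, name, proto, reason))
    print(remediation(ifs)[1])
```

Run against a real export, the same script gives you a diff you can review before pasting the remediation block into the CLI; keep PING where you rely on it for dead gateway detection or troubleshooting, since the script treats it as a low finding only on Internet-facing interfaces.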

To configure traffic logging for connections to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 Select the Log check box to record log messages whenever a firewall policy accepts a connection to this interface.
4 Select OK to save the changes.

To change the MTU size of the packets leaving an interface
To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits. Ideally, the MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets. If the packets that the FortiGate unit sends are larger, they are broken up or fragmented, which slows down transmission. Experiment by lowering the MTU to find an MTU size for best network performance.
1 Go to System > Network > Interface.
2 Choose a physical interface and select Edit.
3 Select Override default MTU value (1500).
4 Set the MTU size.
5 Select OK to save the changes.
Note: If you change the MTU, you need to reboot the FortiGate unit to update the MTU value of VLAN subinterfaces on that interface.

Zone
You can use zones to group related interfaces and VLAN subinterfaces. Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation. If you group interfaces and VLAN subinterfaces into a zone, you can configure policies for connections to and from this zone, but not between interfaces in the zone. Traffic between members of the same zone is therefore not controlled by firewall policies; enable Block intra-zone traffic for the zone if members must not reach each other. Zones are added to virtual domains. If you have added multiple virtual domains to your FortiGate configuration, make sure you are configuring the correct virtual domain before adding or editing zones. When you add a zone, you select the names of the interfaces and VLAN subinterfaces to add to the zone. You can add zones, rename and edit zones, and delete zones from the zone list.
Note: The FortiGate model 224B does not support zones in this release.
Figure 34: Zone list

Create New: Select Create New to create a new zone.
Name: The names of the zones that you have added.
Block intra-zone traffic: Displays Yes if traffic between interfaces in the same zone is blocked and No if traffic between interfaces in the same zone is not blocked.
Interface Members: The names of the interfaces added to the zone.
Edit/View icons: Edit or view a zone.
Delete icon: Delete a zone.

Zone settings
Go to System > Network > Zone to configure zones. Select Create New or select the Edit icon for a zone to modify that zone.
Figure 35: Zone options
Name: Enter the name to identify the zone.
Block intra-zone traffic: Select Block intra-zone traffic to block traffic between interfaces or VLAN subinterfaces in the same zone.
Interface members: Select the interfaces that are part of this zone. This list includes configured VLANs. Interface names depend on the FortiGate model.

Options
Network options include DNS server and dead gateway detection settings. These options are set on the Configuring Network Options screen.

DNS Servers
Several FortiGate functions use DNS, including alert email and URL blocking. You can specify the IP addresses of the DNS servers to which your FortiGate unit connects. DNS server IP addresses are usually supplied by your ISP.
You can configure FortiGate models numbered 100 and lower to obtain DNS server addresses automatically. To obtain these addresses automatically, at least one FortiGate unit interface must use the DHCP or PPPoE addressing mode. See “Configuring DHCP on an interface” on page 77 or “Configuring an interface for PPPoE or PPPoA” on page 79.
FortiGate models 100 and lower can provide DNS Forwarding on their interfaces. Hosts on the attached network use the interface IP address as their DNS server. DNS requests sent to the interface are forwarded to the DNS server addresses that you configured or that the FortiGate unit obtained automatically.

Dead gateway detection
Dead gateway detection periodically pings a ping server to confirm network connectivity. Typically, the ping server is the next-hop router that leads to an external network or the Internet. To apply dead gateway detection to an interface, you must configure a ping server on it. The ping period (Detection Interval) and the number of failed pings that is considered to indicate a loss of connectivity (Fail-over Detection) are set in System > Network > Options.

To add a ping server to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 Set Ping Server to the IP address of the next hop router on the network connected to the interface.
4 Select the Enable check box.
5 Select OK to save the changes.

Configuring Network Options
Go to System > Network > Options to configure DNS servers and Dead Gateway Detection settings.
Figure 36: Networking Options - FortiGate models 200 and higher

Figure 37: Networking Options - models numbered 100 and lower

Obtain DNS server address automatically: This option applies only to FortiGate models 100 and lower. Available only in NAT/Route mode. When DHCP is used on an interface, also obtain the DNS server IP address. You should also enable Override internal DNS in the DHCP settings of the interface. See “Configuring DHCP on an interface” on page 77.
Use the following DNS server addresses: This option applies only to FortiGate models 100 and lower. Use the specified Primary and Secondary DNS server addresses.
Primary DNS Server: Enter the primary DNS server IP address.
Secondary DNS Server: Enter the secondary DNS server IP address.
Local Domain Name: Enter the domain name to append to addresses with no domain portion when performing DNS lookups.
Enable DNS forwarding from: This option applies only to FortiGate models 100 and lower operating in NAT/Route mode. Select the interfaces that forward DNS requests they receive to the DNS servers that you configured. Enable forwarding only on interfaces that face your internal networks; a forwarder reachable from the Internet answers queries for anyone who can send to it.
Dead Gateway Detection: Dead gateway detection confirms connectivity using a ping server added to an interface configuration. For information about adding a ping server to an interface, see “Dead gateway detection” on page 85.
Detection Interval: Enter a number in seconds to specify how often the FortiGate unit pings the target.
Fail-over Detection: Enter the number of times that the ping test fails before the FortiGate unit assumes that the gateway is no longer functioning.

Routing table (Transparent Mode)
In Transparent mode, go to System > Network > Routing Table to add static routes from the FortiGate unit to local routers. For an Internet connection, the next hop routing gateway routes traffic to the Internet.
Figure 38: Routing table
Create New: Add a new route.
#: Route number.
IP: The destination IP address for this route.
Mask: The netmask for this route.
Gateway: The IP address of the next hop router to which this route directs traffic.
Distance: The relative preferability of this route. 1 is most preferred.
Delete icon: Remove a route.
View/edit icon: Edit or view a route.
Move To icon: Change the position of a route in the list.

Transparent mode route settings
Go to System > Network > Routing Table and select Create New to add a route. You can also select the Edit icon of an existing route to modify it.
Figure 39: Transparent mode route options
Destination IP/Mask: Enter the destination IP address and netmask for this route. To create a default route, set the Destination IP and Mask to 0.0.0.0.
Gateway: Enter the IP address of the next hop router to which this route directs traffic.
Distance: The relative preferability of this route. 1 is most preferred.

Configuring the modem interface
On FortiGate models with modem support, you can use the modem as either a backup interface or a standalone interface in NAT/Route mode.
• In redundant (backup) mode, the modem interface automatically takes over from a selected ethernet interface when that ethernet interface is unavailable.
• In standalone mode, the modem interface is the connection from the FortiGate unit to the Internet.
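Distance appears on the routing table above and as the administrative distance for DHCP and PPPoE default gateways, and it is easy to misread as an overall priority. The following Python class is an added example, not FortiGate code, of the selection rule that static routing follows: the most specific (longest prefix) matching route wins, and distance only decides between routes to the same destination prefix. The destination, mask and gateway values are made up for the example; the mask is accepted in the dotted form the Routing Table page uses.

```python
import ipaddress


class StaticRoutes:
    """Static routes as on the Routing Table page: destination, mask, gateway, distance."""

    def __init__(self):
        self.routes = []   # (network, gateway, distance)

    def add(self, destination, mask, gateway, distance=1):
        if not 1 <= distance <= 255:
            raise ValueError("distance must be an integer from 1 to 255")
        # Dotted mask as typed on the page; 0.0.0.0/0.0.0.0 becomes the default route.
        network = ipaddress.ip_network("%s/%s" % (destination, mask), strict=False)
        self.routes.append((network, ipaddress.ip_address(gateway), distance))

    def lookup(self, destination):
        """Gateway used for `destination`, or None if no route matches.
        Longest prefix first; administrative distance only breaks ties between
        routes with the same prefix length."""
        addr = ipaddress.ip_address(destination)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        _, gateway, _ = min(matches, key=lambda r: (-r[0].prefixlen, r[2]))
        return str(gateway)


if __name__ == "__main__":
    table = StaticRoutes()
    table.add("0.0.0.0", "0.0.0.0", "192.168.1.1", 1)          # preferred default route
    table.add("0.0.0.0", "0.0.0.0", "192.168.1.2", 5)          # backup default route
    table.add("10.0.0.0", "255.0.0.0", "192.168.1.254", 20)    # specific route, worse distance
    for dst in ("8.8.8.8", "10.1.2.3"):
        print(dst, "->", table.lookup(dst))
```

The 10.1.2.3 lookup goes to 192.168.1.254 even though that route has distance 20 and the default route has distance 1; lowering a default gateway's distance never overrides a more specific static route.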

When connecting to the ISP, in either configuration, the FortiGate unit modem can automatically dial up to three dialup accounts until the modem connects to an ISP. See “Configuring modem settings”.
FortiGate models 50AM and 60M have a built-in modem. For these models, you can configure modem operation in the web-based manager. Models 50A and 60 can connect to an external modem through a USB-to-serial converter. For these models, you must configure modem operation using the CLI. See the system modem command in the FortiGate CLI Reference. You can configure and use the modem in NAT/Route mode only.
Note: The modem interface is not the AUX port, which is used for a remote console connection and has no associated interface. The AUX port is only available on FortiGate models 1000A, 1000AFA2, and 3000A. For more information, see the config system aux command in the FortiGate CLI Reference.

Configuring modem settings
Configure modem settings so that the FortiGate unit uses the modem to connect to your ISP dialup accounts. You can configure up to three dialup accounts, select standalone or redundant operation, and configure how the modem dials and disconnects.
Figure 40: Modem settings (Standalone)

Figure 41: Modem settings (Redundant)

Enable Modem: Select to enable the FortiGate modem.
Modem status: The modem status shows one of: “not active”, “connecting”, “connected”, “disconnecting” or “hung up” (Standalone mode only).
Dial Now/Hang Up: (Standalone mode only) Select Dial Now to manually connect to a dialup account. If the modem is connected, you can select Hang Up to manually disconnect the modem.
Mode: Select Standalone or Redundant mode. In Standalone mode, the modem is an independent interface. In Redundant mode, the modem is a backup facility for a selected Ethernet interface.
Auto-dial: (Standalone mode only) Select to dial the modem automatically if the connection is lost or the FortiGate unit is restarted. You cannot select Auto-dial if Dial on demand is selected.
Redundant for: (Redundant mode only) Select the ethernet interface for which the modem provides backup service.
Dial on demand: (Standalone mode only) Select to dial the modem when packets are routed to the modem interface. The modem disconnects after the idle timeout period. You cannot select Dial on demand if Auto-dial is selected.
Idle timeout: (Standalone mode only) Enter the timeout duration in minutes. After this period of inactivity, the modem disconnects.
Holddown Timer: (Redundant mode only) Enter the time (1-60 seconds) that the FortiGate unit waits before switching from the modem interface back to the primary interface after the primary interface has been restored. The default is 1 second. Configure a higher value if you find the FortiGate unit switching repeatedly between the primary interface and the modem interface.
Redial Limit: The maximum number of times (1-10) that the FortiGate unit modem attempts to reconnect to the ISP if the connection fails. Select None to have no limit on redial attempts. The default redial limit is 1.
Dialup Account: Configure up to three dialup accounts. The FortiGate unit tries connecting to each account in order until a connection can be established.

Phone Number: The phone number required to connect to the dialup account. Do not add spaces to the phone number. Make sure to include standard special characters for pauses, country codes, and other functions as required by your modem to connect to your dialup account.
User Name: The user name (maximum 63 characters) sent to the ISP.
Password: The password sent to the ISP.

To configure the modem in Redundant mode, see “Redundant mode configuration” on page 90. To configure the modem in Standalone mode, see “Standalone mode configuration” on page 91.

Redundant mode configuration
The modem interface in redundant mode backs up a selected ethernet interface. If that ethernet interface disconnects from its network, the modem automatically dials the configured dialup accounts. When the modem connects to a dialup account, the FortiGate unit routes IP packets normally destined for the selected ethernet interface to the modem interface. The FortiGate unit disconnects the modem interface and switches back to the ethernet interface when the ethernet interface can again connect to its network.
For the FortiGate unit to be able to switch from an ethernet interface to the modem, you must select the name of the interface in the modem configuration and configure a ping server for that interface. You must also configure firewall policies for connections between the modem interface and other FortiGate interfaces.
Note: Do not add policies for connections between the modem interface and the interface that the modem is backing up.

To configure redundant mode
1 Go to System > Network > Modem.
2 Select Redundant mode.
3 Enter the following information:
Mode: Redundant
Redundant for: From the list, select the interface to back up.
Holddown timer: Enter the number of seconds to continue using the modem after the interface is restored.
Redial Limit: Enter the maximum number of times to retry if the ISP does not answer.
Dialup Account 1, 2, 3: Enter the ISP phone number, user name and password for up to three dialup accounts.
4 Select Apply.
5 Configure a ping server for the ethernet interface the modem backs up. See “To add a ping server to an interface” on page 85.
6 Configure firewall policies for connections to the modem interface. See “Adding firewall policies for modem connections” on page 91.
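Redundant mode ties three settings together: the ping server's Detection Interval and Fail-over Detection count (from the dead gateway detection section) decide when the ethernet interface is declared down, and the Holddown Timer decides how long the restored interface must stay up before traffic moves back. The following Python model is an added example, not FortiGate code, and the way it combines the three values is an assumption about their interaction (the firmware's exact algorithm is not described on this page). It feeds a constructed sequence of ping results through that logic and counts how often the active link changes, which is the flapping the Holddown Timer description tells you to cure by raising the value.

```python
class FailoverMonitor:
    """Model of dead gateway detection driving the modem's Redundant mode.

    detection_interval: seconds between pings (Detection Interval)
    failover_detection: consecutive failed pings that mark the gateway dead (Fail-over Detection)
    holddown_timer:     seconds the primary must keep answering before traffic moves back
    """

    def __init__(self, detection_interval=5, failover_detection=5, holddown_timer=1):
        if not 1 <= holddown_timer <= 60:
            raise ValueError("Holddown Timer is 1-60 seconds")
        self.detection_interval = detection_interval
        self.failover_detection = failover_detection
        self.holddown_timer = holddown_timer
        self.failures = 0              # consecutive failed pings
        self.on_modem = False          # True while the modem carries traffic
        self.primary_up_since = None   # time the primary first answered again while on modem

    def observe(self, now, ping_ok):
        """Feed one ping result taken at time `now`; return the link carrying traffic."""
        if ping_ok:
            self.failures = 0
            if self.on_modem:
                if self.primary_up_since is None:
                    self.primary_up_since = now
                elif now - self.primary_up_since >= self.holddown_timer:
                    self.on_modem = False          # holddown satisfied: switch back
                    self.primary_up_since = None
        else:
            self.failures += 1
            self.primary_up_since = None           # any failure restarts the holddown
            if not self.on_modem and self.failures >= self.failover_detection:
                self.on_modem = True               # gateway declared dead: dial the modem
        return "modem" if self.on_modem else "primary"


def simulate(ping_results, **settings):
    """Run a list of ping results (True = reply received), one per Detection Interval,
    and return the link used after each ping."""
    monitor = FailoverMonitor(**settings)
    return [monitor.observe(i * monitor.detection_interval, ok)
            for i, ok in enumerate(ping_results)]


def switch_count(trace):
    """Number of times the active link changed during a simulation."""
    return sum(1 for a, b in zip(trace, trace[1:]) if a != b)


# Constructed scenario: the primary gateway flaps, answering two pings between outages.
FLAPPING_GATEWAY = ([False] * 5 + [True] * 2) * 3

if __name__ == "__main__":
    for holddown in (1, 60):
        trace = simulate(FLAPPING_GATEWAY, detection_interval=5,
                         failover_detection=5, holddown_timer=holddown)
        print("holddown %2ds: %d link switches, final link %s"
              % (holddown, switch_count(trace), trace[-1]))
```

With the default 1-second holddown the flapping gateway drags traffic back and forth six times in under two minutes, each switch dropping the sessions on the abandoned link; a 60-second holddown keeps the modem up until the primary has been stable for a full minute.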

Standalone mode configuration
In standalone mode, the modem connects to a dialup account to provide a connection to the Internet. You can configure the modem to dial when the FortiGate unit restarts or when there are unrouted packets. You can also hang up or redial the modem manually. If the connection to the dialup account fails, the FortiGate unit redials the modem. The modem redials the number of times specified by the redial limit, or until it connects to a dialup account. You must configure firewall policies for connections between the modem interface and other FortiGate interfaces.

To operate in standalone mode
1 Go to System > Network > Modem.
2 Enter the following information:
Mode: Standalone
Auto-dial: Select if you want the modem to dial when the FortiGate unit restarts.
Dial on demand: Select if you want the modem to connect to its ISP whenever there are unrouted packets.
Idle timeout: Enter the timeout duration in minutes. After this period of inactivity, the modem disconnects.
Redial Limit: Enter the maximum number of times to retry if the ISP does not answer.
Dialup Account 1, 2, 3: Enter the ISP phone number, user name and password for up to three dialup accounts.
3 Select Apply.
4 Configure firewall policies for connections to the modem interface. See “Adding firewall policies for modem connections” on page 91.

Adding firewall policies for modem connections
The modem interface requires firewall addresses and policies. You can add one or more addresses to the modem interface. For information about adding addresses, see “To add an IP address, IP range, or FQDN” on page 261. When you add addresses, the modem interface appears on the policy grid. You can configure firewall policies to control the flow of packets between the modem interface and the other interfaces on the FortiGate unit. For information about adding firewall policies, see “Adding a firewall policy” on page 239.

Connecting and disconnecting the modem
The modem must be in Standalone mode.

To connect to a dialup account
1 Go to System > Network > Modem.
2 Select Enable USB Modem.
3 Make sure there is correct information in one or more Dialup Accounts.

see the FortiGate VLANs and VDOMs Guide. Modem status is one of the following: not active connecting connected disconnecting hung up The modem is not connected to the ISP. VLAN tags are 4-byte frame extensions that contain a VLAN identifier as well as other information. A VLAN segregates devices logically instead of physically. A VLAN segregates devices by adding 802.0 MR3 Administration Guide 01-30003-0203-20061124 . Select Hang Up if you want to disconnect from the dialup account. go to System > Network > Modem. (Standalone mode only) The modem will not redial unless you select Dial Now. A green check mark indicates the active dialup account. The modem is connected to the ISP. The modem has disconnected from the ISP. The FortiGate unit initiates dialing into each dialup account in turn until the modem connects to an ISP. and other network devices that communicate as if they were on the same LAN segment. servers. Each VLAN is treated as a broadcast domain. Checking modem status You can determine the connection status of your modem and which dialup account is active. The IP address and netmask assigned to the modem interface appears on the System Network Interface page of the web-based manager. Select Dial Now. 1 2 Go to System > Network > Modem. If the modem is connected to the ISP. The modem is attempting to connect to the ISP. To check the modem status. but still belong to the same VLAN. Devices in VLAN 1 can connect with other devices in VLAN 1. For more information on VLANs. The communication among devices on a VLAN is independent of the physical network. VLAN overview A VLAN is group of PCs. For example. independent of where they are located.VLAN overview System Network 4 5 Select Apply if you make any configuration changes.1Q VLAN tags to all of the packets sent and received by the devices in the VLAN. 92 FortiGate Version 3. 
the workstations and servers for an accounting department could be scattered throughout an office or city and connected to numerous network segments. you can see the IP address and netmask. but cannot connect with devices in other VLANs. The modem is disconnecting from the ISP. To disconnect the modem Use the following procedure to disconnect the modem from a dialup account.

Packets passing between devices in the same VLAN can be handled by layer-2 switches. Packets passing between devices in different VLANs must be handled by a layer-3 device such as a router, layer-3 switch, or firewall.

Figure 42: Basic VLAN topology (Internet; router receiving untagged packets; VLAN switch carrying VLAN 1 and VLAN 2; VLAN 1 network and VLAN 2 network)

FortiGate units and VLANs

In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3 routers or firewalls add VLAN tags to packets. Traffic from each security domain is given a different VLAN ID. The FortiGate unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between security domains. The FortiGate unit can also apply authentication, protection profiles, and other firewall policy features for network and VPN traffic that is allowed to pass between security domains.

FortiGate units support VLANs for constructing VLAN trunks between an IEEE 802.1Q-compliant switch (or router) and the FortiGate units. Using VLANs, a single FortiGate unit can provide security services and control connections between multiple security domains. The FortiGate unit can also remove VLAN tags from incoming VLAN packets and forward untagged packets to other networks, such as the Internet.

VLANs in NAT/Route mode

Operating in NAT/Route mode, the FortiGate unit functions as a layer-3 device to control the flow of packets between VLANs. Normally the FortiGate unit internal interface connects to a VLAN trunk on an internal switch, and the external interface connects to an upstream Internet router untagged. The FortiGate unit can then apply different policies for traffic on each VLAN that connects to the internal interface.

In NAT/Route mode, you add VLAN subinterfaces to the FortiGate internal interface that have VLAN IDs that match the VLAN IDs of packets in the VLAN trunk. The FortiGate unit directs packets with VLAN IDs to subinterfaces with matching VLAN IDs. You can also define VLAN subinterfaces on all FortiGate interfaces. The FortiGate unit can add VLAN tags to packets leaving a VLAN subinterface, or remove VLAN tags from incoming packets and add different VLAN tags to outgoing packets.

Figure 43 shows a simplified NAT/Route mode VLAN configuration. In this example, the FortiGate internal interface connects to a VLAN switch using an 802.1Q trunk and is configured with two VLAN subinterfaces (VLAN 100 and VLAN 200). The external interface connects to the Internet. The external interface is not configured with VLAN subinterfaces. When the VLAN switch receives packets from VLAN 100 and VLAN 200, it applies VLAN tags and forwards the packets to local ports and across the trunk to the FortiGate unit. The FortiGate unit is configured with policies that allow traffic to flow between the VLANs and from the VLANs to the external network.

Rules for VLAN IDs

In NAT/Route mode, two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN IDs to different physical interfaces. There is no internal connection or link between two VLAN subinterfaces with the same VLAN ID. Their relationship is the same as the relationship between any two FortiGate network interfaces.

Rules for VLAN IP addresses

IP addresses of all FortiGate interfaces cannot overlap. That is, the IP addresses of all interfaces must be on different subnets. This rule applies to both physical interfaces and to VLAN subinterfaces.

Note: If you are unable to change your existing configurations to prevent IP overlap, enter the CLI command config system global and set allow-interface-subnet-overlap enable to allow IP address overlap. If you enter this command, multiple VLAN interfaces can have an IP address that is part of a subnet used by another interface. This command is recommended for advanced users only.
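The two rules above (no duplicate VLAN ID on one physical interface, no overlapping interface subnets) are easy to get wrong when a configuration grows by hand. The following Python is an added example, not part of the FortiGate guide or of FortiOS, that checks both rules against a plain dict/list model of the interface table. The physical interface addresses and the VLAN 100/200 networks are taken from Figure 43; the VLAN subinterface host addresses, the "vlan300" counter-example and the subinterface names are assumptions made for this illustration.

```python
"""Added example, not part of the FortiGate guide: pre-flight checks for the
interface-subnet-overlap rule and the duplicate-VLAN-ID rule. Addresses of
the physical interfaces and the VLAN networks follow Figure 43; host parts
of the VLAN subinterfaces and the vlan300 counter-example are assumed."""
import ipaddress
from itertools import combinations

# Constructed configuration: interface name -> "address/prefix" or "address netmask".
SAMPLE_OK = {
    "internal": "192.168.110.126/24",       # physical, from Figure 43
    "external": "172.16.21.2/24",           # physical, from Figure 43
    "vlan100": "10.1.1.1/24",               # VLAN 100 network 10.1.1.0 (host part assumed)
    "vlan200": "10.1.2.1 255.255.255.0",    # VLAN 200 network 10.1.2.0 (host part assumed)
}
# Same configuration plus a subinterface whose subnet is carved out of VLAN 100's.
SAMPLE_BAD = dict(SAMPLE_OK, vlan300="10.1.1.129/25")

# Constructed VLAN subinterface table: (name, physical interface, VLAN ID).
SAMPLE_VLANS = [
    ("vlan100", "internal", 100),
    ("vlan200", "internal", 200),
    ("vlan100_ext", "external", 100),   # same ID on a different physical port: allowed
    ("vlan100_dup", "internal", 100),   # same ID on the same physical port: rejected
]


def parse_interfaces(config):
    """Map each interface name to (host address, network)."""
    parsed = {}
    for name, addr in config.items():
        # ip_interface accepts both "a.b.c.d/24" and "a.b.c.d/255.255.255.0"
        iface = ipaddress.ip_interface(addr.replace(" ", "/"))
        parsed[name] = (iface.ip, iface.network)
    return parsed


def overlapping_pairs(config):
    """Return sorted (name, name) pairs whose subnets overlap; an empty list
    means the 'all interfaces on different subnets' rule holds."""
    nets = parse_interfaces(config)
    return [(a, b)
            for (a, (_, na)), (b, (_, nb)) in combinations(sorted(nets.items()), 2)
            if na.overlaps(nb)]


def duplicate_vlan_ids(subinterfaces):
    """Return names of subinterfaces that reuse a VLAN ID already present on
    the same physical interface. IDs outside 1..4094, the usable 802.1Q
    range (0 and 4095 are reserved), are rejected outright."""
    seen = {}
    dupes = []
    for name, phys, vid in subinterfaces:
        if not 1 <= vid <= 4094:
            raise ValueError(f"{name}: VLAN ID {vid} is outside 1..4094")
        if (phys, vid) in seen:
            dupes.append(name)
        else:
            seen[(phys, vid)] = name
    return dupes


if __name__ == "__main__":
    print("overlaps (ok config):", overlapping_pairs(SAMPLE_OK))
    print("overlaps (bad config):", overlapping_pairs(SAMPLE_BAD))
    print("duplicate VLAN IDs:", duplicate_vlan_ids(SAMPLE_VLANS))
```

Run it on a dump of your own interface table before enabling allow-interface-subnet-overlap: if overlapping_pairs() is empty you do not need the override at all.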

Figure 43: FortiGate unit in NAT/Route mode (Internet; untagged packets to External 172.16.21.2; FortiGate unit; Internal 192.168.110.126 on an 802.1Q trunk to the VLAN switch, switch ports Fa 0/24, Fa 0/9 and Fa 0/3; VLAN 100 Network 10.1.1.0 and VLAN 200 Network 10.1.2.0)

Adding VLAN subinterfaces

The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router. The VLAN ID is a 12-bit value; 802.1Q reserves 0 and 4095, so the usable range is 1 to 4094. Each VLAN subinterface must also be configured with its own IP address and netmask. You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.

Note: A VLAN must not have the same name as a virtual domain or zone.

To add a VLAN subinterface in NAT/Route mode
1 Go to System > Network > Interface.
2 Select Create New to add a VLAN subinterface.
3 Enter a Name to identify the VLAN subinterface.
4 Select the physical interface that receives the VLAN packets intended for this VLAN subinterface.
5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
6 If you are the super admin, select the virtual domain to add this VLAN subinterface to. Otherwise, you can only create VLAN subinterfaces in your own VDOM. See "Using virtual domains" on page 43 for information about virtual domains.
7 Configure the VLAN subinterface settings as you would for any FortiGate interface. See "Interface settings" on page 69.
8 Select OK to save your changes.
The FortiGate unit adds the new VLAN subinterface to the interface that you selected in step 4.

To add firewall policies for VLAN subinterfaces
Once you have added VLAN subinterfaces you can add firewall policies for connections between VLAN subinterfaces or from a VLAN subinterface to a physical interface.
1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets. See "About firewall addresses" on page 259.
3 Go to Firewall > Policy.
4 Create or add firewall policies as required.

VLANs in Transparent mode

In Transparent mode, the FortiGate unit can apply firewall policies and services, such as authentication, protection profiles, and other firewall features, to traffic on an IEEE 802.1Q VLAN trunk. You can insert the FortiGate unit operating in Transparent mode into the trunk without making changes to your network. If the network uses IEEE 802.1Q VLAN tags to segment your network traffic, you can configure a FortiGate unit operating in Transparent mode to provide security for network traffic passing between different VLANs.

To support VLAN traffic in Transparent mode, you add virtual domains to the FortiGate unit configuration. A virtual domain consists of two or more VLAN subinterfaces or zones. In a virtual domain, a zone can contain one or more VLAN subinterfaces.

In a typical configuration, the FortiGate internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal VLANs. The FortiGate external interface forwards tagged packets through the trunk to an external VLAN switch or router which could be connected to the Internet. The FortiGate unit can be configured to apply different policies for traffic on each VLAN in the trunk.

For VLAN traffic to be able to pass between the FortiGate internal and external interface you would add a VLAN subinterface to the internal interface and another VLAN subinterface to the external interface. If these VLAN subinterfaces have the same VLAN IDs, the FortiGate unit applies firewall policies to the traffic on this VLAN. If these VLAN subinterfaces have different VLAN IDs, or if you add more than two VLAN subinterfaces, you can also use firewall policies to control connections between VLANs.

When the FortiGate unit receives a VLAN tagged packet at an interface, the packet is directed to the VLAN subinterface with the matching VLAN ID. The VLAN subinterface removes the VLAN tag and assigns a destination interface to the packet based on its destination MAC address. The firewall policies for this source and destination VLAN subinterface pair are applied to the packet. If the packet is accepted by the firewall, the FortiGate unit forwards the packet to the destination VLAN subinterface. The destination VLAN ID is added to the packet by the FortiGate unit and the packet is sent to the VLAN trunk.

Note: There is a maximum of 255 interfaces total allowed per VDOM in Transparent mode. This includes VLANs. If no other interfaces are configured for a VDOM, you can configure up to 255 VLANs in that VDOM.

Figure 44: FortiGate unit with two virtual domains in Transparent mode (root virtual domain and a new virtual domain, each containing VLAN subinterfaces on the Internal and External interfaces; VLAN trunks carrying VLAN1, VLAN2 and VLAN3 to VLAN switches or routers on both sides; the external side leads to the Internet)

Figure 45 shows a FortiGate unit operating in Transparent mode and configured with three VLAN subinterfaces. In this configuration the FortiGate unit could be added to this network to provide virus scanning, web content filtering, and other services to each VLAN.

Figure 45: FortiGate unit in Transparent mode (Internet; router receiving untagged packets; VLAN switch; VLAN trunk carrying VLAN 1, VLAN 2 and VLAN 3 through the FortiGate unit in Transparent mode; VLAN trunk to a second VLAN switch serving the VLAN 1, VLAN 2 and VLAN 3 networks)

Rules for VLAN IDs

In Transparent mode, two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN IDs to different physical interfaces. There is no internal connection or link between two VLAN subinterfaces with the same VLAN ID. Their relationship is the same as the relationship between any two FortiGate network interfaces.

Note: There is a maximum of 255 VLANs allowed per interface in Transparent mode.

Transparent mode virtual domains and VLANs

VLAN subinterfaces are added to and associated with virtual domains. By default the FortiGate configuration includes one virtual domain, named root, and you can add as many VLAN subinterfaces as you require to this virtual domain. You can add more virtual domains if you want to separate groups of VLAN subinterfaces into virtual domains. For information on adding and configuring virtual domains, see "Using virtual domains" on page 43.

To add a VLAN subinterface in Transparent mode

The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch. The VLAN ID is a 12-bit value; 802.1Q reserves 0 and 4095, so the usable range is 1 to 4094. You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.

Note: A VLAN must not have the same name as a virtual domain or zone.

1 Go to System > Network > Interface.
2 Select Create New to add a VLAN subinterface.
3 Enter a Name to identify the VLAN subinterface.
4 Select the physical interface that receives the VLAN packets intended for this VLAN subinterface.
5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
6 Select which virtual domain to add this VLAN subinterface to. See "Using virtual domains" on page 43 for information about virtual domains.
7 Configure the administrative access and log settings as you would for any FortiGate interface. See "Interface settings" on page 69 for more descriptions of these settings.
8 Select Bring up to start the VLAN subinterface.
9 Select OK to save your changes.
The FortiGate unit adds the new subinterface to the interface that you selected.

To add firewall policies for VLAN subinterfaces
Once you have added VLAN subinterfaces you can add firewall policies for connections between VLAN subinterfaces or from a VLAN subinterface to a physical interface.
1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets. See "About firewall addresses" on page 259.
3 Go to Firewall > Policy.
4 Add firewall policies as required.

Figure 46: FortiGate unit with two virtual domains in Transparent mode (same topology as Figure 44)

Figure 47 shows a FortiGate unit operating in Transparent mode and configured with three VLAN subinterfaces. In this configuration the FortiGate unit could be added to this network to provide virus scanning, web content filtering, and other services to each VLAN.

Figure 47: FortiGate unit in Transparent mode (same topology as Figure 45)

Troubleshooting ARP Issues
Address Resolution Protocol (ARP) traffic is vital to communication on a network and is enabled on FortiGate interfaces by default. Normally you want ARP packets to pass through the FortiGate unit, especially if it is sitting between a client and a server or between a client and a router.

Duplicate ARP packets
ARP traffic can cause problems, especially in Transparent mode, where ARP packets arriving on one interface are sent to all other interfaces, including VLAN subinterfaces. Some Layer 2 switches become unstable when they detect the same MAC address originating on more than one switch interface or from more than one VLAN. This instability can occur if the Layer 2 switch does not maintain separate MAC address tables for each VLAN, so the FortiGate forwarding the same client MAC into several VLANs looks to the switch like a MAC that keeps moving. Unstable switches may reset, causing network traffic to slow down.

ARP Forwarding
One solution to this problem is to enable ARP forwarding. It can be enabled in the GUI or CLI. In the GUI, go to System > Config > Operation and select ARP Forwarding. For details on the CLI, see the FortiGate CLI Reference. When enabled, the FortiGate unit forwards duplicate ARP packets, resolving the delivery problems described above. However, forwarding ARP unfiltered also lets a host on one segment poison the ARP caches of hosts on the others with spoofed ARP replies (ARP spoofing), so treat it as a workaround rather than a fix and confirm the switch is not already the source of the instability. For more secure solutions, see the FortiGate VLANs and VDOMs Guide.
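Before turning on ARP forwarding it is worth confirming that the switch really is seeing one MAC address in more than one place. The following Python is an added example, not part of the FortiGate guide, that parses a switch MAC address table and reports MACs learned on more than one port and MACs learned in more than one VLAN. The table text is constructed for this example in a generic "VLAN / MAC / type / port" layout and the regular expression is written for it; adapt LINE_RE to the output of your own switch.

```python
"""Added example, not part of the FortiGate guide: detect one MAC address
learned on more than one switch port or in more than one VLAN, the condition
the Duplicate ARP packets section describes, from a MAC address table dump.
The table text below is constructed; LINE_RE matches its generic layout."""
import re
from collections import defaultdict

SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0009.0f01.2345    DYNAMIC     Gi0/1
  20    0009.0f01.2345    DYNAMIC     Gi0/2
  10    0011.2233.4455    DYNAMIC     Gi0/5
  20    0011.2233.4455    DYNAMIC     Gi0/5
  30    00aa.bbcc.dd01    DYNAMIC     Gi0/7
"""

# vlan, dotted-quad-style MAC (xxxx.xxxx.xxxx), entry type, port
LINE_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)


def parse_mac_table(text):
    """Yield (vlan, mac, port) for each data line; header and rule lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2).lower(), m.group(3)


def classify_duplicates(text):
    """Return (multi_port, multi_vlan): the set of MACs seen on more than one
    port, and the set seen in more than one VLAN. A MAC in several VLANs of a
    single trunk port is what a Transparent-mode firewall that repeats ARP
    into every VLAN looks like from the switch; a MAC that flaps between
    ports is the case most likely to destabilise a switch."""
    ports = defaultdict(set)
    vlans = defaultdict(set)
    for vlan, mac, port in parse_mac_table(text):
        ports[mac].add(port)
        vlans[mac].add(vlan)
    multi_port = {mac for mac, p in ports.items() if len(p) > 1}
    multi_vlan = {mac for mac, v in vlans.items() if len(v) > 1}
    return multi_port, multi_vlan


if __name__ == "__main__":
    flapping, shared = classify_duplicates(SAMPLE_MAC_TABLE)
    print("MACs on more than one port:", sorted(flapping))
    print("MACs in more than one VLAN:", sorted(shared))
```

In the constructed table, 0009.0f01.2345 appears on two ports and is the entry to investigate first; 0011.2233.4455 is the same MAC on two VLANs of one trunk port, which is expected when the FortiGate sits on that trunk.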

FortiGate IPv6 support
You can assign both an IPv4 and an IPv6 address to any interface on a FortiGate unit. The interface functions as two interfaces, one for IPv4-addressed packets and another for IPv6-addressed packets. FortiGate units support static routing, periodic router advertisements, firewall policies and tunneling of IPv6-addressed traffic over an IPv4-addressed network. All of these features must be configured through the Command Line Interface (CLI). See the FortiGate CLI Reference for information on the following commands:
Table 3: IPv6 CLI commands
Feature                                        CLI Command
Interface configuration, including periodic    config system interface
router advertisements                          (see the keywords beginning with "ip6")
                                               config ip6-prefix-list
Static routing                                 config router static6
IPv6 tunneling                                 config system ipv6_tunnel
Firewall                                       config firewall address6
                                               config firewall addrgrp6
                                               config firewall policy6
Execute                                        execute ping6

FortiGate Version 3.0 MR3 Administration Guide 01-30003-0203-20061124


System Wireless
This section describes how to configure the Wireless LAN interfaces on FortiWiFi units. The following topics are included in this section:
• The FortiWiFi wireless LAN interface
• Channel assignments
• System wireless settings (FortiWiFi-60)
• System wireless settings (FortiWiFi-60A and 60AM)
• Wireless MAC Filter
• Wireless Monitor

The FortiWiFi wireless LAN interface
You can configure the FortiWiFi Wireless interface to:
• provide an access point to which users with wireless network cards can connect (Access Point mode)
or
• connect the FortiWiFi unit to another wireless network (Client mode)
Access Point mode is the default mode. FortiWiFi-60A and FortiWiFi-60AM units can provide multiple WLANs.

FortiWiFi units support the following wireless network standards:
• IEEE 802.11a (5-GHz Band)
• IEEE 802.11b (2.4-GHz Band)
• IEEE 802.11g (2.4-GHz Band)
• Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA) using pre-shared key or Radius server (Access Point mode only)

Channel assignments
The following tables list the channel assignments for wireless LANs.
Table 4: IEEE 802.11a (5-GHz Band) channel numbers
Channel  Frequency  Regulatory Areas
number   (MHz)      Americas  Europe  Taiwan  Singapore  Japan
34       5170       –         X       –       –          X
36       5180       X         X       –       X          –
38       5190       –         X       –       –          X
40       5200       X         X       –       X          –
42       5210       –         X       –       –          X
44       5220       X         X       –       X          –
46       5230       –         X       –       –          X
48       5240       X         X       –       X          –
52       5260       X         X       X       –          –
56       5280       X         X       X       –          –
60       5300       X         X       X       –          –
64       5320       X         X       X       –          –
149      5745       –         –       –       –          –
153      5765       –         –       –       –          –
157      5785       –         –       –       –          –
161      5805       –         –       –       –          –

All channels are restricted to indoor usage except the Americas, which allows for indoor and outdoor use on channels 52 through 64 in the United States.

Table 5: IEEE 802.11b (2.4-GHz Band) channel numbers
Channel  Frequency  Regulatory Areas
number   (MHz)      Americas  EMEA  Israel  Japan
1        2412       X         X     –       X
2        2417       X         X     –       X
3        2422       X         X     –       X
4        2427       X         X     X       X
5        2432       X         X     X       X
6        2437       X         X     X       X
7        2442       X         X     X       X
8        2447       X         X     X       X
9        2452       X         X     X       X
10       2457       X         X     X       X
11       2462       X         X     –       X
12       2467       –         X     –       X
13       2472       –         X     –       X
14       2484       –         –     –       X

Mexico is included in the Americas regulatory domain. Channels 1 through 8 are for indoor use only. Channels 9 through 11 can be used indoors and outdoors. You must make sure that the channel number complies with the regulatory standards of Mexico.

Table 6: IEEE 802.11g (2.4-GHz Band) channel numbers (CCK and OFDM modulation listed separately for each regulatory area)
Channel  Frequency  Americas     EMEA         Israel       Japan
number   (MHz)      CCK   OFDM   CCK   OFDM   CCK   OFDM   CCK   OFDM
1        2412       X     X      X     X      –     –      X     X
2        2417       X     X      X     X      –     –      X     X
3        2422       X     X      X     X      –     –      X     X
4        2427       X     X      X     X      –     –      X     X
5        2432       X     X      X     X      X     X      X     X
6        2437       X     X      X     X      X     X      X     X
7        2442       X     X      X     X      X     X      X     X
8        2447       X     X      X     X      X     X      X     X
9        2452       X     X      X     X      –     –      X     X
10       2457       X     X      X     X      –     –      X     X
11       2462       X     X      X     X      –     –      X     X
12       2467       –     –      X     X      –     –      X     X
13       2472       –     –      X     X      –     –      X     X
14       2484       –     –      –     –      –     –      X     –

System wireless settings (FortiWiFi-60)
Go to System > Wireless > Settings to configure wireless LAN settings.
Figure 48: Configuring wireless parameters

MAC Address         The MAC address of the Wireless interface.
Operation Mode      The current operating mode. Select Change to change it. Access Point mode makes the FortiWiFi-60 unit act as a wireless access point to which multiple clients can connect. Client mode configures the unit to connect to another wireless network as a client.
Geography           Select your country or region. This determines which channels are available. You can select Americas, EMEA, Israel, or Japan. If you are in any other region, select World.
Channel             Select a channel for your FortiWiFi-60 wireless network. Users of the wireless network must configure their computers to use this channel. The channels that you can select depend on the Geography setting. See "Channel assignments" on page 104 for channel information.
SSID                Enter the wireless network name that the FortiWiFi-60 unit broadcasts. Users who want to use the wireless network must configure their computers to connect to the network that broadcasts this network name.
SSID Broadcast      Select Enable if you want the FortiWiFi-60 unit to broadcast its SSID. (Access Point mode only)
Security mode       To use WEP, select WEP64 or WEP128. To use WPA (available in Access Point mode only), select WPA Pre-shared Key or WPA_Radius. Users of the FortiWiFi-60 wireless network must configure their computers with the same settings. WEP is cryptographically broken and its key can be recovered from a modest amount of captured traffic, so use WPA with a long pre-shared key or a RADIUS server wherever the clients support it.
Key                 For a 64-bit WEP key, enter 10 hexadecimal digits (0-9 a-f). For a 128-bit WEP key, enter 26 hexadecimal digits (0-9 a-f). Users of the wireless network must configure their computers with the same key.
Pre-shared Key      For WPA Pre-shared Key security mode, enter the pre-shared key. Users of the wireless network should configure their computers with the same key.
Radius Server Name  For WPA Radius security mode, choose the Radius server name from the list. The Radius server must be configured in User > Radius. For more information, see "RADIUS servers" on page 343.

Advanced                 Open or close the Advanced settings section of the Wireless Parameters. Change settings if needed to address performance problems. Default values should work well for most situations. Advanced settings are described below.
Tx Power                 (Access Point mode only) Set the transmitter power level. The default is the maximum power, 31 dBm.
Beacon Interval          Set the interval between beacon packets. Access Points broadcast Beacons or Traffic Indication Messages (TIM) to synchronize wireless networks. In an environment with high interference, decreasing the Beacon Interval might improve network performance. In a location with few wireless nodes, you can increase this value.
RTS Threshold            The Request to Send (RTS) threshold is the frame size, in bytes, above which the unit performs the RTS/CTS handshake before transmitting: it sends RTS and waits for a Clear to Send (CTS) from the other wireless device. Frames smaller than the threshold are sent without the handshake. Lowering the threshold can help where hidden nodes cause collisions, at the cost of extra overhead.
Fragmentation Threshold  Set the maximum size of a data packet before it is broken into two or more packets. Reducing the threshold can improve performance in environments that have high interference.

System wireless settings (FortiWiFi-60A and 60AM)
Go to System > Wireless > Settings to configure wireless LAN settings.
Figure 49: Wireless parameters - FortiWiFi-60A and FortiWiFi-60AM

Operation Mode  The current operating mode. Access Point mode makes the FortiWiFi unit act as a wireless access point to which multiple clients can connect. Client mode configures the unit to connect to another wireless network as a client.
Band            Select the wireless frequency band you want to use. You can select from: 802.11a, 802.11b, and 802.11g.
Geography       Select your country or region. This determines which channels are available. You can select Americas, EMEA, Israel, or Japan. If you are in any other region, select World.
Channel         Select a channel for your FortiWiFi wireless network. Users of the wireless network must configure their computers to use this channel. The channels that you can select depend on the Geography setting. See "Channel assignments" on page 104 for channel information.
Tx Power        Set the transmitter power level. The default is the maximum power, 31 dBm.

Beacon Interval  Set the interval between beacon packets. Access Points broadcast Beacons or Traffic Indication Messages (TIM) to synchronize wireless networks. In an environment with high interference, decreasing the Beacon Interval might improve network performance. In a location with few wireless nodes, you can increase this value.

Wireless interface list
Interface       The name of the WLAN interface. Select the name to edit the interface.
MAC Address     The MAC address of the Wireless interface.
SSID            The wireless network name that the unit broadcasts. Users who want to use the wireless network must configure their computers to connect to the network that broadcasts this network name.
SSID Broadcast  Green checkmark icon indicates that the unit broadcasts its SSID. (Access Point mode only)
Security Mode   WEP64, WEP128, WPA Pre-shared Key, WPA_Radius or none. WPA is available in Access Point mode only. Users of the wireless network must configure their computers with the same settings.

Wireless MAC Filter
Go to System > Wireless > MAC Filter to allow or deny wireless access to users based on their MAC address. A MAC filter is not a substitute for encryption: client MAC addresses are sent in the clear in every frame, so an attacker can read an allowed address off the air and clone it. Use the filter alongside WPA, not instead of it.
Figure 50: Wireless MAC Filter

MAC Filter Enable                Enable the MAC Filter.
Access for PCs not listed below  Select whether to allow or deny access to unlisted MAC addresses.
MAC Address                      Enter the MAC address to filter.
Allow or Deny                    Select whether to allow or deny the MAC Address.
Add                              Add the MAC address to the Allow or Deny list, as selected.
Allow List                       List of MAC addresses allowed access to the wireless network.
Deny List                        List of MAC addresses denied access to the wireless network.
Arrow buttons                    Move MAC addresses between lists.

Remove (below Allow list)  Remove selected MAC addresses from the Allow list.
Remove (below Deny list)   Remove selected MAC addresses from the Deny list.

Wireless Monitor
Go to System > Wireless > Monitor to see who is connected to your wireless LAN. This feature is available only if you are operating the wireless interface in WPA security mode.
Figure 51: Wireless Monitor (FortiWiFi-60)

Figure 52: Wireless Monitor (FortiWiFi-60A and 60AM)

Statistics               Statistical information about wireless performance for each WLAN. Available only on the FortiWiFi-60A and FortiWiFi-60AM.
  AP Name                The SSID of the WLAN interface.
  Signal Strength (dBm)  The strength of the signal from the client.
  Noise (dBm)            The received noise level.
  S/N (dB)               The signal-to-noise ratio in decibels calculated from signal strength and noise level.
  Rx (KBytes)            The amount of data in kilobytes received this session.
  Tx (KBytes)            The amount of data in kilobytes sent this session.
Clients                  The number of clients connected to the WLAN and information about each of them.
  MAC Address            The MAC address of the connected wireless client.
  IP Address             The IP address assigned to the connected wireless client.
  AP Name                The name of the WLAN to which the client is connected. Available on the FortiWiFi-60A and FortiWiFi-60AM only.
  ID                     The user ID of the connected user using WPA RADIUS security mode. This field is blank if the client uses WPA Pre-Shared Key or WEP security modes. Available on the FortiWiFi-60 only.


See the FortiGate CLI Reference for more information. Note: You can configure a Regular DHCP server on an interface only if the interface has a static IP address. FortiGate Version 3. see “Configuring a DHCP server” on page 114. The following topics are included in this section: • • • FortiGate DHCP servers and relays Configuring DHCP services Viewing address leases FortiGate DHCP servers and relays The DHCP protocol enables hosts to automatically obtain their assigned IP address.System DHCP FortiGate DHCP servers and relays System DHCP This section describes how to use DHCP to provide convenient automatic network configuration for your clients. To configure a DHCP server. You can configure one or more DHCP servers on any FortiGate interface. A DHCP server dynamically assigns IP addresses to hosts on the network connected to the interface. they can also obtain default gateway and DNS server settings. The host computers must be configured to obtain their IP addresses using DHCP. To configure a DHCP relay see “Configuring an interface as a DHCP relay agent” on page 113. If an interface is connected to multiple networks via routers. The routers must be configured for DHCP relay.0 MR3 Administration Guide 01-30003-0203-20061124 111 . The DHCP server must have appropriate routing so that its response packets to the DHCP clients arrive at the FortiGate unit. A FortiGate interface or VLAN subinterface can provide the following DHCP services: • • • Regular DHCP servers for regular Ethernet connections IPSec DHCP servers for IPSec (VPN) connections DHCP relay for regular Ethernet or IPSec (VPN) connections An interface cannot provide both a server and a relay for connections of the same type (regular or IPSec). Optionally. DHCP services can also be configured through the Command Line Interface (CLI). you can add a DHCP server for each network. You can configure a FortiGate interface as a DHCP relay. 
The interface forwards DHCP requests from DHCP clients to an external DHCP server and returns the responses to the DHCP clients. You can configure an IPSec DHCP server on an interface that has either a static or a dynamic IP address. The IP range of each DHCP server must match the network address range.

Configuring DHCP services

Go to System > DHCP > Service to configure DHCP services. On each FortiGate interface, you can configure a DHCP relay and add DHCP servers as needed. Expand each listed interface to view the Relay and Servers.

On FortiGate models 50 and 60, by default, a DHCP server is configured on the Internal interface, as follows:

IP Range: 192.168.1.110 to 192.168.1.210
Netmask: 255.255.255.0
Default gateway: 192.168.1.99
Lease time: 7 days
DNS Server 1: 192.168.1.99

These settings are appropriate for the default Internal interface IP address of 192.168.1.99. If you change this address to a different network, you need to change the DHCP server settings to match. You can disable or change this default DHCP Server configuration.

Figure 53: DHCP service list (FortiGate-200A shown)

Interface: List of FortiGate interfaces.
Server Name/Relay IP: Name of FortiGate DHCP server or IP address of DHCP server accessed by relay.
Type: Type of DHCP relay or server: Regular or IPSec.
Enable: Green check mark icon indicates that server or relay is enabled.
Edit icon: Edit DHCP relay or server configuration.
Delete icon: Delete a DHCP server.
Add DHCP Server: Configure and add a DHCP server for this interface.

Configuring an interface as a DHCP relay agent

Go to System > DHCP > Service and select an edit icon to view or modify the DHCP relay configuration for an interface.

Figure 54: Edit DHCP relay settings for an interface

Interface Name: The name of the interface.
Enable: Enable the DHCP relay agent on this interface.
Type: Select the type of DHCP service required.
Regular: Configure the interface to be a DHCP relay agent for computers on the network connected to this interface.
IPSEC: Configure the interface to be a DHCP relay agent only for remote VPN clients with an IPSec VPN connection to this interface.
DHCP Server IP: Enter the IP address of the DHCP server that will answer DHCP requests from computers on the network connected to the interface.

Configuring a DHCP server

Go to System > DHCP > Service to configure a DHCP server on an interface. Select Add a DHCP Server beside the interface or select Edit beside an existing DHCP server to change its settings. You cannot configure a Regular DHCP server on an interface that has a dynamic IP address.

Figure 55: DHCP Server options

Name: Enter a name for the DHCP server.
Enable: Enable the DHCP server.
Type: Select Regular or IPSEC DHCP server.
IP Range: Enter the start and end for the range of IP addresses that this DHCP server assigns to DHCP clients.
Network Mask: Enter the netmask that the DHCP server assigns to DHCP clients.
Default Gateway: Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.
Domain: Enter the domain that the DHCP server assigns to DHCP clients.
Lease Time: Select Unlimited for an unlimited lease time or enter the interval in days, hours, and minutes after which a DHCP client must ask the DHCP server for new settings. The lease time can range from 5 minutes to 100 days.
Advanced: Select to configure advanced options. The remaining options in this table are advanced options.
DNS Server 1, DNS Server 2, DNS Server 3: Enter the IP addresses of up to 3 DNS servers that the DHCP server assigns to DHCP clients.
WINS Server 1, WINS Server 2: Add the IP addresses of one or two WINS servers that the DHCP server assigns to DHCP clients.

Option 1, Option 2, Option 3: Enter up to three custom DHCP options that can be sent by the DHCP server. Code is the DHCP option code in the range 1 to 255. Option is an even number of hexadecimal characters and is not required for some option codes. For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.
Exclude Ranges: You can add up to 16 exclude ranges of IP addresses that the DHCP server cannot assign to DHCP clients. No range can exceed 65536 IP addresses.
Add: Add an IP exclude range.
Starting IP: Enter the first IP address of the exclude range.
End IP: Enter the last IP address of the exclude range.
Delete icon: Delete the exclude range.

Reserving IP addresses for specific clients

You can reserve an IP address for a specific client identified by the client device MAC address and the connection type, regular Ethernet or IPSec. The DHCP server always assigns the reserved address to that client. You can define up to 50 reserved addresses. Use the CLI system dhcp reserved-address command. For more information, see the FortiGate CLI Reference.

Viewing address leases

Go to System > DHCP > Address Leases to view the IP addresses that the DHCP servers have assigned and the corresponding client MAC addresses.

Figure 56: Address leases list

Interface: Select interface for which to list leases.
Refresh: Select Refresh to update Address leases list.
IP: The assigned IP address.
MAC: The MAC address of the device to which the IP address is assigned.
Expire: Expiry date and time of the DHCP lease.
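The limits given for a DHCP server definition above (static-IP requirement for Regular servers, range inside the netmask, 65536-address cap on any range, 5-minute to 100-day lease, up to 16 exclude ranges, option code 1 to 255 with an even-length hex payload) can be checked before the server is enabled. The following is an added example, not Fortinet code: the dict keys are a constructed layout, the default entry mirrors the FortiGate-50/60 Internal interface server listed earlier, and BROKEN_SERVER is a constructed definition with several mistakes.

```python
import ipaddress
from datetime import timedelta

MIN_LEASE = timedelta(minutes=5)   # lease time can range from 5 minutes ...
MAX_LEASE = timedelta(days=100)    # ... to 100 days, or Unlimited (None here)
MAX_RANGE_SIZE = 65536             # no range can exceed 65536 IP addresses
MAX_EXCLUDE_RANGES = 16            # up to 16 exclude ranges per server
HEX_DIGITS = set("0123456789abcdefABCDEF")


def _range(start, end):
    """Parse an inclusive start/end pair into ip_address objects."""
    return ipaddress.ip_address(start), ipaddress.ip_address(end)


def _size(lo, hi):
    """Number of addresses in the inclusive range lo..hi."""
    return int(hi) - int(lo) + 1


def validate_option(code, value):
    """Check one custom DHCP option: RFC 2132 code plus hex payload.

    The code must be 1..255; the payload is an even number of hex characters
    and may be empty, because some option codes carry no data.
    """
    findings = []
    if not 1 <= code <= 255:
        findings.append(f"option code {code} is outside 1-255")
    if value and (len(value) % 2 or not set(value) <= HEX_DIGITS):
        findings.append(f"option {code} payload {value!r} is not an even number of hex characters")
    return findings


def validate_dhcp_server(cfg):
    """Return a list of findings for a DHCP server definition; [] means acceptable."""
    findings = []
    if cfg["type"] == "regular" and cfg.get("interface_has_dynamic_ip", False):
        findings.append("a Regular DHCP server needs an interface with a static IP address")

    start, end = _range(*cfg["ip_range"])
    if start > end:
        findings.append("IP range start is after its end")
    elif _size(start, end) > MAX_RANGE_SIZE:
        findings.append("IP range exceeds 65536 addresses")

    # The IP range must match the network address range given by the netmask.
    net = ipaddress.ip_network(f"{start}/{cfg['netmask']}", strict=False)
    if end not in net:
        findings.append(f"IP range is not contained in {net}")
    gateway = ipaddress.ip_address(cfg["default_gateway"])
    if gateway not in net:
        findings.append(f"default gateway {gateway} is outside {net}")

    lease = cfg["lease_time"]
    if lease is not None and not MIN_LEASE <= lease <= MAX_LEASE:
        findings.append("lease time must be between 5 minutes and 100 days, or Unlimited")

    excludes = cfg.get("exclude_ranges", [])
    if len(excludes) > MAX_EXCLUDE_RANGES:
        findings.append(f"{len(excludes)} exclude ranges configured, maximum is 16")
    for lo, hi in excludes:
        lo, hi = _range(lo, hi)
        if lo > hi:
            findings.append(f"exclude range {lo}-{hi} start is after its end")
        elif _size(lo, hi) > MAX_RANGE_SIZE:
            findings.append(f"exclude range {lo}-{hi} exceeds 65536 addresses")

    for code, value in cfg.get("options", []):
        findings.extend(validate_option(code, value))
    return findings


def assignable_addresses(cfg):
    """Count addresses the server can hand out: the IP range minus the exclude ranges."""
    start, end = _range(*cfg["ip_range"])
    pool = set(range(int(start), int(end) + 1))
    for lo, hi in cfg.get("exclude_ranges", []):
        lo, hi = _range(lo, hi)
        pool.difference_update(range(int(lo), int(hi) + 1))
    return len(pool)


# Default Internal-interface server of the FortiGate-50/60 models, as listed in this section.
DEFAULT_INTERNAL_SERVER = {
    "type": "regular",
    "ip_range": ("192.168.1.110", "192.168.1.210"),
    "netmask": "255.255.255.0",
    "default_gateway": "192.168.1.99",
    "lease_time": timedelta(days=7),
    "dns_servers": ["192.168.1.99"],
}

# Constructed definition with several mistakes, to show what the checks catch.
BROKEN_SERVER = {
    "type": "regular",
    "interface_has_dynamic_ip": True,                 # Regular server on a dynamic interface
    "ip_range": ("10.0.0.10", "10.0.1.20"),           # crosses the /24 boundary
    "netmask": "255.255.255.0",
    "default_gateway": "10.0.5.1",                    # not on the /24
    "lease_time": timedelta(minutes=2),               # below the 5-minute minimum
    "exclude_ranges": [("10.0.0.50", "10.0.0.40")],   # start after end
    "options": [(300, "0a"), (42, "abc")],            # bad code; odd hex length
}

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_INTERNAL_SERVER), ("broken", BROKEN_SERVER)):
        print(name, validate_dhcp_server(cfg) or "OK", assignable_addresses(cfg))
```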


System Config

This section describes the configuration of several non-network features, such as HA, SNMP and custom replacement messages. HA, SNMP and Replacement messages are part of the global configuration of the FortiGate unit. Changing operation mode applies to each individual VDOM.

The following topics are included in this section:
• HA
• SNMP
• Replacement messages
• VDOM operation mode and management access

HA

FortiGate high availability (HA) provides a solution for two key requirements of critical enterprise networking components: enhanced reliability and increased performance. HA is not available on FortiGate models 50A, 50AM and 224B.

This section contains a brief description of HA web-based manager configuration options, the HA cluster members list, the HA statistics page, and the disconnect cluster member page. For complete information about how to configure and operate FortiGate HA clusters see the FortiGate HA Overview, the FortiGate HA Guide, and the Fortinet Knowledge Center.

Note: For FortiOS v3.0 MR2 and previous versions, this HA section included extensive detail about HA. Starting with FortiOS v3.0 MR3 you should refer to the FortiGate HA Overview and the FortiGate HA Guide for the full HA story.

The following topics are included in this section:
• HA options
• Cluster members list
• Viewing HA statistics
• Changing subordinate unit host name and device priority
• Disconnecting a cluster unit from a cluster

HA options

Configure HA options so that a FortiGate unit can join a cluster or to change the configuration of an operating cluster or cluster member. To configure HA options so that a FortiGate unit can join an HA cluster, go to System > Config > HA.

To configure HA options for a FortiGate unit with virtual domains enabled, log in as the admin administrator, select Global Configuration and go to System > Config > HA.

Figure 57: FortiGate-5002FB2 unit HA configuration

Note: If your FortiGate cluster uses virtual domains, you are configuring HA virtual clusters. Most virtual cluster HA options are the same as normal HA options. However, virtual clusters include VDOM partitioning options. Other differences between configuration options for regular HA and for virtual clustering HA are described below.

Figure 58: FortiGate-5001SX HA virtual cluster configuration

Mode: Select an HA mode for the cluster or return the FortiGate units in the cluster to standalone mode. You can select Standalone (to disable HA), active-passive, or active-active. When configuring a cluster, you must set all members of the HA cluster to the same HA mode.
Device Priority: Optionally set the device priority of the cluster unit. Each cluster unit can have a different device priority. During HA negotiation, the unit with the highest device priority usually becomes the primary unit.
Group Name: Add a name to identify the cluster. The maximum group name length is 7 characters. The group name must be the same for all cluster units before the cluster units can form a cluster. After a cluster is operating you can change the group name. The group name change is synchronized to all cluster units.
Password: Add a password to identify the cluster. The maximum password length is 15 characters. The password must be the same for all cluster units before the cluster units can form a cluster.
Enable Session pickup: Enable session pickup so that if the primary unit fails, all sessions are picked up by the cluster unit that becomes the new primary unit.

Port Monitor: Enable or disable monitoring FortiGate interfaces to verify that the monitored interfaces are functioning properly and connected to their networks. If a monitored interface fails or is disconnected from its network the interface leaves the cluster and a link failover occurs. The link failover causes the cluster to reroute the traffic being processed by that interface to the same interface of another cluster unit that still has a connection to the network. This other cluster unit becomes the new primary unit.
Heartbeat Interface: Enable or disable HA heartbeat communication for each interface in the cluster. You must select at least one heartbeat interface. If heartbeat communication is interrupted the cluster stops processing traffic.
VDOM partitioning: If you are configuring virtual clustering you can select the virtual domains to be in virtual cluster 1 and the virtual domains to be in virtual cluster 2. The root virtual domain must always be in virtual cluster 1.

Cluster members list

Display the cluster members list to view the status of the FortiGate units in an operating cluster. To display the cluster members list, log into an operating cluster and go to System > Config > HA.

If virtual domains are enabled, you can display the cluster members list to view the status of the operating virtual clusters. The virtual cluster members list shows the status of both virtual clusters including the virtual domains added to each virtual cluster. To display the virtual cluster members list for an operating cluster, log in as the admin administrator, select Global Configuration and go to System > Config > HA.

Figure 59: Example FortiGate-5001SX cluster members list (callouts: Up and Down Arrows, Download Debug Log, Edit, Disconnect from Cluster)

Figure 60: Example FortiGate-5001SX virtual cluster members list (callouts: Up and Down Arrows, Download Debug Log, Edit, Disconnect from Cluster)

Up and down arrows: Change the order in which cluster members are listed. All that changes is the order in which cluster units are displayed on the cluster members list. The operation of the cluster and of the units in the cluster is not affected.
View HA Statistics: Display the serial number, status, and monitor information for each cluster unit. See "Viewing HA statistics" on page 122.
Cluster member: Illustrations of the front panels of the cluster units. If the network jack for an interface is shaded green, the interface is connected. Pause the mouse pointer over each illustration to view the cluster unit host name, serial number, and how long the unit has been operating (up time). The list of monitored interfaces is also displayed.
Hostname: The host name of the FortiGate unit. The default host name of the FortiGate unit is the FortiGate unit serial number.
• To change the primary unit host name, go to System > Status and select Change beside the current host name.
• To change a subordinate unit host name, from the cluster members list select the edit icon for a subordinate unit.
Role: The status or role of the cluster unit in the cluster.
• Role is MASTER for the primary (or master) unit
• Role is SLAVE for all subordinate (or backup) cluster units
Priority: The device priority of the cluster unit. Each cluster unit can have a different device priority. During HA negotiation, the unit with the highest device priority becomes the primary unit. The device priority range is 0 to 255. The default device priority is 128.
Disconnect from cluster: Disconnect the cluster unit from the cluster. See "Disconnecting a cluster unit from a cluster" on page 124.

Edit: Select Edit to change a cluster unit HA configuration.
• For a primary unit, select Edit to change the cluster HA configuration. You can also change the device priority of the primary unit.
• For a subordinate unit, select Edit to change the subordinate unit host name and device priority. See "Changing subordinate unit host name and device priority" on page 123.
• For a primary unit in a virtual cluster, select Edit to change the virtual cluster HA configuration. You can also change the virtual cluster 1 and virtual cluster 2 device priority of this cluster unit.
• For a subordinate unit in a virtual cluster, select Edit to change the subordinate unit host name. In addition you can change the device priority for the subordinate unit for the selected virtual cluster.
Download debug log: Download an encrypted debug log to a file. You can send this debug log file to Fortinet Technical Support to help diagnose problems with the cluster or with individual cluster units.

Viewing HA statistics

From the cluster members list you can select View HA statistics to display the serial number, status, and monitor information for each cluster unit. To view HA statistics, go to System > Config > HA and select View HA Statistics.

Figure 61: Example HA statistics (active-passive cluster)

Refresh every: Select to control how often the web-based manager updates the HA statistics display.
Back to HA monitor: Close the HA statistics list and return to the cluster members list.
Serial No.: Use the serial number ID to identify each FortiGate unit in the cluster. The cluster ID matches the FortiGate unit serial number.
Status: Indicates the status of each cluster unit. A green check mark indicates that the cluster unit is operating normally. A red X indicates that the cluster unit cannot communicate with the primary unit.
Up Time: The time in days, hours, minutes, and seconds since the cluster unit was last started.
Monitor: Displays system status information for each cluster unit.

CPU Usage: The current CPU status of each cluster unit. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Memory Usage: The current memory status of each cluster unit. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Active Sessions: The number of communications sessions being processed by the cluster unit.
Total Packets: The number of packets that have been processed by the cluster unit since it last started up.
Virus Detected: The number of viruses detected by the cluster unit.
Network Utilization: The total network bandwidth being used by all of the cluster unit interfaces.
Total Bytes: The number of bytes that have been processed by the cluster unit since it last started up.
Intrusion Detected: The number of intrusions or attacks detected by Intrusion Protection running on the cluster unit.

Changing subordinate unit host name and device priority

To change the host name and device priority of a subordinate unit in an operating cluster, go to System > Config > HA to display the cluster members list. Select Edit for any slave (subordinate) unit in the cluster members list.

To change the host name and device priority of a subordinate unit in an operating cluster with virtual domains enabled, log in as the admin administrator, select Global Configuration and go to System > Config > HA to display the cluster members list. Select Edit for any slave (subordinate) unit in the cluster members list.

You can change the host name (Peer) and device priority (Priority) of this subordinate unit. These changes only affect the configuration of the subordinate unit. The device priority is not synchronized among cluster members. In a functioning cluster you can change device priority to change the priority of any unit in the cluster. The next time the cluster negotiates, the cluster unit with the highest device priority becomes the primary unit.

Figure 62: Changing the subordinate unit host name and device priority

Peer: View and optionally change the subordinate unit host name.
Priority: View and optionally change the subordinate unit device priority. The device priority range is 0 to 255. The default device priority is 128.

Disconnecting a cluster unit from a cluster

You can go to System > Config > HA and select a Disconnect from cluster icon to disconnect a cluster unit from a functioning cluster without disrupting the operation of the cluster. You can disconnect a cluster unit if you need to use the disconnected FortiGate unit for another purpose, such as to act as a standalone firewall.

Figure 63: Disconnect a cluster member

Serial Number: Displays the serial number of the cluster unit to be disconnected from the cluster.
Interface: Select the interface that you want to configure. You also specify the IP address and netmask for this interface. When the FortiGate unit is disconnected, all management access options are enabled for this interface.
IP/Netmask: Specify an IP address and netmask for the interface. You can use this IP address to connect to this interface to configure the disconnected FortiGate unit.

SNMP

Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can configure the hardware, or FortiGate SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager is a computer running an application that can read the incoming traps from the agent and track the information. Using an SNMP manager, you can access SNMP traps and data from any FortiGate interface or VLAN subinterface configured for SNMP management access.

The FortiGate SNMP implementation is read-only. SNMP v1 and v2c compliant SNMP managers have read-only access to FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP manager. RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II) (for more information, see "Fortinet MIBs" on page 127).

Note: Part of configuring an SNMP manager is to list it as a host in a community on the FortiGate unit it will be monitoring, or be able to query it. Otherwise the SNMP monitor will not receive any traps from that FortiGate unit.

Configuring SNMP

Go to System > Config > SNMP v1/v2c to configure the SNMP agent.

Figure 64: Configuring SNMP

SNMP Agent: Enable the FortiGate SNMP agent.
Description: Enter descriptive information about the FortiGate unit. The description can be up to 35 characters long.
Location: Enter the physical location of the FortiGate unit. The system location description can be up to 35 characters long.
Contact: Enter the contact information for the person responsible for this FortiGate unit. The contact information can be up to 35 characters.
Apply: Save changes made to the description, location, and contact information.
Create New: Select Create New to add a new SNMP community. See "Configuring an SNMP community" on page 125.
Communities: The list of SNMP communities added to the FortiGate configuration. You can add up to three SNMP communities.
Name: The name of the SNMP community.
Queries: The status of SNMP queries for each SNMP community. The query status can be enabled or disabled.
Traps: The status of SNMP traps for each SNMP community. The trap status can be enabled or disabled.
Enable: Select Enable to activate an SNMP community.
Delete icon: Select Delete to remove an SNMP community.
Edit/View icon: Select to view or modify an SNMP community.

Configuring an SNMP community

An SNMP community is a grouping of equipment for network administration purposes. Add SNMP communities so that SNMP managers can connect to the FortiGate unit to view system information and receive SNMP traps. You can add up to 3 communities. Each community can have a different configuration for SNMP queries and traps. You can also add the IP addresses of up to 8 SNMP managers to each community. Each community can be configured to monitor the FortiGate unit for a different set of events.

Figure 65: SNMP community options (part 1)
Figure 66: SNMP community options (part 2)

Community Name: Enter a name to identify the SNMP community.
Hosts: Identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit. Enter the IP address and
IP Address: The IP address of an SNMP manager that can use the settings in this SNMP community to monitor the FortiGate unit. You can also set the IP address to 0.0.0.0 so that any SNMP manager can use this SNMP community.
Interface: Optionally select the name of the interface that this SNMP manager uses to connect to the FortiGate unit. You only have to select the interface if the SNMP manager is not on the same subnet as the FortiGate unit. This can occur if the SNMP manager is on the Internet or behind a router.
Delete: Select a Delete icon to remove an SNMP manager.
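A small audit of the SNMP agent fields and community Hosts entries against the limits described above: the 35-character text fields, the 3-community and 8-host caps, a 0.0.0.0 host (which lets any SNMP manager use the community) and a manager that is on no interface subnet yet has no Interface selected. This is an added example and not Fortinet code; the agent, community and interface dicts are a constructed layout, not a FortiGate export format, and the sample addresses are constructed.

```python
import ipaddress

MAX_COMMUNITIES = 3        # up to three SNMP communities
MAX_HOSTS = 8              # up to 8 SNMP managers per community
MAX_TEXT = 35              # description, location and contact length limit
ANY_MANAGER = "0.0.0.0"    # host address that lets any SNMP manager use the community


def host_findings(community_name, host, interfaces):
    """Findings for one Hosts entry (IP Address plus optional Interface).

    interfaces maps interface name -> "ip/netmask" of that FortiGate interface
    (constructed here; on the unit these come from System > Network > Interface).
    """
    findings = []
    ip = host["ip"]
    if ip == ANY_MANAGER:
        findings.append(f"{community_name}: host 0.0.0.0 lets any SNMP manager "
                        "use this community; list the real manager addresses")
        return findings
    addr = ipaddress.ip_address(ip)
    iface = host.get("interface")
    # With no Interface selected, the manager has to be on a directly connected subnet.
    on_subnet = any(addr in ipaddress.ip_interface(cidr).network
                    for cidr in interfaces.values())
    if iface is None and not on_subnet:
        findings.append(f"{community_name}: manager {ip} is not on any interface "
                        "subnet; select the interface it connects through")
    elif iface is not None and iface not in interfaces:
        findings.append(f"{community_name}: host {ip} names unknown interface {iface!r}")
    return findings


def audit_snmp(agent, communities, interfaces):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for field in ("description", "location", "contact"):
        if len(agent.get(field, "")) > MAX_TEXT:
            findings.append(f"{field} is longer than {MAX_TEXT} characters")
    if len(communities) > MAX_COMMUNITIES:
        findings.append(f"{len(communities)} communities, maximum is {MAX_COMMUNITIES}")
    for community in communities:
        name, hosts = community["name"], community["hosts"]
        if not hosts:
            findings.append(f"{name}: no hosts listed, so no manager receives its traps")
        if len(hosts) > MAX_HOSTS:
            findings.append(f"{name}: {len(hosts)} hosts, maximum is {MAX_HOSTS}")
        for host in hosts:
            findings.extend(host_findings(name, host, interfaces))
    return findings


# Constructed sample data: interface addresses and two communities.
SAMPLE_INTERFACES = {"internal": "192.168.1.99/24", "wan1": "203.0.113.2/24"}
SAMPLE_AGENT = {
    "description": "Branch office FortiGate",
    "location": "Data centre 2, row 14, rack 3, position 7",   # 41 characters, over the limit
    "contact": "netops",
}
SAMPLE_COMMUNITIES = [
    {"name": "public", "hosts": [{"ip": "0.0.0.0"}]},          # open to any manager
    {"name": "noc", "hosts": [
        {"ip": "192.168.1.50"},                                 # on the internal subnet
        {"ip": "198.51.100.7", "interface": "wan1"},            # remote, interface chosen
        {"ip": "10.9.8.7"},                                     # remote, no interface chosen
    ]},
]

if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_AGENT, SAMPLE_COMMUNITIES, SAMPLE_INTERFACES):
        print(finding)
```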

Add: Add a blank line to the Hosts list. You can add up to 8 SNMP managers to a single community.
Queries: Enter the Port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiGate unit. Select the Enable check box to activate queries for each SNMP version.
Traps: Enter the Local and Remote port numbers (port 162 for each by default) that the FortiGate unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community. Select the Enable check box to activate traps for each SNMP version.
SNMP Event: Enable each SNMP event for which the FortiGate unit should send traps to the SNMP managers in this community. "Temperature too high" and "Voltage out of range" event traps are available only on FortiGate 5001.

To configure an interface for SNMP access

Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections.

1 Go to System > Network > Interface.
2 Choose an interface that an SNMP manager connects to and select Edit.
3 In Administrative Access, select SNMP.
4 Select OK.

To configure SNMP access in Transparent mode

1 Go to System > Config > Operation Mode.
2 Enter the IP address that you want to use for management access and the netmask in the Management IP/Netmask field.
3 Select Apply.

Fortinet MIBs

The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiGate unit configuration.

The FortiGate MIB is listed in Table 7 along with the two RFC MIBs. To be able to communicate with the SNMP agent, you must compile all of these MIBs into your SNMP manager. You can obtain these MIB files from Fortinet technical support.

Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIB to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you do not have to compile them again.

Table 7: Fortinet MIBs

fortinet.mib: The proprietary Fortinet MIB includes detailed FortiGate system configuration information and trap information. Your SNMP manager requires this information to monitor FortiGate configuration settings and receive traps from the FortiGate SNMP agent. See "FortiGate traps" on page 128 and "Fortinet MIB fields" on page 130.
RFC-1213 (MIB II): The FortiGate SNMP agent supports MIB II groups with the following exceptions.
• No support for the EGP group from MIB II (RFC 1213, section 3.11 and 6.10).
• Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do not accurately capture all FortiGate traffic activity. More accurate information can be obtained from the information reported by the Fortinet MIB.
RFC-2665 (Ethernet-like MIB): The FortiGate SNMP agent supports Ethernet-like MIB information with the following exception. No support for the dot3Tests and dot3Errors groups.

FortiGate traps

The FortiGate agent can send traps to SNMP managers that you have added to SNMP communities. To receive traps, you must load and compile the Fortinet 3.00.0 MIB into the SNMP manager. All traps include the trap message as well as the FortiGate unit serial number and hostname.

Table 8: Generic FortiGate traps

ColdStart, WarmStart, LinkUp, LinkDown: Standard traps as described in RFC 1215.

Table 9: FortiGate system traps

CPU usage high (fnTrapCpuHigh): CPU usage exceeds 90%. This threshold can be set in the CLI using config system global.
Memory low (fnTrapMemLow): Memory usage exceeds 90%. This threshold can be set in the CLI using config system global.
Interface IP change (fnTrapIfChange): Change of IP address on a FortiGate interface. The trap message includes the name of the interface, the new IP address and the serial number of the FortiGate unit. You can use this trap to track interface IP address changes for interfaces with dynamic IP addresses set using DHCP or PPPoE.
fnFMTrapIfChange (no message; only sent to monitoring FortiManager): Interface changes IP.
fnFMTrapConfChange (no message; only sent to monitoring FortiManager): Any configuration changes made to FortiGate unit, excluding any changes made by a connected FortiManager unit.
Temperature too high (fnTrapTempHigh): Hardware sensor detects high temperature. This is available only for FortiGate 5001.
Voltage out of range (fnTrapVoltageOutOfRange): Hardware sensor detects abnormal power levels. This is available only for FortiGate 5001.

Table 10: FortiGate VPN traps

VPN tunnel is up (fnTrapVpnTunUp): An IPSec VPN tunnel started.
VPN tunnel down (fnTrapVpnTunDown): An IPSec VPN tunnel shuts down.

Table 11: FortiGate IPS traps

IPS Anomaly (fnTrapIpsAnomaly): IPS anomaly detected.
IPS Signature (fnTrapIpsSignature): IPS signature detected.

Table 12: FortiGate antivirus traps

Virus detected (fnTrapAvEvent): The FortiGate unit detects a virus and removes the infected file from an HTTP or FTP download or from an email message.
Oversize file/email detected (fnTrapAvOversize): The FortiGate unit antivirus scanner detects an oversized file.
Filename block detected (fnTrapAvPattern): The FortiGate unit antivirus scanner blocks a file matching a pattern.
Fragmented email detected (fnTrapAvFragmented): The FortiGate unit antivirus scanner detects a fragmented file or attachment.

Table 13: FortiGate logging traps

Log full (fnTrapLogFull): On a FortiGate unit with a hard drive, hard drive usage exceeds 90%. On a FortiGate unit without a hard drive, log to memory usage exceeds 90%. This threshold can be set in the CLI using config system global.

Table 14: FortiGate HA traps

HA switch (fnTrapHaSwitch): The primary unit in an HA cluster fails and is replaced with a new primary unit.
HA Heartbeat Failure (fnTrapHaHBFail): HA monitored interface fails heartbeat.

Table 15: FortiBridge traps

FortiBridge detects fail (fnTrapBridge): A FortiBridge unit detects a FortiGate unit failure.

Fortinet MIB fields

The Fortinet MIB contains fields reporting current FortiGate unit status information. The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.mib file into your SNMP manager and browsing the Fortinet MIB fields.

Table 16: System MIB fields

fnSysModel: FortiGate model number, for example, 400 for the FortiGate-400.
fnSysSerial: FortiGate unit serial number.
fnSysVersion: The firmware version currently running on the FortiGate unit.
fnSysVersionAv: The antivirus definition version installed on the FortiGate unit.
fnSysVersionNids: The attack definition version installed on the FortiGate unit.
fnSysHaMode: The current High-Availability (HA) mode (standalone, A-A, A-P).
fnSysOpMode: The FortiGate unit operation mode (NAT or Transparent).
fnSysCpuUsage: The current CPU usage (as a percent).
fnSysMemUsage: The current memory utilization (in MB).
fnSysDiskUsage: The current hard disk usage (MB).
fnSysSesCount: The current IP session count.
fnSysDiskCapacity: The hard disk capacity (MB).

Table 17: HA MIB fields

fnHaSchedule: Load balancing schedule for A-A mode.
fnHaStatsTable: Statistics for the individual FortiGate unit in the HA cluster.
fnHaStatsIndex: The index number of the unit in the cluster.
fnHaStatsSerial: The FortiGate unit serial number.
fnHaStatsCpuUsage: The current FortiGate unit CPU usage (%).
fnHaStatsMemUsage: The current unit memory usage (MB).
fnHaStatsNetUsage: The current unit network utilization (Kbps).
fnHaStatsSesCount: The number of active sessions.
fnHaStatsPktCount: The number of packets processed.
fnHaStatsByteCount: The number of bytes processed by the FortiGate unit.
fnHaStatsIdsCount: The number of attacks that the IPS detected in the last 20 hours.
fnHaStatsAvCount: The number of viruses that the antivirus system detected in the last 20 hours.

Table 18: Administrator accounts

fnAdminNumber: The number of administrators on the FortiGate unit.
fnAdminTable: Table of administrators.
fnAdminIndex: Administrator account index number.
fnAdminName: The user name of the administrator account.
fnAdminAddr: An address of a trusted host or subnet from which this administrator account can be used.
fnAdminMask: The netmask for fnAdminAddr.

Table 19: Local users

fnUserNumber: The number of local user accounts on the FortiGate unit.
fnUserTable: Table of local users.
fnUserIndex: Local user account index number.
fnUserName: The user name of the local user account.
fnUserAuth: The authentication type for the local user:
• local - a password stored on the FortiGate unit
• radius-single - a password stored on a RADIUS server
• radius-multiple - any user who can authenticate on the RADIUS server can log on
• ldap - a password stored on an LDAP server
fnUserState: Whether the local user is enabled or disabled.

Table 20: Options

fnOptIdleTimeout: The idle period in minutes after which the administrator must reauthenticate.
fnOptAuthTimeout: The idle period in minutes after which a user must re-authenticate with the firewall.
fnOptLanguage: The web-based manager language.
fnOptLcdProtection: Whether an LCD PIN has been set.

Table 21: Logging

fnLogOption: Logging preferences.

Table 22: Custom messages

fnMessages: The number of custom messages on the FortiGate unit.

Table 23: Virtual domains
MIB field   Description
fnVdNumber  The number of virtual domains on the FortiGate unit.
fnVdTable   Table of virtual domains.
fnVdIndex   Internal virtual domain index number on the FortiGate unit.
fnVdName    The name of the virtual domain.

Table 24: Active IP sessions
MIB field         Description
fnIpSessIndex     The index number of the active IP session.
fnIpSessProto     The IP protocol (TCP, UDP, ICMP, etc.) of the session.
fnIpSessFromAddr  The source IP address of the active IP session.
fnIpSessFromPort  The source port of the active IP session.
fnIpSessToPort    The destination port of the active IP session.
fnIpSessToAddr    The destination IP address of the active IP session.
fnIpSessExp       The expiry time or time-to-live in seconds for the session.

Table 25: Dialup VPNs
MIB field            Description
fnVpnDialupIndex     The index of the dialup VPN peer.
fnVpnDialupGateway   The remote gateway IP address.
fnVpnDialupLifetime  VPN tunnel lifetime in seconds.
fnVpnDialupTimeout   Time remaining until the next key exchange (seconds).
fnVpnDialupSrcBegin  Remote subnet address.
fnVpnDialupSrcEnd    Remote subnet mask.
fnVpnDialupDstAddr   Local subnet address.

Table 26: VPN Tunnels
MIB field                       Description
fnVpnTunEntIndex                The unique index of the VPN tunnel.
fnVpnTunEntPhase1Name           The descriptive name of the Phase1 configuration.
fnVpnTunEntPhase2Name           The descriptive name of the Phase2 configuration.
fnVpnTunEntRemGwyIp             The IP of the remote gateway.
fnVpnTunEntRemGwyPort           The port of the remote gateway.
fnVpnTunEntLocGwyIp             The IP of the local gateway.
fnVpnTunEntLocGwyPort           The port of the local gateway.
fnVpnTunEntSelectorSrcBeginIp   Beginning of the address range of a source selector.
fnVpnTunEntSelectorSrcEndIp     Ending of the address range of a source selector.
fnVpnTunEntSelectorSrcPort      Source selector port.
fnVpnTunEntSelectorDstBeginIp   Beginning of the address range of a destination selector.
fnVpnTunEntSelectorDstEndIp     Ending of the address range of a destination selector.
fnVpnTunEntSelectorDstPort      Destination selector port.
fnVpnTunEntSelectorProto        Protocol number for the selector.
fnVpnTunEntSelectorLifeSecs     Lifetime of the tunnel in seconds.
fnVpnTunEntSelectorLifeBytes    Lifetime of the tunnel in bytes.
fnVpnTunEntTimeout              Timeout of the tunnel in seconds.
fnVpnTunEntInOctets             Number of bytes received on the tunnel.
fnVpnTunEntOutOctets            Number of bytes sent out on the tunnel.
fnVpnTunEntStatus               Current status of the tunnel, either up or down.

Replacement messages

Go to System > Config > Replacement Messages to change replacement messages and customize alert email and information that the FortiGate unit adds to content streams such as email messages, web pages, and FTP sessions.

The FortiGate unit adds replacement messages to a variety of content streams. For example, if a virus is found in an email message, the file is removed from the email and replaced with a replacement message. The same applies to pages blocked by web filtering and email blocked by spam filtering.

Note: Disclaimer replacement messages provided by Fortinet are examples only.

Replacement messages list

Figure 67: Replacement messages list

Name                The type of replacement message. Select the blue triangle to expand or collapse the category.
Description         Description of the replacement message type. The web-based manager describes where each replacement message is used by the FortiGate unit.
Edit or view icon   Select to edit or view a replacement message.

You can change messages added to:
• email with virus-infected attachments
• web pages (http)
• ftp sessions
• alert mail messages
• smtp email blocked as spam
• web pages blocked by web filter category blocking
• instant messaging and peer-to-peer sessions

Also, you can modify:
• the login page and rejected login page for user authentication
• disclaimer messages for user authentication (some models)
• keep alive page for authentication
• the FortiGuard web filtering block override page
• the login page for the SSL-VPN

Note: FortiOS uses HTTP to send the Authentication Disclaimer page for the user to accept before the firewall policy is in effect. Therefore, the user must initiate HTTP traffic first in order to trigger the Authentication Disclaimer page. Once the Disclaimer is accepted, the user can send whatever traffic is allowed by the firewall policy.

Changing replacement messages

Figure 68: Sample HTTP virus replacement message

Replacement messages can be text or HTML messages. You can add HTML code to HTML messages. Allowed Formats shows you which format to use in the replacement message. There is a limitation of 8192 characters for each replacement message. In addition, replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message. Table 27 lists the replacement message tags that you can add.

Table 27: Replacement message tags
Tag                  Description
%%AUTH_LOGOUT%%      The URL that will immediately delete the current policy and close the session. Used on the auth-keepalive page.
%%AUTH_REDIR_URL%%   The auth-keepalive page can prompt the user to open a new window which links to this tag.
%%CATEGORY%%         The name of the content category of the web site.
%%DEST_IP%%          The IP address of the request destination from which a virus was received. For email this is the IP address of the email server that sent the email containing the virus. For HTTP this is the IP address of the web page that sent the virus.
%%EMAIL_FROM%%       The email address of the sender of the message from which the file was removed.
%%EMAIL_TO%%         The email address of the intended receiver of the message from which the file was removed.
%%FAILED_MESSAGE%%   The failed to login message displayed on the auth-login-failed page.
%%FILE%%             The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.
%%FORTIGUARD_WF%%    The FortiGuard - Web Filtering logo.
%%FORTINET%%         The Fortinet logo.
%%HTTP_ERR_CODE%%    The HTTP error code, "404" for example.
%%HTTP_ERR_DESC%%    The HTTP error description.
%%KEEPALIVEURL%%     auth-keepalive-page automatically connects to this URL every %%TIMEOUT%% seconds to renew the connection policy.
%%NIDSEVENT%%        The IPS attack message. %%NIDSEVENT%% is added to alert email intrusion messages.
%%OVERRIDE%%         The link to the FortiGuard Web Filtering override form. This is visible only if the user belongs to a group that is permitted to create FortiGuard web filtering overrides.
%%OVRD_FORM%%        The FortiGuard web filter block override form. This tag must be present in the FortiGuard Web Filtering override form and should not be used in other replacement messages.
%%PROTOCOL%%         The protocol (http, ftp, pop3, imap, or smtp) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.
%%QUARFILENAME%%     The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages. Quarantining is only available on FortiGate units with a local disk.
%%QUESTION%%         Authentication challenge question on the auth-challenge page. Prompt to enter username and password on the auth-login page.
%%SERVICE%%          The name of the web filtering service.

Table 27: Replacement message tags (Continued)
Tag             Description
%%SOURCE_IP%%   The IP address of the request originator who would have received the blocked file. For email this is the IP address of the user's computer that attempted to download the message from which the file was removed.
%%TIMEOUT%%     Configured number of seconds between authentication keepalive connections. Used on the auth-keepalive page.
%%URL%%         The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.
%%VIRUS%%       The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.

Changing the authentication login page

Users see the authentication login page when they use a VPN or a firewall policy that requires authentication. You can customize this page in the same way as you modify other replacement messages, but there are some unique requirements:
• The login page must be an HTML page containing a form with ACTION="/" and METHOD="POST"
• The form must contain the following hidden controls:
  • <INPUT TYPE="hidden" NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%">
  • <INPUT TYPE="hidden" NAME="%%STATEID%%" VALUE="%%STATEVAL%%">
  • <INPUT TYPE="hidden" NAME="%%REDIRID%%" VALUE="%%PROTURI%%">
• The form must contain the following visible controls:
  • <INPUT TYPE="text" NAME="%%USERNAMEID%%" size=25>
  • <INPUT TYPE="password" NAME="%%PASSWORDID%%" size=25>

Example

The following is an example of a simple authentication page that meets the requirements listed above.

<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this service.</H4>
<FORM ACTION="/" method="post">
<INPUT NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%" TYPE="hidden">
<TABLE ALIGN="center" BGCOLOR="#00cccc" BORDER="0" CELLPADDING="15" CELLSPACING="0" WIDTH="320"><TBODY>
<TR><TH>Username:</TH>
<TD><INPUT NAME="%%USERNAMEID%%" SIZE="25" TYPE="text"> </TD></TR>
<TR><TH>Password:</TH>
<TD><INPUT NAME="%%PASSWORDID%%" SIZE="25" TYPE="password"> </TD></TR>

<TR><TD COLSPAN="2" ALIGN="center" BGCOLOR="#00cccc">
<INPUT NAME="%%STATEID%%" VALUE="%%STATEVAL%%" TYPE="hidden">
<INPUT NAME="%%REDIRID%%" VALUE="%%PROTURI%%" TYPE="hidden">
<INPUT VALUE="Continue" TYPE="submit">
</TD></TR>
</TBODY></TABLE></FORM></BODY></HTML>

Changing the FortiGuard web filtering block override page

The %%OVRD_FORM%% tag provides the form used to initiate an override if FortiGuard - Web Filtering blocks access to a web page. Do not remove this tag from the replacement message.

Changing the authentication disclaimer page

The Authentication Disclaimer page, available on some models, makes a statement about usage policy to which the user must agree before the FortiGate unit permits access. You enable the disclaimer in the firewall policy. See User Authentication Disclaimer in "Firewall policy options" on page 243. You should change only the disclaimer text itself, not the HTML form code.

Changing the SSL-VPN login message

The SSL VPN login message presents a web page through which users log in to the SSL-VPN web portal. The page is linked to FortiGate functionality and you must construct it according to the following guidelines to ensure that it will work.
• The login page must be an HTML page containing a form with ACTION="%%SSL_ACT%%" and METHOD="%%SSL_METHOD%%"
• The form must contain the %%SSL_LOGIN%% tag to provide the login form.
• The form must contain the %%SSL_HIDDEN%% tag.
VDOM operation mode and management access

You can change the operation mode of each VDOM independently of other VDOMs. This allows any combination of NAT/Route and Transparent operating modes on the FortiGate unit VDOMs. Management access to a VDOM can be restricted based on which interfaces and protocols can be used to connect to the FortiGate unit.

Note: The FortiGate-224B unit does not support multiple virtual domains in this release.

Changing operation mode

You can set the operating mode for your VDOM and perform sufficient network configuration to ensure that you can connect to the web-based manager in the new mode.

To switch from NAT/Route to Transparent mode
1 Go to System > Config > Operation Mode or select Change beside Operation Mode on the System Status page for the virtual domain.

2 From the Operation Mode list, select Transparent.
3 Enter the following information and select Apply.
Management IP/Netmask   Enter the management IP address and netmask. This must be a valid IP address for the network from which you want to manage the FortiGate unit.
Default Gateway         Enter the default gateway required to reach other networks from the FortiGate unit.
Asymmetric Routing      Select to allow asymmetric routing.

To switch from Transparent to NAT/Route mode
1 Go to System > Config > Operation Mode or select Change beside Operation Mode on the System Status page for the virtual domain.
2 From the Operation Mode list, select NAT.
3 Enter the following information and select Apply.
Interface IP/Netmask    Enter a valid IP address and netmask for the network from which you want to manage the FortiGate unit.
Device                  Select the interface to which the Interface IP/Netmask settings apply.
Default Gateway         Enter the default gateway required to reach other networks from the FortiGate unit.
Gateway Device          Select the interface to which the default gateway is connected.
Asymmetric Routing      Select to allow asymmetric routing.

Management access

You can configure management access on any interface in your VDOM. See "To control administrative access to an interface" on page 82. In NAT/Route mode, the interface IP address is used for management access. In Transparent mode, you configure a single management IP address that applies to all interfaces in your VDOM that permit management access. The FortiGate also uses this IP address to connect to the FDN for virus and attack updates (see "FortiGuard Center" on page 159).

The super administrator (admin) can access all VDOMs. It does not matter to which VDOM the interface belongs. A regular administrator account can access only the VDOM to which it belongs. The management computer must connect to an interface in that VDOM. In both cases, the management computer must connect to an interface that permits management access and its IP address must be on the same network. Management access can be via HTTP, HTTPS, telnet, or SSH sessions if those services are enabled on the interface. HTTPS and SSH are preferred as they are more secure.

You can allow remote administration of the FortiGate unit. However, allowing remote administration from the Internet could compromise the security of the FortiGate unit. You should avoid this unless it is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet:
• Use secure administrative user passwords.
• Change these passwords regularly.
• Enable secure administrative access to this interface using only HTTPS or SSH.
• Do not change the system idle timeout from the default value of 5 minutes (see "Settings" on page 152).
• Use Trusted Hosts to limit where the remote access can originate from.


By default. in the CLI or the GUI. In its factory default configuration. You cannot delete the ‘admin’ account.System Admin Administrators System Admin This section describes how to configure administrator accounts on your FortiGate unit. Any administrator assigned to the super_admin access profile. you can configure additional administrators with various levels of access to different parts of the FortiGate unit configuration. If you do not. ‘admin’ has no password.0 MR3 Administration Guide 01-30003-0203-20061124 143 . FortiGate Version 3.includes the original system administrator ‘admin’. the regular administrator is assigned to one VDOM and cannot access global configuration options or the configuration for any other VDOM. and change its password. define trusted hosts for it. the session remains open. If virtual domains are enabled.an administrator with any access profile other than super_admin system administrator . admin. see “VDOM configuration settings” on page 44 and “Global configuration settings” on page 45. Administrators access the FortiGate unit to configure its operation. This section includes the following topics: • • • • • Administrators Access profiles FortiManager Settings Monitoring administrators Administrators There are two levels of administrator accounts: • • regular administrator . In addition. and any other administrators assigned to the super_admin profile A regular administrator account has access to configuration options as determined by its access profile. For information about which options are global and which are per-VDOM. After connecting to the web-based manager or the CLI. Note: Always end your FortiGate session by logging out. they can: • • • • • enable VDOM configuration create VDOMs configure VDOMs assign regular administrators to VDOMs configure global options You cannot restrict or modify the privileges of the original ‘admin’ administrator. the unit has one administrator. has full access to the FortiGate unit configuration. 
as well as the default administrator account ‘admin’. but you can rename it.

You can authenticate an administrator using a password stored on the FortiGate unit or on a RADIUS server. Optionally, you can store all administrator accounts on a RADIUS server, except for the default 'admin' account. RADIUS-based accounts on the same RADIUS server share the same access profile.

Configuring RADIUS authentication for administrators

If you want to use a RADIUS server to authenticate administrators in your VDOM, you must configure the authentication before you create the administrator accounts. To do this you need to:
• configure the FortiGate unit to access the RADIUS server
• create a user group with the RADIUS server as its only member

The following procedures assume that there is a RADIUS server on your network populated with the names and passwords of your administrators. For information on how to set up a RADIUS server, see the documentation for your RADIUS server.

To configure the FortiGate unit to access the RADIUS server
1 Go to User > RADIUS.
2 Select Create New.
3 Enter the following information:
Name             A name for the RADIUS server. You use this name when you create the user group.
Server Name/IP   The domain name or IP address of the RADIUS server.
Server Secret    The RADIUS server secret. The RADIUS server administrator can provide this information.
4 Select OK.

To create the administrator user group
1 Go to User > User Group.
2 Select Create New.
3 In the Group Name field, type a name for the administrator group.
4 Select any protection profile.
5 In the Available Users list, select the RADIUS server name.
6 Select the green right arrow to move the name to the Members list.
7 Select OK.

Viewing the administrators list

Use the default 'admin' account, an account with the super_admin access profile, or an administrator with Access Control Read Write to add new administrator accounts and control their permission levels. Go to System > Admin > Administrators. Unless your administrator account has the super_admin access profile, the Administrators list shows only the administrators for the current virtual domain.

Figure 69: Administrators list

Create New            Add an administrator account.
Name                  The login name for an administrator account.
Trusted hosts         The IP address and netmask of trusted hosts from which the administrator can log in. For more information, see "Using trusted hosts" on page 147.
Profile               The access profile for the administrator.
Type                  The type of authentication for this administrator, one of: Local - a local password; RADIUS - authentication of a specific account on a RADIUS server; RADIUS+Wildcard - authentication of any account on a RADIUS server.
Delete icon           Delete the administrator account. You cannot delete the original 'admin' administrator account.
Edit or View icon     Edit or view the administrator account.
Change Password icon  Change the password for the administrator account.

To change an administrator password
1 Go to System > Admin > Administrators.
2 Select the Change Password icon next to the administrator account you want to change the password for.
3 Enter and confirm the new password.
4 Select OK.

Configuring an administrator account

Use the default 'admin' account, an account with the super_admin access profile, or an administrator with Access Control Read Write to create a new administrator. Go to System > Admin > Administrators and select Create New.

Figure 70: Administrator account configuration - local authentication

Figure 71: Administrator account configuration - RADIUS authentication

Administrator     Enter the login name for the administrator account.
RADIUS            Select to authenticate the administrator using a RADIUS server. RADIUS authentication for administrators must be configured first. See "Configuring RADIUS authentication for administrators" on page 144. If RADIUS is enabled, the FortiGate unit attempts RADIUS authentication first, and if that fails, it attempts password authentication.
Wildcard          Select to allow all accounts on the RADIUS server to be administrators. This is available only if RADIUS is selected.
User group        If you are using RADIUS authentication, select the administrator user group that has the appropriate RADIUS server as a member.
Password          Enter a password for the administrator account. For improved security, the password should be at least 6 characters long. This is not available if Wildcard is selected.
Confirm Password  Type the password for the administrator account a second time to confirm that you have typed it correctly. This is not available if Wildcard is selected.
Trusted Host #1
Trusted Host #2
Trusted Host #3   Optionally, type the trusted host IP address and netmask that administrator login is restricted to on the FortiGate unit. You can specify up to three trusted hosts. These addresses default to 0.0.0.0/0.0.0.0, 0.0.0.0/0.0.0.0, and 127.0.0.1/32 respectively. Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see "Using trusted hosts" on page 147.
Access Profile    Select the access profile for the administrator. The pre-configured super_admin profile provides full access to the FortiGate unit. You can also select Create New to create a new access profile. For more information on access profiles, see "Configuring an access profile" on page 150.
Virtual Domain    Select the virtual domain that this administrator can configure. This field is available only if you have the access profile super_admin and virtual domain configuration is enabled.

To configure an administrator account
1 Go to System > Admin > Administrators.
2 Select Create New to add an administrator account or select the Edit icon to make changes to an existing administrator account.

3 In the Administrator field, type a login name for the administrator account. If you are using RADIUS authentication for this administrator but not using the wildcard option, the administrator name must match an account on the RADIUS server.
4 If you are using RADIUS authentication for this administrator:
  • Select RADIUS.
  • Select Wildcard if you want all accounts on the RADIUS server to be administrators of this FortiGate unit.
  • Select the administrators user group from the User Group list.
5 Type and confirm the password for the administrator account. This step does not apply if you are using RADIUS Wildcard authentication.
6 Optionally, type a Trusted Host IP address and netmask from which the administrator can log into the web-based manager.
7 Select the access profile for the administrator.
8 Select OK.

Using trusted hosts

Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator must connect only through the subnet or subnets you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the FortiGate unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.

The trusted host addresses default to 0.0.0.0/0, 0.0.0.0/0, and 127.0.0.1/32 respectively. If you set one of the 0.0.0.0/0 addresses to a non-zero address, the other 0.0.0.0/0 will be ignored. Leaving both trusted hosts at 0.0.0.0/0 is the only way to use a wildcard entry; however, this is an insecure configuration.

The trusted hosts you define apply both to the web-based manager and to the CLI when accessed through telnet or SSH. CLI access through the console connector is not affected.

Access profiles

Each administrator account belongs to an access profile. The access profile separates FortiGate features into access control categories for which you can enable read and/or write access. Table 28 lists the web-based manager pages to which each category provides access.
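An added example, not from this guide, that applies the trusted-host rules above to a set of administrator accounts: it reports accounts that still accept logins from any host and decides whether a web-based manager, telnet or SSH login from a given source address would pass the check. The default entries and the "first non-zero entry wins" rule come from the guide; the account names, addresses and the helper functions are this example's assumptions.

```python
"""Audit FortiGate administrator trusted-host settings (added example).
Account names and addresses below are constructed sample data."""
import ipaddress

# Per the guide, the three trusted host entries default to these values.
DEFAULT_TRUSTED = ('0.0.0.0/0', '0.0.0.0/0', '127.0.0.1/32')
ANY = ipaddress.ip_network('0.0.0.0/0')


def parse_trusted_hosts(entries):
    """Turn up to three 'address/netmask' strings into networks. strict=False
    accepts host entries such as 192.0.2.7/255.255.255.255, which the guide
    describes as the way to restrict an administrator to a single address."""
    if len(entries) > 3:
        raise ValueError('an administrator account has at most three trusted hosts')
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def effective_trusted_hosts(entries):
    """Apply the guide's rules: the wildcard is in effect only while both of the
    first two entries stay at 0.0.0.0/0; once one of them is set to a non-zero
    address, any remaining 0.0.0.0/0 entry is ignored."""
    nets = parse_trusted_hosts(entries)
    if all(net == ANY for net in nets[:2]):
        return [ANY]
    return [net for net in nets if net != ANY]


def unrestricted_admins(admins):
    """Names of accounts that still accept logins from any host. One such
    account is enough for the unit to answer administrative access attempts
    on every interface that has administrative access enabled."""
    return [name for name, entries in admins.items()
            if effective_trusted_hosts(entries) == [ANY]]


def login_permitted(source_ip, entries):
    """Would a web-based manager, telnet or SSH login from source_ip pass the
    trusted-host check? (Console-port CLI access is not subject to it.)"""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in effective_trusted_hosts(entries))


# Constructed sample configuration (names and addresses are made up).
SAMPLE_ADMINS = {
    'admin':   ['10.10.1.0/255.255.255.0', '0.0.0.0/0', '127.0.0.1/32'],    # one subnet
    'netops':  ['192.0.2.7/255.255.255.255', '0.0.0.0/0', '127.0.0.1/32'],  # single host
    'auditor': list(DEFAULT_TRUSTED),                                        # left at defaults
}

if __name__ == '__main__':
    for name, entries in SAMPLE_ADMINS.items():
        print(name, [str(net) for net in effective_trusted_hosts(entries)])
    print('unrestricted:', unrestricted_admins(SAMPLE_ADMINS))
```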

Table 28: Access profile control of access to Web-based manager pages
Access control             Affected web-based manager pages
Admin Users                System > Admin
Antivirus Configuration    AntiVirus
Auth Users                 User
Firewall Configuration     Firewall
FortiGuard Update          System > Maintenance > FortiGuard Center
IPS Configuration          Intrusion Protection
Log & Report               Log & Report
Maintenance                System > Maintenance
Network Configuration      System > Network > Interface; System > Network > Zone; System > DHCP
Router Configuration       Router
Spamfilter Configuration   AntiSpam
System Configuration       System > Status, including Session info; System > Config; System > Maintenance > Backup; System > Maintenance > Support
VPN Configuration          VPN
Webfilter Configuration    Web Filter

Read access enables the administrator to view the web-based manager page. The administrator needs write access to change the settings on the page.

Note: When Virtual Domain Configuration is enabled (see "Settings" on page 152), only the administrators with the access profile super_admin have access to global settings. When Virtual Domain Configuration is enabled, other administrator accounts are assigned to one VDOM and cannot access global configuration options or the configuration for any other VDOM. For information about which settings are global, see "VDOM configuration settings" on page 44.

The access profile has a similar effect on administrator access to CLI commands. You can access "get" and "show" commands with read access. Access to "config" commands requires write access. The following table shows which command types are available in each access control category.

Table 29: Access profile control of access to CLI commands
Access control                        Available CLI commands
Admin Users (admingrp)                system admin; system accprofile
Antivirus Configuration (avgrp)       antivirus
Auth Users (authgrp)                  user
Firewall Configuration (fwgrp)        firewall
FortiProtect Update (updategrp)       system autoupdate; execute update_now
IPS Configuration (ipsgrp)            ips
Log & Report (loggrp)                 alertemail; log
Maintenance (mntgrp)                  execute backup; execute factoryreset; execute formatlogdisk; execute reboot; execute restore; execute shutdown
Network Configuration (netgrp)        system arp; system dhcp reserved-address; system dhcp server; system interface; system status; system zone; execute dhcp lease-clear; execute dhcp lease-list
Router Configuration (routegrp)       router; execute router
Spamfilter Configuration (spamgrp)    spamfilter
System Configuration (sysgrp)         system, except accprofile, admin and autoupdate; execute date; execute dhcpclear; execute enter; execute ha; execute ping; execute ping-options; execute ping6; execute restore; execute time; execute traceroute
VPN Configuration (vpngrp)            vpn; execute vpn
Webfilter Configuration (webgrp)      webfilter

Go to System > Admin > Access Profile to add access profiles for FortiGate administrators. Each administrator account belongs to an access profile. You can create access profiles that deny access to or allow read only, write only, or both read and write access to FortiGate features.

When an administrator has only read access to a feature, the administrator can access the web-based manager page for that feature but cannot make changes to the configuration. There are no Create or Apply buttons and lists display only the View icon instead of icons for Edit, Delete or other modification commands.

Viewing the access profiles list

Use the admin account or an account with Admin Users read and write access to create or edit access profiles. Go to System > Admin > Access Profile.

Figure 72: Access profile list

Create New    Add a new access profile.
Profile Name  The name of the access profile.
Delete icon   Select to delete the access profile. You cannot delete an access profile that has administrators assigned to it.
Edit icon     Select to modify the access profile.

Configuring an access profile

Use the admin account or an account with Admin Users read and write access to edit an access profile. Go to System > Admin > Access Profile and select Create New.

Figure 73: Access profile option

Otherwise. Access Control lists the items to which the access profile controls access. For detailed information about the access control categories. Select None to disable access to all Access Control categories. Select Read to select Read access in all Access Control categories. Enter the serial number of the FortiManager Server. communication is nonsecured. Select Read Write to select Read and Write access in all Access Control categories. ID IP FortiGate Version 3. Enter the IP Address of the FortiManager Server. Select Read and/or Read/Write access for Access Control categories as required.System Admin FortiManager Profile Name Access Control None Read Read Write Access Control categories Enter the name of the access profile. see “Access profiles” on page 147.0 MR3 Administration Guide 01-30003-0203-20061124 151 . FortiManager Go to System > Admin > FortiManager to configure the FortiGate unit to be managed through a FortiManager server. Communication between the FortiGate unit and the FortiManager server is via an IPSec VPN that is invisibly pre-configured on the FortiGate unit. Figure 74: FortiManager configuration FortiManager Settings Enable Enable secure IPSec VPN communication between the FortiGate unit and a FortiManager Server.

Settings

Go to System > Admin > Settings to set the following options:
• Ports for HTTP and HTTPS administrative access
• Timeout settings including the idle timeout and authentication timeout
• The language of the web-based manager
• PIN protection for LCD and control buttons (LCD-equipped models only)

Figure 75: Administrators Settings

Web Administration Ports
HTTP: Enter the TCP port to be used for administrative HTTP access. The default is 80.
HTTPS: Enter the TCP port to be used for administrative HTTPS access. The default is 443.
Telnet Port: Enter the telnet port to be used for administrative access. The default is 23.
SSH Port: Enter the SSH port to be used for administrative access. The default is 22.
Enable v1 compatibility: Select to enable compatibility with SSH v1 in addition to v2. (Optional)

Timeout Settings
Idle Timeout: Enter the number of minutes that an administrative connection can be idle before the administrator must log in again. The maximum is 480 minutes (8 hours). To improve security, keep the idle timeout at the default value of 5 minutes.

Auth Timeout: Enter the number of minutes that an authenticated connection can be idle before the user must authenticate again. The maximum is 480 minutes (8 hours). The default is 15 minutes. For more information, see “Setting authentication timeout” on page 341.

Web Administration
Language: Select a language for the web-based manager to use. Choose from English, Simplified Chinese, Traditional Chinese, Japanese, Korean, or French. Note: You should select the language that the management computer operating system uses.

LCD Panel (LCD-equipped models only)
PIN Protection: Select the PIN Protection check box and type a 6-digit PIN. Administrators must enter the PIN to use the control buttons and LCD.

Virtual Domain Configuration: Enable if you want to operate multiple VDOMs. This enables VDOM creation and configuration privileges for the administrators with the access profile super_admin. For more information on VDOM creation and management, see “Virtual domains” on page 43. VDOM operation is not available on model 224B in this release.

Enable SCP: Enable if you want users logged in through the SSH to be able to use the SCP to copy the configuration file.

Monitoring administrators

To see the number of logged-in administrators, go to System > Status. Under System Information, you will see Current Administrators. Click on Details to view information about the administrators currently logged in to the FortiGate unit.

Figure 76: System Information > Current Administrators

Figure 77: Administrators logged in monitor window

Disconnect: Select to disconnect the selected administrators. This is available only if your access profile gives you System Configuration write access.
Refresh: Select to update the list.
Close: Select to close the window.
check box: Select and then select Disconnect to log off this administrator. Note: You cannot log off the default ‘admin’ user. This is available only if your access profile gives you System Configuration write permission.
User Name: The administrator account name.
Type: The type of access: WEB or CLI.
From: If Type is WEB, the value in From is the administrator’s IP address. If Type is CLI, the value in From is “ssh” or “telnet” and either the administrator’s IP address or “console”.
Time: The date and time that the administrator logged on.

System Maintenance

This section describes how to back up and restore your system configuration and how to configure automatic updates from the FortiGuard Distribution Network, including web content files and spam filtering files. Some FortiGate models support FortiClient by storing a FortiClient image that users can download.

This section includes the following topics:
• Backup and restore
• FortiGuard Center
• License

Backup and restore

Go to System > Maintenance > Backup & Restore to back up and restore the system configuration and to manage firmware. You can back up the system configuration to the management computer or to a USB disk on models that support the USB disk. You can also restore the system configuration from previously downloaded backup files. If you want the backup file to include VPN certificates, you must enable encryption of the backup file.

When virtual domain configuration is enabled, the content of the backup file depends on the administrator account that created it. A backup of the system configuration from the super admin account contains global settings and the settings for each VDOM. Only the super admin can restore the configuration from this file. When you back up the system configuration from a regular administrator account, the backup file contains the global settings and the settings for the VDOM to which the regular administrator belongs. Only a regular administrator account can restore the configuration from this file.

Note: If you have a FortiGate model numbered less than 100, the Firmware section of the Maintenance screen will not be displayed. In this situation you can change your firmware version by going to System > Status and selecting Update for Firmware Version.

The FortiClient section of Backup and Restore is available only if your FortiGate model supports FortiClient.

Figure 78: Backup and restore options

Figure 79: Backup and Restore

Last Backup: The date and time of the last backup to local PC. Backing up to USB does not save the time of backup.
Backup: Back up the current configuration.
Backup configuration to: Select Local PC or USB Disk to store the configuration file. You can select USB Disk only if the disk is connected to the FortiGate unit.
Filename: If you selected USB Disk, enter a name for the backup file.

Encrypt: Select to encrypt the backup file. To back up VPN certificates, encryption must be enabled on the backup file.
Password: Enter a password in the configuration file Password field and enter it again in the Confirm field. You will need this password to restore the file.
Backup: Back up the configuration.

Restore: Restore the configuration from a file.
Restore configuration from: Select Local PC or USB Disk as the location of the configuration file. You can select USB Disk only if the disk is connected to the FortiGate unit.
Filename: Enter the configuration file name or use the Browse button if you are restoring the configuration from a file on the management computer. Select the configuration file name from the list if you are restoring the configuration from a USB disk.
Password: Enter the password if the backup file is encrypted.
Restore: Restore the configuration from the selected file.

Figure 80: Firmware

This is available only on FortiGate models numbered 100 or higher. FortiGate models numbered 100 and higher have two partitions. A partition can contain one version of the firmware and the system configuration. One partition is active and the other is a backup.

On the backup partition, you can:
• Select Upload to replace with firmware from the management computer or a USB disk.
• Select Upload and Reboot to replace the firmware and make this the active partition.

Active: A green check mark indicates which partition contains the firmware and configuration currently in use.
Last Upgrade: The date and time of the last update to this partition.
Firmware Version: The version and build number of the FortiGate firmware.
Boot alternate firmware: Restart the FortiGate unit using the backup firmware.

Figure 81: FortiClient

Software Image: The current FortiClient image on this FortiGate unit. Select Upload to upload a new FortiClient image from your management computer.
Antivirus Database: The current version of FortiGuard antivirus database on this FortiGate unit. For more details, see “Configuring the FortiGate unit for FDN and FortiGuard services” on page 160.

Antivirus Engine: The current version of FortiGuard antivirus engine on this FortiGate unit. For more details, see “Configuring the FortiGate unit for FDN and FortiGuard services” on page 160.
Web Portal Port: Select the port for the web portal where users will be redirected if they are denied access due to FortiClient check options in the firewall policy. The default port number is 8009. The port number should only be changed if there is a conflict. Select Save after changing the port number to commit your change.

Figure 82: Advanced

Advanced (USB Auto-Install): This section is available only if a USB disk is connected to the FortiGate unit. Select the options as required and restart the FortiGate unit. The FortiGate unit will not reload a firmware or configuration file that is already loaded. If you select both configuration and firmware update, both occur on the same reboot.
On system restart, automatically update FortiGate configuration: Automatically update the configuration on restart. Ensure that the Default configuration file name matches the configuration file name on the USB disk.
On system restart, automatically update FortiGate firmware: Automatically update the firmware on restart. Ensure that the Default image name matches the firmware file name on the USB disk.
Import Bulk CLI Commands: Import URL filter and Spam filter definitions from a text file on the management computer to the FortiGate unit. Enter the file name and path or use the Browse button and locate the file. You can create the text file by excerpting the appropriate section of a FortiGate configuration backup file or by typing the appropriate CLI commands.
Download Debug Log: Download an encrypted debug log to a file. You can send this debug log to Fortinet Technical Support to help diagnose problems with your FortiGate unit.

FortiGuard Center

The FortiGuard Center configures your FortiGate unit for the FortiGuard Distribution Network (FDN) and FortiGuard Services. The FDN provides updates to antivirus and attack definitions. FortiGuard Services provides an online IP address black list, URL black list, and other spam filtering tools.

FortiGuard Distribution Network

The FortiGuard Distribution Network (FDN) is a world-wide network of FortiGuard Distribution Servers (FDSs). When the FortiGate unit connects to the FDN, it connects to the nearest FDS based on the current time zone setting. The FDN provides updates to antivirus (including grayware) and IPS attack definitions.

You must register the FortiGate unit on the Fortinet support web page. To register your FortiGate unit, go to Product Registration and follow the instructions.

The FortiGate unit supports the following update features:
• User-initiated updates from the FDN.
• Hourly, daily, or weekly scheduled antivirus and attack definition updates from the FDN.
• Update status including version numbers, expiry dates, and update dates and times.
• Push updates from the FDN.
• Push updates through a NAT device.

To receive scheduled updates, the FortiGate unit must be able to connect to the FDN using HTTPS on port 443. For information about configuring scheduled updates, see “To enable scheduled updates” on page 165.

You can also configure the FortiGate unit to receive push updates. For this to succeed, the FDN must be able to route packets to the FortiGate unit using UDP port 9443. For information about configuring push updates, see “To enable push updates” on page 166.

FortiGuard Services

Worldwide coverage of FortiGuard services is provided by FortiGuard Service Points. When your FortiGate unit connects to the FDN, it is connecting to the closest FortiGuard Service Point. Fortinet adds new Service Points as required. By default, the FortiGate unit communicates with the closest Service Point. If the Service Point becomes unreachable for any reason, the FortiGate unit contacts another Service Point and information is available within seconds. If you need to change the default FortiGuard Service Point host name, use the hostname keyword in the system fortiguard CLI command. You cannot change the FortiGuard Service Point name using the web-based manager.

By default, the FortiGate unit communicates with the Service Point via UDP on port 53. Alternately, the UDP port used for Service Point communication can be switched to port 8888 by going to System > Maintenance > FortiGuard Center. For detailed information about FortiGuard services, see the FortiGuard Center web page.

FortiGuard-Antispam Service

FortiGuard-Antispam is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools. The IP address black list contains IP addresses of email servers known to be used to generate spam. The URL black list contains URLs of websites found in spam email. FortiGuard-Antispam processes are completely automated and configured by Fortinet. With constant monitoring and dynamic updates, FortiGuard-Antispam is always current. Enable or disable FortiGuard-Antispam in firewall protection profiles. See “Spam filtering options” on page 303.

FortiGuard-Antispam license management is performed by Fortinet servers. The FortiGate unit automatically contacts a FortiGuard-Antispam Service Point when enabling FortiGuard-Antispam; there is no need to enter a license number. Every FortiGate unit comes with a free 30-day FortiGuard-Antispam trial license. To renew the FortiGuard-Antispam license after the free trial, contact Fortinet Technical Support.

Enable FortiGuard-Antispam globally in System > Maintenance > FortiGuard Center and then configure the Spam Filtering options in each firewall protection profile. See “Spam filtering options” on page 303.

FortiGuard-Web Service

FortiGuard-Web is a managed web filtering solution provided by Fortinet. FortiGuard-Web sorts hundreds of millions of web pages into a wide range of categories users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard-Web Service Point to determine the category of a requested web page then follows the firewall policy configured for that user or interface. See “FortiGuard-Web filtering options” on page 302.

FortiGuard license management is performed by Fortinet servers. The FortiGate unit automatically contacts a FortiGuard Service Point when enabling FortiGuard category blocking. There is no need to enter a license number. Every FortiGate unit comes with a free 30-day FortiGuard-Web Filter trial license. To renew a FortiGuard license after the free trial, contact Fortinet Technical Support.

Enable FortiGuard-Web globally in System > Maintenance > FortiGuard Center and then configure the FortiGuard Web Filtering options in each firewall protection profile.

Configuring the FortiGate unit for FDN and FortiGuard services

Go to System > Maintenance > FortiGuard Center to configure access to FDN updates and FortiGuard services on the update center page. The three sections of the update center are:
• Support Contract and FortiGuard Subscription Services
• AntiVirus and IPS Downloads
• Web Filtering and AntiSpam Options

Support Contract and FortiGuard Subscription Services

The Support Contract and FortiGuard Subscription Services sections are displayed in abbreviated form on the System Status page. See “Viewing system status” on page 51.

Figure 83: Support Contract and FortiGuard Subscription Services section

Support Contract: The availability or status of your FortiGate unit support contract. The status displayed can be one of: Unreachable, Not Registered or Valid Contract. If Valid Contract is shown, the expiry date of contract, the FortiOS version, and Support Level are also displayed.
[Register]: Select to register your FortiGate unit support contract. Only displayed when Support Contract is Not Registered.
FortiGuard Subscription Services: Availability and status information for each of the FortiGuard subscription services including:
• AntiVirus (AV Definitions)
• Intrusion Protection (IPS Definitions)
• Web Filtering
• AntiSpam
Availability: The availability of this service on this FortiGate unit. The icon shown corresponds to the availability description. See the descriptions for Status Icon. If the Status Icon is green, the expiry date is displayed, dependent on your service subscription. The option to Subscribe will be displayed if Availability is Not Registered. The option to Renew will be displayed if Availability is Expired.
Status Icon: Round icon shown indicates the status of the subscription service.
• grey - Unreachable - FortiGate unit is not able to connect to service
• yellow - Not Registered - FortiGate unit can connect, but has no support registered for this service
• yellow - Expired - FortiGate unit had a valid license that expired
• green - Valid license - FortiGate unit can connect to FDN and has a registered support contract
Version: The version number of the definition file currently installed on the FortiGate unit for this service.
(Last update date and method): The date of the last update and method used for last attempt to download definition updates for this service.
[Update]: Select to update this service on your FortiGate unit. This will prompt you to download the update file from your local computer. To download updates from FDN directly, use the Update Now control.

(Date): Local system date when the FortiGate unit last checked for updates for this service.
AntiVirus and IPS Downloads: Select the blue arrow to display or hide this section. See “AntiVirus and IPS Downloads” on page 162.
Web Filtering and AntiSpam Options: Select the blue arrow to display or hide this section. See “Web Filtering and AntiSpam Options” on page 163.

AntiVirus and IPS Downloads

Select the blue arrow next to AntiVirus and IPS Downloads to access this section.

Figure 84: AntiVirus and IPS Downloads section

Use override server address: Select to configure an override server if you cannot connect to the FDN or if your organization provides updates using their own FortiGuard server. When selected, enter the IP address or domain name of a FortiGuard server and select Apply. If the FDN Status still indicates no connection to the FDN, see “Troubleshooting FDN connectivity” on page 164.
Allow Push Update: Select to allow push updates. See “To enable push updates” on page 166.
Push Update Status Icon: Push Update Status Icon shows the status of the push update service. The status of the FortiGate unit for receiving push updates:
• grey - not available - push update service is not available with current support license
• yellow - unreachable - FortiGate unit is not able to connect to push update service
• green - available - push update service is allowed.
If the icon is either grey or yellow, see “Troubleshooting FDN connectivity” on page 164.
Use override push: Select to enable custom IP address and port to be used to connect to the push update server. Available only if Allow Push Update is selected.
IP: Enter a new IP address to connect to the FDN push server. Available only if Allow Push Update and Use override push are enabled.
port: Select a new port to use to connect to the FDN push server. Available only if Use override push and IP address are set.
Scheduled Update: Select this check box to enable scheduled updates.
Every: Attempt to update once every 1 to 23 hours. Select the number of hours between each update request.
Daily: Attempt to update once a day. You can specify the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.

Weekly: Attempt to update once a week. You can specify the day of the week and the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.
Update Now: Select Update Now to manually initiate an FDN update.

Web Filtering and AntiSpam Options

Select the blue arrow next to Web Filtering and AntiSpam Options to access this section.

Figure 85: Web Filtering and AntiSpam Options section

Enable Web Filter: Select to enable FortiGuard Web Filter service.
Enable Cache: Select to enable caching FortiGuard Services information. This improves performance by reducing FortiGate unit requests to the FortiGuard server. The cache uses 6% of the FortiGate memory. When the cache is full, the least recently used IP address or URL is deleted. Available only if Enable Web Filter is selected.
TTL: Time to live. The number of seconds to store blocked IP addresses and URLs in the cache before contacting the server again. Available only if both Enable Web Filter and Enable Cache are selected.
Select to re-evaluate a URL’s category rating on the FortiGuard Web Filter service.
Enable Anti Spam: Select to enable FortiGuard AntiSpam service.
Enable cache: Select to enable caching FortiGuard Services information. This improves performance by reducing FortiGate unit requests to the FortiGuard server. The cache uses 6% of the FortiGate memory. When the cache is full, the least recently used IP address or URL is deleted. Available only if Enable Anti Spam is selected.
TTL: Time to live. The number of seconds to store blocked IP addresses and URLs in the cache before contacting the server again.
Use Default Port (53): Select to use port 53 to communicate with FortiGuard-Antispam servers.
Use Alternate Port (8888): Select to use port 8888 to communicate with FortiGuard-Antispam servers.
Test Availability please click here: Select to test the connection to the FortiGuard-Antispam server. Results are shown below the button and on the Status indicators.

Troubleshooting FDN connectivity

If your FortiGate unit is unable to connect to the FDN, check your configuration. For example, you may need to add routes to the FortiGate routing table or configure your network to allow the FortiGate unit to use HTTPS on port 443 to connect to the Internet. You might have to connect to an override FortiGuard server to receive updates. See “To add an override server” on page 165. If this is not successful, check your configuration to make sure you can connect to the override FortiGuard server from the FortiGate unit.

Push updates might be unavailable if:
• you have not registered the FortiGate unit (To register your FortiGate unit, go to Product Registration and follow the instructions.)
• there is a NAT device installed between the FortiGate unit and the FDN (see “Enabling push updates through a NAT device” on page 166)
• your FortiGate unit connects to the Internet using a proxy server (see “To enable scheduled updates through a proxy server” on page 165).

To make sure the FortiGate unit can connect to the FDN
1 Go to System > Status and select Change on the System Time line in the System Information section.
2 Make sure that the time zone is set correctly for the region in which your FortiGate unit is located.
3 Go to System > Maintenance > FortiGuard Center.
4 Select Refresh.
The FortiGate unit tests its connection to the FDN. The test results are displayed at the top of the System Update page.

Updating antivirus and attack definitions

Use the following procedures to configure the FortiGate unit to connect to the FortiGuard Distribution Network (FDN) to update the antivirus (including grayware) definitions and attack definitions.

To update antivirus and attack definitions
1 Go to System > Maintenance > FortiGuard Center.
2 Select Update Now to update the antivirus and attack definitions.
If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following: Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update.
After a few minutes, if an update is available, the System Update Center page lists new version information for antivirus definitions and attack definitions. The System Status page also displays new dates and version numbers for antivirus, attack and IPS definitions. Messages are recorded to the event log indicating whether the update was successful or not.

Note: Updating antivirus and attack definitions can cause a very short disruption in traffic currently being scanned while the FortiGate unit applies the new signature database. To minimize this possibility, schedule updates for times of light traffic.

To enable scheduled updates
1 Go to System > Maintenance > FortiGuard Center.
2 Select the Scheduled Update check box.
3 Select one of the following to check for and download updates.
Every: Once every 1 to 23 hours. Select the number of hours and minutes between each update request.
Daily: Once a day. You can specify the time of day to check for updates.
Weekly: Once a week. You can specify the day of the week and the time of day to check for updates.
4 Select Apply.
The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log.

To enable scheduled updates through a proxy server
If your FortiGate unit must connect to the Internet through a proxy server, you can use the config system autoupdate tunneling command to allow the FortiGate unit to connect (or tunnel) to the FDN using the proxy server. For more information, see the FortiGate CLI Reference.

To add an override server
If you cannot connect to the FDN, or if your organization provides antivirus and attack updates using their own FortiGuard server, you can use the following procedure to add the IP address of an override FortiGuard server.
1 Go to System > Maintenance > FortiGuard Center.
2 Select the Use override server address check box.
3 Type the fully qualified domain name or IP address of a FortiGuard server.
4 Select Apply.
The FortiGate unit tests the connection to the override server. If the FortiGuard Distribution Network availability icon changes from grey, the FortiGate unit has successfully connected to the override server. If the FortiGuard Distribution Network availability icon stays grey, the FortiGate unit cannot connect to the override server. Check the FortiGate configuration and network configuration for settings that would prevent the FortiGate unit from connecting to the override FortiGuard server.

Enabling push updates

The FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push updates. To register your FortiGate unit, go to Product Registration and follow the instructions.

When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN. The next time new antivirus or attack definitions are released, the FDN notifies all FortiGate units that are configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiGate unit requests an update from the FDN.

When the network configuration permits, configuring push updates is recommended in addition to configuring scheduled updates. On average the FortiGate unit receives new updates sooner through push updates than if the FortiGate unit receives only scheduled updates. However, when the FortiGate unit receives a push notification it makes only one attempt to connect to the FDN and download updates. The FortiGate unit might not receive the push notification. Also, scheduled updates make sure that the FortiGate unit receives the latest updates. Enabling push updates is not recommended as the only method for obtaining updates.

Note: Push updates are not supported if the FortiGate unit must use a proxy server to connect to the FDN. For more information, see “To enable scheduled updates through a proxy server” on page 165.

To enable push updates
1 Go to System > Maintenance > FortiGuard Center.
2 Select Allow Push Update.
3 Select Apply.

Push updates when FortiGate IP addresses change

The SETUP message that the FortiGate unit sends when you enable push updates includes the IP address of the FortiGate interface to which the FDN connects. The interface used for push updates is the interface configured in the default route of the static routing table. The FDN must be able to connect to this IP address for your FortiGate unit to be able to receive push update messages. If your FortiGate unit is behind a NAT device, see “Enabling push updates through a NAT device” on page 166.

The FortiGate unit sends the SETUP message if you change the IP address of this interface manually or if you have set the interface addressing mode to DHCP or PPPoE and your DHCP or PPPoE server changes the IP address. In Transparent mode if you change the management IP address, the FortiGate unit also sends the SETUP message to notify the FDN of the address change. If you have redundant connections to the Internet, the FortiGate unit also sends the SETUP message when one Internet connection goes down and the FortiGate unit fails over to the other Internet connection.

Enabling push updates through a NAT device

If the FDN can only connect to the FortiGate unit through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update configuration. Using port forwarding, the FDN connects to the FortiGate unit using UDP on either port 9443 or an override push port that you specify.

Note: You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (for example, set using PPPoE or DHCP).

Figure 86: Example network: Push updates through a NAT device (FDN Server, Internet, NAT Device, Push Updates, Internal Network)

General procedure

Use the following steps to configure the FortiGate unit on the internal network and the NAT device so that the FortiGate unit on the internal network can receive push updates:
1 Register and license the FortiGate unit on the internal network so that it can receive push updates.
2 Configure the FortiGuard Center of the FortiGate unit on the internal network.
• Allow push updates
• Add an override push update IP. Usually this would be the IP address of the external interface of the NAT device
• If required, change the override push update port
3 Add a port forwarding virtual IP to the NAT device.
• Set the external IP address of the virtual IP to match the override push update IP. Usually this would be the IP address of the external interface of the NAT device.
4 Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual IP.

To configure the FortiGuard Center of the FortiGate unit on the internal network
1 Go to System > Maintenance > FortiGuard Center.
2 Select Allow Push Update.
3 Select Use override push IP and enter the IP address of the external interface of the NAT device.
4 Do not change the push update port unless UDP port 9443 is blocked or used by other services on your network.
5 Select Apply.
The FortiGate unit sends the override push IP address and port to the FDN. The FDN now uses this IP address and port for push updates to the FortiGate unit on the internal network.
Push updates will not actually work until you add a virtual IP to the NAT device so that the NAT device accepts push update packets and forwards them to the FortiGate unit on the internal network.
Note: If the external IP address or external service port changes, add the changes to the Use override push configuration and select Apply to update the push information on the FDN.

To add a port forwarding virtual IP to the FortiGate NAT device
Configure the NAT device to use port forwarding to forward push update connections from the FDN to the FortiGate unit on the internal network.
1 Go to Firewall > Virtual IP and select Create New.
2 Add a port forwarding virtual IP that maps the external interface of the NAT device to the IP address of the FortiGate unit on the internal network using the push update UDP port:
  Name: Add a name for the Virtual IP.
  External Interface: The interface on the NAT device that connects to the Internet.
  Type: Static NAT or Port Forwarding. Select Port Forwarding.
  External IP Address/Range: The IP address that the FDN connects to in order to send push updates to the FortiGate unit on the internal network. This IP address must be the same as the FortiGuard Center push update override IP of the FortiGate unit on the internal network. This would usually be the IP address of the external interface of the NAT device.
  Mapped IP Address/Range: The IP address of the FortiGate unit on the internal network.
  Protocol: UDP
  External Service Port: The external service port that the FDN connects to. The external service port for push updates is usually 9443. If you changed the push update port in the FortiGuard Center configuration of the FortiGate unit on the internal network, you must set the external service port to the changed push update port.
  Map to Port: The map to port must be the same as the external service port.
3 Select OK.

To add a firewall policy to the FortiGate NAT device
1 Add a new external to internal firewall policy.
2 Configure the policy with the following settings:

3 Select OK.

To confirm that push updates to the FortiGate unit on the internal network are working
1 Go to System > Maintenance > FortiGuard Center.
2 Select Refresh. The Push Update indicator should change to solid green.

License
If your FortiGate unit is model 3000 or higher, you can purchase a license key from Fortinet to increase the maximum number of VDOMs to 25, 50, 100 or 250. By default, FortiGate units support a maximum of 10 VDOMs. Fortinet requires your unit serial number to generate the license key. The license key is a 32-character string supplied by Fortinet. Go to System > Maintenance > License to enter your license key.
Figure 87: License key for additional VDOMs
Current License: The current maximum number of Virtual Domains.
Input License Key: Enter the license key supplied by Fortinet and select Apply.
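The push-update-through-NAT procedure above has several settings that must agree with each other (override push IP, virtual IP external and mapped addresses, UDP port 9443 on both the external service port and the map-to port, and a policy that uses the VIP), and a dynamic external address on the NAT device defeats it entirely. The following pre-flight check encodes those rules. It is an added example, not Fortinet code: the dictionary layout, field names and the documentation-range addresses are assumptions made for the illustration, not FortiOS configuration keys.

```python
"""Pre-flight consistency check for FortiGuard push updates through a NAT
device.  Added example modelled on the procedure above; it is not Fortinet
code.  The dict layout, field names and addresses are assumptions chosen for
this illustration, not FortiOS configuration keys."""

DEFAULT_PUSH_PORT = 9443  # push update UDP port named in the procedure


def check_push_update_setup(internal_fgt, nat_device):
    """Return a list of problems; an empty list means the FortiGuard Center
    settings, the port forwarding virtual IP and the firewall policy agree."""
    problems = []
    fg = internal_fgt["fortiguard"]
    vip = nat_device["virtual_ip"]
    ext = nat_device["external_interface"]

    # Page note: push updates cannot reach a NAT device whose external
    # address is dynamic, because the FDN would not know where to connect.
    if ext["addressing_mode"] != "manual":
        problems.append("NAT external interface addressing mode is %s; "
                        "a static external IP is required" % ext["addressing_mode"])
    if not fg["allow_push_update"]:
        problems.append("Allow Push Update is not selected on the internal FortiGate")
    if not fg["use_override_push_ip"]:
        problems.append("Use override push IP is not selected on the internal FortiGate")
    # The override IP is what the FDN connects to: the NAT external IP,
    # which must also be the external IP of the virtual IP.
    if fg["override_push_ip"] != ext["ip"]:
        problems.append("override push IP %s is not the NAT external interface IP %s"
                        % (fg["override_push_ip"], ext["ip"]))
    if vip["external_ip"] != fg["override_push_ip"]:
        problems.append("VIP external IP %s differs from override push IP %s"
                        % (vip["external_ip"], fg["override_push_ip"]))
    if vip["type"] != "port_forwarding":
        problems.append("VIP type must be Port Forwarding, not %s" % vip["type"])
    if vip["protocol"].upper() != "UDP":
        problems.append("VIP protocol must be UDP, not %s" % vip["protocol"])
    if vip["external_service_port"] != fg["push_port"]:
        problems.append("VIP external service port %d does not match push update port %d"
                        % (vip["external_service_port"], fg["push_port"]))
    if vip["map_to_port"] != vip["external_service_port"]:
        problems.append("VIP map to port %d must equal the external service port %d"
                        % (vip["map_to_port"], vip["external_service_port"]))
    if vip["mapped_ip"] != internal_fgt["ip"]:
        problems.append("VIP mapped IP %s is not the internal FortiGate IP %s"
                        % (vip["mapped_ip"], internal_fgt["ip"]))
    # The NAT device also needs an external-to-internal policy that uses the VIP.
    if not any(p["src_interface"] == ext["name"] and p["destination"] == vip["name"]
               for p in nat_device["policies"]):
        problems.append("no external-to-internal firewall policy uses VIP %s" % vip["name"])
    return problems


def sample_setup(correct=True):
    """Constructed settings (documentation addresses, not a real network).
    With correct=False, two mistakes the procedure warns about are introduced."""
    internal = {
        "ip": "192.168.10.5",
        "fortiguard": {"allow_push_update": True, "use_override_push_ip": True,
                       "override_push_ip": "203.0.113.7", "push_port": DEFAULT_PUSH_PORT},
    }
    nat = {
        "external_interface": {"name": "wan1", "ip": "203.0.113.7",
                               "addressing_mode": "manual"},
        "virtual_ip": {"name": "push_vip", "type": "port_forwarding",
                       "external_ip": "203.0.113.7", "mapped_ip": "192.168.10.5",
                       "protocol": "UDP", "external_service_port": DEFAULT_PUSH_PORT,
                       "map_to_port": DEFAULT_PUSH_PORT},
        "policies": [{"src_interface": "wan1", "destination": "push_vip"}],
    }
    if not correct:
        nat["external_interface"]["addressing_mode"] = "dhcp"  # dynamic external IP
        nat["virtual_ip"]["map_to_port"] = 9444                 # map to port != external port
    return internal, nat


if __name__ == "__main__":
    for flag in (True, False):
        internal, nat = sample_setup(flag)
        print("correct" if flag else "broken", check_push_update_setup(internal, nat))
```

Run it before opening the UDP port on the NAT device: the broken sample reports both the dynamic external address and the map-to-port mismatch, which are the two errors that leave the Push Update indicator from turning solid green while everything else looks configured.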


System Chassis (FortiGate-5000 series)
For FortiGate-5000 series modules installed in a FortiGate-5050 or FortiGate-5140 chassis, you can go to System > Chassis to view real-time operating status information about the hardware components installed in the chassis.
The system chassis pages display information received from the chassis shelf manager. Information displayed by the system chassis pages depends on the FortiGate-5000 series chassis and not on the FortiGate-5000 series module that you are connecting to. So from the system chassis pages you can view information about all of the hardware components in the chassis. The system chassis pages only display information if at least one shelf manager is functioning in the chassis and only if the FortiGate-5000 module that you have connected to can communicate with a shelf manager.
You can use the get chassis status command to display similar chassis information from the FortiGate CLI.
• SMC
• Blades
• Chassis monitoring event log messages

SMC
Go to System > Chassis > SMC to view the status of the shelf manager cards (SMCs) installed in the FortiGate-5000 series chassis. The SMC list shows basic status information about the shelf manager cards in the chassis. The SMC list is the same for the FortiGate-5140 chassis and the FortiGate-5050 chassis. Shelf managers can operate in active or standby mode. In active mode the shelf manager is operating the chassis. In standby mode the shelf manager is waiting to switch to active mode if it detects that the active shelf manager is not operating.
Figure 88: Shelf manager card (SMC) list
Refresh interval: Set how often the web-based manager refreshes the information displayed on the SMC list.
Refresh: Manually refresh the information displayed on the SMC list.
SMC #: Shelf manager card slot number: SMC 1 or SMC 2.
Status: Current status of the shelf manager card in each chassis slot. The status can be Present if a shelf manager card is installed in the slot and Empty if a shelf manager card is not installed.
Active/Standby: The mode of the shelf manager card in each chassis slot.

Blades
Go to System > Chassis > Blades to display a list of the slots in the FortiGate-5000 chassis that the FortiGate-5000 series module is installed in. Slots can contain node cards such as FortiGate-5000 series modules and switch cards such as the FortiSwitch-5003 module. The list of slots shows whether the slot is empty or the type of module installed in the slot. If a slot contains a module, the display shows the type of module in the slot. The slot containing the FortiGate-5000 series module that you are connecting to is highlighted in yellow.
If the FortiGate-5000 series module that you are connecting to is installed in a FortiGate-5050 chassis, the blades list contains 5 rows. For a FortiGate-5140 chassis the blades list contains 14 rows.
For each slot that contains a module, the blades list indicates if the monitored temperatures and voltages for the module in that slot are within acceptable ranges, indicated by Good, or if the shelf manager has registered an alarm because a temperature or voltage is outside of the acceptable range. If you have SNMP enabled and have selected the Temperature too high and Voltage out of range SNMP events, when the shelf manager registers a temperature or voltage alarm, the FortiGate-5000 module SNMP agent sends an SNMP trap.
Figure 89: Example FortiGate-5050 blades list
Refresh interval: Set how often the web-based manager refreshes the information displayed on the blades list.
Refresh: Manually refresh the information displayed on the blades list.
Slot #: The slot number in the chassis. Slots 1 to 5 are listed for the FortiGate-5050 chassis and slots 1 to 14 are listed for the FortiGate-5140 chassis.
Blade Type: Indicates whether the slot contains a node card (a FortiGate-5000 series module) or a switch card (a FortiSwitch-5000 series module).

Temperature: Indicates if the temperature sensors for the module in each slot are detecting a temperature within an acceptable range. Good indicates that all monitored temperatures are within acceptable ranges. Alarm indicates that a monitored temperature is too high (usually about 75°C) or too low (below 10°C). You can mouse over the temperature indicator to view the temperatures being read by each sensor on the module. The mouse over display includes the name of the temperature sensor and the temperature reading. The temperatures that are displayed depend on the FortiGate or FortiSwitch modules. For example, for the FortiGate-5001SX and FortiGate-5001FA2 modules:
  • TEMP1: 37°C
  • TEMP2: 30°C
And for the FortiSwitch-5003 module:
  • Baseboard Temp: 35°C
  • Board (BRD) Top Temp: 33°C
  • BRD Bottom Temp: 33°C
  • BRD Center Temp: 38°C
Voltage: Indicates if the voltage sensors for the module in each slot are detecting a voltage within an acceptable range. Good indicates that all monitored voltages are within acceptable ranges. Alarm indicates that a monitored voltage is too high or too low. The acceptable voltage range depends on the sensor. You can mouse over the voltage indicator to view the voltages being read by each sensor. The information displayed for each sensor includes the design voltage (for example 3.3V) and the actual voltage (for example 3.488V). The voltages that are displayed are different for different FortiGate or FortiSwitch modules. For example, for the FortiGate-5001SX and FortiGate-5001FA2 modules:
  • 5V: 5.0764V
  • 3.3V: 3.4884V
  • 2.5V: 2.534V
  • 1.5V: 1.5326V
And for the FortiSwitch-5003 module:
  • +1.5V: 1.521V
  • +2V: 1.989V
  • +2.5V: 2.4921V
  • +3.3V: 3.3024V
  • +3.3VSB: 3.3712V
  • +5VSB: 5.096V
  • +12V: 12.096V

Chassis monitoring event log messages
FortiGate-5000 series modules can send the log messages shown in Table 30 when chassis monitoring detects temperatures, voltages, or fan speeds that are outside of normal operating parameters. The messages in Table 30 all have the chassis log type and a severity of warning or critical. Warning messages are recorded when non-critical thresholds are reached. Critical messages are recorded when critical thresholds are reached.

Table 30: Chassis monitoring warning and critical event log messages

ID 99503
Message: Chassis fan anomaly: Fan <fan_integer>, <rpm_integer> RPM
Meaning: A chassis fan is operating at an RPM value outside of the normal operating range. <fan_integer> is the number of the fan tray. The FortiGate-5050 only has one fan tray. For the FortiGate-5140 <fan_integer> can be 0, 1, and so on. <rpm_integer> is the RPM at which the fan is operating.

ID 99504
Message: Chassis temperature anomaly: T<sensor_integer>, <temp_integer> Celsius
Meaning: A temperature sensor has reported a temperature outside of the normal operating range for this sensor. <sensor_integer> identifies the temperature sensor. <temp_integer> is the temperature being reported by the sensor. A typical operating range is between 10 and 75 degrees Celsius.

ID 99505
Message: Chassis voltage anomaly: V<design_voltage>, <monitored_voltage> V
Meaning: A chassis voltage sensor has detected a voltage level outside of the operating range for the sensor. <design_voltage> is the voltage the circuit should have at the sensor location during normal operation. For example, <design_voltage> could be 3.3, 5, and so on. <monitored_voltage> is the actual voltage measured by the sensor.

ID 99506
Message: Blade fan anomaly: Fan <fan_integer>, <rpm_integer> RPM
Meaning: A blade fan is operating at an RPM value outside of the normal operating range. <fan_integer> identifies the fan. <rpm_integer> is the RPM at which the fan is operating.

ID 99507
Message: Blade temperature anomaly: Blade <temp_integer>, <temp_integer> Celsius
Meaning: A temperature sensor on a FortiGate-5000 or FortiSwitch-5000 series module has reported a temperature outside of the normal operating range for this sensor. The first <temp_integer> identifies the module temperature sensor. The second <temp_integer> is the temperature being reported by the sensor. A typical operating range is between 10 and 75 degrees Celsius.

ID 99508
Message: Blade voltage anomaly: Blade <design_voltage>, <monitored_voltage> V
Meaning: A voltage sensor on a FortiGate-5000 or FortiSwitch-5000 series module has detected a voltage level outside of the operating range for the sensor. <design_voltage> is the voltage the circuit should have at the sensor location during normal operation. For example, <design_voltage> could be 3.3, 5, and so on. <monitored_voltage> is the actual voltage measured by the sensor.
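Table 30 gives the six message formats and the typical temperature range, which is enough to turn the chassis messages into structured events for alerting. The parser below is an added example, not Fortinet code: the key=value line layout and the sample readings are constructed for the illustration; only the log IDs, the message formats and the 10 to 75 degree range come from Table 30.

```python
"""Parser for the Table 30 chassis monitoring messages, run over a few
constructed log lines.  Added example, not Fortinet code: the key=value line
layout and the sample readings are made up for this illustration; only the
log IDs and message formats come from Table 30."""
import re

# One pattern per log ID, following the Message column of Table 30.
MESSAGE_PATTERNS = {
    99503: re.compile(r"Chassis fan anomaly: Fan (?P<fan>\d+), (?P<rpm>\d+) RPM"),
    99504: re.compile(r"Chassis temperature anomaly: T(?P<sensor>\d+), (?P<temp>-?\d+) Celsius"),
    99505: re.compile(r"Chassis voltage anomaly: V(?P<design>\d+(?:\.\d+)?), (?P<measured>\d+(?:\.\d+)?) V"),
    99506: re.compile(r"Blade fan anomaly: Fan (?P<fan>\d+), (?P<rpm>\d+) RPM"),
    99507: re.compile(r"Blade temperature anomaly: Blade (?P<sensor>\d+), (?P<temp>-?\d+) Celsius"),
    99508: re.compile(r"Blade voltage anomaly: Blade (?P<design>\d+(?:\.\d+)?), (?P<measured>\d+(?:\.\d+)?) V"),
}
TYPICAL_TEMP_RANGE_C = (10, 75)  # typical operating range given in Table 30

# Constructed line layout (assumption): log_id=<id> type=<type> pri=<severity> msg="<text>"
LINE_RE = re.compile(r'log_id=(?P<id>\d+) type=(?P<type>\w+) pri=(?P<pri>\w+) msg="(?P<msg>[^"]*)"')


def parse_chassis_event(line):
    """Return a dict for a Table 30 message, or None for any other line."""
    m = LINE_RE.search(line)
    if m is None or m.group("type") != "chassis":
        return None
    log_id = int(m.group("id"))
    pattern = MESSAGE_PATTERNS.get(log_id)
    if pattern is None:
        return None
    fields = pattern.fullmatch(m.group("msg"))
    if fields is None:
        return None  # right ID but the text is not in the documented format
    event = {"id": log_id, "severity": m.group("pri"),
             "scope": "chassis" if log_id <= 99505 else "blade"}
    g = fields.groupdict()
    if "rpm" in g:
        event.update(kind="fan", fan=int(g["fan"]), rpm=int(g["rpm"]))
    elif "temp" in g:
        celsius = int(g["temp"])
        low, high = TYPICAL_TEMP_RANGE_C
        event.update(kind="temperature", sensor=int(g["sensor"]), celsius=celsius,
                     outside_typical_range=not low <= celsius <= high)
    else:
        design, measured = float(g["design"]), float(g["measured"])
        event.update(kind="voltage", design_v=design, measured_v=measured,
                     deviation_pct=round((measured - design) / design * 100, 1))
    return event


def summarize(lines):
    """Parse all lines; return (all chassis events, the critical ones)."""
    events = [e for e in map(parse_chassis_event, lines) if e is not None]
    return events, [e for e in events if e["severity"] == "critical"]


# Constructed sample log lines; the readings are invented for the example.
SAMPLE_LOG = [
    'log_id=99504 type=chassis pri=warning msg="Chassis temperature anomaly: T2, 78 Celsius"',
    'log_id=99503 type=chassis pri=critical msg="Chassis fan anomaly: Fan 1, 0 RPM"',
    'log_id=99508 type=chassis pri=warning msg="Blade voltage anomaly: Blade 3.3, 3.01 V"',
    'log_id=99507 type=chassis pri=critical msg="Blade temperature anomaly: Blade 1, 91 Celsius"',
    'log_id=1 type=event pri=notice msg="unrelated event, must be ignored"',
]

if __name__ == "__main__":
    events, critical = summarize(SAMPLE_LOG)
    for e in events:
        print(e)
    print("critical events:", len(critical))
```

Matching the whole message against the documented format, rather than just the ID, means a truncated or altered message is dropped instead of producing a half-filled event; the voltage deviation and the out-of-range flag give a monitoring system something to threshold on beyond the warning/critical severity the unit already assigns.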

Switch (FortiGate-224B)
This section describes how to configure the switch portion of your FortiGate-224B unit. The following topics are included in this section:
• Overview
• Viewing WAN ports and WAN VLAN interfaces
• Viewing switch-LAN ports
• Viewing switch VLANs
• Configuring port monitoring
• Using Spanning-Tree Protocol
• Configuring IGMP snooping
• Configuring QoS
• Configuring port quarantine
• Configuring dynamic policies
• Configuring 802.1X authentication
• Viewing switch status

Overview
The FortiGate-224B unit contains all of the functionality of the Fortinet FortiGate product family plus it offers security and enhanced functionality for your local switched LAN.
The switch portion of the FortiGate-224B unit is by default a single FortiGate interface, native. You can configure firewall policies to permit communication with other interfaces. For security within the native network, you have several options:
• Create switch VLANs. Configure firewall policies from each switch VLAN to other switch VLANs and other interfaces to control and protect traffic.
• Create secure ports on native and its switch VLANs. Configure firewall policies to control and protect traffic between switch ports, applying antivirus and IPS scanning as needed.
• Use IEEE 802.1X authentication on your network.
There are also features to improve the operation of your network:
• Use access control to enforce security requirements on host computers that connect to switch LAN ports. You can require hosts to run antivirus or firewall software and ensure that their operating system is up-to-date. There are several options, including quarantine, to address hosts that do not meet the requirements.
• Create quarantine policies to isolate ports that trigger AV or IPS alerts.
• Spanning-Tree Protocol prevents network loops and provides reliable operation through path redundancy.
• IGMP snooping improves the efficiency of multicasting.
• Quality of Service (QoS) controls use of network bandwidth.

Viewing WAN ports and WAN VLAN interfaces
Go to System > Network > Interface to view and configure the WAN ports and WAN VLAN interfaces. If you have added VLAN interfaces, they also appear in the name list, below the physical interface to which they have been added. To reconfigure an existing interface, select the Edit icon for that interface.
Figure 90: Viewing WAN ports and VLAN interfaces
Create New: Create a new VLAN interface. See “Configuring a WAN port VLAN interface” on page 176.
Name: The name of the physical interface.
IP/Netmask: The IP address and netmask of this interface.
Access: The administrative access configuration for the interface.
Status: The administrative status for the interface. If the administrative status is a green arrow, the interface is up and can accept network traffic. If the administrative status is a red arrow, the interface is administratively down and cannot accept traffic. To change the administrative status, select Bring Down or Bring Up.
Delete, Edit icons: Delete, edit, or view an entry.

Configuring a WAN port VLAN interface
Go to System > Network > Interface and select Create New to create a new WAN port VLAN interface.
Figure 91: Configuring a WAN port VLAN

Name: Enter a name for the interface. You cannot change the name of an existing interface.
Interface: Select the name of the physical interface on which to create the VLAN subinterface. Once created, the VLAN is listed below its physical interface in the Interface list. You cannot change the interface of an existing VLAN subinterface.
VLAN ID: Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. The VLAN ID can be any number between 1 and 4096 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface. You cannot change the VLAN ID of an existing VLAN subinterface.
Addressing mode: To configure a static IP address for the interface, select Manual and enter the IP address/subnet mask in the IP/Netmask field. The IP address must be on the same subnet as the network to which the interface connects. Two interfaces cannot have IP addresses on the same subnet. You can also configure the interface for dynamic IP address assignment using DHCP or PPPoE. Additional fields are displayed.
DDNS: Select DDNS to configure a Dynamic DNS service for this interface.
Ping Server: To enable dead gateway detection, enter the IP address of the next hop router on the network connected to the interface and select Enable.
Administrative Access: Select the types of administrative access permitted on this interface.
  HTTPS: Allow secure HTTPS connections to the web-based manager through this interface.
  PING: Interface responds to pings. Use this setting to verify your installation and for testing.
  HTTP: Allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
  SSH: Allow SSH connections to the CLI through this interface.
  SNMP: Allow a remote SNMP manager to request SNMP information by connecting to this interface. See “SNMP” on page 124.
  TELNET: Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
Log: Select Log to record logs for any traffic to or from the interface. To record logs you must also enable traffic log for a logging location and set the logging severity level to Notification or lower. Go to Log & Report > Log Config to configure logging locations and types. For information about logging see “Log&Report” on page 427.
Description: Optionally, enter a description up to 63 characters long.

Viewing switch-LAN ports
Go to Switch > Port > Interface to view and configure the Switch LAN ports. You can also view and configure WAN ports from this page.
Figure 92: Viewing the switch-LAN ports
Port: The switch port, e.g., fe01-fe24 or ge25-ge26.
Type: Access or Trunk.
Status: One of:
  Green upwards arrow - port is up
  Red downwards arrow - port disabled
  S - port is a secure port
  Type-inconsistent - the port is a trunk, not an access port
  PVID-Inconsistent - native VLAN different at other end of trunk
VLAN Membership (VID): The VLAN to which this port belongs, identified by VLAN ID.
Speed: 10 or 100 Mb/s, full or half duplex, e.g., 100Full.
Edit icon: Edit the settings for this port.
Refresh: Update displayed Switch-LAN port information.

Configuring a switch-LAN interface
To configure a switch-LAN interface, go to Switch > Port > Interface and select the Edit icon for the Switch-LAN interface you want to reconfigure.
Figure 93: Switch-LAN interface settings
Name: The name of the switch port: fe01-fe24, ge25-26.
Status: Enable or disable this switch port.
Mode: Select Access or Trunk mode.
Native VLAN: Select the Native VLAN for this port.
Speed: Set to Auto, or to 10 or 100 Mb/s, full or half duplex, e.g., 100Full.
Spanning Tree Protocol:
  Edge Port: Select Enable if the port connects to a single device and thus cannot create a loop. It can enter the Forwarding state without delay.
  Link Type: Select one of the following:
    Shared LAN - a typical LAN with multiple devices
    Point-to-Point LAN - a point-to-point link
    Auto - type of link is determined automatically
802.1X: Enable or disable 802.1X authentication on this port. For complete 802.1X configuration, see “Configuring 802.1X authentication” on page 195.
Secure Port: Enable Secure Port if you want to create firewall policies to govern the intra-VLAN traffic to and from this port. For information about intra-VLAN firewall policies, see “Configuring intra-VLAN firewall policies” on page 246.

Viewing switch VLANs
A switch VLAN is similar to a VLAN on any other interface, but applies only to selected ports on the native interface. Go to Switch > Port > VLAN to view a list of the current switch VLANs and to create new switch VLANs.
Figure 94: Viewing list of switch VLANs
Create New: Create a new switch VLAN interface. See “Configuring a switch VLAN” on page 181.
VLAN ID: The VLAN identifier.
Name: The name of this VLAN.
Member Ports: A list of the ports that belong to this VLAN. For trunk ports, “(t)” indicates the tagged VLAN. “(N)” indicates the native VLAN.
SVI IP/Mask: The Switch Virtual Interface used for routing.
Root Port: The current root port for the VLAN when Spanning Tree Protocol is in effect. This is available only when STP mode is PVST+.
STP: Enable Spanning Tree Protocol on this VLAN. To configure STP settings, see “Configuring Spanning-Tree settings” on page 183.
Delete icon: Delete the VLAN. You cannot delete VLAN 1.
Edit icon: Edit the settings for a VLAN. See “Configuring a switch VLAN” on page 181.

Configuring a switch VLAN
Go to Switch > Port > VLAN and select Create New to create a new switch VLAN. You can also modify an existing VLAN by selecting its Edit icon.
Figure 95: Creating a new VLAN
Name: Enter a name for this VLAN.
VLAN ID: Enter the VLAN ID for this switch VLAN. VLAN IDs 4020 through 4044 are reserved. Do not use any of the reserved VLAN IDs.
Enable Spanning Tree Protocol: Enable Spanning Tree Protocol (STP). You select the type of STP in Switch > Protocols > Spanning-Tree.
Virtual Interface: Enable or disable having a virtual address for this port.
Virtual IP/Netmask: If you enable Virtual Interface, enter the Virtual IP address and netmask.
Available Access Ports: A list of the switch ports. To add a port to the Member Ports list, select it and then select the right-pointing arrow button.
Member Ports: A list of the switch ports that belong to this VLAN. To remove a port from the list, select it and then select the left-pointing arrow button.
Administrative Access: Select the types of administrative access permitted on this port. By default, Ping access enables response to ping requests for testing.

MTU: This field is available only on a physical interface. To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits. Ideally, the MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets. If the packets that the FortiGate unit sends are larger, they are broken up or fragmented, which slows down transmission. Experiment by lowering the MTU to find an MTU size for best network performance. To change the MTU, select Override default MTU value (1500) and enter the maximum packet size. The MTU size range is 68 to 1500 bytes for manual mode, 576 to 1500 bytes for DHCP mode, and 576 to 1492 bytes for PPPoE mode.
Log: Select Log to record logs for any traffic to or from the interface. To record logs you must also enable traffic log for a logging location and set the logging severity level to Notification or lower. Go to Log & Report > Log Config to configure logging locations and types.
IGMP snooping: Enable to limit flooding of multicast packets to those ports where clients have joined the relevant groups.

Configuring port monitoring
Switch Port Analysis (SPAN) enables you to analyze network traffic passing through switch ports by sending a copy of the traffic to a port connected to remote monitoring equipment. FortiGate-224B supports two Span sessions: Ingress (traffic to the port) and Egress (traffic from the port). You configure ports to receive the Ingress and Egress SPAN session data. You can use one port for both sessions or use two different ports. For the remaining ports, you choose whether to monitor them in the Ingress or Egress session or both, or not to monitor them at all.
Note: Egress traffic is stripped of its VLAN ID tag if the Egress port has a different VLAN ID than the monitored traffic.
Go to Switch > Port > SPAN to configure port monitoring.
Figure 96: Monitoring ports
Monitoring Ports: For each session select None or one of the other ports.
  Ingress Destination: Select None or one of fe01-fe24, ge25, ge26.
  Egress Destination: Select None or one of fe01-fe24, ge25, ge26.

Monitored Ports: Select port and type of monitoring and then select Add/Edit.
  Port: Select the port to monitor.
  Mode: Select None, Ingress, Egress or Both.
  Add/Edit: Select to add the port to the list.

Using Spanning-Tree Protocol
Spanning Tree Protocol (STP) is a Layer-2 protocol that ensures that only one active path exists between any two network interfaces. This prevents loops, but if there are multiple paths, it can provide redundancy to protect against link failures. When two interfaces on a switch are part of a loop, spanning tree protocol uses port priority and path cost settings to determine which interface is used and which is blocked. Using information exchanged amongst switches, spanning tree protocol defines a root switch and a loop-free path from the root to each switch in the network. Redundant data paths are blocked. The network topology is continuously recalculated and updated. If a network segment fails and a redundant path exists, the spanning-tree algorithm activates the standby path.
FortiGate-224B supports three STP modes:
STP: This is the traditional STP protocol defined in IEEE 802.1D-1998. In this mode, FortiGate-224B creates a single STP network that spans all VLANs. This is also referred to as Common Spanning Tree (CSTP). FortiGate-224B can interoperate with other switches running traditional STP.
RSTP: Rapid STP as defined in IEEE 802.1D-2004. RSTP is the default STP mode for FortiGate-224B. In this mode, FortiGate-224B can interoperate with other switches running either RSTP or traditional STP on a port-by-port basis.
PVST+: Per-VLAN STP. In this mode, FortiGate-224B creates a CSTP network that covers all VLANs plus an STP network for each VLAN. FortiGate-224B can interoperate with other switches running PVST+ that are connected by access links and 802.1Q trunks.

Configuring Spanning-Tree settings
Go to Switch > Protocols > Spanning-Tree to configure Spanning Tree settings.
Figure 97: Spanning Tree Protocol settings - STP or RSTP

Figure 98: Spanning Tree Protocol settings - PVST+
Enable Spanning-Tree: Enable STP operation.
Spanning Tree Mode: Select one of:
  STP - Basic Spanning Tree Protocol
  RSTP - Rapid Spanning Tree Protocol (default)
  PVST+ - Per-VLAN Spanning Tree Protocol
Table of STP Instances: In STP and RSTP mode, there is only one row in the table to describe the Common Spanning Tree (CST). In PVST+ mode, the table lists the per-VLAN STP instances.
  VLAN ID: CST in STP and RSTP mode, otherwise the VLAN ID.
  Root Port: If the FortiGate-224B unit is the root switch, this field is blank. Otherwise, it shows the switch port through which the root switch can be reached.
  Root Path Cost: A value based on the speed of the interface. This is used for spanning tree calculations. This field is blank if the FortiGate-224B is the root switch.
  Priority: Bridge priority of the root switch. The lower the value, the higher the priority.
  Root: The MAC address of the root switch. If the FortiGate-224B unit is the root switch, the MAC address is that of the SWLAN.
  Max Age: The interval in seconds that a switch waits without receiving spanning-tree configuration messages before it attempts a reconfiguration.
  Hello Time: The interval in seconds between hello message broadcasts to other switches.
  Forward Delay: The duration in seconds of the listening and learning states before the interface begins forwarding.
  Edit icon: Edit the switch port STP parameters. See “Configuring Spanning-Tree VLAN settings” on page 185.
  View icon: View information about the spanning-tree configuration, including bridge identifier and priority. In PVST+ mode, you can view information for each VLAN.

Configuring Spanning-Tree VLAN settings
Go to Switch > Protocols > Spanning-Tree and select the Edit icon for a VLAN to configure Spanning Tree settings.
Figure 99: Spanning Tree Protocol VLAN settings
VLAN ID: CST in STP and RSTP mode, otherwise the VLAN ID.
Hello Time: The interval in seconds between hello message broadcasts to other switches. The range is 1 to 10 seconds. The default is 2 seconds.
Forward Delay: The duration in seconds of the listening and learning states before the interface begins forwarding. The range is 4 to 30 seconds. The default is 15 seconds.
Max Age: The interval in seconds that the FortiGate-224B unit waits without receiving spanning-tree configuration messages before it attempts a reconfiguration. The range is 6 to 40 seconds. The default is 20.
Priority: The bridge priority of the root switch. The lower the value, the higher the priority. This is used for spanning tree calculations. Range 0 to 61440. Default 36864.
Port: fe01-24, ge25-26.
State: One of:
  Disabled: Not operational.

  Blocking: The port does not forward packets. This applies only to STP mode.
  Discarding: The port does not forward packets, but responds to management messages. This applies in RSTP mode only.
  Listening: A transitional state between Blocking and Learning. This applies only to STP mode.
  Learning: The port is preparing to enter the Forwarding state.
  Forwarding: The port forwards packets.
Role: One of:
  Alternate: The port is on an alternate path to the root switch. This applies in RSTP mode only.
  Backup: The port is a backup for the designated port path toward the leaves of the spanning tree. This occurs in RSTP mode when a switch has two or more connections to a shared LAN segment or when a point-to-point link creates a loop.
  Designated: The port provides the best (lowest cost) path when the switch forwards packets to the root switch.
  Disabled: The port has no role in the STP network.
  Root: The port is the lowest cost path from the LAN to the root switch.
Priority: A priority value from 0 to 240 in steps of 16. A lower number is a higher priority. You can modify this value.
Path Cost: A value based on the speed of the interface. You can modify this value.
Point-to-Point: A point-to-point port cannot create a loop. It can enter the Forwarding state without delay.
Edge Port: An edge port connects to a single device and thus cannot create a loop. It can enter the Forwarding state without delay.
Edit icon: Edit the STP settings for the port. See “Configuring Spanning-Tree VLAN port settings” on page 186.
View icon: View the STP status of the port.

Configuring Spanning-Tree VLAN port settings
Go to Switch > Protocols > Spanning-Tree, select the Edit icon for a VLAN, and then select the Edit icon for a port to configure Spanning Tree port settings.
Figure 100: Spanning Tree VLAN port settings
Port: The switch port: fe01-24, ge25-26.
Priority: Range 0 to 240 in steps of 16. Lower number is higher priority.
Path Cost: Enter the path cost or 0 to derive cost from port speed.

Configuring IGMP snooping

When IGMP snooping is enabled, the FortiGate-224B unit monitors multicast traffic and dynamically configures ports so that multicast packets are sent only to ports with clients interested in this traffic. This can help control traffic through the switch. You must also enable IGMP Snooping on switch-VLANs. See "Configuring a switch VLAN" on page 181.

Go to Switch > Protocols > IGMP Snooping to configure IGMP settings.

Figure 101: IGMP settings

Enable IGMP snooping: Enable IGMP snooping.
IGMP snooping version: Select the IGMP snooping protocol version to use: v1 or v2.

Configuring QoS

Quality of Service (QoS) settings enable you to prioritize network traffic by type. Inter-Switch Link (ISL) trunk frames carry IEEE 802.1P Class of Service (CoS) information. You can use this to set priorities and rate limiting for traffic by type. FortiGate-224B also supports the use of Layer-3 Differentiated Services Code Point (DSCP) values to prioritize traffic.

Configuring QoS settings

Go to Switch > QoS > Config to configure QoS settings.

Figure 102: QoS queue settings

Enable CoS-Map: Enable COS mapping.
Enable DSCP-Map: Enable DSCP mapping.
Scheduling: Select the scheduling method, one of:
• weighted round robin
• strict priority

Configuring CoS-Map settings

Go to Switch > QoS > CoS-Map to configure CoS-Map settings.

Figure 103: CoS-Map settings

For each 802.1p priority, you can select CoS Queue-1 through Queue-4.

Configuring DSCP-Map settings

Go to Switch > QoS > DSCP to configure Differentiated Services Code Point (DSCP) DSCP-Map settings.

Figure 104: DSCP settings

Enter the DSCP value, select the queue and then select Add to create a new entry in the table. In the table, you can remove an entry by selecting the Delete icon.

Viewing QoS rate limits

Go to Switch > QoS > Rate Limiting to configure rate limits.

Figure 105: Configuring QoS rate limits

Create New: Add a rate limit entry. See "Adding a QoS rate limit" on page 189.
Port: Port number: fe01-fe24, ge25-26.
Ingress Mode: Ingress rate limit mode.
Ingress Limit: The configured ingress rate limit.
Egress Limit: The configured egress rate limit.
Delete icon: Delete QoS limit.
Edit icon: Edit QoS limit.
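The CoS-Map and DSCP-Map settings above decide which of the four queues a frame is placed in. The following is an added example, not FortiGate-224B code: it parses the 802.1p priority from an 802.1Q tag and the DSCP value from an IPv4 header, then applies constructed CoS-Map and DSCP-Map tables. The map contents, the precedence between the two maps (DSCP entry first, then CoS, then a default queue) and the sample frames are assumptions of this example; the guide does not state them.

```python
"""Added example (not FortiGate code): classify an Ethernet frame into one
of four egress queues using a CoS-Map (802.1p priority -> queue) and a
DSCP-Map (DSCP value -> queue). Map contents and frames are constructed."""
import struct
from typing import Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed CoS-Map: every 802.1p priority 0..7 is assigned Queue-1..Queue-4.
COS_MAP = {0: 1, 1: 1, 2: 2, 3: 2, 4: 3, 5: 3, 6: 4, 7: 4}
# Constructed DSCP-Map: only DSCP values an administrator has added are matched
# (assumption); here EF=46, AF31=26 and AF11=10.
DSCP_MAP = {46: 4, 26: 3, 10: 2}


def parse_frame(frame: bytes) -> dict:
    """Extract the 802.1p priority (PCP) and VLAN ID from an optional 802.1Q
    tag, and the DSCP value from an IPv4 header if one follows."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    pcp = vlan_id = None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp = tci >> 13            # 3-bit priority code point
        vlan_id = tci & 0x0FFF     # 12-bit VLAN identifier
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    dscp = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        dscp = frame[offset + 1] >> 2   # DSCP is the upper 6 bits of the TOS byte
    return {"pcp": pcp, "vlan_id": vlan_id, "dscp": dscp}


def select_queue(info: dict, cos_map_enabled: bool = True,
                 dscp_map_enabled: bool = True, default_queue: int = 1) -> int:
    """Pick the egress queue. Precedence is an assumption of this example:
    a DSCP-Map entry, then the CoS-Map, then the default queue."""
    if dscp_map_enabled and info["dscp"] in DSCP_MAP:
        return DSCP_MAP[info["dscp"]]
    if cos_map_enabled and info["pcp"] is not None:
        return COS_MAP[info["pcp"]]
    return default_queue


def build_frame(dscp: int, pcp: Optional[int] = None, vlan_id: int = 1) -> bytes:
    """Construct a minimal tagged (pcp given) or untagged IPv4 frame."""
    eth = bytes.fromhex("0011223344550066778899aa")   # constructed MAC addresses
    tag = b""
    if pcp is not None:
        tag = struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | (vlan_id & 0x0FFF))
    # Minimal IPv4 header: version/IHL, TOS, total length, id, flags/frag,
    # TTL, protocol (UDP), checksum (0, not validated here), src, dst.
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + tag + struct.pack("!H", ETHERTYPE_IPV4) + ipv4


def classify(frame: bytes, **settings) -> int:
    """Queue number for a frame under the given Enable CoS-Map / DSCP-Map settings."""
    return select_queue(parse_frame(frame), **settings)
```

With both maps enabled, a tagged frame carrying PCP 5 and DSCP 46 lands in Queue-4 from the DSCP-Map; the same frame with DSCP 0 (no DSCP-Map entry) falls back to the CoS-Map and lands in Queue-3; an untagged frame with no matching DSCP goes to the default queue.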

Adding a QoS rate limit

Go to Switch > QoS > Rate Limiting and select Create New to configure rate limits.

Figure 106: Adding a QoS rate limit

Port: fe01-fe24, ge25-26
Ingress Mode: Select one of: Broadcast + Multicast + Flooded Unicast; Broadcast + Multicast; Broadcast; All
Ingress Limit: Select desired maximum rate
Egress Limit: Select desired maximum rate

Configuring port quarantine

Access control pre-screens clients to determine the security of their computers. When the client connects to the switch port using a web browser, FortiGate-224B downloads an ActiveX control to perform security checks on the computer. Depending on the client profile that applies to this port, this host check can check for
• antivirus software
• firewall software
• up-to-date operating system software

If the client passes the host check, the computer is granted access to the network. If the client fails the host check, there are several optional actions:
• Deny access.
• Ignore. Permit network access in spite of failed host check.
• Quarantine the switch port to which the user is connected. Optionally, this can include making the client's port a secure port. Allow a re-check of the computer after installing or activating the required software. For information about quarantine, see "Viewing access policies" on page 191.
• Dynamic policy. Provide access to the network using a specified protection profile. The FortiGate-224B unit applies antivirus scanning, IPS and content filtering as specified in the protection profile. For information about dynamic policies, see "Configuring dynamic policies" on page 193.

Viewing client profiles

The FortiGate-224B host check uses an ActiveX control to determine the security of the client computer. When the user connects to the port with a web browser, the ActiveX control is downloaded and checks the client system's AV software, firewall software and operating system, depending on the detection settings.

Go to Switch > Port Quarantine > Client Profile to configure access control host checks.

Figure 107: Client profile list

Create New: Create a new client profile. See "Configuring a client profile" on page 190.
Name: The name of the client profile.
Detect Items: The types of host check this profile includes: Antivirus (AV), Firewall, OS check.
Delete icon: Delete the rule.
Edit icon: Edit the rule. See "Configuring a client profile" on page 190.

Configuring a client profile

Go to Switch > Port Quarantine > Client Profile and select Create New to create a client profile or select the Edit icon of an existing profile to modify it.

Figure 108: Configuring a client profile

Name: Enter a name for the detection rule.
Enable AV Check: Enable detection of antivirus software.
Vendor: Select a vendor or "Any Vendor" from the list.
Min. Version: Enter the minimum acceptable version of the vendor's software. If you leave this field blank, any version is acceptable.
+: Add another row to the list.
-: Remove the bottom row from the list.

Enable Firewall Check: Enable detection of firewall software.
Vendor: Select a vendor or "Any" from the list.
Min. Version: Enter the minimum acceptable version of the vendor's software. If you leave this field blank, any version is acceptable.
+: Add another row to the list.
-: Remove the bottom row from the list.
Enable OS Check: Check for operating system version. Select Any OS or select one or more of the listed operating systems. For Windows XP and Windows 2000, select the minimum acceptable service pack (SP).

Viewing access policies

Go to Switch > Port Quarantine > Strict Policy to view, modify or create new access policies for switch ports. These policies perform host checking according to the selected profile and apply the selected action if the client fails the host check.

Figure 109: Viewing and editing access policies

Name: The name of this strict policy.
Client Profile: The client profile (a set of host checks) that applies to this strict policy.
Action: Select what to do if the client fails access host check. One of:
• Ignore - allow access anyway
• Deny - do not allow further access
• Quarantine - quarantine the port
• Dynamic-Policy - apply dynamic policy (see below)
Ports: The ports to which this strict policy applies.

Configuring an access policy

Go to Switch > Port Quarantine > Strict Policy and select Create New to configure an access policy for selected switch ports.

Figure 110: Configuring a strict access policy

Name: Enter a name for this policy.
Client Profile: Select the client profile to apply with this policy.
Action: Select the action to take if a client fails the host check. One of:
• Ignore - allow access anyway
• Deny - do not allow further access
• Quarantine - quarantine the port
• Dynamic-Policy - apply dynamic policy (see below)
Protection profile: If Action is Dynamic-Policy, select the protection profile to apply.
Secure port: Enable Secure Port on the interface automatically when the dynamic policy is in effect.
Available Ports: A list of the switch ports that do not already have an access policy. To add ports to the Member Ports list for this policy, select the ports and then select the right-pointing arrow button.
Member Ports: A list of the switch ports that belong to this policy. To remove ports from the list, select the ports and then select the left-pointing arrow button.
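The client profile and strict policy settings above define a decision: each enabled check (AV, firewall, OS) passes or fails against what the client reports, and a failed host check maps to the policy's action. The following added example, which is not FortiGate-224B code, models that decision with constructed profile, policy and client data. The rule that a blank minimum version accepts any version, that "Any" or "Any Vendor" matches every vendor, and that only Windows XP and Windows 2000 carry a service-pack minimum come from the guide; the dotted-version comparison and the data structures are assumptions of this example.

```python
"""Added example (not FortiGate code): evaluate a client profile's host checks
and apply a strict-policy action on failure. Sample data is constructed."""
from typing import Dict, List, Tuple

WILDCARD_VENDORS = {"Any", "Any Vendor"}


def version_key(version: str) -> Tuple[int, ...]:
    """'10.1.3' -> (10, 1, 3); non-numeric parts count as 0 (assumption)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def software_check(rules: List[Dict[str, str]], installed: List[Dict[str, str]]) -> str:
    """A profile row is satisfied when an installed product matches its vendor
    and, if a minimum version is set, is at least that version.
    A blank minimum version means any version is acceptable."""
    for rule in rules:
        for product in installed:
            if rule["vendor"] not in WILDCARD_VENDORS and rule["vendor"] != product["vendor"]:
                continue
            min_version = rule.get("min_version", "")
            if min_version and version_key(product["version"]) < version_key(min_version):
                continue
            return "Pass"
    return "Fail"


def os_check(rule: Dict, client_os: str, client_sp: int) -> str:
    """'Any OS' passes; otherwise the client OS must be one of the selected
    systems and meet that system's minimum service pack (0 if none applies)."""
    if rule.get("any_os"):
        return "Pass"
    min_sp = rule.get("systems", {}).get(client_os)
    if min_sp is None:
        return "Fail"
    return "Pass" if client_sp >= min_sp else "Fail"


def evaluate_host_check(profile: Dict, client: Dict) -> Dict[str, str]:
    """Return the Detected/Result view: only the profile's enabled checks appear."""
    results: Dict[str, str] = {}
    if profile.get("av"):
        results["AV"] = software_check(profile["av"], client["av"])
    if profile.get("firewall"):
        results["FW"] = software_check(profile["firewall"], client["firewall"])
    if profile.get("os"):
        results["OS"] = os_check(profile["os"], client["os"], client["sp"])
    return results


def apply_strict_policy(policy: Dict, client: Dict) -> str:
    """Grant access when every check passes; otherwise apply the policy action."""
    results = evaluate_host_check(policy["client_profile"], client)
    if all(r == "Pass" for r in results.values()):
        return "Permit"
    action = policy["action"]
    if action == "Ignore":
        return "Permit"                     # allow access anyway
    if action == "Dynamic-Policy":
        return "Dynamic-Policy:" + policy["protection_profile"]
    return action                           # "Deny" or "Quarantine"


# Constructed sample data (vendor names are placeholders, not real products).
PROFILE = {
    "name": "corp_desktop",
    "av": [{"vendor": "ExampleAV", "min_version": "10.0"}],
    "firewall": [{"vendor": "Any", "min_version": ""}],
    "os": {"any_os": False, "systems": {"Windows XP": 2, "Windows 2000": 4}},
}
POLICY = {"name": "lab_ports", "client_profile": PROFILE,
          "action": "Quarantine", "protection_profile": "strict"}
GOOD_CLIENT = {"av": [{"vendor": "ExampleAV", "version": "10.1.3"}],
               "firewall": [{"vendor": "ExampleFW", "version": "6.0"}],
               "os": "Windows XP", "sp": 2}
OLD_AV_CLIENT = dict(GOOD_CLIENT, av=[{"vendor": "ExampleAV", "version": "9.5"}])
```

Against this profile the first client passes all three checks and is permitted; the second fails the AV minimum version, so a Quarantine policy quarantines its port, an Ignore policy still permits it, and a Dynamic-Policy policy hands it to the named protection profile.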

Configuring dynamic policies

The FortiGate-224B unit can protect the network from a potential security threat by moving the affected switch port to the quarantine VLAN. This isolates devices on that switch port from the rest of the network. The FortiGate-224B unit can quarantine a port for several different reasons:
• The host computer failed access host-check. For more information, see "Configuring port quarantine" on page 189.
• The antivirus or IPS system triggered an alert based on the activity on the port. For more information, see "Configuring a dynamic policy" on page 193.
• The administrator assigned the port to the quarantine VLAN.

From the quarantine VLAN, only the quarantine web portal and selected third-party URLs are accessible. All other URL requests are redirected to the web portal. The web portal provides downloadable FortiClient Host Security or other security software. Optionally, the user can request a new host-check. If the host-check passes, the port is removed from the quarantine VLAN.

Note: A dynamic policy is effective only if there is a firewall policy for the port.

Viewing quarantine policies

Go to Switch > Port Quarantine > Dynamic Policy to configure dynamic policies for the switch ports. You can configure dynamic web portal page settings for selected switch ports.

Figure 111: Viewing Dynamic policies

Name: The name of the dynamic policy. See "Configuring a dynamic policy" on page 193.
AV/IPS Alert: Shows whether antivirus (AV) and/or IPS protection are enabled in this dynamic policy.
Ports: The ports to which this policy applies.
Quarantine Portal: Lists the Quarantine web portal settings for this policy.
Client Profile: The name of the client profile. For more information, see "Configuring a client profile" on page 190.
Delete icon: Delete this dynamic policy.
Edit icon: Edit this dynamic policy. See "Configuring a dynamic policy" on page 193.

Configuring a dynamic policy

Go to Switch > Port Quarantine > Dynamic Policy and select Create New to configure a dynamic policy.

Figure 112: Creating a dynamic policy

Name: Enter a name for this dynamic policy.
IPS Min. Alert: Select the minimum IPS alert level that will trigger quarantine, or None if IPS protection is not required.
Antivirus: Select to trigger quarantine if there is an antivirus alert.
Available Access Ports: A list of the switch ports that do not already have a dynamic policy. To add a port to the Member Ports list, select it and then select the right-pointing arrow button.
Member Ports: A list of the switch ports that belong to this policy. To remove a port from the list, select it and then select the left-pointing arrow button.
Portal...: Select to view the settings listed below.
Enable FortiClient Image Download: Select to show a "Download FortiClient" link on the web portal page. You must go to System > Maintenance > Backup & Restore to upload a FortiClient image file.
Allow to access third-party URLs: Add links for external URLs to the web portal page.
Allowed URLs:
Name: Enter the text for the link.
URL: Enter the URL for the link.
Delete icon: Select to remove link.
Add button: Select to add link to list.

Host check and Auto-Recover: Select to show a "Check my computer" link on the web portal page. The user selects this link to re-run the host check specified in the Client Profile.
Client Profile: Select the access client profile to apply with this policy. See "Configuring a client profile" on page 190.

Configuring 802.1X authentication

FortiGate-224B supports device authentication using the IEEE 802.1X standard. The FortiGate-224B unit acts as a proxy between the host 802.1X client, called a supplicant, and the RADIUS server. When 802.1X is enabled, no communication, even ARP or DHCP, is permitted until authentication is successful. When the RADIUS server replies with an authentication success message, the FortiGate-224B permits the host device to access the network.

Authentication is valid only on one port. If the device is moved to a different port, it must reauthenticate.

You must configure the FortiGate-224B unit to access a RADIUS server to perform authentication before you configure 802.1X. For information about configuring the RADIUS server, refer to the documentation for the RADIUS server. For information about configuring the 802.1X supplicant, refer to the documentation for the supplicant.

Go to Switch > 802.1X to configure 802.1X authentication.

Figure 113: 802.1X settings

Radius Server: Select the RADIUS authentication server. If needed, select Create New or go to User > RADIUS to set up a RADIUS server. See "Configuring a RADIUS server" on page 343.
Supplicant Timeout (sec.): Enter the maximum time in seconds that the FortiGate-224B unit waits for a response from the client.
Server Timeout (sec.): Enter the maximum time in seconds that the FortiGate-224B unit waits for a response from the RADIUS server.
The default timeouts are 15 seconds and 30 seconds.
Max Re-Authentication: Enter the maximum number of incomplete authentication attempts the FortiGate-224B unit permits from one client. After this number of attempts, the client's status is unauthorized. The default is 2.

Re-Authentication Period (sec.): Enter the time period in seconds after which the client must reauthenticate. The default is 3600 seconds.

The table shows the authenticated clients.
Port: The switch port to which the client is connected.
MAC Address: The client's MAC address.
PAE State: Port Access Entity authentication status
BE State: Back End state
Status: Port status: Authorized or Unauthorized

Viewing switch status

You can monitor the operation of the FortiGate-224B unit switch functionality. While doing this, there are some limited actions you can take. You can:
• View access activity. You can clear the results of the host check to force a retest of the host computer. See "Monitoring access results" on page 196.
• View the status of quarantined ports. You can remove a port from quarantine or manually quarantine a port. See "Viewing quarantine port information" on page 197.
• View the MAC table. You can add MAC table entries. See "Viewing the MAC table" on page 197.
• View traffic statistics. You can reset the statistical counters for any port. See "Viewing statistics" on page 198.

Monitoring access results

Go to Switch > Status > Strict Quarantine Result to see the results of access policies.

Figure 114: Access results

Port: The switch port.
Detected: The list of checks performed and the results. The tests are:
• AV - antivirus software
• FW - firewall software
• OS - operating system
Result: The result can be either Pass or Fail.
Remedy Action: The remedy that was applied.
Clear: Clear the result for this port.

Viewing quarantine port information

Go to Switch > Status > Dynamic Quarantine Result to view information about quarantined switch ports.

Figure 115: Dynamic quarantine info

Manually Quarantine Ports: To quarantine a switch port, click on its link.
VLAN ID: The VLAN from which the port was removed.
Trigger: The reason for the port being quarantined. One of: AV (antivirus), FW (firewall), OS (Operating System), or Manual (administrator action).
Time: The time when the port was quarantined.
Details: If the trigger is AV, this field lists the virus name. If the trigger is IPS, this field lists the IPS anomaly.
Host-check: The host checks that were performed and the results. Host checks are one or more of: AV (antivirus), FW (firewall) and OS (Operating System). Result is Pass or Fail.
Action: Select the Delete icon to remove the port from quarantine.

Viewing the MAC table

Go to Switch > Status > MAC-Table to view the switch MAC table.

Figure 116: Viewing the switch MAC table

Create New: Create a MAC table entry.
ID: Entry number
MAC: MAC address
Port: Switch VLAN port
VLAN/DBNUM: VLAN ID
Status: Dynamic or Static.

Creating a MAC table entry

Go to Switch > Status > MAC-Table and select Create New to add an entry to the switch MAC table.

Figure 117: Adding a MAC table entry

Enter the MAC address, VLAN-ID and switch port for the MAC table entry and then select OK.

Viewing statistics

Go to Switch > Status > Statistics to view information about switch traffic.

Figure 118: Viewing switch statistics

Port: Switch port fe01-24, ge25-26
InGood(B): Number of good bytes inbound.
InBad(B): Number of bad bytes inbound.
InUnicast: Number of inbound unicast bytes.
InMulti.: Number of inbound multicast bytes.
InBroad.: Number of inbound broadcast bytes.
OutGood(B): Number of good bytes outbound.
Collision: Number of collisions.
OutUnicast: Number of outbound unicast bytes.

OutMulti.: Number of outbound multicast bytes.
OutBroad.: Number of outbound broadcast bytes.
Delete icon: Reset the statistical counts for this port.


Router Static

This section explains some general routing concepts, how to define static routes and route policies.

The following topics are included in this section:
• Routing concepts
• Static Route
• Policy Route

Routing concepts

Routing is a complex topic. Whether you administer a small or large network, you need to understand a number of basic routing concepts in order to configure the FortiGate unit appropriately. Because the FortiGate unit works as a security device on a network and packets must pass through the FortiGate unit, this module will help you understand how the FortiGate unit performs routing functions.

A route provides the FortiGate unit with the information it needs to forward a packet to a particular destination on the network. A static route causes packets to be forwarded to a destination other than the factory configured default gateway. You define static routes manually. Static routes control traffic exiting the FortiGate unit: you can specify through which interface the packet will leave and to which device the packet should be routed.

The factory configured static default route provides you with a starting point to configure the default gateway. You must either edit the factory configured static default route to specify a different default gateway for the FortiGate unit, or delete the factory configured route and specify your own static default route that points to the default gateway for the FortiGate unit. See "Default route and default gateway" on page 205.

As an option, you can define route policies. Route policies specify additional criteria for examining the properties of incoming packets. Using route policies, you can configure the FortiGate unit to route packets based on the IP source and/or destination addresses in packet headers and other criteria such as on which interface the packet was received and which protocol (service) and/or port is being used to transport the packet.

The following topics are covered in this section:
• How the routing table is built
• How routing decisions are made
• Multipath routing and determining the best route
• How route sequence affects route priority
• Equal Cost Multipath (ECMP) Routes

How the routing table is built

In the factory default configuration, the FortiGate routing table contains a single static default route. You can add routing information to the routing table by defining additional static routes. The table may include several different routes to the same destination: the IP addresses of the next-hop router specified in those routes or the FortiGate interfaces associated with those routes may vary.

The FortiGate unit selects the "best" route for a packet by evaluating the information in the routing table. The best route to a destination is typically associated with the shortest distance between the FortiGate unit and the closest next-hop router. In some cases, the next best route may be selected if the best route is unavailable for some reason.

The best routes are installed in the FortiGate forwarding table, which is a subset of the FortiGate routing table. Packets are forwarded according to the information in the forwarding table.

How routing decisions are made

Whenever a packet arrives at one of the FortiGate unit's interfaces, the FortiGate unit determines whether the packet was received on a legitimate interface by doing a reverse lookup using the source IP address in the packet header. If the FortiGate unit cannot communicate with the computer at the source IP address through the interface on which the packet was received, the FortiGate unit drops the packet as it is likely a hacking attempt.

If the destination address can be matched to a local address (and the local configuration permits delivery), the FortiGate unit delivers the packet to the local network. If the packet is destined for another network, the FortiGate unit forwards the packet to a next-hop router according to a route policy and/or the information stored in the FortiGate forwarding table. See "Policy Route" on page 208.

Multipath routing and determining the best route

Multipath routing occurs when more than one entry to the same destination is present in the routing table. When multipath routing happens, the FortiGate unit may have several possible destinations for an incoming packet, forcing the FortiGate unit to decide which next-hop is the best one.

Two methods to manually resolve multiple routes to the same destination are to lower the administrative distance of one route or to set the priority of both routes. For the FortiGate unit to select a primary (preferred) route, manually lower the administrative distance associated with one of the possible routes. The administrative distance can be from 1 to 255. If the next-hop administrative distances of two routes on the FortiGate unit are equal, it may not be clear which route the packet will take. Another method is to manually change the priority of both of the routes. Configuring the priority for each of those routes will make it clear which next-hop will be used in the case of a tie. Lower priorities are preferred. The priority for a route can only be set from the CLI.

All entries in the routing table are associated with an administrative distance. If the routing table contains several entries that point to the same destination (the entries may have different gateways or interface associations), the FortiGate unit compares the administrative distances of those entries, selects the entries having the lowest distances, and installs them as routes in the FortiGate forwarding table. As a result, the FortiGate forwarding table only contains routes having the lowest distances to every possible destination. For information about how to change the administrative distance associated with a static route, see "Adding a static route to the routing table" on page 208.

As of FortiOS v3, a priority field has been added for routes that are configured using the CLI. The priority field overrides route sequence for resolving two routes with the same administrative distance. The route with the lowest value in the priority field is considered the best route. The command to set the priority field is: set priority <integer> under the config route static command. For more information see the FortiGate CLI Reference.

How route sequence affects route priority

After the FortiGate unit selects static routes for the forwarding table based on their administrative distances, the sequence numbers of those routes determine routing priority. When two routes to the same destination exist in the forwarding table, the route having the lowest sequence number is the best choice. The best route is also the primary route.

When you add a static route to the Static Route list through the web-based manager, the FortiGate unit assigns the next unassigned sequence number to the new entry automatically. For example, in Figure 119, two static routes to the same destination (1.1.1.0/24) were created to illustrate how entry numbers and sequence numbers are assigned through the web-based manager.

Figure 119: Static routes created through the web-based manager

Entry number 2 was created first and entry number 3 was created second, so their sequence numbers in the routing table are 2 and 3 respectively. The two routes specify the same gateway, but in one case the packet would leave the FortiGate unit through the interface named "port1", and in the second case the packet would leave the FortiGate unit through the interface named "port2". When the FortiGate unit evaluates these two routes to the same destination, both will be added to the forwarding table because they have low administrative distances. Because entry number 2 has the lowest sequence number, it is the preferred route.

After a route has been added to the forwarding table, its sequence number determines the priority of the route unless its priority was set in the CLI with the set priority command. When the priority value is a tie or is not used, the best route is the route with the lowest sequence number in the routing table.
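The selection order described in this section (lowest administrative distance decides what enters the forwarding table; among those, the lowest priority, then the lowest sequence number; equal priority leaves an Equal Cost Multipath set) and the reverse-path lookup from "How routing decisions are made" are easy to get wrong when reading a routing table by hand. The following is an added example, not FortiOS code, that models both rules over a constructed table patterned on Figure 119 (the gateway address is a documentation address chosen for the example, since the figure's value is not on the page). It goes one step beyond the text by adding longest-prefix matching, which any IP forwarder applies before the tie-breaking rules above; the reverse-path check here is a strict one that accepts any ECMP peer's interface.

```python
"""Added example (not FortiOS code): build a forwarding table from static
routes, choose the best next hop and run a strict reverse-path check.
Selection order: lowest distance -> longest prefix -> lowest priority
-> lowest sequence number; equal priority is an ECMP set."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class StaticRoute:
    seq: int            # sequence number (the CLI's edit <ID_integer>)
    dst: str            # destination network, e.g. "1.1.1.0/24"
    gateway: str        # next-hop router
    device: str         # interface the packet leaves through
    distance: int = 10  # administrative distance, 1..255
    priority: int = 0   # CLI 'set priority'; lower is preferred


def build_forwarding_table(routes: List[StaticRoute]) -> Dict:
    """Keep, per destination network, only the routes with the lowest distance."""
    fib: Dict = {}
    for r in routes:
        net = ipaddress.ip_network(r.dst, strict=False)
        current = fib.get(net)
        if current is None or r.distance < current[0].distance:
            fib[net] = [r]                 # strictly better: replace the set
        elif r.distance == current[0].distance:
            current.append(r)              # tie: both are installed
    return fib


def lookup(fib: Dict, ip: str) -> Tuple[Optional[StaticRoute], List[StaticRoute]]:
    """Longest-prefix match, then lowest priority. Among equal priorities the
    lowest sequence number is the best route; the whole set is returned as ECMP."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in fib if addr in net]
    if not matches:
        return None, []
    entries = fib[max(matches, key=lambda n: n.prefixlen)]
    best_priority = min(r.priority for r in entries)
    ecmp = sorted((r for r in entries if r.priority == best_priority), key=lambda r: r.seq)
    return ecmp[0], ecmp


def reverse_path_check(fib: Dict, src_ip: str, ingress_device: str) -> bool:
    """Strict reverse-path check: the packet's source must be reachable back
    through the interface it arrived on (any ECMP peer's interface counts)."""
    best, ecmp = lookup(fib, src_ip)
    return best is not None and any(r.device == ingress_device for r in ecmp)


# Constructed table patterned on Figure 119: two routes to 1.1.1.0/24 with the
# same gateway but different devices, the default route, and a worse route
# (distance 20) that must never reach the forwarding table.
ROUTES = [
    StaticRoute(1, "0.0.0.0/0", "192.0.2.1", "external"),
    StaticRoute(2, "1.1.1.0/24", "192.0.2.1", "port1"),
    StaticRoute(3, "1.1.1.0/24", "192.0.2.1", "port2"),
    StaticRoute(4, "1.1.1.0/24", "192.0.2.254", "port3", distance=20),
]
FIB = build_forwarding_table(ROUTES)
```

For 1.1.1.7 the table yields sequence 2 as the best route with sequence 3 as its ECMP peer, exactly as the figure's discussion says; giving sequence 3 a lower priority value than sequence 2 flips that choice without touching the distances. A packet claiming source 1.1.1.9 passes the reverse-path check when it arrives on port1 or port2 and fails when it arrives on an interface no route to 1.1.1.0/24 uses.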

Note: You can display the sequence numbers of static routes in the routing table through the CLI: type config router static, and then type get. The sequence number of a route is equivalent to the edit <ID_integer> value that one enters when defining a static route through the CLI. For more information, see config router static in the FortiGate CLI Reference.

The order of entries in the Static Route list typically mirrors the sequence of static routes in the routing table when all static routes are configured through the web-based manager. However, because you can specify the sequence number of a static route when you add the route through the CLI, the sequence number of a route may not always match its entry number in the Static Route list. Sequence numbers can be specified for static routes through the CLI only. For a static route to be the preferred route, you must create the route using the config router static CLI command and specify a low sequence number or low priority for the route.

Because you can use the CLI to specify which sequence numbers or priority field settings to use when defining static routes, it can be confusing which route or routes will be installed and used. In summary, routes to the same destination can be prioritized according to their sequence numbers and priority field settings, as explained earlier. If a route in the routing table has a lower sequence number than another route to the same destination, the FortiGate unit will choose the route with the lower sequence number before choosing the other route.

Equal Cost Multipath (ECMP) Routes

When there is more than one route to the same destination, if the distance of both routes is the same and both priorities are the same, then they are an Equal Cost Multipath (ECMP) route. This is based on distance and priority. If you have load balancing enabled with ECMP routes, then different sessions will use different routes to the same address to load balance traffic. For more information, see the "router" chapter of the FortiGate CLI Reference.

Static Route

You configure static routes by defining the destination IP address and netmask of packets that the FortiGate unit is intended to intercept, and specifying a (gateway) IP address for those packets. The gateway address specifies the next-hop router to which traffic will be routed.

Working with static routes

The Static Route list displays information that the FortiGate unit compares to packet headers in order to route packets. Initially, the list contains the factory configured static default route. See "Default route and default gateway" on page 205. Additional entries can be added manually.

Note: You can use the config router static6 CLI command to add, edit, or delete static routes for IPv6 traffic.

When you add a static route to the Static Route list, the FortiGate unit evaluates the information to determine if it represents a different route compared to any other route already present in the FortiGate routing table. If no route having the same destination exists in the routing table, the FortiGate unit adds the route to the routing table.

To view the list of static routes, go to Router > Static > Static Route. To edit an existing static route entry, go to Router > Static > Static Route and select the Edit icon beside the entry that you want to edit.

Figure 120 shows the static route list belonging to a FortiGate unit that has interfaces named "external" and "internal". The names of the interfaces on your FortiGate unit may be different.

Figure 120: Static Route list

Create New: Add a static route to the Static Route list. See "Adding a static route to the routing table" on page 208.
IP: The destination IP addresses of packets that the FortiGate unit intercepts.
Mask: The network masks associated with the IP addresses.
Gateway: The IP addresses of the next-hop routers to which intercepted packets are forwarded.
Device: The names of the FortiGate interfaces through which intercepted packets are received and sent.
Distance: The administrative distances associated with each route. The values represent distances to next-hop routers.
Delete and Edit icons: Delete or edit an entry in the list.

Default route and default gateway

In the factory default configuration, entry number 1 in the Static Route list is associated with a destination address of 0.0.0.0/0, which means any/all destinations. This route is called the "static default route". If no other routes are present in the routing table and a packet needs to be forwarded beyond the FortiGate unit, the factory configured static default route causes the FortiGate unit to forward the packet to the default gateway.

To prevent this you must either edit the factory configured static default route to specify a different default gateway for the FortiGate unit, or delete the factory configured route and specify your own static default route that points to the default gateway for the FortiGate unit.

For example, consider Figure 121, which shows a FortiGate unit connected to a router. To ensure that all outbound packets destined to any network beyond the router are routed to the correct destination, you must edit the factory default configuration and make the router the default gateway for the FortiGate unit.

Figure 121: Making a router the default gateway (diagram: the Internet, a router at 192.168.10.1, the external interface of FortiGate_1, and the internal network 192.168.20.0/24)

To route outbound packets from the internal network to destinations that are not on network 192.168.20.0/24, you would edit the default route and include the following settings:
• Destination IP/mask: 0.0.0.0/0.0.0.0
• Gateway: 192.168.10.1
• Device: Name of the interface connected to network 192.168.10.0/24 (for example, external).
• Distance: 10

The Gateway setting specifies the IP address of the next hop router interface to the FortiGate external interface. The interface behind the router (192.168.10.1) is the default gateway for FortiGate_1.

In some cases, there may be routers behind the FortiGate unit. If the destination IP address of a packet is not on the local network but is on a network behind one of those routers, the FortiGate routing table must include a static route to that network. For example, in Figure 122, the FortiGate unit must be configured with static routes to interfaces 192.168.10.1 and 192.168.20.1 in order to forward packets to Network_1 and Network_2 respectively.

Figure 122: Destinations on networks behind internal routers (Internet; FortiGate_1 with interfaces internal and dmz; Router_1 and Router_2; Network_1 192.168.20.0/24; Network_2 192.168.30.0/24)

On the FortiGate unit, to route packets from Network_1 to Network_2, you would create a new static route with these settings:
Destination IP/mask: 192.168.30.0/24
Gateway: 192.168.11.1
Device: dmz
Distance: 10

On the FortiGate unit, to route packets from Network_2 to Network_1, you would create a new static route with these settings:
Destination IP/mask: 192.168.20.0/24
Gateway: 192.168.10.1
Device: internal
Distance: 10

Router_1 must be configured to use the FortiGate internal interface as its default gateway. Router_2 must be configured to use the FortiGate dmz interface as its default gateway.

Changing the gateway for the default route

The default gateway determines where packets matching the default route will be forwarded.

To change the gateway for the default route
1 Go to Router > Static > Static Route.
2 Select the Edit icon in row 1.
3 In the Gateway field, type the IP address of the next-hop router to which outbound traffic may be directed.

4 If the FortiGate unit reaches the next-hop router through a different interface (compared to the interface that is currently selected in the Device field), select the name of the interface from the Device field.
5 In the Distance field, optionally adjust the administrative distance value.
6 Select OK.

Adding a static route to the routing table

A route provides the FortiGate unit with the information it needs to forward a packet to a particular destination. A static route causes packets to be forwarded to a destination other than the default gateway. You define static routes manually. Static routes control traffic exiting the FortiGate unit: you can specify through which interface the packet will leave and to which device the packet should be routed.

When you add a static route through the web-based manager, the FortiGate unit assigns the next unassigned sequence number to the route automatically and adds the entry to the Static Route list.

To add a static route entry, go to Router > Static > Static Route and select Create New. Figure 123 shows the Edit Static Route dialog box belonging to a FortiGate unit that has an interface named “internal”. The names of the interfaces on your FortiGate unit may be different.

Figure 123: Edit Static Route

Destination IP/Mask: Type the destination IP address and network mask of packets that the FortiGate unit has to intercept. The value 0.0.0.0/0.0.0.0 is reserved for the default route.
Gateway: Type the IP address of the next-hop router to which the FortiGate unit will forward intercepted packets.
Device: Select the name of the FortiGate interface through which the intercepted packets may be routed to the next-hop router.
Distance: Type an administrative distance for the route. The value can be an integer from 1 to 255. The distance value is arbitrary and should reflect the distance to the next-hop router. A lower value indicates a more preferred route.

Policy Route

Whenever a packet arrives at a FortiGate unit interface, the FortiGate unit determines whether the packet was received on a legitimate interface by doing a reverse lookup using the source IP address in the packet header. If the FortiGate unit cannot communicate with the computer at the source IP address through the interface on which the packet was received, the FortiGate unit drops the packet.

If the destination address can be matched to a local address (and the local configuration permits delivery), the FortiGate unit delivers the packet to the local network. If the packet is destined for another network, the FortiGate unit forwards the packet to a next-hop router according to a route policy and/or the information stored in the FortiGate forwarding table (see “Routing concepts” on page 201).

When routing policies exist and a packet arrives at the FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and attempts to match the packet with a policy. If a match is found and the policy contains enough information to route the packet (the IP address of the next-hop router must be specified as well as the FortiGate interface for forwarding packets to the next-hop router), the FortiGate unit routes the packet using the information in the policy. If no route policy matches the packet, the FortiGate unit routes the packet using the routing table.

Note: Because most policy settings are optional, a matching policy alone might not provide enough information for the FortiGate unit to forward the packet. The FortiGate unit may refer to the routing table in an attempt to match the information in the packet header with a route in the routing table. For example, if the outgoing interface is the only item given in the policy, the FortiGate unit looks up the IP address of the next-hop router in the routing table. This situation could happen when the FortiGate interfaces are dynamic (the interface receives an IP address through DHCP or PPPoE) and you do not want or are unable to specify the IP address of the next-hop router because the IP address changes dynamically.

To view the list of route policies, go to Router > Static > Policy Route. Figure 124 shows the policy route list belonging to a FortiGate unit that has interfaces named “external” and “internal”. The names of the interfaces on your FortiGate unit may be different. To edit an existing route policy, go to Router > Static > Policy Route and select the Edit icon beside the policy that you want to edit.

Figure 124: Policy Route list

Create New: Add a route policy. See “Adding a route policy” on page 210.
#: The ID numbers of configured route policies. These numbers are sequential unless policies have been moved within the table.
Incoming: The interfaces on which packets subjected to route policies are received.
Outgoing: The interfaces through which policy routed packets are routed.
Source: The IP source addresses and network masks that cause policy routing to occur.
Destination: The IP destination addresses and network masks that cause policy routing to occur.
Delete icon: Select to delete a policy route.

Edit icon: Select to edit a policy route.
Move To icon: Select to move a policy route up or down in the policy route table. Selecting this icon will bring up the Move Policy Route screen where you can specify the new location in the Policy Route table. See “Moving a route policy”.

Adding a route policy

Route policy options define which attributes of an incoming packet cause policy routing to occur. If the attributes of a packet match all the specified conditions, the FortiGate unit routes the packet through the specified interface to the specified gateway.

To add a route policy, go to Router > Static > Policy Route and select Create New. Figure 125 shows the New Routing Policy dialog box belonging to a FortiGate unit that has interfaces named “external” and “internal”. The names of the interfaces on your FortiGate unit may be different.

Figure 125: New Routing Policy

Protocol: To perform policy routing based on the value in the protocol field of the packet, type the protocol number to match. The range is from 0 to 255. A value of 0 disables the feature.
Incoming Interface: Select the name of the interface through which incoming packets subjected to the policy are received.
Source Address / Mask: To perform policy routing based on the IP source address of the packet, type the source address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the feature.
Destination Address / Mask: To perform policy routing based on the IP destination address of the packet, type the destination address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the feature.
Destination Ports: To perform policy routing based on the port on which the packet is received, type the same port number in the From and To fields. If you want policy routing to apply to a range of ports, type the starting port number in the From field and the ending port number in the To field. Zero values disable this feature.
Outgoing Interface: Select the name of the interface through which packets affected by the policy will be routed.
Gateway Address: Type the IP address of the next-hop router that the FortiGate unit can access through the specified interface. A value of 0.0.0.0 is not valid.

Moving a route policy

A routing policy is added to the bottom of the routing table when it is created. If you want one policy to be used in preference to another, you may want to move it to a different location in the routing policy table.

The option to use one of two routes happens when both routes are a match, say 172.20.0.0/255.255.0.0 and 172.20.120.0/255.255.255.0. If both of these routes are in the policy table, both can match a route to 172.20.120.112, but the second one is a better match. In that case the best match route should be positioned before the other route in the policy table.

Using the CLI, you can assign priorities to routes. In the case of two matches in the routing table, the priority will determine which route is used. This feature is only available through the CLI.

Figure 126: Move Policy Route

Before / After: Select Before to place the selected Policy Route before the indicated route. Select After to place it following the indicated route.
Policy route ID: Enter the Policy route ID of the route in the Policy route table to move the selected route before or after.
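The route selection described in the Static Route and Policy Route sections above, as an added Python model (not FortiOS code): longest-prefix lookup with administrative distance, the reverse-path check on the source address, top-down policy matching that falls back to the routing table, and the effect of moving a policy. The Figure 122 addresses are reused; the default gateway 203.0.113.1, the Network_1 host 192.168.20.5 and the two 172.20.0.0 policies are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# A row of the Static Route list. Gateway 0.0.0.0 marks a directly connected
# network; distance is the administrative distance (1 to 255, lower preferred).
StaticRoute = namedtuple("StaticRoute", "dst gateway device distance", defaults=(10,))

# A row of the Policy Route list. As in the New Routing Policy dialog, 0.0.0.0/0,
# protocol 0 and port 0 disable that condition; "" means the field was left blank.
PolicyRoute = namedtuple(
    "PolicyRoute",
    "input_device output_device gateway src dst protocol port_from port_to",
    defaults=("", "", "0.0.0.0/0", "0.0.0.0/0", 0, 0, 0))

# A packet as seen on arrival: protocol is the IP protocol number (6 = TCP).
Packet = namedtuple("Packet", "src dst in_device protocol dport", defaults=(6, 0))

def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def lookup(table, address):
    """Routing-table lookup: longest prefix wins, then lowest distance."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in table if addr in net(r.dst)]
    if not matches:
        return None
    return max(matches, key=lambda r: (net(r.dst).prefixlen, -r.distance))

def reverse_path_ok(table, pkt):
    """Reverse lookup on the source address: it must be reachable through the
    interface the packet arrived on, otherwise the unit drops the packet."""
    route = lookup(table, pkt.src)
    return route is not None and route.device == pkt.in_device

def policy_matches(policy, pkt):
    """A policy matches only when every condition it specifies is met."""
    src_ok = ipaddress.ip_address(pkt.src) in net(policy.src)
    dst_ok = ipaddress.ip_address(pkt.dst) in net(policy.dst)
    proto_ok = not policy.protocol or policy.protocol == pkt.protocol
    port_ok = not policy.port_from or policy.port_from <= pkt.dport <= policy.port_to
    return policy.input_device == pkt.in_device and src_ok and dst_ok and proto_ok and port_ok

def forward(table, policies, pkt):
    """Return (device, gateway) for the packet, or None when it is dropped."""
    if not reverse_path_ok(table, pkt):
        return None
    for policy in policies:                     # Policy Route list, top to bottom
        if not policy_matches(policy, pkt):
            continue
        if policy.output_device and policy.gateway:
            return (policy.output_device, policy.gateway)
        if policy.output_device:                # only the interface was given:
            route = lookup(table, pkt.dst)      # the next hop comes from the table
            if route is not None:
                return (policy.output_device, route.gateway)
        break                                   # not enough information: use the table
    route = lookup(table, pkt.dst)
    return (route.device, route.gateway) if route is not None else None

def move_before(policies, policy_id, before_id):
    """Move Policy Route with Before selected; IDs are the 1-based row numbers."""
    entry = policies.pop(policy_id - 1)
    policies.insert(before_id - 1 if before_id < policy_id else before_id - 2, entry)
    return policies

# Routing table of FortiGate_1 in Figure 122, plus a constructed default route
# (gateway 203.0.113.1) and the two connected interface subnets.
TABLE = [
    StaticRoute("0.0.0.0/0", "203.0.113.1", "external"),
    StaticRoute("192.168.10.0/24", "0.0.0.0", "internal", 0),
    StaticRoute("192.168.11.0/24", "0.0.0.0", "dmz", 0),
    StaticRoute("192.168.20.0/24", "192.168.10.1", "internal"),   # Network_1 via Router_1
    StaticRoute("192.168.30.0/24", "192.168.11.1", "dmz"),        # Network_2 via Router_2
    StaticRoute("10.0.0.0/8", "192.168.10.1", "internal", 10),    # same prefix twice:
    StaticRoute("10.0.0.0/8", "192.168.11.1", "dmz", 20),         # distance 10 is preferred
]

# Two overlapping route policies in creation order (rows 1 and 2); constructed.
POLICIES = [
    PolicyRoute("internal", "dmz", "192.168.11.1", dst="172.20.0.0/16"),
    PolicyRoute("internal", "external", "203.0.113.1", dst="172.20.120.0/24"),
]

def demo():
    host = "192.168.20.5"                       # constructed host on Network_1
    policies = list(POLICIES)
    out = {
        "n1_to_n2": forward(TABLE, policies, Packet(host, "192.168.30.7", "internal")),
        "spoofed": forward(TABLE, policies, Packet(host, "192.168.30.7", "dmz")),
        "distance": forward(TABLE, policies, Packet(host, "10.1.2.3", "internal")),
        "row1_first": forward(TABLE, policies, Packet(host, "172.20.120.112", "internal")),
    }
    move_before(policies, 2, 1)                 # put the /24 policy above the /16 policy
    out["after_move"] = forward(TABLE, policies, Packet(host, "172.20.120.112", "internal"))
    return out

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:>10}: {decision}")
```

The "spoofed" case is the reverse-path drop: the Network_1 source arrives on dmz, where the routing table says it cannot live, so the unit never consults the policies.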


Router Dynamic

This section explains how to configure dynamic protocols to route traffic through large or complex networks. Dynamic routing protocols enable the FortiGate unit to automatically share information about routes with neighboring routers and learn about routes and networks advertised by neighboring routers. Given a set of rules, the FortiGate unit can determine the best route or path for sending packets to a destination. The FortiGate unit selects routes and updates its routing table dynamically based on the rules you specify. You can also define rules to suppress the advertising of routes to neighboring routers and/or change FortiGate routing information before it is advertised.

The FortiGate unit supports these dynamic routing protocols:
• Routing Information Protocol (RIP)
• Open Shortest Path First (OSPF)
• Border Gateway Protocol (BGP)

Note: Basic RIP, OSPF, and BGP routing options can be configured through the web-based manager. Many additional options may be configured through CLI commands only. For complete descriptions and examples of how to use CLI commands to configure RIP, OSPF, and BGP settings, see the “router” chapter of the FortiGate CLI Reference.

Note: A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root virtual domain. FortiGate units support PIM sparse mode and dense mode and can service multicast servers or receivers on the network segment to which a FortiGate interface is connected. PIM can use static routes, RIP, OSPF, or BGP to forward multicast packets to their destinations.

The following topics are included in this section:
• RIP
• OSPF
• BGP
• Multicast

RIP

RIP is a distance-vector routing protocol intended for small, relatively homogeneous networks. The FortiGate implementation of RIP supports both RIP version 1 (see RFC 1058) and RIP version 2 (see RFC 2453).

Note: Basic routing options can be configured through the web-based manager. Many additional options may be configured through CLI commands only. For complete descriptions and examples of how to use CLI commands to configure RIP settings, see the “router” chapter of the FortiGate CLI Reference.

How RIP works

RIP uses hop count as the metric for choosing the best route. A hop count of 1 represents a network that is connected directly to the FortiGate unit, while a hop count of 16 represents a network that the FortiGate unit cannot reach. Each network that a packet travels through to reach its destination usually counts as one hop. When the FortiGate unit compares two routes to the same destination, the route having the lowest hop count is added to the routing table.

When RIP is enabled, the FortiGate unit broadcasts requests for RIP updates from each of its RIP-enabled interfaces. Neighboring routers respond with information from their routing tables. The FortiGate unit adds routes from neighbors to its own routing table only if those routes are not already recorded in the routing table. When a route already exists in the routing table, the FortiGate unit compares the advertised route to the recorded route and chooses the shortest route for the routing table.

Similarly, when RIP is enabled on an interface, the FortiGate unit sends RIP responses to neighboring routers on a regular basis. The updates provide information about the routes in the FortiGate routing table, subject to the rules that you specify for advertising those routes. You can specify how often the FortiGate unit sends updates, how long a route can be kept in the FortiGate routing table without being updated, and, for routes that are not updated regularly, how long the FortiGate unit advertises the route as unreachable before it is removed from the FortiGate routing table.

Viewing and editing basic RIP settings

When you configure RIP settings, you have to specify the networks that are running RIP and specify any additional settings needed to adjust RIP operation on the FortiGate interfaces that are connected to the RIP-enabled network.

To configure basic settings for a FortiGate unit connected to a RIP network, go to Router > Dynamic > RIP. To edit the operating parameters of a RIP-enabled interface, go to Router > Dynamic > RIP and select the Edit icon in the row that corresponds to the RIP-enabled interface. Figure 127 shows the basic RIP settings on a FortiGate unit that has interfaces named “dmz” and “external”. The names of the interfaces on your FortiGate unit may be different.

Figure 127: Basic RIP settings

RIP Version: Select the level of RIP compatibility needed at the FortiGate unit. You can enable global RIP settings on all FortiGate interfaces connected to RIP-enabled networks:
• Select 1 to send and receive RIP version 1 packets.
• Select 2 to send and receive RIP version 2 packets.
• Select Both to send and receive RIP version 1 and 2 packets.
You can override the global settings for a specific FortiGate interface if required (see “Overriding the RIP operating parameters on an interface” on page 217).
Advanced Options: Select advanced RIP options. See “Selecting advanced RIP options” on page 216.
Networks: The IP addresses and network masks of major networks (connected to the FortiGate unit) that run RIP. You can enable RIP on all FortiGate interfaces whose IP addresses match the RIP network address space. When you add a network to the Networks list, the FortiGate interfaces that are part of the network are advertised in RIP updates.
IP/Netmask: Enter the IP address and netmask that defines the RIP-enabled network.
Add: Select to add the network information to the Networks list.
Interfaces: Any additional settings needed to adjust RIP operation on a FortiGate interface. These parameters will override the global RIP settings for that interface. See “Overriding the RIP operating parameters on an interface” on page 217.
Create New: Select to configure RIP operating parameters for an interface.
Interface: Select the interface to configure RIP operating parameters for.
Send Version: Select the version of RIP used to send updates through each interface: 1, 2 or both.
Receive Version: Select the versions of RIP used to listen for updates on each interface: 1, 2 or both.
Authentication: Select the type of authentication used on this interface: None, Text or MD5.
Passive: Select to block RIP broadcasts on this interface.
Delete and Edit icons: Delete or edit a RIP network entry or a RIP interface definition.

Selecting advanced RIP options

Advanced RIP options let you specify settings for RIP timers and define metrics for redistributing routes that the FortiGate unit learns through some means other than RIP updates. For example, if the FortiGate unit is connected to an OSPF or BGP network or you add a static route to the FortiGate routing table manually, you can configure the FortiGate unit to advertise those routes on RIP-enabled interfaces.

To select advanced RIP options, go to Router > Dynamic > RIP and expand Advanced Options. After you select the options, select Apply.

Note: Additional advanced options can be configured through the CLI. For example, you can filter incoming or outgoing updates using a route map, an access list, or a prefix list. The FortiGate unit also supports offset lists, which add the specified offset to the metric of a route. For more information, see the “router” chapter of the FortiGate CLI Reference.

Figure 128: Advanced Options (RIP)

Default Metric: Enter the default hop count that the FortiGate unit should assign to routes that are added to the Fortinet routing table. The range is from 1 to 16. This value also applies to Redistribute unless otherwise specified.
Enable Default-information-originate: Select to generate and unconditionally advertise a default route into the FortiGate unit’s RIP-enabled networks. The generated route may be based on routes learned through a dynamic routing protocol, routes in the routing table, or both.
RIP Timers: Override the default RIP timer settings. The default settings are effective in most configurations; if you change these settings, take care to ensure that the new settings are compatible with local routers and access servers.
Update: Enter the amount of time (in seconds) that the FortiGate unit will wait between sending RIP updates.
Timeout: Enter the maximum amount of time (in seconds) that a route is considered reachable while no updates are received for the route. This is the maximum time the FortiGate unit will keep a reachable route in the routing table while no updates for that route are received. If the FortiGate unit receives an update for the route before the timeout period expires, the timer is restarted. The Timeout period should be at least three times longer than the Update period.

Garbage: Enter the amount of time (in seconds) that the FortiGate unit will advertise a route as being unreachable before deleting the route from the routing table. The value determines how long an unreachable route is kept in the routing table.
Redistribute: Enable or disable RIP updates about routes that were not learned through RIP. The FortiGate unit can use RIP to redistribute routes learned from directly connected networks, static routes, OSPF, and/or BGP.
Connected: Select to redistribute routes learned from directly connected networks. If you want to specify a hop count for those routes, select Metric, and in the Metric field, enter the hop count. The range is from 1 to 16.
Static: Select to redistribute routes learned from static routes. If you want to specify a hop count for those routes, select Metric, and in the Metric field, enter the hop count. The range is from 1 to 16.
OSPF: Select to redistribute routes learned through OSPF. If you want to specify a hop count for those routes, select Metric, and in the Metric field, enter the hop count. The range is from 1 to 16.
BGP: Select to redistribute routes learned through BGP. If you want to specify a hop count for those routes, select Metric, and in the Metric field, enter the hop count. The range is from 1 to 16.

Overriding the RIP operating parameters on an interface

RIP interface options enable you to override the global RIP settings that apply to all Fortinet interfaces connected to RIP-enabled networks. For example, if you want to suppress RIP advertising on an interface that is connected to a subnet of a RIP-enabled network, you can enable the interface to operate passively. Passive interfaces listen for RIP updates but do not respond to RIP requests. If RIP version 2 is enabled on the interface, you can optionally choose password authentication to ensure that the FortiGate unit authenticates a neighboring router before accepting updates from that router. The FortiGate unit and the neighboring router must both be configured with the same password. Authentication guarantees the authenticity of the update packet, not the confidentiality of the routing information in the packet.

To set specific RIP operating parameters for a RIP-enabled interface, go to Router > Dynamic > RIP and select Create New. Figure 129 shows the New/Edit RIP Interface dialog box belonging to a FortiGate unit that has an interface named “internal”. The names of the interfaces on your FortiGate unit may be different.

Note: Additional options such as split-horizon and key-chain settings can be configured per interface through the CLI. For more information, see the “router” chapter of the FortiGate CLI Reference.
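The RIP hop-count processing described under “How RIP works” and the Update, Timeout and Garbage timers described above, as an added Python model (not FortiOS code). The neighbor addresses, the advertised networks and the 30/180/120 second timer values are constructed for the example; the passive flag only suppresses the unit's own periodic update.

```python
from dataclasses import dataclass
from typing import Optional

UNREACHABLE = 16          # hop count meaning "the unit cannot reach this network"


@dataclass
class RipRoute:
    prefix: str
    hops: int
    next_hop: str         # "0.0.0.0" marks a directly connected network
    updated: float        # time of the last update that refreshed the route
    garbage_since: Optional[float] = None   # set once the route is advertised as unreachable


class RipTable:
    """RIP routing table driven by the Update, Timeout and Garbage timers."""

    def __init__(self, update=30, timeout=180, garbage=120):
        # The guide's rule: Timeout should be at least three times the Update period.
        if timeout < 3 * update:
            raise ValueError("Timeout must be at least three times the Update period")
        self.update, self.timeout, self.garbage = update, timeout, garbage
        self.routes = {}

    def add_connected(self, prefix, now):
        self.routes[prefix] = RipRoute(prefix, 1, "0.0.0.0", now)   # hop count 1

    def receive(self, neighbor, advertised, now):
        """Process one RIP response from neighbor, given as {prefix: hop count}."""
        for prefix, hops in advertised.items():
            hops = min(hops + 1, UNREACHABLE)          # one more hop to go via neighbor
            cur = self.routes.get(prefix)
            if cur is None:
                if hops < UNREACHABLE:                 # not recorded yet: add it
                    self.routes[prefix] = RipRoute(prefix, hops, neighbor, now)
            elif cur.next_hop == neighbor:             # same next hop: refresh and update
                cur.hops, cur.updated = hops, now
                if hops < UNREACHABLE:
                    cur.garbage_since = None
                elif cur.garbage_since is None:
                    cur.garbage_since = now            # the neighbor withdrew the route
            elif hops < cur.hops:                      # shorter route via another neighbor
                self.routes[prefix] = RipRoute(prefix, hops, neighbor, now)

    def expire(self, now):
        """Timeout: mark stale routes unreachable. Garbage: delete them later."""
        for r in list(self.routes.values()):
            if r.next_hop == "0.0.0.0":
                continue
            if r.garbage_since is None and now - r.updated >= self.timeout:
                r.hops, r.garbage_since = UNREACHABLE, now
            elif r.garbage_since is not None and now - r.garbage_since >= self.garbage:
                del self.routes[r.prefix]

    def advertise(self, passive=False):
        """Hop counts sent in the periodic update; a passive interface sends none."""
        return {} if passive else {p: r.hops for p, r in self.routes.items()}


def demo():
    t = RipTable()
    t.add_connected("192.168.1.0/24", now=0)
    # t=0: Router A advertises three networks; 10.99.0.0/16 at 15 hops becomes 16, ignored.
    t.receive("10.0.0.1", {"10.10.0.0/16": 1, "10.20.0.0/16": 3, "10.99.0.0/16": 15}, now=0)
    # t=5: Router B offers 10.20.0.0/16 in 2 hops, replacing Router A's 4-hop route.
    t.receive("10.0.0.2", {"10.20.0.0/16": 1}, now=5)
    at_5 = {p: (r.hops, r.next_hop) for p, r in t.routes.items()}
    events = {}
    # Router A keeps refreshing 10.10.0.0/16 every Update period; Router B goes silent.
    for now in range(30, 331, 30):
        t.receive("10.0.0.1", {"10.10.0.0/16": 1}, now=now)
        t.expire(now)
        r = t.routes.get("10.20.0.0/16")
        if r is not None and r.hops == UNREACHABLE:
            events.setdefault("unreachable_at", now)   # Timeout expired (5 + 180)
        if r is None:
            events.setdefault("deleted_at", now)       # Garbage expired (210 + 120)
    return {"at_5": at_5, "table": t, **events}


if __name__ == "__main__":
    result = demo()
    print(result["at_5"], result["unreachable_at"], result["deleted_at"])
```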

Figure 129: New/Edit RIP Interface

Interface: Select the name of the FortiGate interface to which these settings apply. The interface must be connected to a RIP-enabled network. The interface can be a virtual IPSec or GRE interface.
Send Version, Receive Version: Select to override the default RIP-compatibility setting for sending and receiving updates through the interface: RIP version 1, version 2 or Both.
Authentication: Select an authentication method for RIP exchanges on the specified interface:
• Select None to disable authentication.
• If the interface is connected to a network that runs RIP version 2, optionally select Text and type a password (up to 35 characters) in the Password field. The password is sent in clear text over the network. The FortiGate unit and the router sending the RIP updates must both be configured with the same password.
• Select MD5 to authenticate the exchange using MD5.
Passive Interface: Select to suppress the advertising of FortiGate routing information through the specified interface. For the interface to respond to RIP requests, clear Passive Interface.

OSPF

Open shortest path first (OSPF) is a link-state routing protocol that is most often used in large heterogeneous networks to share routing information among routers in the same Autonomous System (AS). FortiGate units support OSPF version 2 (see RFC 2328).

Note: Basic OSPF routing options can be configured through the web-based manager. Many additional options may be configured through CLI commands only. For complete descriptions and examples of how to use CLI commands to configure OSPF settings, see the “router” chapter of the FortiGate CLI Reference.

OSPF autonomous systems

An OSPF AS is typically divided into logical areas linked by area border routers. An area comprises a group of contiguous networks. An area border router links one or more areas to the OSPF network backbone (area ID 0). To specify the characteristics of an OSPF AS, see “Defining an OSPF AS” on page 219.

When the FortiGate unit has an interface to an OSPF area, it can participate in OSPF communications. The FortiGate unit uses the OSPF Hello protocol to acquire neighbors in an area. A neighbor is any router that has an interface to the same area as the FortiGate unit. After initial contact, the FortiGate unit exchanges Hello packets with its OSPF neighbors regularly to confirm that the neighbors can be reached.

OSPF-enabled routers generate link-state advertisements and send them to their neighbors whenever the status of a neighbor changes or a new neighbor comes online. As long as the OSPF network is stable, link-state advertisements between OSPF neighbors do not occur. A Link-State Advertisement (LSA) identifies the interfaces of all OSPF-enabled routers in an area, and provides information that enables OSPF-enabled routers to select the shortest path to a destination. All LSA exchanges between OSPF-enabled routers are authenticated. The FortiGate unit maintains a database of link-state information based on the advertisements that it receives from OSPF-enabled routers. To calculate the best route (shortest path) to a destination, the FortiGate unit applies the Shortest Path First (SPF) algorithm to the accumulated link-state information. OSPF uses relative cost as a basic metric for choosing the best route. Cost imposes a penalty on the outgoing direction of a FortiGate interface. The cost of a route is calculated by adding together all of the costs associated with the outgoing interfaces along the path to a destination. The lowest overall cost indicates the best route.

The FortiGate unit updates its routing table dynamically based on the results of the SPF calculation to ensure that an OSPF packet will be routed using the shortest path to its destination. Depending on the network topology, the entries in the FortiGate routing table may include:
• the addresses of networks in the local OSPF area (to which packets are sent directly)
• routes to OSPF area border routers (to which packets destined for another area are sent)
• if the network contains OSPF areas and non-OSPF domains, routes to AS boundary routers, which reside on the OSPF network backbone and are configured to forward packets to destinations outside the OSPF AS

The number of routes that a FortiGate unit can learn through OSPF depends on the network topology. A single FortiGate unit can support tens of thousands of routes if the OSPF network is configured properly.

Defining an OSPF AS

Defining an OSPF AS involves:
• Defining the characteristics of one or more OSPF areas.
• Creating associations between the OSPF areas that you defined and the local networks to include in the OSPF AS.
• If required, adjusting the settings of OSPF-enabled interfaces.

For more information about how to perform these tasks using the web-based manager, follow the procedure given below.

To define an OSPF AS
1 Go to Router > Dynamic > OSPF.
2 Under Areas, select Create New.
3 Define the characteristics of one or more OSPF areas. See “Defining OSPF areas” on page 223.
4 Under Networks, select Create New.
5 Create associations between the OSPF areas that you defined and the local networks to include in the OSPF AS. See “Specifying OSPF networks” on page 224.
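The SPF cost calculation described above, as an added Python example (not FortiOS code) that runs Dijkstra's shortest path first over a constructed link-state database and derives the routing-table entries for the local area. Router IDs, networks and interface costs are constructed; 10.0.0.1 plays the FortiGate unit.

```python
import heapq

# Constructed link-state database: router ID -> {attached network: outgoing interface cost}.
# 10.0.0.1 plays the FortiGate unit; 10.0.0.2 and 10.0.0.3 are neighboring routers.
LSDB = {
    "10.0.0.1": {"10.1.0.0/24": 10, "10.2.0.0/24": 30},
    "10.0.0.2": {"10.1.0.0/24": 10, "10.3.0.0/24": 10},
    "10.0.0.3": {"10.2.0.0/24": 20, "10.3.0.0/24": 15, "10.4.0.0/24": 5},
}


def build_graph(lsdb):
    """Cost applies in the outgoing direction only: a router -> network link carries
    the interface cost, while the network -> router direction costs nothing."""
    graph = {}
    for router, links in lsdb.items():
        for network, cost in links.items():
            graph.setdefault(router, {})[network] = cost
            graph.setdefault(network, {})[router] = 0
    return graph


def spf(lsdb, root):
    """Dijkstra's shortest path first from root. Returns {node: (total cost, path)}."""
    graph = build_graph(lsdb)
    best = {root: (0, [root])}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                          # stale heap entry, a cheaper path was found
        for nxt, link_cost in graph[node].items():
            total = cost + link_cost          # add the outgoing interface cost
            if nxt not in best or total < best[nxt][0]:
                best[nxt] = (total, best[node][1] + [nxt])
                heapq.heappush(heap, (total, nxt))
    return best


def routing_table(lsdb, root):
    """Network destinations with their total cost and next-hop router ("direct" when
    the network is attached to root), the local-area entries the guide describes."""
    table = {}
    for node, (cost, path) in spf(lsdb, root).items():
        if node not in lsdb:                  # networks only, not router IDs
            next_hop = "direct" if len(path) == 2 else path[2]
            table[node] = (cost, next_hop)
    return table


if __name__ == "__main__":
    # 10.3.0.0/24 costs 10 + 10 via 10.0.0.2, beating 30 + 15 via the direct link to 10.0.0.3.
    for network, (cost, via) in sorted(routing_table(LSDB, "10.0.0.1").items()):
        print(f"{network:<14} cost {cost:>3} via {via}")
```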

6 If you need to adjust the default settings of an OSPF-enabled interface, select Create New under Interfaces.
7 Select the OSPF operating parameters for the interface. See “Selecting operating parameters for an OSPF interface” on page 225.
8 Repeat Steps 6 and 7 if required for additional OSPF-enabled interfaces.
9 Optionally select advanced OSPF options for the OSPF AS. See “Selecting advanced OSPF options” on page 222.
10 Select Apply.

Viewing and editing basic OSPF settings

When you configure OSPF settings, you have to define the AS in which OSPF is enabled and specify which of the FortiGate interfaces participate in the AS. As part of the AS definition, you specify the AS areas and specify which networks to include in those areas. You may optionally adjust the settings associated with OSPF operation on the FortiGate interfaces.

To view and edit OSPF settings, go to Router > Dynamic > OSPF. Figure 130 shows the basic OSPF settings on a FortiGate unit that has an interface named “port1”. The names of the interfaces on your FortiGate unit may be different.

Figure 130: Basic OSPF settings

Router ID: Enter a unique router ID to identify the FortiGate unit to other OSPF routers. By convention, the router ID is the numerically highest IP address assigned to any of the FortiGate interfaces in the OSPF AS. Do not change the router ID while OSPF is running.
Advanced Options: Select advanced OSPF settings. See “Selecting advanced OSPF options” on page 222.
Areas: Information about the areas making up an OSPF AS. The header of an OSPF packet contains an area ID, which helps to identify the origination of a packet inside the AS.
Create New: Select to define an OSPF area and add the new area to the Areas list. See “Defining OSPF areas” on page 223.

Area: The unique 32-bit identifiers of areas in the AS, in dotted decimal notation. Area ID 0.0.0.0 references the backbone of the AS and cannot be changed or deleted. For more information, see “Defining OSPF areas” on page 223.
Type: The types of areas in the AS:
• If an area is a normal OSPF area, “Regular” is displayed.
• If an area is not so stubby, “NSSA” is displayed.
• If an area is a stub, “Stub” is displayed.
Authentication: The methods for authenticating OSPF packets sent and received through all FortiGate interfaces linked to each area:
• When authentication is disabled, “None” is displayed.
• When text-based password authentication is enabled, “Text” is displayed.
• When MD5 authentication is enabled, “MD5” is displayed.
A different authentication setting may apply to some of the interfaces in an area. For example, if an area employs simple passwords for authentication, you can configure a different password for one or more of the networks in that area.
Networks: The networks in the OSPF AS and their area IDs. You can enable OSPF on all FortiGate interfaces whose IP addresses match the OSPF network address space. When you add a network to the Networks list, all FortiGate interfaces that are part of the network are advertised in OSPF link-state advertisements.
Create New: Select to add a network to the AS, specify its area ID, and add the definition to the Networks list. See “Specifying OSPF networks” on page 224.
Network: The IP addresses and network masks of networks in the AS on which OSPF runs. The FortiGate unit may have physical or VLAN interfaces connected to the network.
Area: The area IDs that have been assigned to the OSPF network address space.
Interfaces: Any additional settings needed to adjust OSPF operation on a FortiGate interface.
Create New: Select to add additional/different OSPF operating parameters for a FortiGate interface and add the configuration to the Interfaces list. See “Selecting operating parameters for an OSPF interface” on page 225.
Name: The names of OSPF interface definitions.
Interface: The names of FortiGate physical or VLAN interfaces having OSPF settings that differ from the default values assigned to all other interfaces in the same area, as displayed under Interfaces.
IP: The IP addresses of the OSPF-enabled interfaces having additional/different settings.
Authentication: The methods for authenticating LSA exchanges sent and received on specific OSPF-enabled interfaces. These settings override the area Authentication settings.
Delete and Edit icons: Select to delete or edit an OSPF area entry, network entry, or interface definition.

Selecting advanced OSPF options

Advanced OSPF options let you specify metrics for redistributing routes that the FortiGate unit learns through some means other than OSPF link-state advertisements. The FortiGate unit can use OSPF to redistribute routes learned from directly connected networks, static routes, RIP, and/or BGP. For example, if the FortiGate unit is connected to a RIP or BGP network or you add a static route to the FortiGate routing table manually, you can configure the FortiGate unit to advertise those routes on OSPF-enabled interfaces.

To select advanced OSPF options, go to Router > Dynamic > OSPF and expand Advanced Options. After you select the options, select Apply.

Figure 131: Advanced Options (OSPF)

Default Information: Generate and advertise a default (external) route to the OSPF AS. The generated route may be based on routes learned through a dynamic routing protocol, routes in the routing table, or both.
• None: Disable the generation of a default route.
• Regular: Generate a default route into the OSPF AS and advertise the route to neighboring autonomous systems only if the route is stored in the FortiGate routing table.
• Always: Generate a default route into the OSPF AS and advertise the route to neighboring autonomous systems unconditionally, even if the route is not stored in the FortiGate routing table.
If you want to specify a cost for those routes, enter the cost in the Metric field. The range is from 1 to 16 777 214.

Redistribute: Enable or disable OSPF link-state advertisements about routes that were not learned through OSPF.
• Connected: Select to redistribute routes learned from directly connected networks. If you want to specify a cost for those routes, enter the cost in the Metric field. The range is from 1 to 16 777 214.
• Static: Select to redistribute routes learned from static routes. If you want to specify a cost for those routes, enter the cost in the Metric field. The range is from 1 to 16 777 214.
• RIP: Select to redistribute routes learned through RIP. If you want to specify a cost for those routes, enter the cost in the Metric field. The range is from 1 to 16 777 214.
• BGP: Select to redistribute routes learned through BGP. If you want to specify a cost for those routes, enter the cost in the Metric field. The range is from 1 to 16 777 214.

Note: Many additional advanced OSPF options can be configured through the CLI. For details, see the “router” chapter of the FortiGate CLI Reference.

Defining OSPF areas

An area logically defines part of the OSPF AS. Each area is identified by a 32-bit area ID expressed in decimal dot notation. Area ID 0.0.0.0 is reserved for the OSPF network backbone. You can classify the remaining areas of an AS in one of three ways:
• Regular
• Stub
• NSSA

A regular area contains more than one router, each having at least one OSPF-enabled interface to the area.

Any router connected to a stub area is considered part of the stub area. Routes leading to non-OSPF domains are not advertised to the routers in stub areas. To reach the OSPF backbone, the routers in a stub area must send packets to an area border router. The area border router advertises to the OSPF AS a single default route (destination 0.0.0.0) into the stub area, which ensures that any OSPF packet that cannot be matched to a specific route will match the default route.

In a Not-So-Stubby Area (NSSA), routes that lead out of the area into a non-OSPF domain are made known to the OSPF AS. However, the area itself continues to be treated like a stub area by the rest of the AS.

Regular areas and stub areas (including not-so-stubby areas) are connected to the OSPF backbone through area border routers.

Note: If required, you can define a virtual link to an area that has lost its physical connection to the OSPF backbone. Virtual links can only be set up between two FortiGate units that act as area border routers. For more information, see “config virtual-link” under the OSPF “config area” subcommand in the FortiGate CLI Reference.

To define an OSPF area, go to Router > Dynamic > OSPF, and then under Areas, select Create New. To edit the attributes of an OSPF area, go to Router > Dynamic > OSPF and select the Edit icon in the row that corresponds to the area.

Figure 132: New/Edit OSPF Area

Area: Type a 32-bit identifier for the area. The value must resemble an IP address in decimal-dot notation. Once the OSPF area has been created, the area IP value cannot be changed.

Type: Select an area type to classify the characteristics of the network that will be assigned to the area. The attributes of the area must match the characteristics and topology of the specified network:
• Select Regular if the area contains more than one router, each having at least one OSPF-enabled interface to the area.
• Select STUB if the routers in the area must send packets to an area border router in order to reach the backbone and you do not want routes to non-OSPF domains to be advertised to the routers in the area.
• Select NSSA if you want routes to external non-OSPF domains made known to the OSPF AS and you want the area to be treated like a stub area by the rest of the AS.

Authentication: Select the method for authenticating OSPF packets sent and received through all interfaces in the area:
• Select None to disable authentication.
• Select Text to enable text-based password authentication, to authenticate LSA exchanges using a plain-text password. The password is sent in clear text over the network.
• Select MD5 to enable MD5 authentication using an MD5 hash.
If required, you can override this setting for one or more of the interfaces in the area (see “Selecting operating parameters for an OSPF interface” on page 225).

Note: To assign a network to the area, see “Specifying OSPF networks” on page 224.

Specifying OSPF networks

OSPF areas group a number of contiguous networks together. When you assign an area ID to a network address space, the attributes of the area are associated with the network. You must define the area before you can select the area ID. See “Defining OSPF areas” on page 223.

To assign an OSPF area ID to a network, go to Router > Dynamic > OSPF, and then under Networks, select Create New. To change the OSPF area ID assigned to a network, go to Router > Dynamic > OSPF and select the Edit icon in the row that corresponds to the network.

Figure 133: New/Edit OSPF Network

IP/Netmask: Enter the IP address and network mask of the local network that you want to assign to an OSPF area.

Area: Select an area ID for the network.

Selecting operating parameters for an OSPF interface

An OSPF interface definition contains specific operating parameters for a FortiGate OSPF-enabled interface. The definition includes the name of the interface (for example, port1, external, or VLAN_1), the IP address assigned to the interface, the method for authenticating LSA exchanges through the interface, and timer settings for sending and receiving OSPF Hello and dead-interval packets.

You can configure different OSPF parameters for the same FortiGate interface when more than one IP address has been assigned to the interface. For example, the same FortiGate interface could be connected to two neighbors through different subnets. You could configure an OSPF interface definition containing one set of Hello and dead-interval parameters for compatibility with one neighbor’s settings, and a second OSPF interface definition for the same interface to ensure compatibility with the second neighbor’s settings.

You can enable OSPF on all FortiGate interfaces whose IP addresses match the OSPF-enabled network space. The FortiGate unit can have physical, VLAN, virtual IPSec or GRE interfaces connected to the OSPF-enabled network. To enable all interfaces, you would create OSPF network 0.0.0.0/0 having an area that matches a specific IP address. For example, define an area of 0.0.0.0 and define the OSPF network as 10.0.0.0/16. Then define vlan1 as 10.0.1.1/24, vlan2 as 10.0.2.1/24 and vlan3 as 10.0.3.1/24. All three VLANs will run OSPF in area 0.0.0.0.

Figure 134 shows the New/Edit OSPF Interface dialog box belonging to a FortiGate unit that has an interface named “port1”. The interface names on your FortiGate unit may differ.

To select OSPF operating parameters for a FortiGate interface, go to Router > Dynamic > OSPF, and then under Interfaces, select Create New. To edit the operating parameters of an OSPF-enabled interface, go to Router > Dynamic > OSPF and select the Edit icon in the row that corresponds to the OSPF-enabled interface.

Figure 134: New/Edit OSPF Interface

Name: Enter a name to identify the OSPF interface definition. For example, the name could indicate to which OSPF area the interface will be linked.

Interface: Select the name of the FortiGate interface to associate with this OSPF interface definition (for example, port1, external, or VLAN_1).

IP: Enter the IP address that has been assigned to the OSPF-enabled interface. For example, if you defined an OSPF network of 172.20.120.0/24 and port1 has been assigned the IP address 172.20.120.140, type 172.20.120.140. The interface becomes OSPF-enabled because its IP address matches the OSPF network address space.

Authentication: Select an authentication method for LSA exchanges on the specified interface:
• Select None to disable authentication.
• Select Text to authenticate LSA exchanges using a plain-text password.
• Select MD5 to use one or more keys to generate an MD5 hash.
This setting overrides the area Authentication setting.

Password: Enter the plain-text password. Enter an alphanumeric value of up to 15 characters. The password can be up to 35 characters, and is sent in clear text over the network. The OSPF neighbors that send link-state advertisements to this FortiGate interface must be configured with an identical password. This field is available only if you selected plain-text authentication.

MD5 Keys: Enter the key identifier for the (first) password in the ID field (the range is from 1 to 255) and then type the associated password in the Key field. The password is an alphanumeric string of up to 16 characters. The OSPF neighbors that send link-state advertisements to this FortiGate interface must be configured with an identical MD5 key. If the OSPF neighbor uses more than one password to generate MD5 hashes, select the Add icon to add additional MD5 keys to the list. This field is available only if you selected MD5 authentication.

Hello Interval: Optionally, set the Hello Interval to be compatible with Hello Interval settings on all OSPF neighbors. This setting defines the period of time (in seconds) that the FortiGate unit waits between sending Hello packets through the interface.

Dead Interval: Optionally, set the Dead Interval to be compatible with Dead Interval settings on all OSPF neighbors. This setting defines the period of time (in seconds) that the FortiGate unit waits to receive a Hello packet from an OSPF neighbor through the interface. If the FortiGate unit does not receive a Hello packet within the specified amount of time, the FortiGate unit declares the neighbor inaccessible. By convention, the Dead Interval value is usually four times greater than the Hello Interval value.

BGP

Border Gateway Protocol (BGP) is an Internet routing protocol typically used by ISPs to exchange routing information between different ISP networks. BGP enables the sharing of network paths between the ISP network and an autonomous system (AS) that uses RIP and/or OSPF to route packets within the AS. The FortiGate implementation of BGP supports BGP-4 and complies with RFC 1771.

How BGP works

When BGP is enabled, the FortiGate unit sends routing table updates to neighboring autonomous systems whenever any part of the FortiGate routing table changes. Each AS, including the local AS of which the FortiGate unit is a member, is associated with an AS number. The AS number references a particular destination network.
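The Text and MD5 choices offered for an OSPF area (page 224) and per interface (the Authentication, Password and MD5 Keys settings above) differ in what actually crosses the wire. The following Python example is added here and is neither part of this guide nor FortiOS code: it builds an OSPFv2 Hello packet with each authentication type as laid out in RFC 2328 (Appendix D) and shows why the guide warns that a Text password is sent in clear text. With Text authentication the 64-bit authentication field carries the password itself, so it can be read straight out of a captured packet; with MD5 the field carries only a Key ID, the digest length and a sequence number, and an MD5 digest over the whole packet plus the key is appended, so a neighbour without the same key (or a packet altered in transit) fails verification. The router ID, area ID, key ID, key and password values are constructed for the example.

```python
"""OSPFv2 packet authentication, Text (type 1) vs MD5 (type 2), per RFC 2328 App. D.
Added example; the sample values below are constructed and this is not FortiOS code."""
import hashlib
import hmac
import socket
import struct

OSPF_VERSION = 2
HELLO = 1                                   # OSPF packet type 1
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
HEADER_LEN = 24

def _header(pkt_type, router_id, area_id, auth_type, auth_field, body_len):
    """Common 24-byte OSPFv2 header (RFC 2328, A.3.1). The checksum stays zero
    here; with cryptographic authentication it is not used at all."""
    return struct.pack("!BBH4s4sHH8s", OSPF_VERSION, pkt_type, HEADER_LEN + body_len,
                       socket.inet_aton(router_id), socket.inet_aton(area_id),
                       0, auth_type, auth_field)

def hello_body(netmask="255.255.255.0", hello=10, dead=40, priority=1):
    """Hello body (RFC 2328, A.3.2) with no neighbours listed; the interface
    definition's Hello Interval and Dead Interval end up in these fields."""
    return struct.pack("!4sHBBI4s4s", socket.inet_aton(netmask), hello, 0x02,
                       priority, dead, b"\0" * 4, b"\0" * 4)

def build_text_auth(body, router_id, area_id, password):
    """Type 1: the password itself occupies the 64-bit authentication field."""
    pw = password.encode()
    if len(pw) > 8:
        raise ValueError("RFC 2328 simple password is at most 8 bytes on the wire")
    return _header(HELLO, router_id, area_id, AUTH_SIMPLE, pw.ljust(8, b"\0"), len(body)) + body

def extract_text_password(packet):
    """Anyone who captures a Text-authenticated packet can read the password back."""
    auth_type, = struct.unpack("!H", packet[14:16])
    if auth_type != AUTH_SIMPLE:
        return None
    return packet[16:24].rstrip(b"\0").decode()

def build_md5_auth(body, router_id, area_id, key_id, key, seq):
    """Type 2: the auth field carries 0, Key ID, Auth Data Length (16) and a
    sequence number; MD5 over (packet || key zero-padded to 16 bytes) is appended
    and is not counted in the header length (RFC 2328, D.4.3)."""
    k = key.encode()
    if not 1 <= key_id <= 255 or len(k) > 16:
        raise ValueError("key ID must be 1..255 and the key at most 16 bytes")
    auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = _header(HELLO, router_id, area_id, AUTH_CRYPTO, auth_field, len(body)) + body
    return packet + hashlib.md5(packet + k.ljust(16, b"\0")).digest()

def verify_md5_auth(packet, keys):
    """keys maps Key ID -> key, like the MD5 Keys list of an interface definition.
    The digest covers every header and body field, so a changed area ID, Hello or
    Dead Interval, or a packet signed with another key, fails verification."""
    auth_type, = struct.unpack("!H", packet[14:16])
    if auth_type != AUTH_CRYPTO:
        return False
    _, key_id, auth_len, _seq = struct.unpack("!HBBI", packet[16:24])
    length, = struct.unpack("!H", packet[2:4])
    if auth_len != 16 or key_id not in keys or len(packet) != length + 16:
        return False
    expected = hashlib.md5(packet[:length] + keys[key_id].encode().ljust(16, b"\0")).digest()
    return hmac.compare_digest(expected, packet[length:])

if __name__ == "__main__":
    body = hello_body()
    text_pkt = build_text_auth(body, "10.0.1.1", "0.0.0.0", "s3cret")
    print("password read back from Text packet:", extract_text_password(text_pkt))
    md5_pkt = build_md5_auth(body, "10.0.1.1", "0.0.0.0", 1, "ospf-md5-key", 1)
    print("MD5 packet verifies with key ID 1:", verify_md5_auth(md5_pkt, {1: "ospf-md5-key"}))
    print("MD5 packet verifies with wrong key:", verify_md5_auth(md5_pkt, {1: "wrong-key"}))
```

Two points follow from the code. The MD5 key never leaves the router, which is why both neighbours must be configured with the identical key and key ID; and a real receiver also requires the cryptographic sequence number to be non-decreasing per neighbour (RFC 2328, D.4.4), which is what gives MD5 authentication its replay protection and which Text authentication lacks entirely.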

BGP updates advertise the best path to a destination network. When the FortiGate unit receives a BGP update, the FortiGate unit examines the Multi-Exit Discriminator (MED) attributes of potential routes to determine the best path to a destination network before recording the path in the FortiGate routing table.

BGP has the capability to gracefully restart. This capability limits the effects of software problems by allowing forwarding to continue when the control plane of the router fails. It also reduces routing flaps by stabilizing the network.

Note: Graceful restarting and other advanced settings cannot be configured through the web-based manager, only through CLI commands. For complete descriptions and examples of how to use CLI commands to configure BGP settings, see the “router” chapter of the FortiGate CLI Reference.

Viewing and editing BGP settings

When you configure BGP settings, specify the AS that includes the FortiGate unit as a member and enter a router ID to identify the FortiGate unit to other BGP routers. You must also identify the FortiGate unit’s BGP neighbors and specify which of the networks local to the FortiGate unit should be advertised to BGP neighbors.

The web-based manager offers a simplified user interface to configure basic BGP options. A large number of advanced BGP options can be configured through the CLI. For more information, see the “router” chapter of the FortiGate CLI Reference.

To view and edit BGP settings, go to Router > Dynamic > BGP.

Figure 135: Basic BGP options

Local AS: Enter the number of the local AS that the FortiGate unit is a member of.

Router ID: Enter a unique router ID to identify the FortiGate unit to other BGP routers. The router ID is an IP address written in dotted-decimal format. If you change the router ID while BGP is running, all connections to BGP peers will be broken temporarily until they are re-established.

Neighbors: The IP addresses and AS numbers of BGP peers in neighboring autonomous systems.

IP: Enter the IP address of the neighbor interface to the BGP-enabled network.

Remote AS: Enter the number of the AS that the neighbor belongs to.

Add/Edit Neighbor: Select to add the neighbor information to the Neighbors list, or edit an entry in the list.

IP: The IP addresses of BGP peers.

Remote AS: The numbers of the autonomous systems associated with the BGP peers.

Networks: The IP addresses and network masks of networks to advertise to BGP peers. The FortiGate unit may have a physical or VLAN interface connected to those networks.

IP/Netmask: Enter the IP address and netmask of the network to be advertised.

Add Network: Select to add the network information to the Networks list.

IP/Netmask: The IP addresses and network masks of major networks that are advertised to BGP peers.

Delete icon: Select to delete a BGP neighbor entry or a BGP network definition.

Multicast

A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root virtual domain. FortiGate units support PIM sparse mode (RFC 2362) and PIM dense mode (RFC 3973) and can service multicast servers or receivers on the network segment to which a FortiGate interface is connected. PIM can use static routes, RIP, OSPF, or BGP to forward multicast packets to their destinations.

To enable source-to-destination packet delivery, either sparse mode or dense mode must be enabled on all the PIM-router interfaces. Sparse mode routers cannot send multicast messages to dense mode routers. In addition, if a FortiGate unit is located between a source and a PIM router, two PIM routers, or is connected directly to a receiver, you must create a firewall policy manually to pass encapsulated (multicast) packets or decapsulated data (IP traffic) between the source and destination.

A PIM domain is a logical area comprising a number of contiguous networks. The domain contains at least one Boot Strap Router (BSR). If sparse mode is enabled, the domain also contains a number of Rendezvous Points (RPs) and Designated Routers (DRs). When PIM is enabled on a FortiGate unit, the FortiGate unit can perform any of these functions at any time as configured.

Multicast server applications use a (Class D) multicast address to send one copy of a packet to a group of receivers. The PIM routers throughout the network ensure that only one copy of the packet is forwarded through the network until it reaches an end-point destination. At the end-point destination, copies of the packet are made only when required to deliver the information to multicast client applications that request traffic destined for the multicast address.

Note: To support PIM communications, the sending/receiving applications and all connecting PIM routers in between must be enabled with PIM version 2.

Viewing and editing multicast settings

When multicast (PIM) routing is enabled, you can configure sparse mode or dense mode operation on any FortiGate interface. If required for sparse mode operation, you can define static RPs.

Note: Basic options can be configured through the web-based manager. Many additional options may be configured through CLI commands only. For complete descriptions and examples of how to use CLI commands to configure PIM settings, see “multicast” in the “router” chapter of the FortiGate CLI Reference.

To view and edit PIM settings, go to Router > Dynamic > Multicast. The web-based manager offers a simplified user interface to configure basic PIM options. Advanced PIM options can be configured through the CLI. For more information, see the “router” chapter of the FortiGate CLI Reference.

A firewall policy must be created on PIM-enabled interfaces to pass encapsulated packets and decapsulated data between the source and destination.

Figure 136: Basic Multicast options

Enable Multicast Routing: Select to enable PIM version 2 routing.

Add Static RP: If required for sparse mode operation, enter the IP address of a Rendezvous Point (RP) that may be used as the root of a packet distribution tree for a multicast group. Join messages from the multicast group are sent to the RP, and data from the source is sent to the RP. If an RP for the specified IP’s multicast group is already known to the Boot Strap Router (BSR), the RP known to the BSR is used and the static RP address that you specify is ignored.

Apply: Select to save the specified static RP addresses.

Create New: Select to create a new multicast entry for an interface. This will allow you to fine-tune PIM operation on a specific FortiGate interface or override the global PIM settings on a particular interface. See “Overriding the multicast settings on an interface” on page 230.

Interface: The names of FortiGate interfaces having specific PIM settings.

Mode: The mode of PIM operation (Sparse or Dense) on that interface.

Status: The status of sparse-mode RP candidacy on the interface. Only available when sparse mode is enabled. To enable or disable RP candidacy on an interface, select the Edit icon in the row that corresponds to the interface.

Priority: The priority number assigned to RP candidacy on that interface. Only available when RP candidacy is enabled.

DR Priority: The priority number assigned to Designated Router (DR) candidacy on the interface.

Delete and Edit icons: Select to delete or edit the PIM settings on the interface.

Overriding the multicast settings on an interface

Multicast (PIM) interface options enable you to set operating parameters for FortiGate interfaces connected to PIM domains. For example, you can enable dense mode on an interface that is connected to a PIM-enabled network segment. When sparse mode is enabled, you can adjust the priority number that is used to advertise Rendezvous Point (RP) and/or Designated Router (DR) candidacy on the interface.

Figure 137: Multicast interface settings

Interface: Select the name of the root VDOM FortiGate interface to which these settings apply. The interface must be connected to a PIM version 2 enabled network segment.

PIM Mode: Select the mode of operation: Sparse Mode or Dense Mode. All PIM routers connected to the same network segment must be running the same mode of operation. If you select Sparse Mode, adjust the remaining options as described below.

DR Priority: Enter the priority number for advertising DR candidacy on the FortiGate interface. The range is from 1 to 4 294 967 295. This value is compared to the DR interfaces of all other PIM routers on the same network segment, and the router having the highest DR priority is selected to be the DR.

RP Candidate: Select to enable or disable RP candidacy on the interface.

RP Candidate Priority: Enter the priority number for advertising RP candidacy on the FortiGate interface. The range is from 1 to 255.



Router Monitor

This section explains how to interpret the Routing Monitor list. The list displays the entries in the FortiGate routing table.

The following topics are included in this section:
• Displaying routing information
• Searching the FortiGate routing table

Displaying routing information

By default, all routes are displayed in the Routing Monitor list. The default static route is defined as 0.0.0.0/0, which matches the destination IP address of “any/all” packets.

Figure 138 shows the Routing Monitor list belonging to a FortiGate unit that has interfaces named “port1”, “port4”, and “lan”. The names of the interfaces on your FortiGate unit may be different.

To display the routes in the routing table, go to Router > Monitor.

Figure 138: Routing Monitor list

Type: Select one of these route types to search the routing table and display routes of the selected type only:
• All displays all routes recorded in the routing table.
• Connected displays all routes associated with direct connections to FortiGate interfaces.
• Static displays the static routes that have been added to the routing table manually.
• RIP displays all routes learned through RIP.
• OSPF displays all routes learned through OSPF.
• BGP displays all routes learned through BGP.
• HA displays RIP, OSPF, and BGP routes synchronized between the primary unit and the subordinate units of a high availability (HA) cluster. HA routes are maintained on subordinate units and are only visible if you are viewing the router monitor from a virtual domain that is configured as a subordinate virtual domain in a virtual c luster. For details about HA routing synchronization, see the FortiGate High Availability User Guide.

Network: Enter an IP address and netmask (for example, 172.16.14.0/24) to search the routing table and display routes that match the specified network.

Gateway: Enter an IP address and netmask (for example, 192.168.12.1/32) to search the routing table and display routes that match the specified gateway.

Apply Filter: Select to search the entries in the routing table based on the specified search criteria and display any matching routes.

Type: The type values assigned to FortiGate routes (Static, Connected, RIP, OSPF, or BGP).

Subtype: If applicable, the subtype classification assigned to OSPF routes:
• An empty string implies an intra-area route. The destination is in an area to which the FortiGate unit is connected.
• OSPF inter area means the destination is in the OSPF AS, but the FortiGate unit is not connected to that area.
• External 1 means the destination is outside the OSPF AS. The metric of a redistributed route is calculated by adding the external cost and the OSPF cost together.
• External 2 means the destination is outside the OSPF AS. In this case, the metric of the redistributed route is equivalent to the external cost only, expressed as an OSPF cost.
• OSPF NSSA 1 has the same meaning as External 1, but the route was received through a not-so-stubby area.
• OSPF NSSA 2 has the same meaning as External 2, but the route was received through a not-so-stubby area.

Network: The IP addresses and network masks of destination networks that the FortiGate unit can reach.

Distance: The administrative distance associated with the route. A value of 0 means the route is preferable compared to routes to the same destination. To modify the administrative distance assigned to static routes, see “Adding a static route to the routing table” on page 208. Refer to the FortiGate CLI Reference for dynamic routes.

Metric: The metric associated with the route type. The metric of a route influences how the FortiGate unit dynamically adds it to the routing table:
• Hop count is used for routes learned through RIP.
• Relative cost is used for routes learned through OSPF.
• Multi-Exit Discriminator (MED) is used for this metric for routes learned through BGP. However, several attributes besides MED determine the best path to a destination network.

Gateway: The IP addresses of gateways to the destination networks.

Interface: The interface through which packets are forwarded to the gateway of the destination network.

Up Time: The total accumulated amount of time that a route learned through RIP, OSPF, or BGP has been reachable.

Searching the FortiGate routing table

You can apply a filter to search the routing table and display certain routes only. For example, you can display static routes, connected routes, routes learned through RIP, OSPF, or BGP, and/or routes associated with the network or gateway that you specify. If you want to search the routing table by route type and further limit the display according to network or gateway, all of the values that you specify as search criteria must match corresponding values in the same routing table entry in order for that entry to be displayed (an implicit AND condition is applied to all of the search parameters you specify).

For example, if the FortiGate unit is connected to network 172.16.14.0/24 and you want to display all directly connected routes to network 172.16.14.0/24, you must select Connected from the Type list, type 172.16.14.0/24 in the Network field, and then select Apply Filter to display the associated routing table entry or entries. Any entry that contains the word “Connected” in its Type field and the specified value in the Gateway field will be displayed.

To search the FortiGate routing table
1 Go to Router > Monitor > Routing Monitor.
2 From the Type list, select the type of route to display. For example, select Connected to display all connected routes, or select RIP to display all routes learned through RIP.
3 If you want to display routes to a specific network, type the IP address and netmask of the network in the Networks field.
4 If you want to display routes to a specific gateway, type the IP address of the gateway in the Gateway field.
5 Select Apply Filter.

Note: All of the values that you specify as search criteria must match corresponding values in the same routing table entry in order for that entry to be displayed.
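As an added illustration of the search described above (this is not from the guide and not FortiOS code), the following Python builds a constructed routing table carrying the column values the Routing Monitor shows and applies the implicit AND filter on Type, Network and Gateway. It also goes one step beyond the page: lookup() shows how such a table is consulted for a destination, longest matching prefix first, then the lower administrative distance, then the lower metric, which is why a Distance of 0 on a connected route wins over other routes to the same destination. The route entries, networks, gateways and interface names are constructed sample values, and the exact-prefix semantics of the Network filter is an assumption made for the example.

```python
"""Routing Monitor style search over a constructed routing table (added example,
not FortiOS code). filter_routes() applies the implicit AND the guide describes;
lookup() additionally shows how the table is consulted for a destination."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    rtype: str       # Static, Connected, RIP, OSPF, BGP
    subtype: str     # OSPF subtype; empty for intra-area and non-OSPF routes
    network: str     # destination network (CIDR)
    distance: int    # administrative distance
    metric: int      # hop count (RIP), cost (OSPF), MED (BGP)
    gateway: str
    interface: str

# Constructed sample table; addresses and interface names are made up.
ROUTES = [
    Route("Static", "", "0.0.0.0/0", 10, 0, "172.20.120.2", "port1"),
    Route("Connected", "", "172.20.120.0/24", 0, 0, "0.0.0.0", "port1"),
    Route("Connected", "", "172.16.14.0/24", 0, 0, "0.0.0.0", "port4"),
    Route("OSPF", "inter area", "10.0.2.0/24", 110, 20, "172.16.14.254", "port4"),
    Route("OSPF", "External 2", "192.168.50.0/24", 110, 1, "172.16.14.254", "port4"),
    Route("RIP", "", "10.0.2.0/24", 120, 3, "172.16.14.253", "port4"),
    Route("BGP", "", "198.51.100.0/24", 20, 100, "172.20.120.9", "port1"),
]

def filter_routes(routes, rtype="All", network=None, gateway=None):
    """Every criterion given must match the same entry (implicit AND).
    Assumption: the Network filter is an exact prefix match; the Gateway filter
    matches gateways inside the given address/mask (so 192.0.2.1/32 is one gateway)."""
    net = ipaddress.ip_network(network, strict=False) if network else None
    gw = ipaddress.ip_network(gateway, strict=False) if gateway else None
    matched = []
    for r in routes:
        if rtype != "All" and r.rtype != rtype:
            continue
        if net is not None and ipaddress.ip_network(r.network) != net:
            continue
        if gw is not None and ipaddress.ip_address(r.gateway) not in gw:
            continue
        matched.append(r)
    return matched

def lookup(routes, dst):
    """Route used for dst: longest matching prefix first, then the lowest
    administrative distance (0 for connected routes), then the lowest metric."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.network)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ipaddress.ip_network(r.network).prefixlen,
                                           r.distance, r.metric))

if __name__ == "__main__":
    # The guide's example: Type Connected AND Network 172.16.14.0/24
    for r in filter_routes(ROUTES, "Connected", network="172.16.14.0/24"):
        print(r)
    # Two routes to 10.0.2.0/24; the OSPF one (distance 110) beats RIP (120)
    print(lookup(ROUTES, "10.0.2.7"))
```

Running the filter with Type Connected and a Gateway of 172.16.14.254/32 returns nothing, because no single entry satisfies both criteria: the AND is across fields of one entry, not across the table.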


Firewall Policy

Firewall policies control all traffic passing through the FortiGate unit. Add firewall policies to control connections and traffic between FortiGate interfaces, zones, and VLAN subinterfaces. Each policy can be configured to route connections or apply network address translation (NAT) to translate source and destination IP addresses and ports. Use policies to configure port address translation (PAT) through the FortiGate unit. Add IP pools to use dynamic NAT when the firewall translates source addresses. Add protection profiles to firewall policies to apply different protection settings for the traffic that is controlled by firewall policies. For details about protection profiles, see “Firewall Protection Profile” on page 297. Enable traffic logging for a firewall policy so the FortiGate unit logs all connections that use this policy.

The following topics are included in this section:
• About firewall policies
• Viewing the firewall policy list
• Configuring firewall policies
• Firewall policy examples

About firewall policies

Firewall policies are instructions the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (by port number). For the packet to be connected through the FortiGate unit, the source address, destination address, and service of the packet must match a firewall policy.

The policy directs the firewall action on the packet. The action can be to allow the connection, deny the connection, require authentication before the connection is allowed, or process the packet as an IPSec VPN packet. Policy options are configurable when creating or editing a firewall policy. Depending on the type of action selected, a different set of options is presented.

The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. Arrange policies in the policy list from more specific to more general. For example, the default policy is a very general policy because it matches all connection attempts. Exceptions to that policy are added to the policy list above the default policy. No policy below the default policy will ever be matched.

How policy matching works

When the FortiGate unit receives a connection attempt at an interface, it selects a policy list to search through for a policy that matches the connection attempt. The FortiGate unit chooses the policy list based on the source and destination addresses of the connection attempt. It then starts at the top of the selected policy list and searches down the list for the first policy that matches the connection attempt's source and destination addresses, service port, and the time and date at which the connection attempt was received. The first policy that matches is applied to the connection attempt. If no policy matches, the connection is dropped.

General policies are policies that can accept connections from multiple source and destination addresses or from address ranges. General policies can also accept connections from multiple service ports, or have schedules that mean the policy can be matched over a wide range of times and dates.

If you want to add policies that are exceptions to general policies, add these specific exception policies to the policy list above the general policies. For example, you may have a general policy that allows all users on your internal network to access all services on the Internet. If you want to block access to FTP servers on the Internet, add a policy that denies FTP connections above the general policy. The deny policy blocks FTP connections, but connection attempts for all other kinds of services do not match the FTP policy and instead match the general policy. Therefore, the firewall still accepts all connections from the internal network to the Internet other than FTP connections. If the deny policy were placed below the general policy it would never be selected, because the general policy would already have accepted the FTP connection.

As a general rule, always order firewall policies from most specific to most general. Also note the following about policy matching:
• Policies that require authentication must be added to the policy list above matching policies that do not; otherwise, the policy that does not require authentication is selected first.
• IPSec VPN tunnel mode policies must be added to the policy list above matching accept or deny policies.
• SSL VPN policies must be added to the policy list above matching accept or deny policies.

Viewing the firewall policy list

To view the policy list, go to Firewall > Policy. You can add, edit, delete, and re-order policies in the policy list. If virtual domains are enabled on the FortiGate unit, firewall policies are configured separately for each virtual domain. To access policies, select a virtual domain from the main menu.
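The first-match search and the ordering rules described under “How policy matching works” can be checked mechanically before a policy list is deployed. The following Python model is an added example, not FortiGate code or output: the interface names, addresses, the 10.0.0.0/8 internal network, the 203.0.113.10 destination and the three sample policies are constructed for the demonstration, and the schedule is reduced to a daily hour range. evaluate() performs the top-down first-match search (returning None where the unit would drop the connection), and shadowed() reports policies that can never be selected because an earlier policy matches everything they could match, which is exactly what happens when an FTP deny or an authenticated policy is placed below a general accept policy.

```python
"""First-match policy evaluation (added example, not FortiGate code).

Interface names, addresses, services and schedules below are constructed
to illustrate the matching rules described in the text.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    proto: str                                  # "tcp", "udp" or "any"
    ports: Tuple[int, int] = (0, 65535)         # inclusive destination-port range

    def covers(self, other: "Service") -> bool:
        return (self.proto in ("any", other.proto)
                and self.ports[0] <= other.ports[0]
                and self.ports[1] >= other.ports[1])


@dataclass(frozen=True)
class Policy:
    pid: int                    # policy ID: assigned at creation, unchanged by moves
    srcintf: str
    dstintf: str
    srcaddr: str                # CIDR; "0.0.0.0/0" stands for the address "all"
    dstaddr: str
    service: Service
    action: str                 # "accept", "deny", "ipsec" or "ssl-vpn"
    auth: bool = False          # policy requires user authentication
    hours: Tuple[int, int] = (0, 24)   # recurring schedule: active if hours[0] <= hour < hours[1]


@dataclass(frozen=True)
class Connection:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str
    dport: int
    when: datetime


def matches(p: Policy, c: Connection) -> bool:
    return (p.srcintf == c.srcintf and p.dstintf == c.dstintf
            and ip_address(c.src) in ip_network(p.srcaddr)
            and ip_address(c.dst) in ip_network(p.dstaddr)
            and p.service.covers(Service(c.proto, (c.dport, c.dport)))
            and p.hours[0] <= c.when.hour < p.hours[1])


def evaluate(policies: List[Policy], c: Connection) -> Optional[Policy]:
    """Search top-down; the first match is applied. None means the connection is dropped."""
    for p in policies:
        if matches(p, c):
            return p
    return None


def shadowed(policies: List[Policy]) -> List[Tuple[int, int]]:
    """Policies that can never be selected because an earlier policy matches every
    connection they could match. Returns (earlier, shadowed) policy-ID pairs."""
    found = []
    for i, b in enumerate(policies):
        for a in policies[:i]:
            if (a.srcintf == b.srcintf and a.dstintf == b.dstintf
                    and ip_network(b.srcaddr).subnet_of(ip_network(a.srcaddr))
                    and ip_network(b.dstaddr).subnet_of(ip_network(a.dstaddr))
                    and a.service.covers(b.service)
                    and a.hours[0] <= b.hours[0] and a.hours[1] >= b.hours[1]):
                found.append((a.pid, b.pid))
                break
    return found


# The FTP example from the text (constructed values): a general policy for the
# internal network, a deny for FTP, and a web policy that requires authentication.
ANY = Service("any")
FTP = Service("tcp", (21, 21))
HTTP = Service("tcp", (80, 80))
GENERAL = Policy(1, "internal", "wan1", "10.0.0.0/8", "0.0.0.0/0", ANY, "accept")
DENY_FTP = Policy(2, "internal", "wan1", "10.0.0.0/8", "0.0.0.0/0", FTP, "deny")
AUTH_WEB = Policy(3, "internal", "wan1", "10.0.0.0/8", "0.0.0.0/0", HTTP, "accept", auth=True)

CORRECT_ORDER = [DENY_FTP, AUTH_WEB, GENERAL]   # exceptions above the general policy
WRONG_ORDER = [GENERAL, DENY_FTP, AUTH_WEB]     # general first: IDs 2 and 3 never match


def decide(policies: List[Policy], proto: str, dport: int, srcintf: str = "internal"):
    """(policy ID, action) applied to a sample connection, or None if it is dropped."""
    c = Connection(srcintf, "wan1", "10.1.2.3", "203.0.113.10", proto, dport,
                   datetime(2006, 11, 24, 10, 0))
    p = evaluate(policies, c)
    return None if p is None else (p.pid, p.action)


if __name__ == "__main__":
    for name, plist in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(name, decide(plist, "tcp", 21), decide(plist, "tcp", 80), shadowed(plist))
```

With the exception policies on top, FTP is denied, web traffic goes through the authenticating policy and everything else falls through to the general policy; with the general policy on top, every connection is accepted by policy 1 without authentication and shadowed() flags policies 2 and 3. A connection arriving on an interface no policy covers returns None, the dropped case.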

Figure 139: Sample policy list

The policy list displays the following information by default:

Create New: Select to add a firewall policy. See “Adding a firewall policy” on page 239. Select the down arrow beside Create New to choose to either add a firewall policy or a firewall policy section. A firewall policy section is a way of grouping firewall policies.

Column Settings: Select to customize the table view. You can select the columns to show and specify the column display order in the table.

Filter icon: Select to edit the column filters, which allow you to filter or sort the policy list according to the criteria you specify.

ID: The policy identifier. Policies are numbered in the order they are added to the policy list.

Source: The source address or address group to which the policy applies. See “Firewall Address” on page 259. Address information can also be edited from the policy list: clicking on the address opens the Edit Address dialog box.

Destination: The destination address or address group to which the policy applies. See “Firewall Address” on page 259. Address information can also be edited from the policy list: clicking on the address opens the Edit Address dialog box.

Schedule: The schedule that controls when the policy should be active. See “Firewall Schedule” on page 271.

Service: The service to which the policy applies. See “Firewall Service” on page 263.

Profile: The protection profile that is associated with the policy.

Action: The response to make when the policy matches a connection attempt.

Delete icon: Select to delete the policy from the list.

Edit icon: Select to open the policy for editing.

Insert Policy Before icon: Select to add a new policy above the corresponding policy (the New Policy screen appears).

Move To icon: Select to move the corresponding policy before or after another policy in the list. See “Moving a policy to a different position in the policy list” on page 240.

Adding a firewall policy

Use the following steps to add a firewall policy to a firewall policy list.
1 Go to Firewall > Policy.
2 Select Create New, or select the Insert Policy Before icon beside a policy in the list to add the new policy above that policy.
3 Select the source and destination interfaces.
4 Select the source and destination addresses.

5 Configure the policy. For information about configuring policies, see “Configuring firewall policies” on page 240.
6 Select OK.
7 Arrange policies in the policy list so they have the expected results. For information about arranging policies in a policy list, see “How policy matching works” on page 238 and “Moving a policy to a different position in the policy list”.

Moving a policy to a different position in the policy list

You can move a policy in the list to influence how policies are evaluated. When more than one policy has been defined for the same interface pair, the policy that is first in the list is evaluated first. The ordering of firewall encryption policies is important to ensure that they take effect as expected: firewall encryption policies must be evaluated before regular firewall policies. Moving a policy in the list does not change its policy ID number.

Figure 140: Move Policy

1 Go to Firewall > Policy.
2 Select the Move To icon in the row beside the policy that you want to move.
3 Specify the position for the policy.
4 Select OK.

Configuring firewall policies

Firewall policies define which communication sessions a policy applies to and how the FortiGate unit processes the packets in those sessions. To add or edit a firewall policy, go to Firewall > Policy.

You can add ACCEPT policies that accept communication sessions. Using an accept policy you can apply FortiGate features such as virus scanning and authentication to the communication session accepted by the policy. An ACCEPT policy can enable interface-mode IPSec VPN traffic if either the source or the destination is an IPSec virtual interface. For more information, see “Overview of IPSec interface mode” on page 309.

You can add DENY policies to deny communication sessions.

You can also add IPSec encryption policies to enable IPSec tunnel mode VPN traffic and SSL VPN encryption policies to enable SSL VPN traffic. Firewall encryption policies determine which types of IP traffic will be permitted during an IPSec or SSL VPN session. If permitted by the firewall encryption policy, a tunnel may be initiated automatically whenever an IP packet of the specified type arrives at the FortiGate interface to the local private network. For more information, see “IPSec firewall policy options” on page 251 and “SSL-VPN firewall policy options” on page 252.

Figure 141: Policy options - NAT/Route mode ACCEPT policy

Figure 142: Policy options - Transparent mode ACCEPT policy

Figure 143: Policy options - DENY policy

Figure 144: Policy options - FortiClient check

The source and destination Interface/Zone match the firewall policy with the source and destination of a communication session. The Address Name matches the source and destination address of the communication session. Schedule defines when the firewall policy is enabled. Service matches the firewall policy with the service used by a communication session. Action defines how the FortiGate unit processes traffic: specify an action to accept or deny traffic, or configure a firewall encryption policy.

You can use the remaining firewall policy options (NAT, Protection Profile, Log Allowed Traffic, Log Violation Traffic, Authentication, and Traffic Shaping) to set additional features. Log Violation Traffic can be applied to policies that deny traffic. Differentiated services can be configured through CLI commands (see the “firewall” chapter of the FortiGate CLI Reference).

Firewall policy options

Go to Firewall > Policy and select Create New to add a firewall policy. You can configure the following firewall policy options:

Intra-VLAN Policy: Enable to create a policy governing traffic between switch ports that are on the same switch VLAN. This applies only to the FortiGate-224B. See “Configuring intra-VLAN firewall policies” on page 246.

Source: Specify the origination characteristics of IP packets that will be subject to the policy.

Interface/Zone: Select the name of the FortiGate interface or zone on which IP packets are received. Interfaces and zones are configured on the System Network page. See “Interface” on page 67 for information about interfaces and “Zone” on page 83 for information about zones. If Action is set to IPSEC, the interface is associated with the local private network. If Action is set to SSL-VPN, the interface is associated with connections from remote SSL VPN clients.

Address Name: Select the name of a previously defined IP address to associate with the source interface or zone, or select Create New to define a new IP address. A packet must have the associated IP address in its header to be subject to the policy. Addresses can be created in advance; see “Configuring addresses” on page 261. If Action is set to IPSEC, the address is the private IP address of the host, server, or network behind the FortiGate unit. If Action is set to SSL-VPN and the policy is for web-only mode clients, select all. If Action is set to SSL-VPN and the policy is for tunnel mode clients, select the name of the address that you reserved for tunnel mode clients.

Destination: Specify the destination characteristics of IP packets that will be subject to the policy.

Interface/Zone: Select the name of the FortiGate interface or zone to which IP packets are forwarded. Interfaces and zones are configured on the System Network page. See “Interface” on page 67 for information about interfaces and “Zone” on page 83 for information about zones. If Action is set to IPSEC, the interface is associated with the entrance to the VPN tunnel. If Action is set to SSL-VPN, the interface is associated with the local private network.

Address Name: Select the name of a previously defined IP address to associate with the destination interface or zone, or select Create New to define a new IP address. A packet must have the associated IP address in its header to be subject to the policy. Addresses can be created in advance; see “Configuring addresses” on page 261. If Action is set to IPSEC, the address is the private IP address to which packets may be delivered at the remote end of the VPN tunnel. If Action is set to SSL-VPN, select the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.

Schedule: Select a one-time or recurring schedule that controls when the policy is available to be matched with communication sessions. Schedules can be created in advance by going to Firewall > Schedule; see “Firewall Schedule” on page 271. You can also select Create New to create a Recurring or One-time schedule during policy configuration. Add the information required for the recurring or one-time schedule and select OK. The new schedule is added to the Schedule list.

Service: Select the name of a service or service group that matches the service or protocol of the packets to be matched with this policy. Select from a wide range of predefined services. Custom services can be created in advance by going to Firewall > Service > Custom, and service groups by going to Firewall > Service > Group. See “Configuring custom services” on page 267 and “Configuring service groups” on page 269. You can also select Create New to create a custom service or a service group during policy configuration. Add the information required for the custom service or service group and select OK. The new custom service or service group is added to the Service list.

Action: Select how you want the firewall to respond when a packet matches the conditions of the policy.

ACCEPT: Accept traffic matched by the policy. You can configure NAT, protection profiles, logging, traffic shaping, and authentication options, or add a comment to the policy.

DENY: Reject traffic matched by the policy. The only other configurable policy options are to log traffic (to log the connections denied by this policy) or add a comment.

IPSEC: Configure an IPSec firewall encryption policy, which causes the FortiGate unit to process IPSec VPN packets. See “IPSec firewall policy options” on page 251.

SSL-VPN: Configure an SSL-VPN firewall encryption policy, which causes the FortiGate unit to accept SSL VPN traffic. This option is available only after you have added an SSL-VPN user group. See “SSL-VPN firewall policy options” on page 252.

NAT: Enable Network Address Translation for the policy. NAT translates the source address and port of packets accepted by the policy. When NAT is selected, Dynamic IP Pool and Fixed Port can be configured. NAT is not available in Transparent mode.

Dynamic IP Pool: Select to translate the source address to an address randomly selected from an IP Pool. An IP pool list appears if IP Pool addresses have been added to the destination interface. Select the name of an IP Pool added to the destination interface to cause the FortiGate unit to translate the source address to one of the addresses defined by this IP Pool. An IP Pool can be a single IP address or an IP address range. An IP pool can only be associated with an interface; you cannot use IP pools when using zones. Dynamic IP Pool cannot be selected if the destination interface, VLAN subinterface, or one of the interfaces or VLAN subinterfaces in the destination zone is configured using DHCP or PPPoE. For information about adding IP Pools, see “IP pools” on page 293.

Fixed Port: Select Fixed Port to prevent NAT from translating the source port. Some applications do not function correctly if the source port is changed. In most cases, if Fixed Port is selected, Dynamic IP Pool is also selected. If Dynamic IP Pool is not selected, a policy with Fixed Port selected can only allow one connection at a time, because without port translation a single translated address cannot distinguish two sessions using the same source port.

Protection Profile: Select a protection profile to configure how antivirus, web filtering, web category filtering, spam filtering, IPS, content archiving, and logging are applied to a firewall policy. Protection profiles can be created in advance or during policy configuration; profiles created at this point appear in the protection profile list. For information about adding and configuring protection profiles, see “Firewall Protection Profile” on page 297. When authentication is enabled in the advanced settings, the protection profile option is disabled because the user group chosen for authentication is already tied to a protection profile.

Log Allowed Traffic: Select Log Allowed Traffic, for ACCEPT, IPSEC or SSL-VPN policies, to record messages to the traffic log whenever the policy processes a connection. Enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower. For information about logging, see “Log&Report” on page 427.

Log Violation Traffic: Select Log Violation Traffic, for DENY policies, to record messages to the traffic log whenever the policy processes a connection. Enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower. For information about logging, see “Log&Report” on page 427.

Authentication: Add users and a firewall protection profile to a user group before selecting Authentication. For information about adding and configuring user groups, see “User group” on page 347. Authentication is available if Action is set to ACCEPT or SSL-VPN. For more information about adding authentication to firewall policies, see “Adding authentication to firewall policies” on page 247.

Check FortiClient is Installed: On the FortiGate models 1000A, 3600A, and 5005FA2, firewall policies can deny access for hosts that do not have FortiClient Host Security software installed and operating. See “Options to check FortiClient on hosts” on page 252.

Traffic Shaping: Traffic Shaping controls the bandwidth available to, and sets the priority of the traffic processed by, the policy. For information about how to configure traffic shaping, see “Adding traffic shaping to firewall policies” on page 248.

Note:
• Be sure to enable traffic shaping on all firewall policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default.
• Distribute firewall policies over all three priority queues (low, medium and high).
• Be sure that the sum of all Guaranteed Bandwidth in all firewall policies is significantly less than the bandwidth capacity of the interface.

User Authentication Disclaimer: Display the Authentication Disclaimer page (a replacement message). The user must accept the disclaimer to connect to the destination. You can use the disclaimer in conjunction with authentication or a protection profile. This option is available on some models. It is not available for SSL-VPN policies.

Redirect URL: If you enter a URL, the user is redirected to the URL after authenticating and/or accepting the user authentication disclaimer. This option is available on some models. It is not available for SSL-VPN policies.

Comments: Add a description or other information about the policy. The comment can be up to 63 characters long, including spaces.

Configuring intra-VLAN firewall policies

The FortiGate-224B unit can create firewall policies governing traffic between switch ports that are on the same switch VLAN. These are called switch VLAN secure policies. An intra-VLAN policy must have at least one secure port as source or destination; it is not possible to create a firewall policy between two non-secure ports. For information about creating secure switch ports, see “Configuring a switch-LAN interface” on page 179. If you want to create policies between VLANs, see “Firewall policy options” on page 243.

Go to Firewall > Policy and select Create New to configure a new firewall policy.

Figure 145: Creating an intra-VLAN firewall policy

Intra-VLAN Policy: You must enable this to create a policy between switch ports. The dialog box changes to show the fields described below.

Source/Destination Interface/Zone: Select native or a switch VLAN. For information about creating switch VLANs, see “Configuring a switch VLAN” on page 181.

Source and Destination Port: Select Any or a specific switch port. If you select a non-secure port as source, you must select a secure port as destination.

Address: Select All or specify an IP address range.

Set other firewall options as needed. See “Firewall policy options” on page 243.

Adding authentication to firewall policies

Add users and a firewall protection profile to a user group before selecting Authentication. For information about adding and configuring user groups, see “User group” on page 347. Authentication is available if Action is set to ACCEPT. Select Authentication and select one or more user groups to require users to enter a user name and password before the firewall accepts the connection.

Figure 146: Selecting user groups for authentication

The Firewall authentication method includes locally defined user groups, as well as LDAP and RADIUS users. Select Active Directory from the drop-down list to choose Active Directory groups defined in User > User Group. Authentication with Active Directory groups and other groups cannot be combined in the same policy.

Note: To allow the FortiGate unit to authenticate with an Active Directory server, the Fortinet Server Authentication Extensions (FSAE) must be installed on the Active Directory Domain Controller. FSAE is available from Fortinet Technical Support.

Select Authentication for any service. Users can authenticate with the firewall using HTTP, Telnet, or FTP. When users attempt to connect through the firewall using this policy, they are prompted to enter a firewall username and password. For users to authenticate using other services (for example POP3 or IMAP), create a service group that includes the services for which to require authentication, as well as HTTP, Telnet, and FTP. Users can then authenticate with the policy using HTTP, Telnet, or FTP before using the other service. For users to be able to authenticate, add an HTTP, Telnet, or FTP policy that is configured for authentication.

In most cases, ensure users can use DNS through the firewall without authentication. If DNS is not available, users cannot connect to a web, FTP, or Telnet server using a domain name, and so cannot reach the authentication prompt.

Note: Policies that require authentication must be added to the policy list above matching policies that do not; otherwise, the policy that does not require authentication is selected first.

Adding traffic shaping to firewall policies

Traffic Shaping controls the bandwidth available to, and sets the priority of the traffic processed by, the policy. Traffic Shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the FortiGate device. For example, the policy for the corporate web server might be given higher priority than the policies for most employees' computers. An employee who needs unusually high-speed Internet access could have a special outgoing policy set up with higher bandwidth.

Traffic shaping is available for ACCEPT, IPSEC, and SSL-VPN policies. It is also available for all supported services, including H.323, TCP, UDP, ICMP, and ESP. Traffic shaping cannot increase the total amount of bandwidth available, but it can be used to improve the quality of bandwidth-intensive and sensitive traffic. Guaranteed and maximum bandwidth in combination with queuing ensures minimum and maximum bandwidth is available for traffic.

Note: For more information about traffic shaping, see also the FortiGate Traffic Shaping Technical Note.

Guaranteed bandwidth and maximum bandwidth

When you enter a value in the Guaranteed Bandwidth field of a firewall policy, you guarantee the amount of bandwidth available for the selected network traffic (in Kbytes/sec). For example, you may want to give a higher guaranteed bandwidth to your e-commerce traffic. When you enter a value in the Maximum Bandwidth field of a firewall policy, you limit the amount of bandwidth available for the selected network traffic (in Kbytes/sec). For example, you may want to limit the bandwidth of IM traffic, so as to save some bandwidth for the more important e-commerce traffic.

The guaranteed and maximum bandwidth available for a policy is the total bandwidth available to all traffic controlled by the policy. If multiple users start multiple communication sessions using the same policy, all of these communication sessions must share the bandwidth available for the policy. However, bandwidth availability is not shared between multiple instances of the same service if these instances are controlled by different policies. For example, you can create one FTP policy to limit the amount of bandwidth available for FTP for one network address and create another FTP policy with a different bandwidth availability for another network address.

The bandwidth available for traffic controlled by a policy is used for both the control and data sessions and is used for traffic in both directions. For example, if guaranteed bandwidth is applied to an internal to external FTP policy, and a user on an internal network uses FTP to put and get files, both the put and get sessions share the bandwidth available to the traffic controlled by the policy.

Traffic Priority

Set traffic priority to manage the relative priorities of different types of traffic. Important and latency-sensitive traffic should be assigned a high priority. Less important and less sensitive traffic should be assigned a low priority. The FortiGate unit provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.

For example, you can add policies to guarantee bandwidth for voice and e-commerce traffic. Then you can assign a high priority to the policy that controls voice traffic and a medium priority to the policy that controls e-commerce traffic. During a busy time, if both voice and e-commerce traffic are competing for bandwidth, the higher priority voice traffic will be transmitted before the e-commerce traffic.
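The interaction of Guaranteed Bandwidth, Maximum Bandwidth and Traffic Priority described above, together with the rules given later for making shaping work (shape every policy, spread policies over all three queues, keep the sum of guarantees below the interface capacity), can be made concrete with a small allocation model. The following Python is an added example, not FortiGate code: this page does not describe the scheduler inside FortiOS, so the model applies only the rules the text states (guarantees are honoured first, leftover capacity goes to high-priority policies before medium and low, all sessions under one policy share its allowance, an unshaped policy behaves as high priority, and a policy with guaranteed and maximum both 0 passes no traffic). Treating a policy with a guarantee but maximum 0 as uncapped is this model's assumption, as are the 1000 KB/s link, the policy names and the session demands.

```python
"""Guaranteed/maximum bandwidth and priority allocation (added example, not
FortiGate code).  Capacity, policy names and session demands are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

PRIORITY_ORDER = ("high", "medium", "low")
UNLIMITED = float("inf")


@dataclass
class ShapedPolicy:
    name: str
    shaping: bool = True            # Traffic Shaping option enabled on the policy
    guaranteed: int = 0             # Guaranteed Bandwidth, KB/s
    maximum: int = 0                # Maximum Bandwidth, KB/s
    priority: str = "high"          # Traffic Priority: high, medium or low
    sessions: Dict[str, int] = field(default_factory=dict)   # session -> demand, KB/s

    @property
    def demand(self) -> int:
        # control and data sessions, in both directions, share one allowance
        return sum(self.sessions.values())

    @property
    def guarantee(self) -> int:
        return self.guaranteed if self.shaping else 0

    @property
    def effective_priority(self) -> str:
        return self.priority if self.shaping else "high"   # unshaped defaults to high

    @property
    def cap(self) -> float:
        if not self.shaping:
            return UNLIMITED
        if self.maximum > 0:
            return self.maximum
        if self.guaranteed > 0:
            return UNLIMITED        # model assumption: guarantee set, no maximum, no cap
        return 0                    # guaranteed 0 and maximum 0: no traffic at all


def check_configuration(policies: List[ShapedPolicy], capacity: int) -> List[str]:
    """The three rules the text gives for making shaping work."""
    warnings = [f"{p.name}: no traffic shaping, defaults to high priority"
                for p in policies if not p.shaping]
    total = sum(p.guarantee for p in policies)
    if total >= capacity:
        warnings.append(f"sum of guaranteed bandwidth {total} KB/s is not below "
                        f"interface capacity {capacity} KB/s")
    used = {p.effective_priority for p in policies}
    warnings += [f"no policy uses the {q} priority queue" for q in PRIORITY_ORDER if q not in used]
    return warnings


def allocate(policies: List[ShapedPolicy], capacity: int) -> Dict[str, float]:
    """Pass 1 honours guarantees; pass 2 hands the remainder to high-priority
    policies first, so low priority only gets what high and medium leave over."""
    alloc = {p.name: 0 for p in policies}
    remaining = capacity
    for p in policies:
        share = min(p.demand, p.guarantee, p.cap, remaining)
        alloc[p.name] += share
        remaining -= share
    for q in PRIORITY_ORDER:
        for p in policies:
            if p.effective_priority != q:
                continue
            extra = min(p.demand - alloc[p.name], p.cap - alloc[p.name], remaining)
            if extra > 0:
                alloc[p.name] += extra
                remaining -= extra
    return alloc


def per_session(p: ShapedPolicy, policy_share: float) -> Dict[str, float]:
    """Split one policy's allowance over its sessions (an FTP put and get under the
    same policy share it); the proportional split is this model's choice."""
    if p.demand == 0:
        return {s: 0.0 for s in p.sessions}
    return {s: policy_share * d / p.demand for s, d in p.sessions.items()}


# Constructed scenario: a 1000 KB/s link carrying voice, e-commerce, IM and FTP.
CAPACITY = 1000
VOICE = ShapedPolicy("voice", guaranteed=200, maximum=300, priority="high", sessions={"calls": 250})
ECOM = ShapedPolicy("e-commerce", guaranteed=300, priority="medium", sessions={"https": 600})
IM = ShapedPolicy("im", maximum=50, priority="low", sessions={"chat": 200})
FTP_UNSHAPED = ShapedPolicy("ftp", shaping=False, sessions={"put": 400, "get": 400})
FTP_LOW = ShapedPolicy("ftp", maximum=400, priority="low", sessions={"put": 400, "get": 400})

UNSHAPED_FTP = [VOICE, ECOM, IM, FTP_UNSHAPED]   # FTP rides the default high queue
SHAPED_FTP = [VOICE, ECOM, IM, FTP_LOW]          # FTP shaped and moved to low

if __name__ == "__main__":
    for plist in (UNSHAPED_FTP, SHAPED_FTP):
        print(check_configuration(plist, CAPACITY), allocate(plist, CAPACITY))
```

Leaving FTP unshaped puts it in the high queue, where it takes everything left after the guarantees and holds e-commerce to its 300 KB/s guarantee; shaping FTP at low priority with a 400 KB/s cap lets e-commerce reach its full demand, gives IM its 50 KB/s cap, and leaves FTP the remaining 100 KB/s, which its put and get sessions share.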

Traffic shaping considerations

Traffic shaping will by definition attempt to “normalize” traffic peaks and bursts, and can be configured to prioritize certain flows over others. But there is a physical limitation to the amount of data which can be buffered and for how long. Once these thresholds have been surpassed, frames and packets will be dropped, and sessions will be affected. If, for example, you are applying bandwidth limitations to certain flows, you must accept the fact that these sessions can be limited and therefore negatively impacted.

Incorrect traffic shaping configurations may actually further degrade certain network flows, since the excessive discarding of packets creates additional overhead at the upper layers, which may be attempting to recover from these errors.

A basic traffic shaping example would be to prioritize certain traffic flows to the detriment of other traffic which can be discarded. This means that you accept sacrificing some performance and stability on traffic X in order to increase or guarantee performance and stability for traffic Y.

Traffic shaping is effective for normal IP traffic at normal traffic rates. It is not effective during extremely high-traffic situations where the traffic exceeds the FortiGate unit's capacity. Packets must be received by the FortiGate unit before they are subject to traffic shaping; if the FortiGate unit cannot process all of the traffic it receives, then dropped packets, delays, and latency are likely to occur.

To ensure that traffic shaping is working at its best, ensure that the interface Ethernet statistics are clean of errors, collisions or buffer overruns. If these are not clean, then FortiGate and switch settings may require adjusting.

Traffic shaping which is applied to a firewall policy is enforced for traffic which may flow in either direction. Therefore a session set up by an internal host to an external one via an Internal -> External policy will have traffic shaping applied even if the data stream is then coming from external to internal, for example an FTP “get”, or an SMTP server connecting to an external one in order to retrieve email.

To make traffic shaping work efficiently, be sure to observe the following rules:
• Enable traffic shaping on all firewall policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default.
• Distribute firewall policies over all three priority queues (low, medium and high).
• Be sure that the sum of all Guaranteed Bandwidth in all firewall policies is significantly less than the bandwidth capacity of the interface.

Configuring FortiGate traffic shaping

You enable and specify traffic shaping settings when you configure firewall policies.

To configure traffic shaping
1 Go to Firewall > Policy.
2 When you create a new policy or edit a policy, select the Traffic Shaping option.
3 Configure the following three options:

Guaranteed Bandwidth: Use traffic shaping to guarantee the amount of bandwidth available through the firewall for a policy. Guarantee bandwidth (in Kbytes/sec) to ensure there is enough bandwidth available for a high-priority service.

Maximum Bandwidth: Use traffic shaping to limit the amount of bandwidth available through the firewall for a policy. Limit bandwidth to keep less important services from using bandwidth needed for more important services.

Traffic Priority: Select High, Medium, or Low. Select Traffic Priority so the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.

Note: If you set both guaranteed bandwidth and maximum bandwidth to 0 (zero), the policy does not allow any traffic.

IPSec firewall policy options

When Action is set to IPSEC, the following options are available:

Figure 147: IPSEC encryption policy

VPN Tunnel: Select the VPN tunnel name defined in the phase 1 configuration. The specified tunnel will be subject to this firewall encryption policy.

Allow Inbound: Select to enable traffic from a dialup client or computers on the remote private network to initiate the tunnel.

Allow Outbound: Select to enable traffic from computers on the local private network to initiate the tunnel.

Inbound NAT: Select to translate the source IP addresses of inbound decrypted packets into the IP address of the FortiGate interface to the local private network.

Outbound NAT: Select in combination with a natip CLI value to translate the source addresses of outbound cleartext packets into the IP address that you specify. When a natip value is specified, the source addresses of outbound IP packets are replaced before the packets are sent through the tunnel. Do not select Outbound NAT unless you specify a natip value through the CLI. For more information, see the “firewall” chapter of the FortiGate CLI Reference.

Note: Route-based (interface mode) IPSec tunnels are not configured the same way as tunnel mode IPSec tunnels. Instead of defining a tunnel mode (IPSEC) firewall encryption policy to permit VPN connections and control IP traffic through the tunnel, you bind a route-based VPN tunnel to an IPSec virtual interface, and then specify the IPSec virtual interface as a source or destination interface in a regular (ACCEPT or DENY) firewall policy.

For more information, see the “Defining a firewall encryption policy” chapter of the FortiGate IPSec VPN User Guide.

SSL-VPN firewall policy options

When Action is set to SSL-VPN, the following options are available:

Note: The SSL-VPN option is available from the Action list after one or more SSL VPN user groups have been created. To create user accounts and SSL VPN user groups, see “Configuring SSL VPN user group options” on page 352.

Figure 148: SSL-VPN encryption policy

SSL Client Certificate Restrictive: Allow traffic generated by holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field.

Cipher Strength: Select one of the following options to determine the level of SSL encryption to use. The web browser on the remote client must be capable of matching the level that you select:
• To use any cipher suite, select Any.
• To use a 164-bit or greater cipher suite, select High >= 164.
• To use a 128-bit or greater cipher suite, select Medium >= 128.

User Authentication Method: Select one of the following options:
• If the user group that will be bound to this firewall policy is a local user group, select Local.
• If the remote clients will be authenticated by an external RADIUS server, select Radius.
• If the remote clients will be authenticated by an external LDAP server, select LDAP.
• Select Any to enable all of the above authentication methods. Local is attempted first, then LDAP, then Radius.

Available Groups: Select the name of the user group requiring SSL VPN access, and then select the right-pointing arrow. Do not select more than one user group unless all members of the selected user groups have identical access requirements. For information about how to create a firewall encryption policy for SSL VPN users, see the “SSL VPN administration tasks” chapter of the FortiGate SSL VPN User Guide.

Options to check FortiClient on hosts

On the FortiGate models 1000A, 3600A, and 5005FA2, firewall policies can deny access for hosts that do not have FortiClient Host Security software installed and operating. This feature can detect FortiClient software version 3.0 MR2 or later.

Figure 149: FortiClient Host Security check options

Check FortiClient Installed and Running: Select to check that the source host is running FortiClient Host Security software. Enable the following reasons to deny access as needed:
• FortiClient is Not Installed
• FortiClient is Not Licensed
• AV/IPS Database Out-of-Date
• AV Disabled
• Firewall Disabled
• Web Filter Disabled

Redirect Restricted Users to FortiGate Download Portal: Select to redirect denied users to the internal web portal, which provides the reason for denial. On units that support it, users can download FortiClient Host Security software.

Firewall policy examples

FortiGate units are fully capable of meeting various network requirements, from home use to SOHO, to large enterprises and ISPs. The following two scenarios demonstrate the practical applications of firewall policies in the SOHO and large enterprise environments. For more detail on these two examples, see the Example Library Network and SOHO and SMB Network Protection example guides in the FortiOS v3.0 MR2 documentation.
• Scenario one: SOHO sized business
• Scenario two: enterprise sized business

Scenario one: SOHO sized business

Company A is a small software company performing development and providing customer support. In addition to their internal network of 15 computers, they also have several employees that work from home all or some of the time. With their current network topography, all 15 of the internal computers are behind a router and must go to an external source to access the IPS Mail and Web servers. All home-based employees access the router through open, non-secured connections.

Figure 150: Example SOHO network before FortiGate installation

Company A requires secure connections for home-based workers. Like many companies, they rely heavily on email and Internet access to conduct business. They want a comprehensive security solution to detect and prevent network attacks, block viruses, and decrease spam. They want to apply different protection settings for different departments. They also want to integrate web and email servers into the security solution.

To deal with their first requirement, company A configures specific policies for each home-based worker to ensure secure communication between the home-based worker and the internal network.

1 Go to Firewall > Policy.
2 Select Create New and enter or select the following settings for Home_User_1:
Interface / Zone: Source: internal; Destination: wan1
Address Name: Source: CompanyA_Network; Destination: Home_User_1
Schedule: Always
Service: ANY
Action: IPSEC
VPN Tunnel: Home1
Allow Inbound: yes
Allow outbound: yes
Inbound NAT: yes
Outbound NAT: no
Protection Profile: Enable and select standard_profile

3 Select OK.
4 Select Create New and enter or select the following settings for Home_User_2:
Interface / Zone: Source: internal; Destination: wan1
Address Name: Source: CompanyA_network; Destination: All
Schedule: Always
Service: ANY
Action: IPSEC
VPN Tunnel: Home2_Tunnel
Allow Inbound: yes
Allow outbound: yes
Inbound NAT: yes
Outbound NAT: no
Protection Profile: Enable and select standard_profile
5 Select OK.

Figure 151: SOHO network topology with FortiGate-100

The proposed network is based around a FortiGate-100A unit. The 15 internal computers are behind the FortiGate unit. They now access the email and web servers in a DMZ, which is also behind the FortiGate unit. All home-based employees now access the office network through the FortiGate unit via VPN tunnels.

Scenario two: enterprise sized business

Located in a large city, the library system is anchored by a main downtown location serving most of the population, with more than a dozen branches spread throughout the city. Each branch is wired to the Internet, but none are linked with each other by dedicated connections.

The current network topography at the main location consists of three user groups. The main branch staff and public terminals access the servers in the DMZ behind the firewall. The catalog access terminals directly access the catalog server without first going through the firewall. The topography at the branch office has all three user groups accessing the servers at the main branch via non-secured Internet connections.

Figure 152: The library system’s current network topology

The library must be able to set different access levels for patrons and staff members. The first firewall policy for main office staff members allows full access to the Internet at all times. The staff firewall policies will all use a protection profile configured specifically for staff access. Enabled features include virus scanning, IPS, spam filtering, and blocking of all P2P traffic. FortiGuard web filtering is also used to block advertising, malware, and spyware sites. A second policy will allow direct access to the DMZ for staff members. A second pair of policies is required to allow branch staff members the same access.

A few users may need special web and catalog server access to update information on those servers. Special access can be allowed based on IP address or user, depending on how they are configured.

The proposed topography has the main branch staff and the catalog access terminals going through a FortiGate HA cluster to the servers in a DMZ. The public access terminals first go through a FortiWiFi unit, where additional policies can be applied, then to the HA cluster and finally to the servers. The branch office has all three user groups routed through a FortiWiFi unit to the main branch via VPN tunnels.

Figure 153: Proposed library system network topology

Policies are configured in Firewall > Policy. Protection Profiles are configured in Firewall > Protection Profile.

Main office ‘staff to Internet’ policy:
Source Interface: Internal
Source Address: All
Destination Interface: External
Destination Address: All
Schedule: Always
Action: Accept

Main office ‘staff to DMZ’ policy:
Source Interface: Internal
Source Address: All
Destination Interface: DMZ
Destination Address: Servers
Schedule: Always
Action: Accept

Branches ‘staff to Internet’ policy:
Source Interface: Branches
Source Address: Branch Staff
Destination Interface: External
Destination Address: All
Schedule: Always
Action: Accept

Branches ‘staff to DMZ’ policy:
Source Interface: Branches
Source Address: Branch Staff
Destination Interface: DMZ
Destination Address: Servers
Schedule: Always
Action: Accept

For more information regarding these examples, see:
• SOHO and SMB Configuration Example Guide
• FortiGate Enterprise Configuration Example
in the FortiGate section of http://docs.forticare.com.
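The four library policies above are evaluated in order and the first match decides the action; a packet that matches none is dropped. The following Python model of that evaluation is an added example, not code from the guide or from Fortinet. The membership of the "Servers" and "Branch Staff" addresses is assumed, since the guide does not list their IP addresses, and "All" is the unit's default catch-all address.

```python
# Added example (not from the guide): first-match evaluation of the four
# library policies above. Address contents are constructed values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address book. "All" is the unit's default catch-all address; the members of
# "Servers" and "Branch Staff" are assumptions, the guide does not list them.
ADDRESSES = {
    "All": [ip_network("0.0.0.0/0")],
    "Servers": [ip_network("10.20.0.0/24")],
    "Branch Staff": [ip_network("10.30.1.0/24"), ip_network("10.31.1.0/24")],
}


@dataclass(frozen=True)
class Policy:
    name: str
    src_intf: str
    src_addr: str
    dst_intf: str
    dst_addr: str
    schedule: str = "Always"
    action: str = "Accept"


# The four policies from the library scenario, in evaluation order.
LIBRARY_POLICIES = [
    Policy("staff to Internet", "Internal", "All", "External", "All"),
    Policy("staff to DMZ", "Internal", "All", "DMZ", "Servers"),
    Policy("branches staff to Internet", "Branches", "Branch Staff", "External", "All"),
    Policy("branches staff to DMZ", "Branches", "Branch Staff", "DMZ", "Servers"),
]


def address_matches(name, ip):
    ip = ip_address(ip)
    return any(ip in net for net in ADDRESSES[name])


def match_policy(policies, src_intf, src_ip, dst_intf, dst_ip):
    """Return the first policy whose interface pair and addresses match."""
    for p in policies:
        if (p.src_intf == src_intf and p.dst_intf == dst_intf
                and address_matches(p.src_addr, src_ip)
                and address_matches(p.dst_addr, dst_ip)):
            return p
    return None


def verdict(policies, src_intf, src_ip, dst_intf, dst_ip):
    """(policy name, action); traffic that matches no policy is denied."""
    p = match_policy(policies, src_intf, src_ip, dst_intf, dst_ip)
    return (p.name, p.action) if p else (None, "Deny")


if __name__ == "__main__":
    # A branch patron terminal (not in Branch Staff) reaching for the DMZ:
    print(verdict(LIBRARY_POLICIES, "Branches", "10.30.9.7", "DMZ", "10.20.0.5"))
```

Because the branch policies name "Branch Staff" rather than "All" as the source address, a patron terminal on the branch network that is outside that address falls through every policy and is denied, which is the access separation the scenario asks for.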

Firewall Address

Add, edit, and delete firewall addresses as required. Firewall addresses are added to the source and destination address fields of firewall policies. Organize related addresses into address groups to simplify policy creation.

The following topics are included in this section:
• About firewall addresses
• Viewing the firewall address list
• Configuring addresses
• Viewing the address group list
• Configuring address groups

About firewall addresses

A firewall address can be configured with a name, an IP address, and a netmask, or with a name and an IP address range. It can also be a fully qualified domain name (FQDN). Firewall addresses are added to firewall policies to match the source or destination IP addresses of packets that are received by the FortiGate unit.

A firewall address can be:
• The IP address of a single computer (for example, 192.168.20.45).
• The IP address of a subnetwork (for example, 192.168.20.0 for a class C subnet).
• 0.0.0.0 to represent all possible IP addresses.
• A range of IP addresses in a subnet (for example, 192.168.20.1 to 192.168.20.10).

The netmask corresponds to the type of address being added. For example:
• The netmask for the IP address of a single computer should be 255.255.255.255.
• The netmask for a class A subnet should be 255.0.0.0.
• The netmask for a class B subnet should be 255.255.0.0.
• The netmask for a class C subnet should be 255.255.255.0.
• The netmask for all addresses should be 0.0.0.0.

Note: IP address: 0.0.0.0 and Netmask: 255.255.255.255 is not a valid firewall address.

Enter an IP address and netmask using the following formats:
• x.x.x.x/x.x.x.x, for example 192.168.1.0/255.255.255.0
• x.x.x.x/x, for example 192.168.1.0/24

An IP Range address represents a range of IP addresses in a subnet.

FortiGate Version 3.0 MR3 Administration Guide 01-30003-0203-20061124 259

An IP/Mask address can represent:
• A single IP address (for example, IP Address: 192.168.110.1 and Netmask: 255.255.255.255)
• The address of a subnet (for example, a class C subnet, IP Address: 192.168.110.0 and Netmask: 255.255.255.0)
• All possible IP addresses (represented by IP Address: 0.0.0.0 and Netmask: 0.0.0.0)

Enter an IP address range using the following formats:
• x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120
• x.x.x.[x-x], for example 192.168.110.[100-120]
• x.x.x.* to represent all addresses on the subnet

An FQDN can be:
• www.fortinet.com
• example.com

Enter an FQDN using the following formats:
• <host_name>.<second_level_domain_name>.<top_level_domain_name>
• <host_name>.<top_level_domain_name>

Viewing the firewall address list

If virtual domains are enabled on the FortiGate unit, addresses are configured separately for each virtual domain. To access addresses, select a virtual domain from the list in the main menu. To view the address list, go to Firewall > Address. Add addresses to the list and edit existing addresses. Addresses in the list are sorted by type: IP/Mask, IP Range, and FQDN. The FortiGate unit comes configured with the default ‘All’ address, which represents any IP address on the network.

Figure 154: Sample address list

The address list has the following icons and features:
Create New: Select to add a firewall address.
Name: The name of the firewall address.
Address/FQDN: The IP address and mask, IP address range, or fully qualified domain name.
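The address formats listed above (IP/Mask in both notations, the three IP range notations, and FQDN) are easy to mis-enter, and the note that 0.0.0.0 with netmask 255.255.255.255 is invalid is a check worth automating before a policy is built from an address. The parser below is an added example written for this section; it is not FortiGate code. It accepts every format the guide lists, applies the guide's validity note, and answers whether an IP falls inside a parsed address. FQDN addresses are accepted syntactically but cannot be matched here, since the unit matches them only after resolving them.

```python
# Added example (not from the FortiGate guide): parse the firewall address
# formats the guide lists and answer "does this IP fall inside the address?".
import re
from ipaddress import IPv4Address, IPv4Network

_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
_IP = rf"{_OCTET}(?:\.{_OCTET}){{3}}"
_FQDN = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}"


class FirewallAddress:
    """kind is 'ipmask', 'iprange' or 'fqdn'; data is the parsed value."""

    def __init__(self, kind, data):
        self.kind = kind
        self.data = data

    def contains(self, ip):
        ip = IPv4Address(ip)
        if self.kind == "ipmask":
            return ip in self.data
        if self.kind == "iprange":
            lo, hi = self.data
            return lo <= ip <= hi
        # An FQDN address only matches after the unit resolves it (see the
        # caution in the text), so there is nothing to compare against here.
        raise ValueError("FQDN addresses match only after DNS resolution")


def _range(prefix, low, high):
    lo, hi = IPv4Address(f"{prefix}.{low}"), IPv4Address(f"{prefix}.{high}")
    if lo > hi:
        raise ValueError("range start is above range end")
    return FirewallAddress("iprange", (lo, hi))


def parse_address(text):
    text = text.strip()
    # IP/Mask: x.x.x.x/x.x.x.x or x.x.x.x/x
    m = re.fullmatch(rf"({_IP})/({_IP}|\d{{1,2}})", text)
    if m:
        net = IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
        # Guide note: IP 0.0.0.0 with netmask 255.255.255.255 is not valid.
        if net.network_address == IPv4Address("0.0.0.0") and net.prefixlen == 32:
            raise ValueError("0.0.0.0/255.255.255.255 is not a valid firewall address")
        return FirewallAddress("ipmask", net)
    # IP Range: x.x.x.x-x.x.x.x
    m = re.fullmatch(rf"({_IP})-({_IP})", text)
    if m:
        lo, hi = IPv4Address(m.group(1)), IPv4Address(m.group(2))
        if lo > hi:
            raise ValueError("range start is above range end")
        return FirewallAddress("iprange", (lo, hi))
    # IP Range: x.x.x.[x-x]
    m = re.fullmatch(rf"({_OCTET}\.{_OCTET}\.{_OCTET})\.\[({_OCTET})-({_OCTET})\]", text)
    if m:
        return _range(*m.groups())
    # IP Range: x.x.x.* (every address on the /24)
    m = re.fullmatch(rf"({_OCTET}\.{_OCTET}\.{_OCTET})\.\*", text)
    if m:
        return _range(m.group(1), 0, 255)
    # FQDN: <host_name>.<second_level_domain_name>.<top_level_domain_name> etc.
    if re.fullmatch(_FQDN, text):
        return FirewallAddress("fqdn", text.lower())
    raise ValueError(f"unrecognised firewall address: {text!r}")


def is_valid_address(text):
    """True when the text is one of the accepted formats and passes the checks."""
    try:
        parse_address(text)
        return True
    except ValueError:
        return False
```

A bare IP address with no mask is rejected rather than silently treated as a host address, so that an operator who forgot the /32 mask gets an error instead of a policy matching something unexpected.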

Delete icon: Select to remove the address from the list. The Delete icon is only available if the address has not been used in a firewall policy.
Edit icon: Select to edit the following information: Name, Type, Subnet/IP Range, or FQDN.

Note: If an address group is included in a policy, it cannot be deleted unless it is first removed from the policy.

Configuring addresses

Addresses can also be created or edited during firewall policy configuration from the firewall policy window. Organize related addresses into address groups to make it easier to configure policies. For example, after adding three addresses and configuring them in an address group, configure a single policy using all three addresses. Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies.

Caution: Using a fully qualified domain name in a firewall policy, while convenient, does present some security risks. Be very cautious when using this feature.

To add an IP address, IP range, or FQDN, go to Firewall > Address.

Figure 155: New address or IP range options

Address Name: Enter a name to identify the firewall address.
Type: Select the type of address: Subnet/IP Range or FQDN.
IP Range/Subnet: Enter the firewall IP address, forward slash, and subnet mask, or enter an IP address range separated by a hyphen.
FQDN: One FQDN may be mapped to multiple machines for load balancing and HA. A single FQDN firewall policy can be created in which the FortiGate unit automatically resolves and maintains a record of all addresses to which the FQDN resolves.

Viewing the address group list

If virtual domains are enabled on the FortiGate unit, address groups are configured separately for each virtual domain. To access address groups, select a virtual domain from the list in the main menu. To view the address group list, go to Firewall > Address > Group.

Figure 156: Sample address group list

The address group list has the following icons and features:
Create New: Select to add an address group.
Group Name: The name of the address group.
Members: The addresses in the address group.
Delete icon: Select to remove the group from the list. The Delete icon is only available if the address group has not been used in a firewall policy.
Edit icon: Select to edit the following information: Group Name and Members.

Configuring address groups

Address groups can be created during firewall configuration by selecting Create New from the Address dropdown list. Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies. To organize addresses into an address group, go to Firewall > Address > Group.

Figure 157: Address group options

Group Name: Enter a name to identify the address group.
Available Addresses: The list of configured and default firewall addresses. Use the arrows to move addresses between the lists.
Members: The list of addresses in the group. Use the arrows to move addresses between the lists.

Firewall Service

Use services to determine the types of communication accepted or denied by the firewall. Add any of the predefined services to a policy. Create custom services for each virtual domain and add services to service groups.

The following topics are included in this section:
• Viewing the predefined service list
• Viewing the custom service list
• Configuring custom services
• Viewing the service group list
• Configuring service groups

Viewing the predefined service list

If virtual domains are enabled on the FortiGate unit, predefined services are available globally. To view the predefined service list, select Global Configuration on the main menu, then go to Firewall > Service.

Figure 158: Predefined service list

The predefined services list has the following icons and features:
Name: The name of the predefined service.
Detail: The protocol for each predefined service.

Table 31 lists the FortiGate predefined firewall services. Add these services to any policy.

Table 31: FortiGate predefined services (service name, protocol and port, description)

AH (protocol 51, all ports): Authentication Header. AH provides source host authentication and data integrity, but not secrecy. This protocol is used for authentication by IPSec remote gateways set to aggressive mode.
ANY (all protocols, all ports): Match connections on any port. A connection using any of the predefined services is allowed through the firewall.
AOL (TCP 5190-5194): AOL instant messenger protocol.
BGP (TCP 179): Border Gateway Protocol routing protocol. BGP is an interior/exterior routing protocol.
DHCP (UDP 67): Dynamic Host Configuration Protocol (DHCP) allocates network addresses and delivers configuration parameters from DHCP servers to hosts.
DNS (TCP 53, UDP 53): Domain name service for translating domain names into IP addresses.
ESP (protocol 50): Encapsulating Security Payload. This service is used by manual key and AutoIKE VPN tunnels for communicating encrypted data. AutoIKE key VPN tunnels use ESP after establishing the tunnel using IKE.
FINGER (TCP 79): A network service providing information about users.
FTP (TCP 21): FTP service for transferring files.
FTP_GET (TCP 21): FTP service for downloading files.
FTP_PUT (TCP 21): FTP service for uploading files.
GOPHER (TCP 70): Gopher communication service. Gopher organizes and displays Internet server contents as a hierarchically structured list of files.
GRE (protocol 47): Generic Routing Encapsulation. A protocol allowing an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets.
H323 (TCP 1720, 1503): H.323 multimedia protocol. H.323 is a standard approved by the International Telecommunication Union (ITU) defining how audiovisual conferencing data is transmitted across networks. For more information see the FortiGate Support for H.323 Technical Note.
HTTP (TCP 80): HTTP is the protocol used by the world wide web for transferring data for web pages.
HTTPS (TCP 443): HTTP with secure socket layer (SSL) service for secure communication with web servers.

Table 31: FortiGate predefined services (Continued)

ICMP_ANY (ICMP): Internet Control Message Protocol is a message control and error-reporting protocol between a host and gateway (Internet).
IKE (UDP 500): IKE is the protocol to obtain authenticated keying material for use with ISAKMP for IPSEC.
IMAP (TCP 143): Internet Message Access Protocol is a protocol used for retrieving email messages.
INFO_ADDRESS (ICMP 17): ICMP address mask request messages.
INFO_REQUEST (ICMP 15): ICMP information request messages.
Internet Locator Service (TCP 389): Internet Locator Service includes LDAP, User Locator Service, and LDAP over TLS/SSL.
IRC (TCP 6660-6669): Internet Relay Chat allows people connected to the Internet to join live discussions.
L2TP (TCP 1701): L2TP is a PPP-based tunnel protocol for remote access.
LDAP (TCP 389): Lightweight Directory Access Protocol is a set of protocols used to access information directories.
NetMeeting (TCP 1720): NetMeeting allows users to teleconference using the Internet as the transmission medium.
NFS (TCP 111, 2049): Network File System allows network users to access shared files stored on computers of different types.
NNTP (TCP 119): Network News Transport Protocol is a protocol used to post, distribute, and retrieve USENET messages.
NTP (TCP 123): Network time protocol for synchronizing a computer’s time with a time server.
OSPF (protocol 89): Open Shortest Path First (OSPF) routing protocol. OSPF is a common link state routing protocol.
PC-Anywhere (UDP 5632): PC-Anywhere is a remote control and file transfer protocol.
PING (ICMP 8): ICMP echo request/reply for testing connections to other devices.
POP3 (TCP 110): Post office protocol is an email protocol for downloading email from a POP3 server.
PPTP (TCP 1723): Point-to-Point Tunneling Protocol is a protocol allowing corporations to extend their own corporate network through private tunnels over the public Internet.
QUAKE (UDP 26000, 27000, 27910, 27960): For connections used by the popular Quake multi-player computer game.
RAUDIO (UDP 7070): For streaming real audio multimedia traffic.
RIP (UDP 520): Routing Information Protocol is a common distance vector routing protocol.

Table 31: FortiGate predefined services (Continued)

RLOGIN (TCP 513): Rlogin service for remotely logging into a server.
SAMBA (TCP 139): Samba allows Microsoft Windows clients to utilize file and print services from TCP/IP-enabled hosts.
SIP (UDP 5060): Session Initiation Protocol defines how audiovisual conferencing data is transmitted across networks. For more information see the FortiGate SIP Support Technical Note.
SIP-MSNmessenger (TCP 1863): Session Initiation Protocol is used by Microsoft Messenger to initiate an interactive, possibly multimedia, session.
SMTP (TCP 25): Simple Mail Transfer Protocol is used to send mail between email servers on the Internet.
SNMP (TCP 161-162, UDP 161-162): Simple Network Management Protocol is a set of protocols for managing complex networks.
SSH (TCP 22, UDP 22): Secure Shell is a service for secure connections to computers for remote management.
SYSLOG (UDP 514): Syslog service for remote logging.
TALK (UDP 517-518): A protocol supporting conversations between two or more users.
TCP (TCP 0-65535): All TCP ports.
TELNET (TCP 23): Telnet service for connecting to a remote computer to run commands.
TFTP (UDP 69): Trivial File Transfer Protocol is a simple file transfer protocol similar to FTP but with no security features.
TIMESTAMP (ICMP 13): ICMP timestamp request messages.
UDP (UDP 0-65535): All UDP ports.
UUCP (UDP 540): Unix to Unix copy utility, a simple file copying protocol.
VDOLIVE (TCP 7000-7010): For VDO Live streaming multimedia traffic.
WAIS (TCP 210): Wide Area Information Server is an Internet search protocol.
WINFRAME (TCP 1494): For WinFrame communications between computers running Windows NT.
X-WINDOWS (TCP 6000-6063): For remote communications between an X-Window server and X-Window clients.

Viewing the custom service list

If virtual domains are enabled on the FortiGate unit, custom services are configured separately for each virtual domain. To access custom services, select a virtual domain from the list in the main menu. Add a custom service to create a policy for a service that is not in the predefined service list.

To view the custom service list, go to Firewall > Service > Custom.

Figure 159: Custom service list

The custom services list has the following icons and features:
Create New: Select a protocol and then Create New to add a custom service.
Service Name: The name of the custom service.
Detail: The protocol and port numbers for each custom service.
Delete icon: Select to remove the entry from the list. The Delete icon is only available if the service has not been used in a firewall policy.
Edit icon: Select to edit the following information: Name, Protocol Type, Protocol, Source Port, Destination Port, Type, Code, and Protocol Number.

Configuring custom services

Custom services can be created during firewall policy configuration by selecting Create New from the Service dropdown list.

To add a custom TCP or UDP service
1 Go to Firewall > Service > Custom.
2 Set Protocol Type to TCP/UDP.
3 Configure the following.

Figure 160: New Custom Service - TCP/UDP

Name: Enter a name for the custom service.
Protocol Type: Select the protocol type of the custom service: TCP/UDP.
Protocol: Select TCP or UDP as the protocol of the port range being added.
Source Port: Specify the Source Port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the low and high fields. The default values allow the use of any source port.
Destination Port: Specify the Destination Port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the low and high fields.

Add: If the custom service being created requires more than one port range, select Add to allow more source and destination ranges.
Delete icon: Select to remove the entry from the list.

To add a custom ICMP service
1 Go to Firewall > Service > Custom.
2 Set Protocol Type to ICMP.
3 Configure the following.

Figure 161: New Custom Service - ICMP

Name: Enter the name of the ICMP custom service.
Protocol Type: Select the protocol type of the service being added: ICMP.
Type: Enter the ICMP type number for the service.
Code: Enter the ICMP code number for the service if required.

To add a custom IP service
1 Go to Firewall > Service > Custom.
2 Set Protocol Type to IP.
3 Configure the following.

Figure 162: New Custom Service - IP

Name: Enter the name of the IP custom service.
Protocol Type: Select the protocol type of the service being added: IP.
Protocol Number: The IP protocol number for the service.

Viewing the service group list

If virtual domains are enabled on the FortiGate unit, service groups are created separately for each virtual domain. To access service groups, select a virtual domain from the list in the main menu.

To view the service group list, go to Firewall > Service > Group.

To make it easier to add policies, create groups of services and then add one policy to allow or block access for all the services in the group. A service group can contain predefined services and custom services in any combination. A service group cannot be added to another service group.

Figure 163: Sample service group list

The service group list has the following icons and features:
Create New: Select to add a service group.
Group Name: The name that identifies the service group.
Members: The services added to the service group.
Delete icon: Select to remove the entry from the list. The Delete icon is only available if the service group has not been used in a firewall policy.
Edit icon: Select to edit the following information: Group Name and Members.

Configuring service groups

Service groups can be created during firewall policy configuration by selecting Create New from the dropdown list. To organize services into a service group, go to Firewall > Service > Group.

Figure 164: Service group options

Group Name: Enter a name to identify the service group.
Available Services: The list of configured and predefined services. Use the arrows to move services between the lists.
Members: The list of services in the group. Use the arrows to move services between the lists.
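The predefined services in Table 31, the custom TCP/UDP, ICMP and IP services described under Configuring custom services, and the service groups above all reduce to one question at policy time: does this packet's protocol and port (or ICMP type and code, or IP protocol number) fall within the service? The following Python model is an added example for this chapter, not FortiGate code. A few entries are transcribed from Table 31; the MYAPP custom service and the Web group are constructed, and the model enforces the rule that a service group cannot contain another service group.

```python
# Added example (not from the guide): matching a packet against predefined
# services, custom services and a service group as the tables above define them.
from dataclasses import dataclass
from typing import Optional, Tuple

PROTO_NUMBERS = {"TCP": 6, "UDP": 17, "ICMP": 1}
ANY_PORT = ((0, 65535),)


@dataclass(frozen=True)
class Service:
    name: str
    proto: str                       # "ANY", "TCP", "UDP", "ICMP" or "IP"
    dst_ports: Tuple[Tuple[int, int], ...] = ()
    src_ports: Tuple[Tuple[int, int], ...] = ANY_PORT   # default: any source port
    icmp_type: Optional[int] = None  # None matches any type/code
    icmp_code: Optional[int] = None
    proto_number: Optional[int] = None  # for IP custom services


@dataclass(frozen=True)
class Packet:
    proto_number: int
    src_port: int = 0
    dst_port: int = 0
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def _in_ranges(value, ranges):
    return any(lo <= value <= hi for lo, hi in ranges)


def service_matches(svc, pkt):
    if svc.proto == "ANY":
        return True
    if svc.proto in ("TCP", "UDP"):
        return (pkt.proto_number == PROTO_NUMBERS[svc.proto]
                and _in_ranges(pkt.src_port, svc.src_ports)
                and _in_ranges(pkt.dst_port, svc.dst_ports))
    if svc.proto == "ICMP":
        if pkt.proto_number != PROTO_NUMBERS["ICMP"]:
            return False
        type_ok = svc.icmp_type is None or pkt.icmp_type == svc.icmp_type
        code_ok = svc.icmp_code is None or pkt.icmp_code == svc.icmp_code
        return type_ok and code_ok
    if svc.proto == "IP":
        return pkt.proto_number == svc.proto_number
    raise ValueError(f"unknown protocol type {svc.proto!r}")


class ServiceGroup:
    """Predefined and custom services in any combination; no nested groups."""

    def __init__(self, name, members):
        if any(isinstance(m, ServiceGroup) for m in members):
            raise TypeError("a service group cannot be added to another service group")
        self.name = name
        self.members = tuple(members)

    def matches(self, pkt):
        return any(service_matches(m, pkt) for m in self.members)


# Entries transcribed from Table 31.
HTTP = Service("HTTP", "TCP", ((80, 80),))
HTTPS = Service("HTTPS", "TCP", ((443, 443),))
PING = Service("PING", "ICMP", icmp_type=8)
TIMESTAMP = Service("TIMESTAMP", "ICMP", icmp_type=13)
GRE = Service("GRE", "IP", proto_number=47)
# Constructed custom service: two destination ranges (added with Add) and a
# source-port range that excludes the well-known ports.
MYAPP = Service("MYAPP", "TCP", ((8000, 8010), (9000, 9000)), ((1024, 65535),))
WEB_GROUP = ServiceGroup("Web", [HTTP, HTTPS, MYAPP])
```

The source-port range on MYAPP shows why the default "any source port" matters: narrowing it is rarely useful for clients, whose ephemeral ports vary, so a custom service should only restrict the source side when the peer really does use a fixed port.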


Firewall Schedule

This section describes how to use schedules to control when policies are active or inactive. You can create one-time schedules or recurring schedules. One-time schedules are effective once for the period of time specified in the schedule. Recurring schedules repeat weekly and are effective only at specified times of the day or on specified days of the week. For example, a firewall might be configured with a default policy that allows access to all services on the Internet at all times. Add a one-time schedule to block access to the Internet during a holiday period.

The following topics are included in this section:
• Viewing the one-time schedule list
• Configuring one-time schedules
• Viewing the recurring schedule list
• Configuring recurring schedules

Viewing the one-time schedule list

If virtual domains are enabled on the FortiGate unit, one-time schedules are configured separately for each virtual domain. To access one-time schedules, select a virtual domain from the list on the main menu. To view the one-time schedule list, go to Firewall > Schedule > One-time. Create a one-time schedule that activates or deactivates a policy for a specified period of time.

Figure 165: One-time schedule list

The one-time schedule list has the following icons and features:
Create New: Select to add a one-time schedule.
Name: The name of the one-time schedule.
Start: The start date and time for the schedule.
Stop: The stop date and time for the schedule.
Delete icon: Select to remove the schedule from the list. The Delete icon only appears if the schedule is not being used in a firewall policy.
Edit icon: Select to edit the schedule.

Configuring one-time schedules

One-time schedules can be created during firewall policy configuration by selecting Create New from the Schedule dropdown list. To add a one-time schedule, go to Firewall > Schedule > One-time. One-time schedules use a 24-hour clock.

Figure 166: New One-time Schedule

Name: Enter the name to identify the one-time schedule.
Start: Enter the start date and time for the schedule.
Stop: Enter the stop date and time for the schedule.
Set start and stop time to 00 for the schedule to be active for the entire day.

Viewing the recurring schedule list

If virtual domains are enabled on the FortiGate unit, recurring schedules are created separately for each virtual domain. To access recurring schedules, select a virtual domain from the list on the main menu. To view the recurring schedule list, go to Firewall > Schedule > Recurring. Create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week. For example, prevent game play during working hours by creating a recurring schedule. Create a recurring schedule that runs for 24 hours by setting the start and stop times to the same time.

Note: A recurring schedule with a stop time that occurs before the start time starts at the start time and finishes at the stop time on the next day. Use this technique to create recurring schedules that run from one day to the next.

Figure 167: Recurring schedule list

The recurring schedule list has the following icons and features:
Create New: Select to add a recurring schedule.
Name: The name of the recurring schedule.
Day: The initials of the days of the week on which the schedule is active.
Start: The start time of the recurring schedule.

Stop: The stop time of the recurring schedule.
Delete icon: Select to remove the schedule from the list. The Delete icon only appears if the schedule is not being used in a firewall policy.
Edit icon: Select to edit the schedule.

Configuring recurring schedules

Recurring schedules can be created during firewall policy configuration by selecting Create New from the Schedule dropdown list. To add a recurring schedule, go to Firewall > Schedule > Recurring. Recurring schedules use a 24-hour clock.

Figure 168: New Recurring Schedule

Name: Enter the name to identify the recurring schedule.
Select: Select the days of the week for the schedule to be active.
Start: Select the start time for the recurring schedule.
Stop: Select the stop time for the recurring schedule.
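The schedule rules in this chapter have two edge cases that are easy to get wrong when reasoning about whether a policy is active: a recurring schedule whose stop time is before its start time runs into the next day, and equal start and stop times mean the whole 24 hours. The following Python model is an added example for this chapter, not FortiGate code; the day names, the "working hours" and "holiday" schedules and the dates are constructed to illustrate the text.

```python
# Added example (not from the guide): is a one-time or recurring schedule
# active at a given moment? Covers the overnight case from the note above.
from dataclasses import dataclass
from datetime import datetime, time

DAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}


@dataclass(frozen=True)
class OneTimeSchedule:
    name: str
    start: datetime   # 24-hour clock; 00:00 start and stop covers whole days
    stop: datetime

    def is_active(self, now):
        return self.start <= now < self.stop


@dataclass(frozen=True)
class RecurringSchedule:
    name: str
    days: frozenset     # weekday numbers from DAYS
    start: time
    stop: time

    def is_active(self, now):
        today, t = now.weekday(), now.time()
        if self.start == self.stop:
            # Same start and stop time: runs for the full 24 hours.
            return today in self.days
        if self.start < self.stop:
            return today in self.days and self.start <= t < self.stop
        # Stop before start: starts on a selected day and finishes at the
        # stop time on the following day, so both days have to be checked.
        if today in self.days and t >= self.start:
            return True
        yesterday = (today - 1) % 7
        return yesterday in self.days and t < self.stop


def recurring(name, day_names, start, stop):
    return RecurringSchedule(name, frozenset(DAYS[d] for d in day_names),
                             time.fromisoformat(start), time.fromisoformat(stop))


# Constructed schedules for the examples in the text.
WORK_HOURS = recurring("work_hours", ["mon", "tue", "wed", "thu", "fri"], "09:00", "17:00")
FRIDAY_NIGHT = recurring("fri_night", ["fri"], "22:00", "06:00")
ALL_WEEKEND = recurring("weekend", ["sat", "sun"], "00:00", "00:00")
HOLIDAY = OneTimeSchedule("holiday", datetime(2006, 12, 25), datetime(2006, 12, 26))
```

When a policy that blocks game play uses WORK_HOURS, it is inactive at 17:00 sharp; the stop time is exclusive, so a schedule meant to cover the whole of a day ends at 00:00 of the following day rather than at 23:59.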


Firewall Virtual IP

This section describes FortiGate Virtual IPs and IP Pools and how to configure and use them in firewall policies.

The following topics are included in this section:
• Virtual IPs
• Viewing the virtual IP list
• Configuring virtual IPs
• Virtual IP Groups
• Viewing the VIP group list
• Configuring VIP groups
• IP pools
• Viewing the IP pool list
• Configuring IP Pools

Virtual IPs

Virtual IPs can be used to allow connections through a FortiGate unit using network address translation (NAT) firewall policies. For example, you can add a virtual IP to an external FortiGate unit interface so that the external interface can respond to connection requests for users who are actually connecting to a server on the DMZ or internal network. Virtual IPs use Proxy ARP so that the FortiGate unit can respond to ARP requests on a network for a server that is actually installed on another network. Proxy ARP is defined in RFC 1027.

How virtual IPs map connections through the FortiGate unit

An example use of a static NAT virtual IP is to allow easy public access to a web server on a private network protected by a FortiGate unit. Reduced to its basics, this example involves only three parts, as shown in Figure 169: the web server on a private network, the browsing computer on the Internet, and the FortiGate unit connecting the two networks. A client computer attempts to contact the server. The client computer sends data packets and the FortiGate unit receives them. The addresses in the packets are remapped, and they are forwarded to the server on the private network.

Figure 169: A simple static NAT virtual IP example.

The packets sent from the client computer have a source IP of 192.168.37.55 and a destination IP of 192.168.37.4. The FortiGate unit receives these packets at its external interface. The virtual IP settings indicate a mapping from 192.168.37.4 to 10.10.10.42 so the packets' addresses are changed. The source address is changed to 10.10.10.2 and the destination is changed to 10.10.10.42. The FortiGate unit makes a note of this translation in the firewall session table it maintains internally. The packets are then sent on their way and arrive at the server computer.
Figure 170: Example of packet address remapping during NAT from client to server
Note that the client computer's address does not appear in the packets the server receives. After the FortiGate unit translates the network addresses, there is no reference to the client computer's network. As far as the server can tell, all the communication is coming directly from the FortiGate unit. The server has no indication another network exists.
When the server answers the client computer, the procedure works the same way but in the other direction. The server sends its response packets having a source IP address of 10.10.10.42 and a destination IP address of 10.10.10.2. The FortiGate unit receives these packets at its internal interface. This time however, the firewall session table entry is used to determine what the destination address will be translated to. In this example, the source address is changed to 192.168.37.4 and the destination is changed to 192.168.37.55. The packets are then sent on their way and arrive at the client computer.
Figure 171: Example of packet address remapping during NAT from server to client
The server computer's address does not appear in the packets the client receives. After the FortiGate unit translates the network addresses, there is no reference to the server computer's network. As far as the client is concerned, the FortiGate unit is the web server. The client has no indication the server's private network exists.
A Virtual IP can be a single IP address or an IP address range bound to a FortiGate unit interface. When you bind an IP address or IP address range to a FortiGate unit interface using a virtual IP, the interface responds to ARP requests for the bound IP address or IP address range.
Note: Virtual IPs are not available or required in transparent mode.
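The two-way translation just described, including the session table entry that lets the reply find its way back, can be modelled in a few lines. This is an added illustration written for the guide's example, not FortiGate code: it uses the addresses from Figures 170 and 171 (client 192.168.37.55, virtual IP 192.168.37.4, server 10.10.10.42, FortiGate internal address 10.10.10.2), adds TCP ports, which the narrative omits but which a real session table needs once several clients share the FortiGate's interface address, and hands out NAT source ports from a counter as a stand-in for whatever allocation the unit actually performs.

```python
from dataclasses import dataclass

# Constructed values following the guide's Figure 170/171 walk-through.
CLIENT = "192.168.37.55"        # browsing computer on the Internet
VIP_EXTERNAL = "192.168.37.4"   # virtual IP the external interface answers ARP for
SERVER = "10.10.10.42"          # real web server on the private network
FGT_INTERNAL = "10.10.10.2"     # FortiGate address on the private network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class StaticNatVip:
    """Static NAT virtual IP used in a policy with NAT enabled.

    Client-to-server packets get their destination rewritten to the mapped IP and,
    because NAT is on, their source rewritten to the FortiGate's internal interface
    address.  Each translation is recorded in a session table so the reply can be
    translated back.  Ports are included (the guide's narrative omits them) because
    once the source is rewritten every client shares FGT_INTERNAL and only the port
    distinguishes one session from another.  Allocating NAT ports from a simple
    counter is an assumption of this model, not documented unit behaviour.
    """

    def __init__(self, external_ip, mapped_ip, internal_if_ip, first_nat_port=30000):
        self.external_ip = external_ip
        self.mapped_ip = mapped_ip
        self.internal_if_ip = internal_if_ip
        self.next_nat_port = first_nat_port
        # (server ip, server port, NAT source port) -> original client packet
        self.sessions = {}

    def client_to_server(self, pkt):
        """Translate a packet arriving on the external interface; None if not for the VIP."""
        if pkt.dst != self.external_ip:
            return None
        nat_port = self.next_nat_port
        self.next_nat_port += 1
        inside = Packet(self.internal_if_ip, self.mapped_ip, nat_port, pkt.dport)
        self.sessions[(inside.dst, inside.dport, inside.sport)] = pkt
        return inside

    def server_to_client(self, pkt):
        """Translate a reply arriving on the internal interface using the session table."""
        original = self.sessions.get((pkt.src, pkt.sport, pkt.dport))
        if original is None or pkt.dst != self.internal_if_ip:
            return None  # no matching session: the VIP does not translate it
        # Swap the original addresses and ports so the reply appears to come from the VIP.
        return Packet(original.dst, original.src, original.dport, original.sport)


def walk_through():
    """Run the guide's example once; return (packet as the server sees it,
    reply as the client sees it)."""
    vip = StaticNatVip(VIP_EXTERNAL, SERVER, FGT_INTERNAL)
    request = Packet(CLIENT, VIP_EXTERNAL, 51234, 80)
    inside = vip.client_to_server(request)
    # The server answers the address it saw, which is the FortiGate, not the client.
    reply_inside = Packet(inside.dst, inside.src, inside.dport, inside.sport)
    return inside, vip.server_to_client(reply_inside)
```

Two things the model makes visible that the prose only implies: a packet for an address other than the virtual IP is left alone, and a packet from the server that matches no session entry is not translated either, which is why the private network stays invisible from the outside.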

If the NAT check box is not selected when building the firewall policy, the resulting policy will perform destination network address translation (DNAT). DNAT accepts packets from an external network that are intended for a specific destination IP address, translates the destination address of the packets to a mapped IP address on another hidden network, and then forwards the packets through the FortiGate unit to the hidden destination network. Once on the hidden destination network, the packets can arrive at their final destination. Virtual IPs also translate the source IP address or addresses of return packets from the source address on the hidden network to be the same as the destination address of the originating packets. Unlike in the previous examples, the source address is not translated.
In addition to binding the IP address or IP address range to the interface, the virtual IP also contains all of the information required to map the IP address or IP address range from the interface that receives the packets to the interface connected to the same network as the actual IP address or IP address range.
Virtual IP ranges can be of almost any size and can translate addresses to different subnets. Virtual IP ranges have the following restrictions:
• The mapped IP cannot include 0.0.0.0 or 255.255.255.255.
• The mapped IP range must not include any interface IP addresses.
• The external IP range cannot include any interface IP addresses.
• No duplicate entries or overlapping ranges are permitted.
• Virtual IP name cannot be the same as any address name or address group name.
• The external IP cannot be 0.0.0.0 if the virtual IP type is static NAT and is mapped to a range of IP addresses. Only load balance virtual IPs, and static NAT virtual IPs mapped to a single IP address, support an external IP of 0.0.0.0.
• Port mapping maps a range of external port numbers to a range of internal port numbers. The number of ports in these two ranges must be equal. When port forwarding, the external port must not be set so that its range exceeds 65535. For example, an internal range of 20 ports mapped from external port 65530 is invalid as the last port in the range would be 65550.
You can create five different kinds of virtual IPs, each of which can be used for a different DNAT variation.

Static NAT: Static NAT virtual IPs map an external IP address or IP address range on a source network to a mapped IP address or IP address range on a destination network. Static NAT virtual IPs use one-to-one mapping. A single external IP address is mapped to a single mapped IP address. A range of external IP addresses is mapped to a corresponding range of mapped IP addresses. A given IP address in the source address range is always mapped to the same IP address in the destination address range.
Static NAT Port Forwarding: Static NAT port forwarding maps a single IP address or address range and a single port number or port range on one network to a different single IP address or address range and a different single port number or port range on another network. Static NAT port forwarding virtual IPs use one-to-one mapping. A range of external IP addresses is mapped to a corresponding range of mapped IP addresses and a range of external port numbers is mapped to a corresponding range of mapped port numbers. Static NAT port forwarding is also just called port forwarding. Port forwarding virtual IPs can be used to configure the FortiGate unit for port address translation (PAT).
Load Balancing: A load balancing virtual IP maps a single IP address on one network to an IP address range on another network. Load balancing uses a one-to-many mapping and a load balancing algorithm to assign the destination IP address from the IP address range to ensure a more even distribution of traffic.
Load Balancing port forwarding: A load balancing with port forwarding virtual IP maps a single IP address and port number on one network to a range of IP addresses and a range of port numbers on another network. Also called dynamic port forwarding. Load balancing port forwarding uses a one-to-many load balancing algorithm to assign the destination IP address from the IP address range to ensure a more even distribution of traffic, and also assigns the destination port from the destination port number range.
Dynamic virtual IPs: If you set the external IP address of a virtual IP to 0.0.0.0 you create a dynamic virtual IP in which any external IP address is translated to the mapped IP address or IP address range.
You must add the virtual IP to a NAT firewall policy to actually implement the mapping configured in the virtual IP. To add a firewall policy that maps addresses on an external network to an internal network, add an external to internal firewall policy and set the Destination Address to the virtual IP. For example, if the computer hosting a web server is located on the internal network, it might have a private IP address such as 10.10.10.42. To get packets from the Internet to the web server, there must be an external address for the web server on the Internet. Add a virtual IP to the firewall that maps the external IP address of the web server on the Internet to the actual address of the web server on the internal network. To allow connections from the Internet to the web server, you add an external to internal firewall policy and add the virtual IP to the destination address field of the policy.

Viewing the virtual IP list
To view the virtual IP list, go to Firewall > Virtual IP > Virtual IP.

Figure 172: Virtual IP list
The virtual IP list has the following icons and features:
Create New: Select to add a virtual IP.
Name: The name of the virtual IP.
IP: The external IP address or IP address range.
Service Port: The external port number or port number range. The service port is included in port forwarding virtual IPs.
Map to IP/IP Range: The mapped to IP address or address range on the destination network.
Map to Port: The mapped to port number or port number range. The map to port is included in port forwarding virtual IPs.
Delete icon: Remove the virtual IP from the list. The Delete icon only appears if the virtual IP is not being used in a firewall policy.
Edit icon: Edit the virtual IP to change any virtual IP option including the virtual IP name.

Configuring virtual IPs
To add a virtual IP, go to Firewall > Virtual IP > Virtual IP and select Create new. To edit a virtual IP, go to Firewall > Virtual IP > Virtual IP and select the Edit icon for the virtual IP to edit.
Static NAT virtual IP for a single IP address is the simplest virtual IP configuration. A single IP address on one network is mapped to another IP address on a second network. The FortiGate unit connects the two networks and allows communication between them.
Name: Enter or change the name to identify the virtual IP. To avoid confusion, addresses, address groups, firewall policies, and virtual IPs cannot share names.
External Interface: Select the virtual IP external interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. You can select any FortiGate interface, VLAN subinterface, or VPN interface.
Type: Select Static NAT or Load Balance.
External IP Address/Range: Enter the external IP address that you want to map to an address on the destination network. To configure a dynamic virtual IP that accepts connections for any IP address, set the external IP address to 0.0.0.0. For a static NAT dynamic virtual IP you can only add one mapped IP address. For a load balance dynamic virtual IP you can specify a single mapped address or a mapped address range.

Mapped IP Address/Range: Enter the real IP address on the destination network to which the external IP address is mapped. You can also enter an address range to forward packets to multiple IP addresses on the destination network. For a static NAT virtual IP, if you add a mapped IP address range the FortiGate unit calculates the external IP address range and adds the IP address range to the External IP Address/Range field.
Port forwarding: Select to add a port forwarding virtual IP.
Protocol: Select the protocol (TCP or UDP) that you want the forwarded packets to use.
External Service Port: Enter the external service port number for which you want to configure port forwarding.
Map to Port: Enter the port number on the destination network to which the external port number is mapped. You can also enter a port number range to forward packets to multiple ports on the destination network. For a static NAT virtual IP, if you add a map to port range the FortiGate unit calculates the external port number range and adds the port number range to the External Service port field.

• Adding a static NAT virtual IP for a single IP address
• Adding a static NAT virtual IP for an IP address range
• Adding static NAT port forwarding for a single IP address and a single port
• Adding static NAT port forwarding for an IP address range and a port range
• Adding a load balance virtual IP for an IP address range
• Adding a load balance port forwarding virtual IP for an IP address range and port range
• Adding dynamic virtual IPs

Adding a static NAT virtual IP for a single IP address
The IP address 192.168.37.4 on the Internet is mapped to 10.10.10.42 on a private network. Attempts to communicate with 192.168.37.4 from the Internet are translated and sent to 10.10.10.42 by the FortiGate unit. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.4 rather than a FortiGate unit with a private network behind it.
Figure 173: Static NAT virtual IP for a single IP address example
To add a static NAT virtual IP for a single IP address
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.

3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In our example the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Name: simple_static_NAT
External Interface: wan1
Type: Static NAT
External IP Address/Range: The Internet IP address of the web server. The external IP address must be a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Map to IP/IP Range: The IP address of the server on the internal network. Since there is only one IP address, leave the second field blank.
Figure 174: Virtual IP options: static NAT virtual IP for a single IP address
4 Select OK.
To add a static NAT virtual IP for a single IP address to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP address packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the external IP to the DMZ network IP address of the web server.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone: wan1
Source Address Name: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address Name: simple_static_NAT
Schedule: always
Service: HTTP
Action: ACCEPT
3 Select NAT.
4 Select OK.

Adding a static NAT virtual IP for an IP address range
The IP address range 192.168.37.4-192.168.37.6 on the Internet is mapped to 10.10.10.42-10.10.10.44 on a private network. Packets from Internet computers communicating with 192.168.37.4 are translated and sent to 10.10.10.42 by the FortiGate unit. Similarly, packets destined for 192.168.37.5 are translated and sent to 10.10.10.43, and packets destined for 192.168.37.6 are translated and sent to 10.10.10.44. The computers on the Internet are unaware of this translation and see three computers with individual IP addresses rather than a FortiGate unit with a private network behind it.
Figure 175: Static NAT virtual IP for an IP address range example
To add a static NAT virtual IP for an IP address range
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to three individual web servers on the DMZ network. In our example the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Name: static_NAT_range
External Interface: wan1
Type: Static NAT
External IP Address/Range: The Internet IP address range of the web servers. The external IP addresses must be static IP addresses obtained from your ISP for your web server. These addresses must be unique IP addresses that are not used by another host and cannot be the same as the IP addresses of the external interface the virtual IP will be using. However, the external IP addresses must be routed to the selected interface. The virtual IP addresses and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP addresses.
Map to IP/IP Range: The IP address range of the servers on the internal network. Define the range by entering the first address of the range in the first field and the last address of the range in the second field.

Figure 176: Virtual IP options, static NAT virtual IP with an IP address range
4 Select OK.
To add a static NAT virtual IP with an IP address range to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the server IP addresses, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination addresses of these packets from the external IP to the DMZ network IP addresses of the servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone: wan1
Source Address Name: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address Name: static_NAT_range
Schedule: always
Service: HTTP
Action: ACCEPT
3 Select NAT.
4 Select OK.

Adding static NAT port forwarding for a single IP address and a single port
The IP address 192.168.37.4, port 80 on the Internet is mapped to 10.10.10.42, port 8000 on a private network. Attempts to communicate with 192.168.37.4, port 80 from the Internet are translated and sent to 10.10.10.42, port 8000 by the FortiGate unit. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.4, port 80 rather than a FortiGate unit with a private network behind it.


Figure 177: Static NAT virtual IP port forwarding for a single IP address and a single port example

To add static NAT virtual IP port forwarding for a single IP address and a single port
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In our example the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Name: Port_fwd_NAT_VIP
External Interface: wan1
Type: Static NAT
External IP Address/Range: The Internet IP address of the web server. The external IP address must be a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Map to IP/IP Range: The IP address of the server on the internal network. Since there is only one IP address, leave the second field blank.
Port Forwarding: Selected
Protocol: TCP
External Service Port: The port traffic from the Internet will use. For a web server, this will typically be port 80.
Map Port: The port on which the server expects traffic. Since there is only one port, leave the second field blank.


Figure 178: Virtual IP options; static NAT port forwarding virtual IP for a single IP address and a single port
4 Select OK.
To add static NAT virtual IP port forwarding for a single IP address and a single port to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP addresses, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination addresses and ports of these packets from the external IP to the DMZ network IP addresses of the web servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone: wan1
Source Address Name: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address Name: Port_fwd_NAT_VIP
Schedule: always
Service: HTTP
Action: ACCEPT
3 Select NAT.
4 Select OK.

Adding static NAT port forwarding for an IP address range and a port range
Ports 80 to 83 of addresses 192.168.37.4 to 192.168.37.7 on the Internet are mapped to ports 8000 to 8003 of addresses 10.10.10.42 to 10.10.10.44 on a private network. Attempts to communicate with 192.168.37.5, port 82 from the Internet, for example, are translated and sent to 10.10.10.43, port 8002 by the FortiGate unit. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.5 rather than a FortiGate unit with a private network behind it.
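The arithmetic behind this example, the same position in the external range maps to the same position in the mapped range, for addresses and ports alike, together with the range restrictions listed under "Virtual IPs", as an added Python model. This is illustration written for this guide, not FortiGate code. It assumes, as the guide states for static NAT, that the unit derives the external IP and port ranges from the mapped ranges the administrator enters, so with mapped addresses 10.10.10.42 to 10.10.10.44 the external range comes out as 192.168.37.4 to 192.168.37.6; the interface addresses used in the checks are constructed values supplied by the caller, and the class and helper names are my own. It also covers the dynamic case (external IP 0.0.0.0 with a single mapped address) described later under "Adding dynamic virtual IPs".

```python
from ipaddress import IPv4Address

ANY = IPv4Address("0.0.0.0")
BROADCAST = IPv4Address("255.255.255.255")


class VipConfigError(ValueError):
    """A virtual IP definition that violates one of the guide's range restrictions."""


class StaticPortForwardVip:
    """Static NAT port-forwarding VIP: external IP/port plus mapped IP range and
    mapped port range; the external ranges are derived one-to-one from the mapped ones."""

    def __init__(self, external_ip, mapped_first, mapped_last,
                 external_port, mapped_port_first, mapped_port_last,
                 interface_ips=()):
        self.external_ip = IPv4Address(external_ip)
        self.mapped_first = IPv4Address(mapped_first)
        self.mapped_last = IPv4Address(mapped_last)
        self.external_port = external_port
        self.mapped_port_first = mapped_port_first
        self.mapped_port_last = mapped_port_last
        # Addresses of the unit's own interfaces (constructed values from the caller).
        self.interface_ips = {IPv4Address(ip) for ip in interface_ips}
        if self.mapped_first > self.mapped_last or mapped_port_first > mapped_port_last:
            raise VipConfigError("mapped ranges must run from low to high")
        # Derived external ranges: as many addresses and ports as the mapped ranges.
        last = int(self.external_ip) + (int(self.mapped_last) - int(self.mapped_first))
        if last > int(BROADCAST):
            raise VipConfigError("external IP range would run past 255.255.255.255")
        self.external_last = IPv4Address(last)
        self.external_port_last = external_port + (mapped_port_last - mapped_port_first)
        self._validate()

    def _validate(self):
        if self.mapped_first == ANY or self.mapped_last == BROADCAST:
            raise VipConfigError("mapped IP cannot include 0.0.0.0 or 255.255.255.255")
        if self.external_ip == ANY and self.mapped_first != self.mapped_last:
            raise VipConfigError("external IP 0.0.0.0 needs a single mapped IP for static NAT")
        if self.external_port_last > 65535:
            raise VipConfigError(
                f"external port range would end at {self.external_port_last}, above 65535")
        for ip in self.interface_ips:
            if self.mapped_first <= ip <= self.mapped_last:
                raise VipConfigError(f"mapped IP range includes interface address {ip}")
            if self.external_ip <= ip <= self.external_last:
                raise VipConfigError(f"external IP range includes interface address {ip}")

    def translate(self, dst_ip, dst_port):
        """Mapped (ip, port) for a packet reaching the external interface, or None
        when the packet does not match the VIP and is left untranslated."""
        dst = IPv4Address(dst_ip)
        if not self.external_port <= dst_port <= self.external_port_last:
            return None
        if self.external_ip == ANY:
            ip_offset = 0                                 # dynamic VIP: any address matches
        elif self.external_ip <= dst <= self.external_last:
            ip_offset = int(dst) - int(self.external_ip)  # same position in the mapped range
        else:
            return None
        port_offset = dst_port - self.external_port
        return str(self.mapped_first + ip_offset), self.mapped_port_first + port_offset


def config_error(*args, **kwargs):
    """Rejection reason for a VIP definition, or None if it would be accepted."""
    try:
        StaticPortForwardVip(*args, **kwargs)
    except VipConfigError as err:
        return str(err)
    return None
```

With the guide's values, `translate("192.168.37.5", 82)` yields 10.10.10.43 port 8002, and the 20-port mapping from external port 65530 mentioned under the restrictions is rejected because its derived last external port exceeds 65535.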


Figure 179: Static NAT virtual IP port forwarding for an IP address range and a port range example

To add static NAT virtual IP port forwarding for an IP address range and a port range
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In our example the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Name: Port_fwd_NAT_VIP_port_range
External Interface: wan1
Type: Static NAT
External IP Address/Range: The external IP addresses must be static IP addresses obtained from your ISP. These addresses must be unique, not used by another host, and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP addresses must be routed to the selected interface. The virtual IP addresses and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP addresses.
Map to IP/IP Range: The IP addresses of the server on the internal network. Define the range by entering the first address of the range in the first field and the last address of the range in the second field.
Port Forwarding: Selected
Protocol: TCP
External Service Port: The ports that traffic from the Internet will use. For a web server, this will typically be port 80.
Map Port: The ports on which the server expects traffic. Define the range by entering the first port of the range in the first field and the last port of the range in the second field. If there is only one port, leave the second field blank.


Figure 180: Virtual IP options; static NAT port forwarding virtual IP for an IP address range and a port range
4 Select OK.
To add static NAT virtual IP port forwarding for an IP address range and a port range to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP addresses, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination addresses and ports of these packets from the external IP to the DMZ network IP addresses of the web servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone: wan1
Source Address Name: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address Name: Port_fwd_NAT_VIP_port_range
Schedule: always
Service: HTTP
Action: ACCEPT
3 Select NAT.
4 Select OK.

Adding a load balance virtual IP for an IP address range
The IP address 192.168.37.4 on the Internet is mapped to 10.10.123.42 through 10.10.123.44 on a private network. The IP address mapping is determined by the FortiGate unit's load balancing algorithm. Attempts to communicate with 192.168.37.4 from the Internet are translated and sent to 10.10.10.42, 10.10.10.43, or 10.10.10.44 by the FortiGate unit. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.4 rather than a FortiGate unit with a private network behind it.


Figure 181: Load balance virtual IP for an IP address range

To add a load balance virtual IP for an IP address range
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In our example the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Name: Load_Bal_VIP
External Interface: wan1
Type: Load Balance
External IP Address/Range: The Internet IP address of the web server. The external IP address must be a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Map to IP/IP Range: The IP address of the servers on the internal network. Define the range by entering the first address of the range in the first field and the last address of the range in the second field.

Figure 182: Virtual IP options; load balancing virtual IP
4 Select OK.


To add a load balance virtual IP for an IP address range to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP address packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the external IP to the DMZ network IP addresses of the web servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone: wan1
Source Address Name: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address Name: Load_Bal_VIP
Schedule: always
Service: HTTP
Action: ACCEPT
3 Select NAT.
4 Select OK.

Adding a load balance port forwarding virtual IP for an IP address range and port range
Connections to 192.168.37.4 on the Internet are mapped to 10.10.10.42 through 10.10.10.44 on a private network. The IP address mapping is determined by the FortiGate unit’s load balancing algorithm. Ports 80 to 83 on 192.168.37.4 are mapped to 8000 through 8003, in sequence. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.4 rather than a FortiGate unit with a private network behind it.
Figure 183: Load balance virtual IP port forwarding for an IP address range and a port range example
To add a load balance virtual IP for an IP address range
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.


3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In our example the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Name: Load_Bal_VIP_port_forward
External Interface: wan1
Type: Load Balance
External IP Address/Range: The Internet IP address of the web server. The external IP address must be a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Map to IP/IP Range: The IP address of the servers on the internal network. Define the range by entering the first address of the range in the first field and the last address of the range in the second field.
Port Forwarding: Selected
Protocol: TCP
External Service Port: The ports that traffic from the Internet will use. For a web server, this will typically be port 80.
Map Port: The ports on which the server expects traffic. Define the range by entering the first port of the range in the first field and the last port of the range in the second field. If there is only one port, leave the second field blank.

Figure 184: Virtual IP options; load balancing port forwarding virtual IP
4 Select OK.
To add a load balance virtual IP for an IP address range to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP address packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the external IP to the DMZ network IP addresses of the web servers.
1 Go to Firewall > Policy and select Create New.


2 Configure the firewall policy:
Source Interface/Zone: wan1
Source Address Name: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address Name: Load_Bal_VIP_port_forward
Schedule: always
Service: HTTP
Action: ACCEPT
3 Select NAT.
4 Select OK.

Adding dynamic virtual IPs
Adding a dynamic virtual IP is similar to adding a virtual IP. The difference is that the External IP address must be set to 0.0.0.0 so the External IP address matches any IP address.
Figure 185: Add New Virtual IP Mapping - dynamic port forwarding
To add a dynamic virtual IP
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter a name for the dynamic virtual IP.
4 Select the virtual IP External Interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. Select any firewall interface or a VLAN subinterface.
5 Set the External IP Address to 0.0.0.0. The 0.0.0.0 External IP Address matches any IP address.
6 Enter the External Service Port number for which to configure dynamic port forwarding. The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides PPTP passthrough access from the Internet to a PPTP server, the external service port number should be 1723 (the PPTP port).

FortiGate Version 3.0 MR3 Administration Guide 01-30003-0203-20061124

291

Virtual IP Groups

Firewall Virtual IP

7 8

Enter the Map to IP address to which to map the external IP address. For example, the IP address of a PPTP server on an internal network. Enter the Map to Port number to be added to packets when they are forwarded. Enter the same number as the External Service Port if the port is not to be translated.

9

Select OK.
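The destination translation performed by the virtual IPs described above (a load balance virtual IP for a range of web servers, and a dynamic virtual IP whose External IP Address 0.0.0.0 matches any address), modelled in Python as an added example. This is not FortiGate code: the VIP name Load_Bal_VIP_port_forward and the PPTP port 1723 come from the procedures above, but the addresses are constructed, and round-robin selection of the mapped server is an assumption, since the page does not say how a server is chosen.

```python
"""Destination NAT as configured by a FortiGate virtual IP (VIP), modelled as an
added example: a static VIP (one external address to one internal address),
a load balance VIP (one external address to a range of servers) and a dynamic
VIP, whose External IP Address 0.0.0.0 matches any destination address.
Round-robin server selection and all addresses are assumptions."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class VirtualIP:
    name: str
    ext_intf: str                      # interface that receives the packets to be forwarded
    ext_ip: str                        # "0.0.0.0" means: match any destination address
    mapped_start: str                  # first (or only) internal address
    mapped_end: Optional[str] = None   # last internal address of a load balance VIP
    ext_port: Optional[int] = None     # None: no port forwarding, the port is kept
    mapped_port: Optional[int] = None  # port written into forwarded packets
    protocol: str = "tcp"
    _rr: int = field(default=0, init=False, repr=False)  # round-robin cursor (assumed)

    def servers(self) -> List[IPv4Address]:
        """All mapped addresses; a single-address VIP yields a list of one."""
        start = IPv4Address(self.mapped_start)
        end = IPv4Address(self.mapped_end or self.mapped_start)
        if end < start:
            raise ValueError(f"{self.name}: mapped range end is below its start")
        return [start + i for i in range(int(end) - int(start) + 1)]

    def matches(self, in_intf: str, dst_ip: str, dst_port: int, proto: str) -> bool:
        """True when a packet received on in_intf is one this VIP forwards."""
        if in_intf != self.ext_intf:
            return False
        if self.ext_ip != "0.0.0.0" and IPv4Address(dst_ip) != IPv4Address(self.ext_ip):
            return False
        if self.ext_port is not None and (proto != self.protocol or dst_port != self.ext_port):
            return False
        return True

    def translate(self, dst_port: int) -> Tuple[str, int]:
        """Pick the next mapped server and the port to forward to."""
        pool = self.servers()
        target = pool[self._rr % len(pool)]
        self._rr += 1
        new_port = self.mapped_port if self.ext_port is not None else dst_port
        return str(target), new_port


def apply_vips(vips, in_intf, dst_ip, dst_port, proto="tcp"):
    """Return (VIP name, new destination ip, new destination port) for the first
    matching VIP in list order, or None when no VIP applies. List more specific
    VIPs before a 0.0.0.0 VIP that uses the same port, or the wildcard wins."""
    for vip in vips:
        if vip.matches(in_intf, dst_ip, dst_port, proto):
            new_ip, new_port = vip.translate(dst_port)
            return vip.name, new_ip, new_port
    return None


if __name__ == "__main__":
    vips = [
        VirtualIP("Load_Bal_VIP_port_forward", "wan1", "203.0.113.10",
                  "10.10.10.11", "10.10.10.13", ext_port=80, mapped_port=8080),
        VirtualIP("pptp_dynamic", "wan1", "0.0.0.0", "10.10.10.50",
                  ext_port=1723, mapped_port=1723),
    ]
    for _ in range(4):                                        # cycles through the three servers
        print(apply_vips(vips, "wan1", "203.0.113.10", 80))
    print(apply_vips(vips, "wan1", "203.0.113.77", 1723))     # dynamic VIP: any address
    print(apply_vips(vips, "dmz1", "203.0.113.10", 80))       # wrong interface: untouched
```

The order of the list matters: a dynamic VIP with External IP 0.0.0.0 on port 80 would also match packets addressed to the load balance VIP's external address, so the more specific VIP is listed first.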

Virtual IP Groups
You can create virtual IP groups to facilitate firewall policy traffic control. For example, on the DMZ interface, if you have two email servers that use Virtual IP mapping, you can put these two VIPs into one VIP group and create one externalto-DMZ policy, instead of two policies, to control the traffic.

Viewing the VIP group list
To view the virtual IP group list, go to Firewall > Virtual IP > VIP Group.
Figure 186:VIP Group list

The VIP group list has the following icons and features:
Create New Select to add a new VIP group. See “Configuring VIP groups” on page 292.
Group Name The name of the virtual IP group.
Members Lists the group members.
Interface Displays the interface that the VIP group belongs to.
Delete icon Remove the VIP group from the list. The Delete icon only appears if the VIP group is not being used in a firewall policy.
Edit icon Edit the VIP group information, including the group name and membership.

Configuring VIP groups
To add a VIP group, go to Firewall > Virtual IP > VIP Group and select Create new. To edit a VIP group, go to Firewall > Virtual IP > VIP Group and select the Edit icon for the VIP group to edit.


Figure 187:Editing a VIP group

Configure the following settings and select OK:
Group Name Enter or modify the group name.
Interface Select the interface for which you want to create the VIP group. If you are editing the group, the Interface box is grayed out.
Available VIPs and Members Add or remove members.

IP pools
Use IP pools to add NAT policies that translate source addresses to addresses randomly selected from the IP pool rather than being limited to the IP address of the destination interface. An IP pool defines an address or a range of IP addresses, all of which respond to ARP requests on the interface to which the IP pool is added. With an IP pool added to the internal interface, you can select Dynamic IP pool for policies with the internal interface as the destination. An IP pool list appears when the policy destination interface is the same as the IP pool interface. Select Enable Dynamic IP Pool in a firewall policy to translate the source address of outgoing packets to an address randomly selected from the IP pool.

Add multiple IP pools to any interface and select the IP pool to use when configuring a firewall policy. IP pools are not available in Transparent mode.

If an IP address range is required, use either of the following formats.
• x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120
• x.x.x.[x-x], for example 192.168.110.[100-120]
A single IP address is entered normally; for example, 192.168.110.100 is a valid IP pool address.

IP pools and dynamic NAT
Use IP pools for dynamic NAT. For example, an organization might have purchased a range of Internet addresses but has only one Internet connection on the external interface of the FortiGate unit. Assign one of the organization’s Internet IP addresses to the external interface of the FortiGate unit. If the FortiGate unit is operating in NAT/Route mode, all connections from the network to the Internet appear to come from this IP address. For connections to originate from all the Internet IP addresses, add this address range to an IP pool for the external interface. Then select Dynamic IP Pool for all policies with the external interface as the destination. For each connection, the firewall dynamically selects an IP address from the IP pool to be the source address for the connection. As a result, connections to the Internet appear to be originating from any of the IP addresses in the IP pool.

IP Pools for firewall policies that use fixed ports
Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service. Select fixed port for NAT policies to prevent source port translation. However, selecting fixed port means that only one connection can be supported through the firewall for this service. To be able to support multiple connections, add an IP pool to the destination interface, and then select dynamic IP pool in the policy. The firewall randomly selects an IP address from the IP pool and assigns it to each connection. In this case the number of connections that the firewall can support is limited by the number of IP addresses in the IP pool.

Viewing the IP pool list
If virtual domains are enabled on the FortiGate unit, IP pools are created separately for each virtual domain. To access IP pools, select a virtual domain from the list on the main menu. To view the IP pool list, go to Firewall > Virtual IP > IP Pool.
Figure 188:IP pool list

The IP pool list has the following icons and features:
Create New Select to add an IP pool.
Name The name of the IP pool.
Start IP The start IP defines the start of an address range.
End IP The end IP defines the end of an address range.
Delete icon Select to remove the entry from the list. The Delete icon only appears if the IP pool is not being used in a firewall policy.
Edit icon Select to edit the following information: Name, Interface, IP Range/Subnet.

Configuring IP Pools
To add an IP pool, go to Firewall > Virtual IP > IP Pool.
Figure 189:New Dynamic IP Pool
Name Enter or change the name for the IP pool.
Interface Select the interface to which to add an IP pool.
IP Range/Subnet Enter the IP address range for the IP pool. The IP range defines the start and end of an address range. The start of the range must be lower than the end of the range. The IP range does not have to be on the same subnet as the IP address of the interface to which the IP pool is being added.
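The IP pool address formats and the fixed-port behaviour described above, worked through in Python as an added example (this is not the FortiGate implementation). parse_ip_pool accepts the three formats the section lists and enforces the start-below-end rule; SourceNat shows why a fixed-port policy supports only one connection per service per address, and why adding an IP pool raises that limit to the number of addresses in the pool. Pool addresses are taken in order here for a repeatable demonstration, whereas the page describes random selection; all IP addresses are constructed.

```python
"""IP pool parsing and dynamic source NAT, as an added example of the IP pool
section (not FortiGate code). Sequential pool selection and all addresses are
assumptions made for a repeatable demonstration."""
import re
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

_RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")
_BRACKET = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){2})\.\[(\d{1,3})-(\d{1,3})\]$")


def parse_ip_pool(spec: str) -> List[IPv4Address]:
    """Expand 'a.b.c.d-a.b.c.e', 'a.b.c.[d-e]' or a single 'a.b.c.d' into addresses."""
    spec = spec.strip()
    if (m := _RANGE.match(spec)):
        start, end = IPv4Address(m.group(1)), IPv4Address(m.group(2))
    elif (m := _BRACKET.match(spec)):
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not (0 <= lo <= 255 and 0 <= hi <= 255):
            raise ValueError(f"last octet out of range in {spec!r}")
        start, end = IPv4Address(f"{prefix}.{lo}"), IPv4Address(f"{prefix}.{hi}")
    else:
        start = end = IPv4Address(spec)      # raises AddressValueError if malformed
    if start > end:
        raise ValueError(f"start of range must be lower than end: {spec!r}")
    return [start + i for i in range(int(end) - int(start) + 1)]


Flow = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)


class SourceNat:
    """Source NAT for one policy: translate the source address to a pool address
    and, unless fixed port is selected, the source port to a free port."""

    def __init__(self, pool: List[IPv4Address], fixed_port: bool):
        self.pool = pool
        self.fixed_port = fixed_port
        # translated (ip, port, dst ip, dst port) -> original flow; must be unique
        self.active: Dict[Tuple[IPv4Address, int, str, int], Flow] = {}
        self._next_port = 1024

    def _free_port(self) -> int:
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def allocate(self, flow: Flow) -> Optional[Tuple[str, int]]:
        """Return (translated src ip, translated src port), or None when every
        pool address is already in use for this destination with a fixed port."""
        _src_ip, src_port, dst_ip, dst_port = flow
        for addr in self.pool:
            port = src_port if self.fixed_port else self._free_port()
            key = (addr, port, dst_ip, dst_port)
            if key not in self.active:
                self.active[key] = flow
                return str(addr), port
        return None


if __name__ == "__main__":
    # Three PPTP clients, all using source port 1723 to the same server.
    clients = [("10.0.0.1", 1723, "198.51.100.5", 1723),
               ("10.0.0.2", 1723, "198.51.100.5", 1723),
               ("10.0.0.3", 1723, "198.51.100.5", 1723)]
    one_address = SourceNat(parse_ip_pool("203.0.113.10"), fixed_port=True)
    print("fixed port, interface address only:", [one_address.allocate(c) for c in clients])
    with_pool = SourceNat(parse_ip_pool("203.0.113.[10-11]"), fixed_port=True)
    print("fixed port, two-address pool:      ", [with_pool.allocate(c) for c in clients])
    port_nat = SourceNat(parse_ip_pool("203.0.113.10"), fixed_port=False)
    print("port translation, one address:     ", [port_nat.allocate(c) for c in clients])
```

With fixed port and a single address the second client is refused, with a two-address pool the third is, and with port translation all three get through on different ports: the number of fixed-port connections to one service is bounded by the pool size, exactly as the section states.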

Firewall Protection Profile
This section describes how to add protection profiles to NAT/Route mode and Transparent mode policies. Using protection profiles, you can customize types and levels of protection for different firewall policies. For example, while traffic between internal and external addresses might need strict protection, traffic between trusted internal addresses might need moderate protection. Configure policies for different traffic services to use the same or different protection profiles.

Use protection profiles to:
• Configure antivirus protection for HTTP, FTP, IMAP, POP3, SMTP, and IM policies.
• Configure web filtering for HTTP and HTTPS policies.
• Configure web category filtering for HTTP and HTTPS policies.
• Configure spam filtering for IMAP, POP3, and SMTP policies.
• Enable IPS for all services.
• Configure content archiving for HTTP, HTTPS, FTP, IMAP, POP3, SMTP, and IM policies.
• Configure IM filtering and access control for AIM, ICQ, MSN, and Yahoo instant messaging.
• Configure P2P access and bandwidth control for Bit Torrent, eDonkey, Gnutella, Kazaa, Skype, and WinNY peer to peer clients.
• Configure which protection profile actions will be logged.

Since protection profiles apply different protection settings to traffic controlled by firewall policies, you can tailor the settings to the type of traffic each policy handles. If virtual domains are enabled on the FortiGate unit, protection profiles are configured globally and are available to all virtual domains. To access protection profiles, go to Global Configuration > Firewall > Protection Profile.

The following topics are included in this section:
• What is a protection profile
• Viewing the protection profile list
• Default protection profiles
• Configuring a protection profile
• Adding a protection profile to a policy
• Protection profile CLI configuration

What is a protection profile
A protection profile is a group of settings you can adjust to suit a particular purpose.

Viewing the protection profile list
To view the protection profile list, go to Firewall > Protection Profile.
Figure 190:Default protection profiles

The Protection Profile list has the following icons and features:
Create New Select to add a protection profile.
Name The name of the protection profile.
Delete Select to remove a protection profile from the list. The Delete icon is only available if the profile is not being used in a firewall policy.
Edit Select to modify a protection profile.

Note: A protection profile cannot be deleted (the Delete icon is not visible) if it is selected in a firewall policy or included in a user group.

Default protection profiles
The FortiGate unit is preconfigured with four protection profiles.
Strict Apply maximum protection to HTTP, FTP, IMAP, POP3, and SMTP traffic. The strict protection profile may not be useful under normal circumstances but it is available when maximum protection is required. Quarantine is also selected for all content services. On FortiGate models with a hard drive, if antivirus scanning finds a virus in a file, the file is quarantined on the FortiGate hard disk. If required, system administrators can recover quarantined files.
Scan Apply virus scanning to HTTP, FTP, IMAP, POP3, and SMTP traffic.
Web Apply virus scanning and web content blocking to HTTP traffic. Add this protection profile to firewall policies that control HTTP traffic.
Unfiltered Apply no scanning, blocking or IPS. Use the unfiltered content profile if no content protection for content traffic is required. Add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.

Configuring a protection profile
If the default protection profiles do not provide the settings required, create custom protection profiles. To add a protection profile, go to Firewall > Protection Profile and select Create New.

Figure 191:New Protection Profile
Profile Name Enter a name for the protection profile.
Comments If required, enter a description of the profile.
AntiVirus See “Antivirus options” on page 299.
Web Filtering See “Web filtering options” on page 301.
FortiGuard-Web Filtering See “FortiGuard-Web filtering options” on page 302.
Spam Filtering See “Spam filtering options” on page 303.
IPS See “IPS options” on page 305.
Content Archive See “Content archive options” on page 305.
IM & P2P See “IM and P2P options” on page 306.
Logging See “Logging options” on page 307.

Antivirus options
Figure 192:Protection profile antivirus options

Note: NNTP options cannot be selected. Support will be added in the future.

Note: If both Virus Scan and File Block are enabled, the FortiGate unit blocks files matching enabled file patterns before they are scanned for viruses.

The following options are available for antivirus through the protection profile.
Virus Scan Enable or disable virus scanning for each protocol (HTTP, FTP, IMAP, POP3, SMTP, IM). Grayware, if enabled in AntiVirus > Config > Grayware, is included with the Virus Scan. Heuristic, if enabled with the CLI, is also included with the Virus Scan. Note that streaming mode is enabled automatically when you enable virus scanning.
File Pattern Enable or disable file pattern processing for each protocol. Files can be blocked or allowed by name, extension, or any other pattern. File pattern processing provides the flexibility to block files that may contain harmful content. File pattern drop-down list: Select which file pattern list will be used with this protection profile. The default file pattern list is called builtin-patterns.
Quarantine (log disk required) Enable or disable quarantine for each protocol. Quarantine suspect files to view them or submit files to Fortinet for analysis. The quarantine option is not displayed in the protection profile if the FortiGate does not have a hard drive or a configured FortiAnalyzer unit.
Pass fragmented emails Enable or disable passing fragmented email for mail protocols (IMAP, POP3, SMTP). Fragmented email cannot be scanned for viruses.
Comfort Clients Enable or disable client comforting for HTTP and FTP traffic. Client comforting provides a visual status for files that are being buffered for downloads using HTTP and FTP. Users can observe web pages being drawn or file downloads progressing. If disabled, users have no indication the FortiGate unit is buffering the download and they may cancel the transfer thinking it has failed.
Interval The time in seconds before client comforting starts after the download has begun. It is also the time between subsequent intervals.
Amount The number of bytes sent at each interval.
Oversized File/Email Select block or pass for files and email messages exceeding configured thresholds for each protocol. The maximum threshold for scanning in memory is 10% of the FortiGate unit RAM.
Threshold If the file is larger than the threshold value in megabytes, the file is passed or blocked, as set in the Oversized File/Email drop down.
Add signature to outgoing emails Create and enable a signature to append to outgoing email (SMTP only).

Note: For email scanning, the oversize threshold refers to the final size of the email after encoding by the email client, including attachments. Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the configured oversize threshold.

See “AntiVirus” on page 355 for more antivirus configuration options.
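The base64 note above, worked through as an added example (not FortiGate code): the threshold is applied to the encoded message, and base64 turns every 3 bytes into 4 characters plus line breaks, so an 8 MB attachment exceeds a 10 MB threshold. The 76-character MIME line length with CRLF line endings is the common convention rather than a FortiGate setting, the attachment and threshold values are constructed, and treating a "megabyte" as 1024 × 1024 bytes is an assumption.

```python
"""Encoded size of an email attachment versus the oversize threshold. Added
example; MIME line length (76) and CRLF endings are the usual convention, and
the binary megabyte is an assumption."""
import base64
import math

MB = 1024 * 1024   # assumption: the threshold in megabytes is binary (MiB)


def base64_size(raw_bytes: int, line_length=76, newline_len=2) -> int:
    """Size in bytes of raw_bytes of binary data after base64 encoding.
    line_length=None gives the bare encoded length, 4 * ceil(n / 3)."""
    if raw_bytes < 0:
        raise ValueError("size cannot be negative")
    encoded = 4 * math.ceil(raw_bytes / 3)
    if line_length is None or encoded == 0:
        return encoded
    lines = math.ceil(encoded / line_length)      # every line, including the last, is terminated
    return encoded + lines * newline_len


def oversize_decision(attachment_bytes: int, threshold_mb: int, action_when_oversized="block"):
    """Return (action, encoded_size): 'pass' when the encoded attachment fits
    within the threshold, otherwise the configured Oversized File/Email action."""
    encoded = base64_size(attachment_bytes)
    if encoded > threshold_mb * MB:
        return action_when_oversized, encoded
    return "pass", encoded


def largest_attachment_under(threshold_mb: int) -> int:
    """Largest raw attachment (bytes) whose encoded form stays within threshold_mb,
    found by binary search since base64_size is monotonic."""
    lo, hi = 0, threshold_mb * MB
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if base64_size(mid) <= threshold_mb * MB:
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    # Cross-check the formula against the standard library on a small input.
    assert len(base64.b64encode(bytes(100))) == base64_size(100, line_length=None)
    for size_mb in (6, 7, 8):
        action, encoded = oversize_decision(size_mb * MB, threshold_mb=10)
        print(f"{size_mb} MB attachment -> {encoded / MB:.2f} MB encoded -> {action}")
    print(f"largest attachment under a 10 MB threshold: "
          f"{largest_attachment_under(10) / MB:.2f} MB")
```

An 8 MB attachment becomes about 10.95 MB on the wire and is blocked by a 10 MB threshold, while a 7 MB attachment (about 9.58 MB encoded) passes; the usable attachment size is roughly three quarters of the configured threshold.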


Web filtering options
Figure 193:Protection profile web filtering options

The following options are available for web filtering through the protection profile.
Web Content Block Enable or disable web page blocking for HTTP traffic based on the content block patterns in the content block list. Web content block drop-down list: Select which content block list will be used with this protection profile. Threshold: If the combined scores of the content block patterns appearing on a web page exceed the threshold value, the page will be blocked. See “Viewing the web content block list” on page 385 for details.
Web Content Exempt Enable or disable the override of web content block based on the content exempt patterns in the content exempt list. Web content exempt drop-down list: Select which content exempt list will be used with this protection profile.
Web URL Filter Enable or disable web page filtering for HTTP and HTTPS traffic based on the URL list. Web URL filter drop-down list: Select which web URL filter list will be used with this protection profile.
ActiveX Filter Enable blocking of ActiveX controls.
Cookie Filter Enable blocking of cookies.
Java Applet Filter Enable blocking of Java applets.
Web resume download block Enable to block downloading parts of a file that have already been partially downloaded. Enabling this option will prevent the unintentional download of virus files hidden in fragmented files. Note that some types of files, such as PDFs, are fragmented to increase download speed. Enabling this option can cause download interruptions with these types of file.
Block Invalid URLs The FortiGate unit can perform validation on the CN to ensure that it is a valid hostname before applying web filtering. If the CN is not a valid hostname, the traffic will be blocked if you enable this option.

See “Web Filter” on page 381 for more web filter configuration options.


FortiGuard-Web filtering options
Figure 194:Protection profile FortiGuard-Web web filtering options

The following options are available for web category filtering through the protection profile.
Enable FortiGuard-Web Filtering Enable FortiGuard-Web™ category blocking.
Enable FortiGuard-Web Filtering Overrides Enable category overrides. When selected, a list of groups is displayed. If no groups are available, the option is grayed out. For more information about overrides, see “Viewing the override list” on page 393 and “Configuring override rules” on page 394. For more information about groups, see “User group” on page 347.
Provide details for blocked HTTP 4xx and 5xx errors (HTTP only) Display a replacement message for 400 and 500-series HTTP errors. If the error is allowed through, malicious or objectionable sites can use these common error pages to circumvent web category blocking.
Rate images by URL (blocked images will be replaced with blanks) (HTTP only) Block images that have been rated by FortiGuard. Blocked images are replaced on the originating web pages with blanks. Image types that are rated are GIF, JPEG, PNG, BMP, and TIFF.
Allow websites when a rating error occurs Allow web pages that return a rating error from the web filtering service. This is a fail-open setting: while the rating service cannot be reached, category blocking is not enforced for the affected requests.
Strict Blocking When enabled, web site access is disallowed if any classification or category matches the block rating or lists. When disabled, web site access is allowed if any classification or category matches the allowed list. This option is enabled by default.


Rate URLs by domain and IP address When enabled, this option sends both the URL and the IP address of the requested site for checking, providing additional security against attempts to bypass the FortiGuard system. However, because IP rating is not updated as quickly as URL rating, some false ratings may occur. This option is disabled by default.
Category The FortiGuard-Web content filtering service provides many categories by which to filter web traffic. Set the action to take on web pages for each category. Choose from allow, block, monitor, or allow override.
Classification Classifications block whole classes of web sites. Web sites that provide cached content, Google for example, can be blocked. Web sites that allow image, audio, or video searches can also be blocked. Web sites that are classified are also rated in one of the categories or are unrated. Choose from allow, block, monitor, or allow override.

See “FortiGuard - Web Filter” on page 393 for more category blocking configuration options.

Spam filtering options
Figure 195:Protection profile spam filtering options

Note: NNTP options cannot be selected. Support will be added in the future.


The following options are available for spam filtering through the protection profile.
FortiGuard-Antispam IP address check Enable or disable the FortiGuard-Antispam™ filtering IP address blacklist. FortiGuard-Antispam check extracts the SMTP mail server source address and sends the IP address to a FortiGuard-Antispam server to see if this IP address matches the list of known spammers. If the IP address is found, FortiGuard-Antispam terminates the session. If FortiGuard-Antispam does not find a match, the mail server sends the email to the recipient. See “FortiGuard-Antispam Service” on page 160 for more information about this service.
URL check Enable or disable the FortiGuard-Antispam spam filtering URL blacklist. FortiGuard-Antispam checks the body of email messages to extract any URL links. These URL links are sent to a FortiGuard-Antispam server to see if any are listed. Spam messages often contain URL links to advertisements (also called spamvertizing). If a URL match is found, FortiGuard-Antispam terminates the session. If FortiGuard-Antispam does not find a match, the mail server sends the email to the recipient. See “FortiGuard-Antispam Service” on page 160 for more information about this service.
E-mail checksum check Enable or disable the FortiGuard-Antispam e-mail message checksum blacklist. If enabled, this filter calculates the checksum of an email message and sends this checksum to the FortiGuard servers to determine if the checksum is in the blacklist. The FortiGate unit then passes or marks/blocks the email message according to the server response.
Spam submission When enabled, all e-mail messages marked as spam have a link added to the message body. If an email message is not spam, simply click the link in the message to inform FortiGuard of the false positive.
IP address BWL check Black/white list check. Enable or disable checking incoming IP addresses against the configured spam filter IP address list. (SMTP only.) IP address BWL check drop-down list: Select which IP address black/white list will be used with this protection profile.
HELO DNS lookup Enable or disable looking up the source domain name (from the SMTP HELO command) in the Domain Name Server.
E-mail address BWL check Enable or disable checking incoming email addresses against the configured spam filter email address list. E-mail address BWL check drop-down list: Select which email address black/white list will be used with this protection profile.
Return e-mail DNS check Enable or disable checking that the domain specified in the reply-to or from address has an A or MX record.
Banned word check Enable or disable checking source email against the configured spam filter banned word list. Banned word check drop-down list: Select which banned word list will be used with this protection profile. Threshold: If the combined scores of the banned word patterns appearing in an email message exceed the threshold value, the message will be processed according to the Spam Action setting. See “Viewing the antispam banned word list” on page 405 for details.


Spam Action Action the spam filter will take. Tagged allows you to append a custom tag to the subject or header of email identified as spam. For SMTP, if you have virus scan or streaming mode (also known as splice) enabled, you will only be able to discard spam email. (Note that streaming mode is enabled automatically when you enable virus scanning.) Discard immediately drops the connection. Without streaming mode or scanning enabled, you can choose to tag or discard SMTP spam. You can tag email by adding a custom word or phrase to the subject or inserting a MIME header and value into the email header. You can choose to log any spam action in the event log.
Append to Append the tag to the subject or MIME header of the email identified as spam.
Append with Enter a word or phrase (tag) to append to email identified as spam. The maximum length is 63 characters.

Note: Some popular email clients cannot filter messages based on the MIME header. Check email client features before deciding how to tag spam.

See “Antispam” on page 401 for more spam filter configuration options. To configure the FortiGuard Anti-spam service, see “Configuring the FortiGate unit for FDN and FortiGuard services” on page 160.
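The threshold rule shared by Web Content Block (page 301) and Banned word check, together with the Tagged spam action, shown in Python as an added example rather than FortiGate code. The page only states that the combined score of the matching patterns is compared with the threshold; counting each matching pattern once per message or page is an assumption, as are the header name X-Spam-Tag, the pattern scores and the sample message, which are all constructed.

```python
"""Threshold scoring for banned words / web content block patterns and the
Tagged spam action. Added example, not FortiGate code: one score per matching
pattern, the X-Spam-Tag header name and the sample message are assumptions."""
import email
import re
from email.message import Message
from typing import Dict, List, Tuple

MAX_TAG_LEN = 63   # limit for the Append with tag, as stated in the section


def content_score(text: str, patterns: Dict[str, int]) -> Tuple[int, List[str]]:
    """Sum the scores of the patterns present in text (case-insensitive, whole
    words). Returns (total score, matched patterns)."""
    total, hits = 0, []
    for pattern, score in patterns.items():
        if re.search(r"\b" + re.escape(pattern) + r"\b", text, re.IGNORECASE):
            total += score
            hits.append(pattern)
    return total, hits


def is_over_threshold(text: str, patterns: Dict[str, int], threshold: int) -> bool:
    """The rule used by both options: act only when the score exceeds the threshold."""
    return content_score(text, patterns)[0] > threshold


def message_text(msg: Message) -> str:
    """Collect the decoded text of every text/* part of a MIME message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def tag_spam(msg: Message, tag: str, append_to: str = "subject") -> Message:
    """Spam Action 'Tagged': put the tag in the Subject or in a MIME header."""
    if len(tag) > MAX_TAG_LEN:
        raise ValueError(f"tag longer than {MAX_TAG_LEN} characters")
    if append_to == "subject":
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = f"{tag} {subject}".strip()
    elif append_to == "header":
        msg["X-Spam-Tag"] = tag          # header name is an assumption
    else:
        raise ValueError("append_to must be 'subject' or 'header'")
    return msg


def filter_message(raw: str, patterns: Dict[str, int], threshold: int,
                   tag: str = "[SPAM]", append_to: str = "subject") -> Tuple[str, Message]:
    """Return ('tagged', message) when the banned word score exceeds the
    threshold, else ('clean', message)."""
    msg = email.message_from_string(raw)
    if is_over_threshold(message_text(msg), patterns, threshold):
        return "tagged", tag_spam(msg, tag, append_to)
    return "clean", msg


# Constructed sample message and pattern list with scores.
SAMPLE = """From: promo@example.net
To: user@example.com
Subject: hello
Content-Type: text/plain; charset="utf-8"

Claim your free lottery prize today. Free shipping on every order!
"""
PATTERNS = {"lottery": 8, "free": 5, "prize": 3, "invoice": 1}

if __name__ == "__main__":
    print(content_score(message_text(email.message_from_string(SAMPLE)), PATTERNS))
    verdict, tagged = filter_message(SAMPLE, PATTERNS, threshold=10)
    print(verdict, "->", tagged["Subject"])
    verdict, tagged = filter_message(SAMPLE, PATTERNS, threshold=10, tag="spam", append_to="header")
    print(verdict, "->", tagged["X-Spam-Tag"], "/", tagged["Subject"])
    # The same scorer applies to a fetched web page for Web Content Block.
    print(is_over_threshold("<p>free lottery tickets</p>", PATTERNS, threshold=10))
```

A score equal to the threshold does not trigger the action; the page says "exceed", and the example follows that. Tagging in a MIME header keeps the Subject intact for clients that can filter on headers, which is why the section warns to check the client before choosing the header option.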

IPS options
Figure 196:Protection profile IPS options

The following options are available for IPS through the protection profile.
IPS Signature Select one or more IPS signature severity levels for this profile. Options are Critical, High, Medium, Low, and Information. Signatures with severity levels that have not been selected are not triggered.
IPS Anomaly Select one or more IPS anomaly severity levels for this profile. Options are Critical, High, Medium, Low, and Information. Anomalies with severity levels that have not been selected are not triggered.

See “Intrusion Protection” on page 369 for more IPS configuration options.

Content archive options
To be able to access all content archiving options, a FortiAnalyzer unit must be configured and logging to the FortiAnalyzer must be enabled. For more information, see “Logging to a FortiAnalyzer unit” on page 429.
Figure 197:Protection profile content archive options


Note: NNTP and file archiving options cannot be selected. Support will be added in the future.

The following options are available for content archive through the protection profile.
Display content meta-information on the system dashboard Enable to have meta-information for each type of traffic display in the Content Summary section of the FortiGate status page. View statistics for HTTP traffic, HTTPS traffic, FTP traffic, and email message traffic (IMAP, POP3, and SMTP combined).
Archive to FortiAnalyzer Select one from the following three options: None: No archiving. Summary: Archiving content meta-information to a FortiAnalyzer unit for each protocol. Content meta-information can include date and time, source and destination information, request and response size, and scan result. Content archive is only available if FortiAnalyzer is enabled under Log&Report > Log Config > Log Setting. Full: Archiving copies of downloaded files for HTTP and FTP, or copies of all email messages for IMAP, POP3, and SMTP. Note that full archiving stores complete copies of user files and mail on the FortiAnalyzer unit, which then holds the same sensitive content as the traffic itself and must be protected accordingly.
Archive SPAMed emails to FortiAnalyzer Enable to save spam email messages together with normal email messages. By default, spam email messages are not archived.
Archive IM to FortiAnalyzer (AIM, ICQ, MSN, Yahoo!) Select one from the following three options: None: No archiving. Summary: Logging summary information for IM protocols: AIM, ICQ, MSN, and Yahoo. Summary information can include date and time, source and destination information, request and response size, and scan result. Full: Archiving full chat information for IM protocols to a FortiAnalyzer unit for each protocol. Content archive is only available if FortiAnalyzer is enabled under Log&Report > Log Config > Log Setting. Note: You must enable IM options in the IM & P2P section of the protection profile for content archiving to function.

IM and P2P options
Figure 198:Protection profile IM and P2P options

The following options are available for IM and P2P through the protection profile.
Block Login Enable to prevent instant message users from logging in to AIM, ICQ, MSN, and Yahoo services.
Block File Transfers Enable to block file transfers for AIM, ICQ, MSN, and Yahoo protocols.
Block Audio Enable to block audio for AIM, ICQ, MSN, and Yahoo protocols.
Inspect Non-standard Port Enable inspection of non-standard ports for IM traffic.
Action Pass, block, or rate limit P2P transfers for BitTorrent, eDonkey, Gnutella, Kazaa, and WinNY protocols. Skype transfers can be passed or blocked, but not rate limited.
Limit (KBytes/s) Specify the bandwidth limit for BitTorrent, eDonkey, Gnutella, Kazaa, and WinNY protocols if Action is set to rate limit.

Changes to IM protection profile options, while IM users are logged in, will take effect only upon their next login. Enabling Block Login, for example, cannot be used to disconnect currently logged in users. See “IM/P2P” on page 417 for more IM configuration options.

Logging options
Figure 199:Protection profile logging options

The following options are available for logging through the protection profile:
Antivirus
Viruses Enable logging of viruses detected by virus scanning.
Blocked Files Enable logging of blocked files.
Oversized Files/Emails Enable logging of oversized files and email messages.
Web Filtering
Content Block Enable logging of content blocking.
URL Block Enable logging of blocked and exempted URLs.
ActiveX Filter Enable logging of blocked ActiveX controls.
Cookie Filter Enable logging of blocked cookies.
Java Applet Filter Enable logging of blocked Java applets.
FortiGuard Web Filtering
Log rating errors (HTTP only) Enable logging of rating errors.
Spam Filtering
Log Spam Enable logging of spam detected.
IPS
Log Intrusions Enable logging of signature and anomaly intrusions.


IM and P2P
Log IM Activity Enable logging of IM activity.
Log P2P Activity Enable logging of P2P activity.

For more information about logging, see “Log&Report” on page 427.

Adding a protection profile to a policy
Enable protection profiles for firewall policies with action set to ACCEPT or IPSEC and with service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services. If virtual domains are enabled on the FortiGate unit, protection profiles must be added to policies in each virtual domain. To access the policy, select a virtual domain from the main menu.
1 Go to Firewall > Policy.
2 Select a policy list to which to add a protection profile. For example, to enable network protection for files downloaded from the web by internal network users, select an internal to external policy list.
3 Select Create New to add a policy, or select Edit for the policy to modify.
4 Select Protection Profile.
5 Select a protection profile from the list.
6 Configure the remaining policy settings, if required.
7 Select OK.
8 Repeat this procedure for any policies for which to enable network protection.

Protection profile CLI configuration
Note: For complete descriptions and examples of how to use CLI commands, see the FortiGate CLI Reference.

config firewall profile
Use the config firewall profile CLI command to add, edit or delete protection profiles. Use protection profiles to apply different protection settings for traffic controlled by firewall policies.


VPN IPSEC
This section provides information about policy-based (tunnel-mode) and route-based (interface mode) Internet Protocol Security (IPSec) VPN options available through the web-based manager. FortiGate units implement the Encapsulating Security Payload (ESP) protocol. The encrypted packets look like ordinary packets that can be routed through any IP network. Internet Key Exchange (IKE) is performed automatically based on pre-shared keys or X.509 digital certificates. As an option, you can specify manual keys. Manual keys are never renegotiated, so a manual-key tunnel has no forward secrecy and a disclosed key exposes all traffic ever protected with it; use IKE unless a peer cannot support it. Interface mode is supported in NAT/Route mode only. It creates a virtual interface for the local end of a VPN tunnel.

The following topics are included in this section:
• Overview of IPSec interface mode
• Auto Key
• Manual Key
• Concentrator
• Monitor

Overview of IPSec interface mode
When you define a route-based (interface mode) IPSec tunnel, a virtual IPSec interface is created automatically. Regardless of whether you choose to have IKE keys generated automatically or you specify the keys manually, the virtual IPSec interface is created as a subinterface to the local FortiGate physical, aggregate, or VLAN interface that you select when you define IPSec phase 1 parameters. An IPSec virtual interface is considered to be up when it can establish a phase 1 connection with a VPN peer or client. However, the virtual IPSec interface cannot be used to send traffic through a tunnel until it is bound to a phase 2 definition. Virtual IPSec interface bindings are shown on the System > Network > Interface page. The names of all tunnels bound to physical interfaces are displayed under their associated physical interface names in the Name column. For more information about the Interface page, see “Interface” on page 67.

Note: You can bind a virtual IPSec interface to a zone.

After an IPSec virtual interface has been bound to a tunnel, traffic can be routed to the interface using specific metrics for both static routes and policy routes. In addition, you can create a firewall policy having the virtual IPSec interface as the source or destination interface.


When IP traffic that originates from behind a local FortiGate unit reaches an outbound FortiGate interface that acts as the local end of an IPSec tunnel (that is, IPSec interface mode is enabled on the interface), the FortiGate unit determines if an IPSec virtual interface is associated with the physical interface through selectors in the traffic. If the traffic matches predefined selectors, the traffic is encrypted and sent through the VPN tunnel. When encapsulated traffic from a remote VPN peer or client reaches a local FortiGate physical interface, it is decapsulated and forwarded to the IPSec virtual interface.

Two firewall policies are needed to support bidirectional traffic through a route-based IPSec tunnel: one to control traffic in the outbound direction, and the other to control traffic in the inbound direction. In the outbound direction, the FortiGate unit performs a route lookup to find the interface through which it must forward traffic to reach the next hop router. If the FortiGate unit finds a route through a virtual interface that is bound to a specific VPN tunnel, the traffic is encapsulated by the tunnel and forwarded through the physical interface to which the IPSec virtual interface is bound. In the inbound direction, the FortiGate unit identifies a VPN tunnel using the destination IP address and the Security Parameter Index (SPI) in the ESP datagram to match a phase 2 Security Association (SA). If a matching SA is found, the datagram is decrypted and the associated IP traffic is redirected through the IPSec virtual interface.

The firewall policy associated with a specific path is responsible for controlling all IP traffic passing between the source and destination addresses. If required, you can configure more than one firewall policy to regulate the flow of traffic going into and/or emerging from a route-based VPN tunnel. For dialup, the same interface can be both source and destination.

Route-based VPNs help to simplify the implementation of VPN tunnel redundancy. You can configure a route for the same IP traffic using different route metrics. If the primary VPN connection fails or the priority of a route changes through dynamic routing, an alternative route will be selected to forward traffic using the redundant connection. You can also configure the exchange of dynamic (RIP, OSPF, or BGP) routing information through VPN tunnels.

You can create the equivalent of a tunnel-mode concentrator in any of the following ways:
• Define a firewall policy between each pair of IPSec interfaces that you want to concentrate. This can become tedious if you have many site-to-site connections.
• Put all the IPSec interfaces into a zone and then define a single zone-to-zone policy.
• Put all the IPSec interfaces in a zone and enable intra-zone traffic. There must be more than one IPSec interface.

Auto Key

Two VPN peers (or a FortiGate dialup server and a VPN client) can be configured to generate unique Internet Key Exchange (IKE) keys automatically during the IPSec phase 1 and phase 2 exchanges. To configure the FortiGate unit to generate unique keys automatically in phase 1 and phase 2, go to VPN > IPSEC > Auto Key (IKE).
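As an added example (not FortiGate code, and not the unit's actual forwarding path), the following Python model exercises the two directions just described: an outbound route lookup that prefers the usable virtual IPSec interface with the best metric and fails over to a backup tunnel when the primary tunnel's phase 1 drops, and an inbound lookup that matches the destination IP address and SPI of an ESP datagram to a phase 2 SA and then applies a 64-packet anti-replay window (the check that the Enable replay detection option in the phase 2 advanced settings turns on). Interface names, addresses and the SPI are constructed; the ESP datagrams carry only the header, with no encryption.

```python
import ipaddress
import struct
from dataclasses import dataclass

ESP_HEADER = struct.Struct("!II")  # ESP header: SPI, then sequence number
REPLAY_WINDOW = 64                  # RFC 4303 minimum anti-replay window


@dataclass
class VirtualIface:
    name: str           # phase 1 name; also the name of the virtual interface
    physical: str       # physical interface the tunnel is bound to
    phase1_up: bool     # the interface is up once phase 1 is established
    phase2_bound: bool  # traffic cannot flow until a phase 2 is bound

    def usable(self) -> bool:
        return self.phase1_up and self.phase2_bound


@dataclass
class InboundSA:
    iface: str          # virtual interface decrypted traffic is redirected to
    replay_check: bool = True
    highest_seq: int = 0
    seen: int = 0       # bitmap: bit i set means highest_seq - i was received

    def accept_seq(self, seq: int) -> bool:
        """Sliding-window anti-replay check: True if seq is new and in window."""
        if not self.replay_check:
            return True
        if seq == 0:
            return False                     # ESP never uses sequence number 0
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            mask = (1 << REPLAY_WINDOW) - 1
            self.seen = 1 if shift >= REPLAY_WINDOW else ((self.seen << shift) | 1) & mask
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= REPLAY_WINDOW or self.seen & (1 << diff):
            return False                     # too old, or already seen
        self.seen |= 1 << diff
        return True


class RouteBasedVpn:
    def __init__(self):
        self.ifaces = {}   # name -> VirtualIface
        self.routes = []   # (prefix, virtual interface name, metric)
        self.sas = {}      # (local IP, SPI) -> InboundSA

    def add_iface(self, v: VirtualIface):
        self.ifaces[v.name] = v

    def add_route(self, prefix: str, iface: str, metric: int):
        self.routes.append((ipaddress.IPv4Network(prefix), iface, metric))

    def add_sa(self, local_ip: str, spi: int, iface: str, replay_check=True):
        self.sas[(local_ip, spi)] = InboundSA(iface, replay_check)

    def outbound(self, dst_ip: str):
        """Route lookup: longest prefix, then lowest metric, over usable tunnels.
        Returns (virtual interface, physical interface) or None."""
        dst = ipaddress.IPv4Address(dst_ip)
        usable = [r for r in self.routes if dst in r[0] and self.ifaces[r[1]].usable()]
        if not usable:
            return None
        _prefix, name, _metric = max(usable, key=lambda r: (r[0].prefixlen, -r[2]))
        return name, self.ifaces[name].physical

    def inbound(self, local_ip: str, datagram: bytes):
        """Match (destination IP, SPI) to an SA, run the replay check and
        return ("forward", virtual interface) or ("drop", reason)."""
        if len(datagram) < ESP_HEADER.size:
            return ("drop", "short datagram")
        spi, seq = ESP_HEADER.unpack_from(datagram)
        sa = self.sas.get((local_ip, spi))
        if sa is None:
            return ("drop", "no SA for destination/SPI")
        if not sa.accept_seq(seq):
            return ("drop", "replayed or stale sequence number")
        return ("forward", sa.iface)


def build_esp(spi: int, seq: int, payload: bytes = b"") -> bytes:
    """Constructed ESP datagram: header only, payload left unencrypted."""
    return ESP_HEADER.pack(spi, seq) + payload


def demo():
    vpn = RouteBasedVpn()
    vpn.add_iface(VirtualIface("to_hq_primary", "wan1", True, True))
    vpn.add_iface(VirtualIface("to_hq_backup", "wan2", True, True))
    vpn.add_route("10.10.0.0/16", "to_hq_primary", 10)   # preferred metric
    vpn.add_route("10.10.0.0/16", "to_hq_backup", 20)    # redundant route
    vpn.add_sa("203.0.113.1", 0x1A2B3C, "to_hq_primary")  # constructed SPI
    first = vpn.outbound("10.10.5.7")
    vpn.ifaces["to_hq_primary"].phase1_up = False          # primary tunnel fails
    failover = vpn.outbound("10.10.5.7")
    inbound = vpn.inbound("203.0.113.1", build_esp(0x1A2B3C, 1))
    return first, failover, inbound
```

Running demo() shows the route choice moving from the primary to the backup virtual interface without any policy change, which is the redundancy benefit the text describes; a second delivery of the same ESP sequence number is dropped by the window check.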

Auto Key configuration applies to both tunnel-mode and interface-mode VPNs. When you define phase 2 parameters, you can choose any set of phase 1 parameters to set up a secure connection for the tunnel and authenticate the remote peer.

Note: There can be only one phase 2 configuration associated with each phase 1 configuration.

Figure 200: Auto Key list

Create Phase 1: Create a new phase 1 tunnel configuration. See “Creating a new phase 1 configuration” on page 311.

Create Phase 2: Create a new phase 2 configuration. See “Creating a new phase 2 configuration” on page 316.

Phase 1: The names of existing phase 1 tunnel configurations.

Phase 2: The names of existing phase 2 configurations.

Interface Binding: The names of the local physical, aggregate, or VLAN interfaces to which IPSec tunnels are bound.

Delete and Edit icons: Delete or edit a phase 1 configuration.

Creating a new phase 1 configuration

In phase 1, two VPN peers (or a FortiGate dialup server and a VPN client) authenticate each other and exchange keys to establish a secure communication channel between them. The basic phase 1 settings associate IPSec phase 1 parameters with a remote gateway and determine:
• whether the various phase 1 parameters will be exchanged in multiple rounds with encrypted authentication information (main mode) or in a single message with authentication information that is not encrypted (aggressive mode)
• whether a pre-shared key or digital certificates will be used to authenticate the identities of the two VPN peers (or a VPN server and its client)
• whether a special identifier, certificate distinguished name, or group name will be used to identify the remote VPN peer or client when a connection attempt is made

To define basic IPSec phase 1 parameters, go to VPN > IPSEC > Auto Key (IKE) and select Create Phase 1.
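An added example, not part of the guide or of FortiOS: a small checker that applies the phase 1 rules stated in this section (name length, the mode a dynamic peer or an identifier requires, the 6-character minimum and 16-character recommendation for pre-shared keys, the one-to-three DH group rule and the keylife range) to a proposed configuration before it is entered in the web-based manager. The cfg field names, the 80-bit entropy threshold that triggers a warning and the advisory warning on DH group 1 are this example's own assumptions, not FortiGate settings.

```python
import math
import secrets
import string

DH_GROUPS = {1, 2, 5}            # Diffie-Hellman groups offered in this release
KEYLIFE_RANGE = (120, 172800)    # phase 1 keylife, seconds
MIN_PSK_CHARS = 6                # hard minimum: 6 printable characters
RECOMMENDED_PSK_CHARS = 16       # recommendation: 16 random alphanumerics
MIN_PSK_BITS = 80.0              # assumption: warning threshold used by this example
ALNUM = string.ascii_letters + string.digits


def psk_entropy_bits(psk: str) -> float:
    """Rough estimate: length times log2 of the character classes present."""
    pool = 0
    if any(c.islower() for c in psk):
        pool += 26
    if any(c.isupper() for c in psk):
        pool += 26
    if any(c.isdigit() for c in psk):
        pool += 10
    if any(c in string.punctuation for c in psk):
        pool += len(string.punctuation)
    return len(psk) * math.log2(pool) if pool else 0.0


def generate_psk(length: int = RECOMMENDED_PSK_CHARS) -> str:
    """Random alphanumeric pre-shared key drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def validate_phase1(cfg: dict):
    """Return (errors, warnings): errors break a stated rule, warnings are advisory."""
    errors, warnings = [], []
    max_name = 15 if cfg.get("interface_mode") else 35
    if not 1 <= len(cfg.get("name", "")) <= max_name:
        errors.append(f"name must be 1-{max_name} characters for this VPN type")
    gw = cfg.get("remote_gateway")
    if gw not in ("static", "dialup", "ddns"):
        errors.append("remote_gateway must be static, dialup or ddns")
    dynamic_peer = gw in ("dialup", "ddns")   # dialup clients and DDNS peers have dynamic addresses
    mode = cfg.get("mode")
    if mode not in ("main", "aggressive"):
        errors.append("mode must be main or aggressive")
    # Aggressive mode is required when a dynamic peer is identified by a peer ID,
    # and when several dialup phase 1 configurations share the interface IP.
    if dynamic_peer and cfg.get("peer_id_required") and mode != "aggressive":
        errors.append("dynamic peer authenticated by identifier requires aggressive mode")
    if dynamic_peer and cfg.get("dialup_phase1s_on_interface", 1) > 1 and mode != "aggressive":
        errors.append("more than one dialup phase 1 on this interface IP requires aggressive mode")
    auth = cfg.get("auth")
    if auth == "psk":
        psk = cfg.get("psk", "")
        if len(psk) < MIN_PSK_CHARS or not psk.isprintable():
            errors.append(f"pre-shared key needs at least {MIN_PSK_CHARS} printable characters")
        elif len(psk) < RECOMMENDED_PSK_CHARS or psk_entropy_bits(psk) < MIN_PSK_BITS:
            warnings.append("pre-shared key is below the recommended 16 random alphanumeric characters")
    elif auth == "rsa":
        if not cfg.get("certificate"):
            errors.append("RSA Signature needs a server certificate name")
    else:
        errors.append("auth must be psk or rsa")
    dh = set(cfg.get("dh_groups", []))
    if not dh or not dh <= DH_GROUPS or len(dh) > 3:
        errors.append("select one to three DH groups from 1, 2 and 5")
    elif mode == "aggressive" and not dynamic_peer and len(dh) != 1:
        errors.append("static peers in aggressive mode must agree on a single DH group")
    if 1 in dh:  # editor's note, not a rule from the guide
        warnings.append("DH group 1 (768-bit MODP) is weak by current standards")
    keylife = cfg.get("keylife", 28800)
    if not KEYLIFE_RANGE[0] <= keylife <= KEYLIFE_RANGE[1]:
        errors.append("keylife must be 120-172800 seconds")
    return errors, warnings


# Constructed sample configurations for the example.
GOOD = {"name": "to_branch1", "interface_mode": True, "remote_gateway": "static",
        "mode": "main", "auth": "psk", "psk": "Xk7pQ2mL9vT4wZ8b",
        "dh_groups": [2, 5], "keylife": 28800}
WEAK = {"name": "dialup_clients", "interface_mode": False, "remote_gateway": "dialup",
        "mode": "main", "auth": "psk", "psk": "secret1", "peer_id_required": True,
        "dh_groups": [1], "keylife": 60}
```

validate_phase1(GOOD) returns no findings; validate_phase1(WEAK) reports that the dynamic peer with an identifier needs aggressive mode and that the keylife is out of range, and warns about the short pre-shared key and DH group 1.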

Figure 201: New Phase 1

Name: Type a name to represent the phase 1 definition. The maximum name length is 15 characters for an interface mode VPN, 35 characters for a policy-based VPN. For a tunnel mode VPN, the name should reflect the origination of the remote connection. For a route-based tunnel, the FortiGate unit also uses the name for the virtual IPSec interface that it creates automatically.

Remote Gateway: Select the nature of the remote connection:
• If the remote peer has a static IP address, select Static IP Address.
• If one or more FortiClient™ or FortiGate dialup clients with dynamic IP addresses will connect to the FortiGate unit, select Dialup User.
• If a remote peer that has a domain name and subscribes to a dynamic DNS service will be connecting to the FortiGate unit, select Dynamic DNS.

IP Address: If Static IP Address is selected, type the IP address of the remote peer.

Dynamic DNS: If Dynamic DNS is selected, type the domain name of the remote peer.

Local Interface: This option is available in NAT/Route mode only. Select the name of the physical, aggregate, or VLAN interface through which remote peers or dialup clients connect to the FortiGate unit. The FortiGate unit obtains the IP address of the interface from System > Network > Interface settings (see “Interface” on page 67) unless you are configuring an IPSec interface, in which case you can specify a different IP address in the Local Gateway IP field under Advanced settings (see “Local Gateway IP” on page 314).

Mode: Select Main or Aggressive:
• In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
• In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.
When the remote VPN peer or client has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID), you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address. Peer Options settings may require a particular mode. See Peer Options, below.

Authentication Method: Select Preshared Key or RSA Signature.

Pre-shared Key: If Pre-shared Key is selected, type the pre-shared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. You must define the same value at the remote peer or client. The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.

Certificate Name: If RSA Signature is selected, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. To obtain and load the required server certificate, see the FortiGate Certificate Management User Guide.

Peer Options: One or more of the following options are available to authenticate VPN peers or clients, depending on the Remote Gateway and Authentication Method settings.

Accept any peer ID: Accept the local ID of any remote VPN peer or client. The FortiGate unit does not check identifiers (local IDs). Mode can be set to Aggressive or Main.

Accept this peer ID: Authenticate remote peers based on a particular identifier. Enter the identifier in the field. The remote peer must be configured with the same identifier. If the remote VPN peer or client has a dynamic IP address, set Mode to Aggressive. If the remote peer is a FortiGate unit, the identifier must be specified in the Local ID field of the phase 1 configuration. For FortiClient dialup clients, select Config in the Policy section of the Advanced Settings for the connection and specify the identifier in the Local ID field.

Accept peer ID in dialup group: Authenticate multiple FortiGate or FortiClient dialup clients that use unique identifiers and unique pre-shared keys (or unique pre-shared keys only) through the same VPN tunnel. This option is available only if the remote peer has a dynamic IP address. You must create a dialup user group for authentication purposes. Select the group from the list adjacent to the Accept peer ID in dialup group option. See “User group” on page 347. Mode must be set to Aggressive when the dialup clients use unique identifiers and unique pre-shared keys. If the dialup clients use unique pre-shared keys only, you can set Mode to Main if there is only one dialup phase 1 configuration for this interface IP address. To configure FortiGate dialup clients, refer to the FortiGate IPSec VPN User Guide. To configure FortiClient dialup clients, refer to the Authenticating FortiClient Dialup Clients Technical Note.

Accept this peer certificate only: Authenticate one (or more) remote peers or dialup clients based on a particular (or shared) security certificate. Select the certificate from the list adjacent to the option. The certificate must be added to the FortiGate configuration through the config user peer CLI command before it can be selected. For more information, see the “user” chapter of the FortiGate CLI Reference. This option is available when Authentication Method is set to RSA Signature.

Accept this peer certificate group only: Use a certificate group to authenticate dialup clients that have dynamic IP addresses and use unique certificates. Select the name of the group from the list. You must first create the group through the config user peer and config user peergrp CLI commands before you can select it. For more information, see the “user” chapter of the FortiGate CLI Reference. This option is available when Authentication Method is set to RSA Signature and Remote Gateway is set to Dialup User. If the remote VPN peer or client has a dynamic IP address, set Mode to Aggressive.

Advanced: Define advanced phase 1 parameters. See “Defining phase 1 advanced settings” on page 314.

Defining phase 1 advanced settings

The advanced P1 Proposal parameters select the encryption and authentication algorithms that the FortiGate unit uses to generate keys for the IKE exchange. Additional advanced phase 1 settings can be selected to ensure the smooth operation of phase 1 negotiations. To modify IPSec phase 1 advanced parameters, go to VPN > IPSEC > Auto Key (IKE), select Create Phase 1, and then select Advanced.

Figure 202: Phase 1 advanced settings

Enable IPSec Interface Mode: Create a virtual interface for the local end of the VPN tunnel. This is not available in Transparent mode. You cannot configure Interface mode in a Transparent mode VDOM.

Local Gateway IP: If you selected Enable IPSec Interface Mode, you need to specify an IP address for the local end of the VPN tunnel. Select one of the following:
• Main Interface IP: the FortiGate unit obtains the IP address of the interface from System > Network > Interface settings (see “Interface” on page 67).
• Specify: specify an IP address. The IP address is assigned to the physical, aggregate, or VLAN interface selected in the phase 1 Local Interface field (see “Local Interface” on page 312).

P1 Proposal: Select the encryption and authentication algorithms used to generate keys for protecting negotiations. Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations. The remote peer or client must be configured to use at least one of the proposals that you define.
You can select any of the following symmetric-key algorithms:
• DES: Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
• 3DES: Triple-DES, in which plain text is encrypted three times by three keys.
• AES128: A 128-bit block algorithm that uses a 128-bit key.
• AES192: A 128-bit block algorithm that uses a 192-bit key.
• AES256: A 128-bit block algorithm that uses a 256-bit key.
You can select either of the following message digests to check the authenticity of messages during phase 1 negotiations:
• MD5: Message Digest 5, the hash algorithm developed by RSA Data Security.
• SHA1: Secure Hash Algorithm 1, which produces a 160-bit message digest.
To specify a third combination, use the Add button beside the fields for the second combination.

DH Group: Select one or more Diffie-Hellman groups from DH group 1, 2, and 5. When using aggressive mode, DH groups cannot be negotiated.
• If both VPN peers (or a VPN server and its client) have static IP addresses and use aggressive mode, select a single DH group. The setting on the FortiGate unit must be identical to the setting on the remote peer or dialup client.
• When the remote VPN peer or client has a dynamic IP address and uses aggressive mode, select up to three DH groups on the FortiGate unit and one DH group on the remote peer or dialup client. The setting on the remote peer or client must be identical to one of the selections on the FortiGate unit.
• If the VPN peer or client employs main mode, you can select multiple DH groups. At least one of the settings on the remote peer or client must be identical to the selections on the FortiGate unit.

Keylife: Type the length of time (in seconds) until the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172800 seconds.

Local ID: If the FortiGate unit will act as a VPN client and you are using peer IDs for authentication purposes, enter the identifier that the FortiGate unit will supply to the VPN server during the phase 1 exchange. If the FortiGate unit will act as a VPN client and you are using security certificates for authentication, select the distinguished name (DN) of the local server certificate that the FortiGate unit will use for authentication purposes. If the FortiGate unit is a dialup client and will not be sharing a tunnel with other dialup clients (that is, the tunnel will be dedicated to this FortiGate dialup client), set Mode to Aggressive.

XAuth: This option is provided to support the authentication of dialup clients. If the FortiGate unit is a dialup client and you select Enable as Client, type the user name and password that the FortiGate unit will need to authenticate itself to the remote XAuth server. If Remote Gateway is set to Dialup User and dialup clients will authenticate as members of a dialup group, the FortiGate unit can act as an XAuth server. To select Enable as Server, you must first create user groups to identify the dialup clients that need access to the network behind the FortiGate unit. See “Configuring a user group” on page 350. You must also configure the FortiGate unit to forward authentication requests to an external RADIUS or LDAP authentication server. For more information, see “Configuring a RADIUS server” on page 343 or “Configuring an LDAP server” on page 345. Select a Server Type setting to determine the type of encryption method to use between the FortiGate unit, the XAuth client and the external authentication server, and then select the user group from the User Group list.

Nat-traversal: Enable this option if a NAT device exists between the local FortiGate unit and the VPN peer or client. The local FortiGate unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared) to connect reliably.

Keepalive Frequency: If you enabled NAT-traversal, enter a keepalive frequency setting. The value represents an interval from 0 to 900 seconds.

Dead Peer Detection: Enable this option to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. You can use this option to be notified whenever a tunnel goes up or down, or enable the option to keep the tunnel connection open when no traffic is being generated inside the tunnel (for example, in scenarios where a dialup client or dynamic DNS peer connects from an IP address that changes periodically—traffic may be suspended while the IP address changes). When the Dead Peer Detection option is selected, you can use the config vpn ipsec phase1 (tunnel mode) or config vpn ipsec phase1-interface (interface mode) CLI command to optionally specify a long and short idle time, a retry count, and a retry interval. For information about these topics, see the FortiGate CLI Reference.

Creating a new phase 2 configuration

After IPSec phase 1 negotiations complete successfully, phase 2 begins. During phase 2, the specific IPSec security associations needed to implement security services are selected and a tunnel is established. The basic phase 2 settings associate IPSec phase 2 parameters with the phase 1 configuration that specifies the remote end point of the VPN tunnel. In most cases, you need to configure only basic phase 2 settings. To configure phase 2 settings, go to VPN > IPSEC > Auto Key (IKE) and select Create Phase 2.

Figure 203: New Phase 2

Name: Type a name to identify the phase 2 configuration.

Phase 1: Select the phase 1 tunnel configuration. The phase 1 configuration describes how remote VPN peers or clients will be authenticated on this tunnel, and how the connection to the remote peer or client will be secured. See “Creating a new phase 1 configuration” on page 311.

Advanced: Define advanced phase 2 parameters. See “Defining phase 2 advanced settings” on page 317.

Defining phase 2 advanced settings

In phase 2, the FortiGate unit and the VPN peer or client exchange keys again to establish a secure communication channel between them. The P2 Proposal parameters select the encryption and authentication algorithms needed to generate keys for protecting the implementation details of Security Associations (SAs). The keys are generated automatically using a Diffie-Hellman algorithm. A number of additional advanced phase 2 settings are available to enhance the operation of the tunnel. To modify IPSec phase 2 advanced parameters, go to VPN > IPSEC > Auto Key (IKE), select Create Phase 2, and then select Advanced.

Figure 204: Phase 2 advanced settings

P2 Proposal: Select the encryption and authentication algorithms that will be used to change data into encrypted code. Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations. The remote peer must be configured to use at least one of the proposals that you define.
You can select any of the following symmetric-key algorithms:
• NULL: Do not use an encryption algorithm.
• DES: Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
• 3DES: Triple-DES, in which plain text is encrypted three times by three keys.
• AES128: A 128-bit block algorithm that uses a 128-bit key.
• AES192: A 128-bit block algorithm that uses a 192-bit key.
• AES256: A 128-bit block algorithm that uses a 256-bit key.

You can select either of the following message digests to check the authenticity of messages during an encrypted session:
• NULL: Do not use a message digest.
• MD5: Message Digest 5, the hash algorithm developed by RSA Data Security.
• SHA1: Secure Hash Algorithm 1, which produces a 160-bit message digest.
To specify one combination only, set the Encryption and Authentication options of the second combination to NULL. To specify a third combination, use the Add button beside the fields for the second combination.

Enable replay detection: Optionally enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPSec packets and replays them back into the tunnel.

Enable perfect forward secrecy (PFS): Enable or disable PFS. Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.

DH Group: Select one Diffie-Hellman group (1, 2, or 5). The remote peer or dialup client must be configured to use the same group.

Keylife: Select the method for determining when the phase 2 key expires: Seconds, KBytes, or Both. If you select both, the key expires when either the time has passed or the number of KB have been processed. The range is from 120 to 172800 seconds, or from 5120 to 2147483648 KB.

Autokey Keep Alive: Enable the option if you want the tunnel to remain active when no data is being processed.

DHCP-IPSec: Select Enable if the FortiGate unit acts as a dialup server and FortiGate DHCP relay will be used to assign VIP addresses to FortiClient dialup clients. The DHCP relay parameters must be configured separately. For more information, see “System DHCP” on page 111. If the FortiGate unit acts as a dialup server and you manually assigned FortiClient dialup clients VIP addresses that match the network behind the dialup server, select Enable to cause the FortiGate unit to act as a proxy for the dialup clients. This is available only for tunnel mode phase 2 configurations associated with a dialup phase 1 configuration.

Note: You can enable VPN users to browse the Internet through the FortiGate unit. See “Internet browsing configuration” on page 319.

Quick Mode Selector: Optionally specify the source and destination IP addresses to be used as selectors for IKE negotiations. If the FortiGate unit is a dialup server, the default value 0.0.0.0/0 should be kept unless you need to circumvent problems caused by ambiguous IP addresses between one or more of the private networks making up the VPN. You can specify a single host IP address, an IP address range, or a network address. You may optionally specify source and destination port numbers and/or a protocol number. If you are editing an existing phase 2 configuration, the Source address and Destination address fields are unavailable if the tunnel has been configured to use firewall addresses as selectors. This option exists only in the CLI. See the dst-addr-type, dst-name, src-addr-type and src-name keywords for the vpn ipsec phase2 command in the FortiGate CLI Reference.

Source address: If the FortiGate unit is a dialup server, type the source IP address that corresponds to the local sender(s) or network behind the local VPN peer (for example, 172.16.5.1/32 or 172.16.5.1/255.255.255.255 for a server or host, or 192.168.10.0/24 or 192.168.10.0/255.255.255.0 for a subnet, or 172.16.5.[80-100] or 192.168.10.80-192.168.10.100 for an address range). A value of 0.0.0.0/0 means all IP addresses behind the local VPN peer. If the FortiGate unit is a dialup client, source address must refer to the private network behind the FortiGate dialup client.

Source port: Type the port number that the local VPN peer uses to transport traffic related to the specified service (protocol number). The range is 0 to 65535. To specify all ports, type 0.

Destination address: Type the destination IP address that corresponds to the recipient(s) or network behind the remote VPN peer (for example, 172.16.5.1/32 or 172.16.5.1/255.255.255.255 for a server or host, or 192.168.10.0/24 or 192.168.10.0/255.255.255.0 for a subnet, or 172.16.5.[80-100] or 192.168.10.80-192.168.10.100 for an address range). A value of 0.0.0.0/0 means all IP addresses behind the remote VPN peer.

Destination port: Type the port number that the remote VPN peer uses to transport traffic related to the specified service (protocol number). The range is 0 to 65535. To specify all ports, type 0.

Protocol: Type the IP protocol number of the service. The range is 1 to 255. To specify all services, type 0.

Internet browsing configuration

You can enable VPN users to browse the Internet through the FortiGate unit. You do this with firewall policies. The required policies are different for policy-based and route-based VPNs. For more information about firewall policies, see “Configuring firewall policies” on page 240.

Policy-based VPN Internet browsing configuration

Configure an additional firewall policy as follows:

Source Interface/Zone: Select the FortiGate unit public interface.

Source Address Name: Select the remote network address name.

Destination Interface/Zone: Select the FortiGate unit public interface.

Destination Address Name: Select All

Action: Select IPSEC.

VPN Tunnel: Select the tunnel that provides access to the private network behind the FortiGate unit.

Inbound NAT: Enable

Configure other settings as required.

Route-based VPN Internet browsing configuration

Configure an additional firewall policy as follows:

Source Interface/Zone: Select the IPSec interface.

Source Address Name: Select All

Destination Interface/Zone: Select the FortiGate unit public interface.

Destination Address Name: Select All

Action: Select ACCEPT.

NAT: Enable

Configure other settings as required.

Manual Key

If required, you can manually define cryptographic keys for establishing an IPSec VPN tunnel. You would define manual keys in situations where:
• Prior knowledge of the encryption and/or authentication key is required (that is, one of the VPN peers requires a specific IPSec encryption and/or authentication key).
• Encryption and authentication needs to be disabled.
In both cases, you do not specify IPSec phase 1 and phase 2 parameters; you define manual keys on the VPN > IPSEC > Manual Key page instead.

Note: It may not be safe or practical to define manual keys because network administrators must be trusted to keep the keys confidential, and propagating changes to remote VPN peers in a secure manner may be difficult.

Figure 205: Manual Key list

Create New: Create a new manual key configuration. See “Creating a new manual key configuration” on page 321.

Tunnel Name: The names of existing manual key configurations.

Remote Gateway: The IP addresses of remote peers or dialup clients.

Encryption Algorithm: The names of the encryption algorithms specified in the manual key configurations.

Authentication Algorithm: The names of the authentication algorithms specified in the manual key configurations.

Delete and Edit icons: Delete or edit a manual key configuration.

Creating a new manual key configuration

If one of the VPN devices uses specific authentication and/or encryption keys to establish a tunnel, both VPN devices must be configured to use identical authentication and/or encryption keys. In addition, it is essential that both VPN devices be configured with complementary Security Parameter Index (SPI) settings. Each SPI identifies a Security Association (SA). The value is placed in ESP datagrams to link the datagrams to the SA. When an ESP datagram is received, the recipient refers to the SPI to determine which SA applies to the datagram. An SPI must be specified manually for each SA. Because an SA applies to communication in one direction only, you must specify two SPIs per configuration (a local SPI and a remote SPI) to cover bidirectional communications between two VPN devices.

Caution: If you are not familiar with the security policies, SAs, selectors, and SA databases for your particular installation, do not attempt the following procedure without qualified assistance.

To specify manual keys for creating a tunnel, go to VPN > IPSEC > Manual Key and select Create New.

Figure 206: New Manual Key

Name: Type a name for the VPN tunnel. The maximum name length is 15 characters for an interface mode VPN, 35 characters for a policy-based VPN.

Local SPI: Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles outbound traffic on the local FortiGate unit. The valid range is from 0x100 to 0xffffffff. This value must match the Remote SPI value in the manual key configuration at the remote peer.

Remote SPI: Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles inbound traffic on the local FortiGate unit. The valid range is from 0x100 to 0xffffffff. This value must match the Local SPI value in the manual key configuration at the remote peer.

Remote Gateway: Type the IP address of the public interface to the remote peer. The address identifies the recipient of ESP datagrams.

Local Interface: Select the name of the physical, aggregate, or VLAN interface to which the IPSec tunnel will be bound. The FortiGate unit obtains the IP address of the interface from System > Network > Interface settings (see “Interface” on page 67). This option is available in NAT/Route mode only.

Encryption Algorithm: Select one of the following symmetric-key encryption algorithms:
• DES-Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
• 3DES-Triple-DES, in which plain text is encrypted three times by three keys.
• AES128-A 128-bit block algorithm that uses a 128-bit key.
• AES192-A 128-bit block algorithm that uses a 192-bit key.
• AES256-A 128-bit block algorithm that uses a 256-bit key.
Single DES is obsolete (a 56-bit key can be brute-forced) and should not be selected for a new tunnel.

Encryption Key: If you selected:
• DES, type a 16-character hexadecimal number (0-9, a-f).
• 3DES, type a 48-character hexadecimal number (0-9, a-f) separated into three segments of 16 characters.
• AES128, type a 32-character hexadecimal number (0-9, a-f) separated into two segments of 16 characters.
• AES192, type a 48-character hexadecimal number (0-9, a-f) separated into three segments of 16 characters.
• AES256, type a 64-character hexadecimal number (0-9, a-f) separated into four segments of 16 characters.

Authentication Algorithm: Select one of the following message digests:
• MD5-Message Digest 5 algorithm, which produces a 128-bit message digest.
• SHA1-Secure Hash Algorithm 1, which produces a 160-bit message digest.

Authentication Key: If you selected:
• MD5, type a 32-character hexadecimal number (0-9, a-f) separated into two segments of 16 characters.
• SHA1, type a 40-character hexadecimal number (0-9, a-f) separated into one segment of 16 characters and a second segment of 24 characters.

IPSec Interface Mode: Create a virtual interface for the local end of the VPN tunnel. This command is available only in NAT/Route mode.

Manual keys are never renegotiated, so a manually keyed tunnel has no forward secrecy: generate the keys from a cryptographically secure random source, never reuse a key between tunnels, and rotate them on a schedule.

Concentrator
In a hub-and-spoke configuration, policy-based VPN connections to a number of remote peers radiate from a single, central FortiGate unit. Site-to-site connections between the remote peers do not exist; however, VPN tunnels between any two of the remote peers can be established through the FortiGate unit “hub”.
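The Manual Key page expects keys of a fixed hexadecimal length per algorithm and two SPIs per tunnel. The following Python helper, added here as an example and not part of the guide or of FortiOS, generates that material from a CSPRNG and checks a typed key against the page's length and alphabet rules. The lengths and segment widths are the ones the page lists; the `-` display separator, the `DEPRECATED` policy that refuses DES and MD5, and the SPI range check against RFC 4303's reserved values are this example's own choices.

```python
"""Generate and check the hex keys and SPIs the Manual Key page asks for.
Added example for this guide, not Fortinet code; the lengths and segment
widths are the ones listed on the page, the separator is for display only."""
import re
import secrets

# algorithm -> (total hex characters, widths of the typed segments), per the page
ENCRYPTION_KEYS = {
    "des":    (16, (16,)),
    "3des":   (48, (16, 16, 16)),
    "aes128": (32, (16, 16)),
    "aes192": (48, (16, 16, 16)),
    "aes256": (64, (16, 16, 16, 16)),
}
AUTHENTICATION_KEYS = {
    "md5":  (32, (16, 16)),
    "sha1": (40, (16, 24)),
}
# The page lists these without comment; this example refuses them for new tunnels.
DEPRECATED = {"des", "md5"}
HEX = re.compile(r"^[0-9a-f]+$")
SEP = "-"   # display separator between segments; the GUI uses separate boxes


def split_segments(hexkey, widths):
    """Cut an unbroken hex string into the segment widths the page describes."""
    out, pos = [], 0
    for width in widths:
        out.append(hexkey[pos:pos + width])
        pos += width
    return out


def validate_key(table, algorithm, typed):
    """(ok, reason) for a key typed for `algorithm`; separators and case are tolerated."""
    if algorithm not in table:
        return False, "unknown algorithm %r" % algorithm
    length, _ = table[algorithm]
    key = typed.replace(SEP, "").replace(" ", "").lower()
    if not HEX.match(key):
        return False, "key must contain only hexadecimal digits 0-9, a-f"
    if len(key) != length:
        return False, "%s needs %d hex characters, got %d" % (algorithm, length, len(key))
    if len(set(key)) < 4:
        return False, "key has almost no entropy; use random material"
    return True, "ok"


def generate_key(table, algorithm):
    """Fresh CSPRNG key of the right length: (segments, joined display string)."""
    length, widths = table[algorithm]
    raw = secrets.token_hex(length // 2)     # `length` hex characters
    segments = split_segments(raw, widths)
    return segments, SEP.join(segments)


def generate_spi():
    """32-bit SPI outside 0-255, which RFC 4303 reserves."""
    return 256 + secrets.randbelow(2 ** 32 - 256)


def make_manual_sa(encryption, authentication):
    """Everything the Manual Key page asks for: a local and a remote SPI (one
    per direction, as the caution on the page says) plus both keys."""
    for alg in (encryption, authentication):
        if alg in DEPRECATED:
            raise ValueError("%s is obsolete; use AES with SHA1 at minimum" % alg)
    local_spi, remote_spi = generate_spi(), generate_spi()
    while remote_spi == local_spi:
        remote_spi = generate_spi()
    _, enckey = generate_key(ENCRYPTION_KEYS, encryption)
    _, authkey = generate_key(AUTHENTICATION_KEYS, authentication)
    return {"local_spi": local_spi, "remote_spi": remote_spi,
            "encryption": encryption, "enckey": enckey,
            "authentication": authentication, "authkey": authkey}


if __name__ == "__main__":
    sa = make_manual_sa("aes256", "sha1")
    for field in ("local_spi", "remote_spi", "enckey", "authkey"):
        print("%-10s %s" % (field, sa[field]))
```

Paste the segments into the corresponding boxes on the page; the same values, with the separator removed, are what the remote peer must be given with the local and remote SPIs swapped.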

In a hub-and-spoke network, all VPN tunnels terminate at the hub. The peers that connect to the hub are known as “spokes”. The hub functions as a concentrator on the network, managing all VPN connections between the spokes. VPN traffic passes from one tunnel to the other through the hub.

You define a concentrator to include spokes in the hub-and-spoke configuration. To define a concentrator, go to VPN > IPSEC > Concentrator.

Figure 207: Concentrator list
Create New: Define a new concentrator for an IPSec hub-and-spoke configuration. See “Defining concentrator options” on page 323.
Concentrator Name: The names of existing IPSec VPN concentrators.
Members: The tunnels that are associated with the concentrators.
Delete and Edit icons: Delete or edit a concentrator.

Defining concentrator options
A concentrator configuration specifies which spokes to include in an IPSec hub-and-spoke configuration. To specify the spokes of an IPSec hub-and-spoke configuration, go to VPN > IPSEC > Concentrator and select Create New.

Figure 208: New VPN Concentrator
Concentrator Name: Type a name for the concentrator.
Available Tunnels: A list of defined IPSec VPN tunnels. Select a tunnel from the list and then select the right-pointing arrow. Repeat these steps until all of the tunnels associated with the spokes are included in the concentrator.
Members: A list of tunnels that are members of the concentrator. To remove a tunnel from the concentrator, select the tunnel and select the left-pointing arrow.

Monitor
You can use the monitor to view activity on IPSec VPN tunnels and start or stop those tunnels. The display provides a list of addresses, proxy IDs, and timeout information for all active tunnels, including tunnel mode and route-based (interface mode) tunnels.

To view active tunnels, go to VPN > IPSEC > Monitor.

Figure 209: Monitor list

The Dialup list provides information about the status of tunnels that have been established for dialup clients. The list displays the IP addresses of dialup clients and the names of all active tunnels. The number of tunnels shown in the list can change as dialup clients connect and disconnect.

Page up and Page down icons: Display the previous or next page of dialup-tunnel status listings.
Name: The names of configured tunnels.
Remote gateway: The public IP address and UDP port of the remote host device, or, if a NAT device exists in front of the remote host, the public IP address and UDP port of the NAT device.
Username: The peer ID, certificate name, or XAuth user name of the dialup client (if a peer ID, certificate name, or XAuth user name was assigned to the dialup client for authentication purposes).
Timeout: The amount of time before the next phase 2 key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife. When the phase 2 key expires, a new key is generated without interrupting service.
Proxy ID Source: The IP addresses of the hosts, servers, or private networks behind the FortiGate unit. A network range may be displayed if the source address in the firewall encryption policy was expressed as a range of IP addresses.

Proxy ID Destination: When a FortiClient dialup client establishes a tunnel:
• If VIP addresses are not used, the Proxy ID Destination field displays the public IP address of the remote host Network Interface Card (NIC).
• If VIP addresses were configured (manually or through FortiGate DHCP relay), the Proxy ID Destination field displays either the VIP address belonging to the FortiClient dialup client, or the subnet address from which VIP addresses were assigned.
When a FortiGate dialup client establishes a tunnel, the Proxy ID Destination field displays the IP address of the remote private network.
Tunnel up or tunnel down icon: A green arrow pointing up means the tunnel is currently processing traffic. Select to bring down the tunnel. A red arrow pointing down means the tunnel is not processing traffic. Select to bring up the tunnel.

The Static IP and dynamic DNS list provides information about VPN tunnels to remote peers that have static IP addresses or domain names. You can use this list to view status and IP addressing information for each tunnel configuration. You can also start and stop individual tunnels from the list.

Page up and Page down icons: Display the previous or next page of VPN-tunnel status listings.
Name: The names of configured tunnels.
Remote gateway: The IP addresses and UDP ports of the remote gateways. For dynamic DNS tunnels, the IP addresses are updated dynamically.
Timeout: The amount of time before the next phase 2 key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife. When the phase 2 key expires, a new key is generated without interrupting service.
Proxy ID Source: The IP addresses of the hosts, servers, or private networks behind the FortiGate unit. A network range may be displayed if the source address in the firewall encryption policy was expressed as a range of IP addresses.
Proxy ID Destination: The IP addresses of the hosts, servers, or private networks behind the remote FortiGate unit.
Tunnel up or tunnel down icon: A green arrow pointing up means the tunnel is currently processing traffic. Select to bring down the tunnel. A red arrow pointing down means the tunnel is not processing traffic. Select to bring up the tunnel.


VPN PPTP
FortiGate units support PPTP to tunnel PPP traffic between two VPN peers. Windows or Linux PPTP clients can establish a PPTP tunnel with a FortiGate unit that has been configured to act as a PPTP server. As an alternative, you can configure the FortiGate unit to forward PPTP packets to a PPTP server on the network behind the FortiGate unit.

This section explains how to use the web-based manager to specify a range of IP addresses for PPTP clients. For information about how to perform other related PPTP VPN setup tasks, see the FortiGate PPTP VPN User Guide.

The following topics are included in this section:
• PPTP Range

PPTP Range
You can specify a PPTP address range on the PPTP Range page. The PPTP address range is the range of addresses reserved for remote PPTP clients. When the remote PPTP client connects, the FortiGate unit assigns an IP address from the reserved range to the client PPTP interface. The PPTP client uses the assigned IP address as its source address for the duration of the connection. PPTP VPN is available only in NAT/Route mode.

PPTP's authentication (MS-CHAP) and MPPE encryption are cryptographically weak by current standards; where the clients support it, prefer an IPSec or SSL VPN and keep PPTP for legacy clients only.

To enable PPTP and specify the PPTP address range, go to VPN > PPTP > PPTP Range, select the required options, and then select Apply.

Figure 210: Edit PPTP range
Enable PPTP: Select the option.
Starting IP: Type the starting address in the range of reserved IP addresses.
Ending IP: Type the ending address in the range of reserved IP addresses. The start and end IPs must be in the same 24-bit subnet, e.g. x.x.x.1 - x.x.x.254. The current maximum number of PPTP and L2TP sessions is 254.
User Group: Select the name of the PPTP user group that you defined. You must add a user group before you can select the option. See “User group” on page 347.
Disable PPTP: Select the option to disable PPTP support.
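The PPTP Range page states two constraints on the client pool (both ends in one 24-bit subnet, at most 254 sessions). The following Python check, added here as an example and not part of the guide or of FortiOS, applies those rules to a Starting IP / Ending IP pair before they are typed into the form. The exclusion of the subnet's network and broadcast addresses and the `overlaps` check against an existing LAN subnet are additions of this example, not rules stated on the page; the sample ranges are constructed.

```python
"""Check a PPTP client address pool against the constraints on the PPTP Range
page. Added example for this guide, not Fortinet code; sample ranges are constructed."""
import ipaddress

MAX_SESSIONS = 254          # current PPTP/L2TP session limit stated on the page


def check_pptp_range(start, end):
    """Return (ok, message) for a Starting IP / Ending IP pair."""
    try:
        first = ipaddress.IPv4Address(start)
        last = ipaddress.IPv4Address(end)
    except ipaddress.AddressValueError as exc:
        return False, "not an IPv4 address: %s" % exc
    if last < first:
        return False, "ending IP %s is below starting IP %s" % (last, first)
    # Rule from the page: start and end must lie in the same 24-bit subnet.
    net_first = ipaddress.IPv4Network((int(first), 24), strict=False)
    net_last = ipaddress.IPv4Network((int(last), 24), strict=False)
    if net_first != net_last:
        return False, "start and end must be in the same 24-bit subnet (%s vs %s)" % (net_first, net_last)
    size = int(last) - int(first) + 1
    if size > MAX_SESSIONS:
        return False, "range holds %d addresses but only %d sessions are supported" % (size, MAX_SESSIONS)
    # Example's own check: .0 and .255 of the /24 are not usable client addresses.
    if first == net_first.network_address or last == net_first.broadcast_address:
        return False, "range must not include the network or broadcast address of %s" % net_first
    return True, "%d client addresses in %s" % (size, net_first)


def overlaps(start, end, subnet):
    """True if the pool collides with an existing subnet (for example the LAN behind
    the FortiGate), which would break routing for those clients. Example's own check."""
    pool = ipaddress.summarize_address_range(ipaddress.IPv4Address(start),
                                             ipaddress.IPv4Address(end))
    net = ipaddress.IPv4Network(subnet)
    return any(block.overlaps(net) for block in pool)


if __name__ == "__main__":
    for s, e in (("192.168.10.1", "192.168.10.254"), ("192.168.10.1", "192.168.11.254")):
        print(s, "-", e, "->", check_pptp_range(s, e))
```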


VPN SSL
This section provides information about the features of the VPN > SSL page in the web-based manager. The SSL VPN feature is supported on FortiGate units that run in NAT/Route mode only.

Note: For detailed instructions about how to configure web-only mode or tunnel mode operation, see the FortiGate SSL VPN User Guide.

The following topics are included in this section:
• Config
• Monitor

Config
The Config page contains basic SSL VPN settings including timeout values and SSL encryption preferences. If required, you can also enable the use of digital certificates for authenticating remote clients. To display the current SSL configuration settings, go to VPN > SSL > Config.

Note: If required, you can enable SSL version 2 encryption (for compatibility with older browsers) through a FortiGate CLI command. For more information, see “ssl settings” in the “vpn” chapter of the FortiGate CLI Reference. SSL version 2 has known protocol weaknesses (an unprotected handshake and a weak MAC construction) and should stay disabled; a browser that cannot use SSL 3.0 or TLS should be upgraded instead.

Figure 211: SSL-VPN Settings
Enable SSL VPN: Select to enable SSL VPN connections.
Login Port: Optionally enter a different HTTPS port number for remote client web browsers to connect to the FortiGate unit. The default port number is 10443.
Tunnel IP Range: Specify the range of IP addresses reserved for tunnel-mode SSL VPN clients. Type the starting and ending address that defines the range of reserved IP addresses.
Server Certificate: Select the signed server certificate to use for authentication purposes. If you leave the default setting (Self-Signed), the FortiGate unit offers its factory installed (self-signed) certificate from Fortinet to remote clients when they connect. Because clients cannot verify a self-signed certificate, they cannot tell the FortiGate unit from an impostor; install a CA-signed server certificate before exposing the portal.
Require Client Certificate: If you want to enable the use of group certificates for authenticating remote clients, select the option. Afterward, when the remote client initiates a connection, the FortiGate unit prompts the client for its client-side certificate as part of the authentication process.
Encryption Key Algorithm: Select the algorithm for creating a secure SSL connection between the remote client web browser and the FortiGate unit.
• Default - RC4(128 bits) and higher: If the web browser on the remote client is capable of matching a 128-bit or greater cipher suite, select this option.
• High - AES(128/256 bits) and 3DES: If the web browser on the remote client is capable of matching a high level of SSL encryption, select this option to enable cipher suites that use more than 128 bits to encrypt data.
• Low - RC4(64 bits), DES and higher: If you are not sure which level of SSL encryption the remote client web browser supports, select this option to enable a 64-bit or greater cipher suite.
Of the three settings only High excludes RC4 and single DES, both of which are now considered broken; select High unless a specific legacy browser forces otherwise.

Idle Timeout: Type the period of time (in seconds) to control how long the connection can remain idle before the system forces the user to log in again. The range is from 10 to 28800 seconds. This setting applies to the SSL VPN session. The interface does not time out when web application sessions or tunnels are up.
Portal Message: If you want to display a custom caption at the top of the web portal home page, type the message.
Advanced (DNS and WINS Servers)
DNS Server #1, DNS Server #2: Enter up to two DNS Servers to be provided for the use of clients.
WINS Server #1, WINS Server #2: Enter up to two WINS Servers to be provided for the use of clients.

Monitor
You can display a list of all active SSL VPN sessions. The list displays the user name of the remote user, the IP address of the remote client, and the time that the connection was made. The list also identifies which services are being provided.

To view the list of active SSL VPN sessions, go to VPN > SSL > Monitor.

Figure 212: Monitor list
No.: The identifier of the connection.
User: The user names of all connected remote users.
Source IP: The IP addresses of the host devices connected to the FortiGate unit.
Begin Time: The starting time of each connection.
Description: Information about which services are being provided. When a tunnel-mode user is connected, the Description field displays the IP address that the FortiGate unit assigned to the remote client.
Delete icon: Take down a tunnel.


VPN Certificates
This section explains how to manage X.509 security certificates using the FortiGate web-based manager. Refer to this module to generate certificate requests, install signed certificates, import CA root certificates and certificate revocation lists, and back up and restore installed certificates and private keys. For additional background information, see the FortiGate Certificate Management User Guide.

The following topics are included in this section:
• Local Certificates
• CA Certificates
• CRL

Local Certificates
Certificate requests and installed server certificates are displayed in the Local Certificates list. After you submit a request to a CA, the CA verifies the information and registers the contact information on a digital certificate that contains a serial number, an expiration date, and the FortiGate unit's public key from the request. The CA then signs the certificate and sends it to you to install on the FortiGate unit.

To view certificate requests and/or import signed server certificates, go to VPN > Certificates > Local Certificates. To view certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.

Figure 213: Local Certificates list
Generate: Generate a local certificate request. See “Generating a certificate request” on page 334.
Import: Import a signed local certificate. See “Importing a signed server certificate” on page 336.
Name: The names of existing local certificates and pending certificate requests. The first entry in the list is the FortiGate unit’s self-signed certificate, which you cannot delete.
Subject: The Distinguished Names (DNs) of local signed certificates.
Status: The status of the local certificate. PENDING designates a certificate request that needs to be downloaded and signed.

View Certificate Detail icon: Display certificate details such as the certificate name, issuer, subject, and valid certificate dates. See Figure 214.
Delete icon: Delete the selected certificate request or installed server certificate from the FortiGate configuration. This is available only if the certificate can be deleted.
Download icon: Save a copy of the certificate request to a local computer. Send the request to your CA to obtain a signed server certificate for the FortiGate unit.

Figure 214: Certificate Detail Information

For detailed information and step-by-step procedures related to obtaining and installing digital certificates, see the FortiGate Certificate Management User Guide.

Generating a certificate request
The FortiGate unit generates a certificate request based on the information you enter to identify the FortiGate unit. After you generate a certificate request, you can download the request to a computer that has management access to the FortiGate unit and then forward the request to a CA. Generated requests are displayed in the Local Certificates list with a status of PENDING. To download and send the certificate request to a CA, see “Downloading and submitting a certificate request” on page 336.

To fill out a certificate request, go to VPN > Certificates > Local Certificates and select Generate.

Figure 215: Generate Certificate Signing Request
Certification Name: Type a certificate name. Typically, this would be the name of the FortiGate unit. To enable the export of a signed certificate as a PKCS12 file later on if required, do not include spaces in the name.
Subject Information: Enter the information needed to identify the FortiGate unit:
• If the FortiGate unit has a static IP address, select Host IP and enter the public IP address of the FortiGate unit. If the FortiGate unit does not have a public IP address, use an email address (or domain name if available) instead.
• If the FortiGate unit does not have a static IP address and subscribes to a dynamic DNS service, use a domain name if available to identify the FortiGate unit. If you select Domain Name, enter the fully qualified domain name of the FortiGate unit. Do not include the protocol specification (http://) or any port number or path names.
• If a domain name is not available and the FortiGate unit subscribes to a dynamic DNS service, an “unable to verify certificate” type message may be displayed in the user’s browser whenever the public IP address of the FortiGate unit changes. If you select E-mail, enter the email address of the owner of the FortiGate unit.
Organization Unit: Optionally type the name of your department.
Organization: Optionally type the legal name of your company or organization.
Locality (City): Optionally type the name of the city or town where the FortiGate unit is installed.
State/Province: Optionally type the name of the state or province where the FortiGate unit is installed.
Country: Optionally select the country where the FortiGate unit is installed.
e-mail: Optionally type the contact email address.
Key Type: Only RSA is supported.
Key Size: Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but they provide better security. 1024-bit RSA is no longer considered adequate and many CAs refuse to sign it; select 2048 Bit.

Downloading and submitting a certificate request
You have to fill out a certificate request and generate the request before you can submit the results to a CA. For more information, see “Generating a certificate request” on page 334.

To download and submit a certificate request
1 Go to VPN > Certificates > Local Certificates.
2 In the Local Certificates list, select the Download icon in the row that corresponds to the generated certificate request.
3 In the File Download dialog box, select Save.
4 Name the file and save it to the local file system.
5 Submit the request to your CA as follows:
• Using the web browser on the management computer, browse to the CA web site.
• Follow the CA instructions to place a base-64 encoded PKCS#10 certificate request and upload your certificate request.
• Follow the CA instructions to download their root certificate and Certificate Revocation List (CRL), and then install the root certificate and CRL on each remote client (refer to the browser documentation).
6 When you receive the signed certificate from the CA, install the certificate on the FortiGate unit. See “Importing a signed server certificate” on page 336.

Importing a signed server certificate
Your CA will provide you with a signed server certificate to install on the FortiGate unit. When you receive the signed certificate from the CA, save the certificate on a computer that has management access to the FortiGate unit.

To install the signed server certificate, go to VPN > Certificates > Local Certificates and select Import. Install the signed certificate through the Upload Local Certificate dialog box at the top of the page. The other dialog boxes are for importing previously exported certificates and private keys.

Figure 216: Upload Local Certificate
Certificate File: Enter the full path to and file name of the signed server certificate. Alternatively, select Browse, browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK. The certificate file can be in either PEM or DER format.

Importing an exported server certificate and private key
The server certificate and private key to import must have been exported previously as a single PKCS12 file through the execute vpn certificate key export CLI command. The file is associated with a password, which you will need to know in order to import the file. For more information, see the FortiGate Certificate Management User Guide. Before you begin, save a copy of the file on a computer that has management access to the FortiGate unit.

To import the PKCS12 file, go to VPN > Certificates > Local Certificates and select Import.

Figure 217: Upload PKCS12 Certificate
Certificate with key file: Enter the full path to and file name of the previously exported PKCS12 file. Alternatively, select Browse, browse to the location on the management computer where the PKCS12 file has been saved, select the file, and then select OK.
Password: Type the password needed to upload the PKCS12 file.

Importing separate server certificate and private key files
Use the Upload Certificate dialog box to import a server certificate and the associated private key file when the server certificate request and private key were not generated by the FortiGate unit. The two files to import must be available on the management computer.

Figure 218: Upload Certificate
Certificate file: Enter the full path to and file name of the previously exported certificate file.
Key file: Enter the full path to and file name of the previously exported key file.
Password: If a password is required to upload and open the files, type the password.

Note: The certificate file must not use 40-bit RC2-CBC encryption.

CA Certificates
When you apply for a signed personal (administrative) or group certificate to install on remote clients, you must obtain the corresponding root certificate and CRL from the issuing CA. When you receive the signed personal or group certificate, install the signed certificate on the remote client(s) according to the browser documentation. Install the corresponding root certificate and CRL from the issuing CA on the FortiGate unit.

Installed CA certificates are displayed in the CA Certificates list. The FortiGate unit assigns unique names (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on) to the CA certificates when they are imported. You cannot delete the Fortinet_CA certificate.

To view installed CA root certificates or import a CA root certificate, go to VPN > Certificates > CA Certificates. To view root certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.

Figure 219: CA Certificates list
Import: Import a CA root certificate. See “Importing CA certificates” on page 338.
Name: The names of existing CA root certificates.
Subject: Information about the issuing CA.
Delete icon: Delete a CA root certificate from the FortiGate configuration.
View Certificate Detail icon: Display certificate details.
Download icon: Save a copy of the CA root certificate to a local computer.

For detailed information and step-by-step procedures related to obtaining and installing digital certificates, see the FortiGate Certificate Management User Guide.

Importing CA certificates
After you download the root certificate of the CA, save the certificate on a PC that has management access to the FortiGate unit. To import a CA root certificate, go to VPN > Certificates > CA Certificates and select Import.

Figure 220: Upload CA Certificate
Upload File: Enter the full path to and file name of the CA root certificate. Alternatively, select Browse, browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK. The system assigns a unique name to each CA certificate. The names are numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).

CRL
A Certificate Revocation List (CRL) is a list of CA certificate subscribers paired with certificate status information. The FortiGate unit uses CRLs to ensure that the certificates belonging to CAs and remote clients are valid. Installed CRLs are displayed in the CRL list. The FortiGate unit assigns unique names (CRL_1, CRL_2, CRL_3, and so on) to certificate revocation lists when they are imported.

To view installed CRLs or import/update a CRL, go to VPN > Certificates > CRL.

Figure 221: Certificate revocation list
Import: Import a CRL. See “Importing a certificate revocation list” on page 340.
Name: The names of existing certificate revocation lists.
Subject: Information about the certificate revocation lists.
Delete icon: Delete the selected CRL from the FortiGate configuration.
View Certificate Detail icon: Display CRL details such as the issuer name and CRL update dates. See example Figure 222.
Download icon: Save a copy of the CRL to a local computer.

Figure 222: CRL Certificate Detail

Importing a certificate revocation list
You must periodically retrieve certificate revocation lists from CA web sites and update the corresponding information on the FortiGate unit on a regular basis to ensure that clients having revoked certificates cannot establish a connection with the FortiGate unit. A CRL carries a next-update date; once that date has passed the installed list no longer reflects the CA's revocations, so schedule the refresh ahead of it. After you download a CRL from the CA web site, save the CRL on a computer that has management access to the FortiGate unit.

To import a certificate revocation list, go to VPN > Certificates > CRL and select Import.

Figure 223: Upload CRL
Upload File: Enter the full path to and file name of the CRL. Alternatively, select Browse, browse to the location on the management computer where the CRL has been saved, select the CRL, and then select OK. The system assigns a unique name to each CRL. The names are numbered consecutively (CRL_1, CRL_2, CRL_3, and so on).

User
This section explains how to set up user accounts, user groups and external authentication servers. These are components of user authentication that you can use to control access to network resources.

The following topics are included in this section:
• Configuring user authentication
• Local user accounts
• RADIUS servers
• LDAP servers
• Windows AD servers
• User group
• Configuring peers and peer groups

Configuring user authentication
FortiGate authentication controls access by user group. There are three types of user groups: Firewall, Active Directory and SSL VPN, but creating user groups is not the first step in configuring authentication. You must configure user authentication in the following order:
1 If external authentication using RADIUS or LDAP servers is needed, configure access to those servers. See “RADIUS servers” on page 343 and “LDAP servers” on page 344.
2 Configure local user accounts in User > Local. For each user, you can choose whether the password is verified by the FortiGate unit, by a RADIUS server or by an LDAP server. See “Local user accounts” on page 342.
3 If you use a Microsoft Windows Active Directory server for authentication, configure access to it. You must install the Fortinet Server Authentication Extensions (FSAE) on your Windows network. Users authenticated by Active Directory server do not need local user accounts on the FortiGate unit. See “Configuring a Windows AD server” on page 347.
4 Create user groups in User > User Group and add members.

Setting authentication timeout
Authentication timeout controls how long an authenticated firewall connection can be idle before the user must authenticate again. The default authentication timeout is 15 minutes.

To set authentication timeout
1 Go to System > Admin > Settings.
2 In Auth Timeout, type a number, in minutes.

Local user accounts
Go to User > Local to add local user accounts and configure authentication.

Figure 224: Local user list
Create New: Add a new local user account.
User Name: The local user name.
Type: The authentication type to use for this user.
Delete icon: Delete the user. Note: The delete icon is not available if the user belongs to a user group. Note: Deleting the user name deletes the authentication configured for the user.
Edit icon: Edit the user account.

Configuring a user account
Go to User > Local and select Create New or the Edit icon of an existing user account.

Figure 225: Local user options
User Name: Type or edit the user name.
Disable: Select Disable to prevent this user from authenticating.
Password: Select Password to authenticate this user using a password stored on the FortiGate unit. Type or edit the password. The password should be at least six characters long; six characters is the minimum the unit accepts, not a safe length, so require substantially longer passwords for anything reachable from the Internet.
LDAP: Select LDAP to authenticate this user using a password stored on an LDAP server. Select the LDAP server from the drop-down list. Note: You can only select an LDAP server that has been added to the FortiGate LDAP configuration. See “LDAP servers” on page 344.
RADIUS: Select RADIUS to authenticate this user using a password stored on a RADIUS server. Select the RADIUS server from the drop-down list. Note: You can only select a RADIUS server that has been added to the FortiGate RADIUS configuration. See “RADIUS servers” on page 343.

RADIUS servers
If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit sends the user’s credentials to the RADIUS server for authentication. If the RADIUS server can authenticate the user, the user is successfully authenticated with the FortiGate unit. If the RADIUS server cannot authenticate the user, the connection is refused by the FortiGate unit.

To configure a RADIUS server, go to User > RADIUS.

Figure 226: RADIUS server list
Create New: Add a new RADIUS server.
Name: The name of the RADIUS server on the FortiGate unit.
Server Name/IP: The domain name or IP address of the RADIUS server.
Delete icon: Delete a RADIUS server configuration. Note: You cannot delete a RADIUS server that has been added to a user group.
Edit icon: Edit a RADIUS server configuration.

Configuring a RADIUS server
Go to User > RADIUS and select Create New or the Edit icon of an existing RADIUS server.

Figure 227: RADIUS configuration
Name: Type or edit the name used to identify the RADIUS server.
Server Name/IP: Type or edit the domain name or IP address of the RADIUS server.
Server Secret: Type or edit the RADIUS server secret. The secret is the only thing that authenticates the FortiGate unit to the RADIUS server, authenticates the server's replies, and hides the user's password on the wire, so use a long random value unique to this server rather than a word.

Note: The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645, use the CLI to change the default RADIUS port. For more information see the config system global command in the FortiGate CLI Reference.
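To make concrete what the Server Secret does, the following Python block walks through one RADIUS Access-Request / Access-Accept exchange as defined in RFC 2865: the FortiGate side (the NAS) hides the user's password under the secret, and it accepts the reply only if the Response Authenticator was computed with the same secret over its own Request Authenticator. This is an added example, not Fortinet code and not the FortiGate's implementation; the secret, the user database and the addresses are constructed, and the server side is a toy that checks passwords against a dictionary.

```python
"""Hand-built RADIUS Access-Request / Access-Accept exchange (RFC 2865) that
shows what the Server Secret on the RADIUS page protects. Added example for
this guide, not Fortinet code: secret, users and addresses are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types


def _attr(atype, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return bytes([atype, len(value) + 2]) + value


def _chunks16(data):
    data += b"\x00" * (-len(data) % 16)
    return [data[i:i + 16] for i in range(0, len(data), 16)]


def encrypt_password(secret, request_auth, password):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    block), seeded with the Request Authenticator. Hides PAP passwords on
    the wire but is only as strong as the secret."""
    out, prev = b"", request_auth
    for block in _chunks16(password):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(block, mask))
        out += prev
    return out


def decrypt_password(secret, request_auth, encrypted):
    out, prev = b"", request_auth
    for block in _chunks16(encrypted):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(secret, ident, username, password, nas_ip, request_auth=None):
    """What the NAS (here the FortiGate) sends to the server on UDP port 1812."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encrypt_password(secret, request_auth, password.encode()))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse(packet):
    """Return (code, identifier, authenticator, {attribute type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, packet[4:20], attrs


def build_response(secret, code, ident, request_auth, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def server_handle(secret, users, packet):
    """Toy RADIUS server: recover the PAP password and accept or reject."""
    code, ident, request_auth, attrs = parse(packet)
    password = decrypt_password(secret, request_auth, attrs.get(USER_PASSWORD, b""))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    ok = code == ACCESS_REQUEST and users.get(user) == password.decode(errors="replace")
    return build_response(secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth)


def client_verify(secret, request, response):
    """NAS side: the reply counts only if its authenticator was computed with the
    same secret over our Request Authenticator and it is an Access-Accept."""
    _, ident, request_auth, _ = parse(request)
    code, rident, resp_auth, _ = parse(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return rident == ident and hmac.compare_digest(expected, resp_auth) and code == ACCESS_ACCEPT


if __name__ == "__main__":
    SECRET = b"replace-me-with-32-random-bytes"    # constructed
    USERS = {"alice": "correct horse battery"}     # constructed
    req = build_access_request(SECRET, 1, "alice", "correct horse battery", "192.0.2.1")
    print("accepted:", client_verify(SECRET, req, server_handle(SECRET, USERS, req)))
```

Note what the exchange does not give you: the request itself carries no authenticator keyed on the secret, and the password hiding is a single-MD5 stream that an attacker holding a capture can brute-force offline if the secret is short. That is the reason for a long random secret and, where the server allows it, for carrying RADIUS over a protected path.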

LDAP servers
If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated with the FortiGate unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiGate unit.

The FortiGate unit supports LDAP protocol functionality defined in RFC2251 for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3. In addition, FortiGate LDAP supports LDAP over SSL/TLS. To configure SSL/TLS authentication, refer to the FortiGate CLI Reference.

FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers. FortiGate LDAP support also does not supply information to the user about why authentication failed.

Go to User > LDAP to configure an LDAP server.

Figure 228: LDAP server list
Create New: Add a new LDAP server.
Name: The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP: The domain name or IP address of the LDAP server.
Port: The port used to communicate with the LDAP server.
Common Name Identifier: The common name identifier for the LDAP server. The common name identifier for most LDAP servers is cn. However, some servers use other common name identifiers such as uid.
Distinguished Name: The distinguished name used to look up entries on the LDAP server. The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier.
Delete icon: Delete the LDAP server configuration.
Edit icon: Edit the LDAP server configuration.

Configuring an LDAP server

Go to User > LDAP and select Create New or the Edit icon of an existing LDAP server.

Figure 229: LDAP server configuration

Name: Type or edit the name used to identify the LDAP server.
Server Name/IP: Type or edit the domain name or IP address of the LDAP server.
Server Port: Type or edit the port used to communicate with the LDAP server. By default, LDAP uses port 389.
Common Name Identifier: Type or edit the common name identifier for the LDAP server. 20 characters maximum. The common name identifier for most LDAP servers is cn. However some servers use other common name identifiers such as uid.
Distinguished Name: Type or edit the distinguished name used to look up entries on the LDAP server. Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server. For example, you could use the following base distinguished name: ou=marketing,dc=fortinet,dc=com where ou is organization unit and dc is domain component. You can also specify multiple instances of the same field in the distinguished name, for example, to specify multiple organization units: ou=accounts,ou=marketing,dc=fortinet,dc=com
Query icon: View the LDAP server Distinguished Name Query tree for the base Distinguished Name, and all the distinguished names associated with the Common Name Identifier for the LDAP server. The tree helps you to determine the appropriate entry for the DN field. To see the users within the LDAP Server user group for the selected Distinguished Name, expand the Distinguished Name in the LDAP Distinguished Name Query tree. Select the DN from the list. The DN you select is displayed in the Distinguished Name field. Select OK and the Distinguished Name you selected will be saved in the Distinguished Name field of the LDAP Server configuration.
The LDAP Distinguished Name Query list displays the LDAP Server IP address. Expand the Common Name identifier to see the associated DNs.
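The guide says the FortiGate unit looks the user up as <Common Name Identifier>=<user name> beneath the configured base DN and passes the DN to the server unchanged. The following is an added example by the editor, not FortiGate or Fortinet code, showing how such a DN is assembled so that a user-supplied name cannot smuggle in extra RDN components, and how a base DN with repeated ou= fields is read back. The RFC 4514 escaping rules, the parser and the 20-character limit check are this example's own choices; the sample base DN is the one from the guide.

```python
"""Build and check the bind DN a FortiGate-style LDAP lookup would use.

Added illustration by the editor, not FortiGate code. The guide only says the
unit combines the Common Name Identifier, the user name and the base DN, and
passes the DN to the server unchanged; the RFC 4514 escaping and the parser
below are this example's own choices, so user input cannot add RDNs.
"""
import re

# Characters that must be escaped inside an RDN value (RFC 4514 section 2.4).
_SPECIAL = ',+"\\<>;='


def escape_rdn_value(value: str) -> str:
    """Escape a user-supplied attribute value for use inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:           # leading '#' would start a hex-string form
            out.append("\\#")
        elif ch == " " and i in (0, last):   # leading/trailing space is significant
            out.append("\\ ")
        elif ord(ch) < 0x20:                 # control characters: \XX hex form
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(cnid: str, username: str, base_dn: str) -> str:
    """<cnid>=<escaped user name>,<base DN>; cnid limited to 20 chars as in the GUI."""
    if not cnid or len(cnid) > 20:
        raise ValueError("common name identifier must be 1..20 characters")
    return "%s=%s,%s" % (cnid, escape_rdn_value(username), base_dn)


def parse_dn(dn: str):
    """Split a DN into (attribute, value) pairs on unescaped commas."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, val = part.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().lower(), val))
    return rdns


def ou_components(dn: str):
    """All organization unit values, in order; multiple ou= fields are legal."""
    return [val for attr, val in parse_dn(dn) if attr == "ou"]


if __name__ == "__main__":
    base = "ou=accounts,ou=marketing,dc=fortinet,dc=com"  # base DN from the guide
    print(build_user_dn("cn", "jsmith", base))
    # An attacker-controlled user name cannot add an RDN once it is escaped:
    print(build_user_dn("cn", "jsmith,ou=admins", base))
    print(ou_components(base))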

Figure 230: LDAP server Distinguished Name Query tree

Windows AD servers

On networks that use Windows Active Directory (AD) servers for authentication, FortiGate units can transparently authenticate users without asking them for their user name and password. You must install the Fortinet Server Authentication Extensions (FSAE) on the network and configure the FortiGate unit to retrieve information from the Windows AD server. For more information about FSAE, see the FSAE Technical Note.

Go to User > Windows AD to configure Windows AD servers.

Figure 231: Windows AD server list

Create New: Add a new Windows AD server.
Name: The name of the Windows AD server with FSAE. You can expand the server name to display Windows AD domain group information.
IP Address: The IP addresses and TCP ports of up to five collector agents that send Windows AD server logon information to the FortiGate unit.
Delete icon: Delete this Windows AD server.
Edit icon: Edit this Windows AD server.
Refresh icon: Get current domain and group information from the Windows AD server.

Configuring a Windows AD server

Go to User > Windows AD and select Create New or the Edit icon of an existing Windows AD server.

Figure 232: Windows AD server configuration

Name: Type or edit the name of the Windows AD server. This name appears in the list of Windows AD servers when you create user groups.

Enter the following information for up to five collector agents.

FSAE Collector IP: Type or edit the IP address of the Windows AD server where this collector agent is installed.
Port: Type or edit the TCP port used for Windows AD. This must be the same as the FortiGate listening port specified in the FSAE collector agent configuration.
Password: Type or edit the password for the collector agent. This is required only if you configured your FSAE collector agent to require authenticated access.

User group

A user group is a list of user identities. An identity can be:
• a local user account (user name and password) stored on the FortiGate unit
• a local user account with a password stored on a RADIUS or LDAP server
• a RADIUS or LDAP server (all identities on the server can authenticate)
• a user group defined on a Microsoft Active Directory server

In most cases, the FortiGate unit authenticates users by requesting their user name and password. The FortiGate unit checks local user accounts first. If a match is not found, the FortiGate unit checks the RADIUS or LDAP servers that belong to the user group. Authentication succeeds when a matching user name and password are found.

For an Active Directory user group, the Active Directory server authenticates users when they log on to the network. The FortiGate unit receives the user's name and IP address from the FSAE collector agent. For more information about FSAE, see the FSAE Technical Note.
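The authentication order just described (local accounts first, then the group's RADIUS or LDAP servers) and the rule that an IPSec dialup group may not contain server-authenticated members are modelled in the following added example. It is the editor's illustration, not FortiGate code: the remote servers are replaced by a constructed table of accepted credentials so it runs offline, and the choice to fall through to the group's servers after a failed local password is an assumption, since the guide only says that servers are tried when no local match is found.

```python
"""Authentication order for a user group, modelled on the description above.

Editor's added example, not FortiGate code. Remote RADIUS/LDAP servers are
replaced by a constructed table of accepted credentials so it runs offline;
the fall-through from a failed local password to the group's servers is an
assumption, the guide only says servers are tried when no local match is found.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass
class RemoteServer:
    """A RADIUS or LDAP server; all identities on it may authenticate."""
    name: str
    kind: str                     # "radius" or "ldap"
    accounts: Dict[str, str]      # constructed stand-in for the real directory

    def check(self, user: str, password: str) -> bool:
        stored = self.accounts.get(user, "")
        return bool(stored) and hmac.compare_digest(stored, password)


@dataclass
class LocalUser:
    name: str
    password: Optional[str] = None   # None: the password is held on `server`
    server: Optional[str] = None


@dataclass
class UserGroup:
    name: str
    members: List[Union[LocalUser, RemoteServer]]


def authenticate(group: UserGroup, user: str, password: str,
                 servers: Dict[str, RemoteServer]) -> bool:
    # 1. Local user accounts are checked first.
    for m in group.members:
        if isinstance(m, LocalUser) and m.name == user:
            if m.password is not None:
                if hmac.compare_digest(m.password, password):
                    return True
            elif m.server in servers and servers[m.server].check(user, password):
                return True
    # 2. No local match: try the RADIUS/LDAP servers that belong to the group.
    for m in group.members:
        if isinstance(m, RemoteServer) and m.check(user, password):
            return True
    return False


def can_be_dialup_group(group: UserGroup) -> bool:
    """IPSec dialup groups may not contain RADIUS/LDAP-authenticated members."""
    return all(isinstance(m, LocalUser) and m.server is None for m in group.members)


def demo_group():
    """Constructed sample group and server table used by the usage below."""
    ldap1 = RemoteServer("ldap1", "ldap", {"bob": "bob-pass"})
    rad1 = RemoteServer("rad1", "radius", {"carol": "carol-pass"})
    group = UserGroup("staff", [LocalUser("alice", password="alice-pass"),
                                LocalUser("bob", server="ldap1"),
                                rad1])
    return group, {"ldap1": ldap1, "rad1": rad1}


if __name__ == "__main__":
    g, servers = demo_group()
    for u, p in (("alice", "alice-pass"), ("bob", "bob-pass"),
                 ("carol", "carol-pass"), ("alice", "wrong")):
        print(u, authenticate(g, u, p, servers))
    print("dialup-capable:", can_be_dialup_group(g))
```

Constant-time comparison is used for the password checks so the model does not leak the stored value through timing; a real deployment would of course hash the local passwords rather than store them in clear.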

You can configure user groups to provide authenticated access to:
• Firewall policies that require authentication. See "Adding authentication to firewall policies" on page 247.
• SSL VPNs on the FortiGate unit. See "SSL-VPN firewall policy options" on page 252.
• IPSec VPN Phase 1 configurations for dialup users. See "Creating a new phase 1 configuration" on page 311.
• XAuth for IPSec VPN Phase 1 configurations. See XAUTH in "Defining phase 1 advanced settings" on page 314.
• FortiGate PPTP configuration. See "PPTP Range" on page 327.
• FortiGate L2TP configuration. This is configurable only using the config vpn l2tp CLI command. See the FortiGate CLI Reference.
• Administrator login with RADIUS authentication. See "Configuring RADIUS authentication for administrators" on page 144.
• FortiGuard Web Filtering override groups. See "FortiGuard - Web Filter" on page 393.

For each resource that requires authentication, you specify which user groups are permitted access. You need to determine the number and membership of user groups appropriate to your authentication needs.

User group types

There are three types of user group:
• "Firewall"
• "Active Directory"
• "SSL VPN"

Firewall

A firewall user group provides access to a firewall policy that requires firewall type authentication and lists the user group as one of the allowed groups. The FortiGate unit requests the group member's user name and password when the user attempts to access the resource that the policy protects. For more information, see "Adding authentication to firewall policies" on page 247.

A firewall user group can also provide access to an IPSec VPN for dialup users. In this case, the IPSec VPN phase 1 configuration uses the Accept peer ID in dialup group peer option. The user's VPN client is configured with the user name as peer ID and the password as pre-shared key. The user can connect successfully to the IPSec VPN only if the user name is a member of the allowed user group and the password matches the one stored on the FortiGate unit. A user group cannot be a dialup group if any member is authenticated using a RADIUS or LDAP server. For more information, see "Creating a new phase 1 configuration" on page 311.

A firewall user group can be used to provide override privileges for FortiGuard web filtering. See "Configuring FortiGuard override options for a user group" on page 351. For detailed information about FortiGuard Web Filter, including the override feature, see "FortiGuard - Web Filter" on page 393.

Active Directory

On a Microsoft Windows network, the FortiGate unit can allow access to members of Active Directory server user groups who have been authenticated on the Windows network. The Fortinet Server Authentication Extensions (FSAE) must be installed on the network domain controllers. See "Windows AD servers" on page 346.

An Active Directory user group provides access to a firewall policy that requires Active Directory type authentication and lists the user group as one of the allowed groups. The members of the user group are Active Directory groups that you select from a list that the FortiGate unit receives from the Windows AD servers that you have configured.

Note: An Active Directory user group cannot have FortiGuard Web Filter override privileges or SSL VPN access.

SSL VPN

An SSL VPN user group provides access to a firewall policy that requires SSL VPN type authentication and lists the user group as one of the allowed groups. The FortiGate unit requests the user's user name and password when the user accesses the SSL VPN web portal. The user group settings include options for SSL VPN features. See "Configuring SSL VPN user group options" on page 352. Local user accounts, LDAP, and RADIUS servers can be members of an SSL VPN user group.

An SSL VPN user group can also provide access to an IPSec VPN for dialup users. In this case, the IPSec VPN phase 1 configuration uses the Accept peer ID in dialup group peer option. The user's VPN client is configured with the user name as peer ID and the password as pre-shared key. The user can connect successfully to the IPSec VPN only if the user name is a member of the allowed user group and the password matches the one stored on the FortiGate unit. For more information, see "Creating a new phase 1 configuration" on page 311.

Note: A user group cannot be an IPSec dialup group if any member is authenticated using a RADIUS or LDAP server.

User group list

Go to User > User Group to configure user groups. User group names are listed by type of user group: Firewall, Active Directory and SSL VPN.

Figure 233: User group list

Create New: Add a new user group.
Group Name: The name of the user group.
Members: The users, RADIUS servers, or LDAP servers in the user group.

Protection Profile: The protection profile associated with this user group.
Delete icon: Delete the user group. Note: You cannot delete a user group that is included in a firewall policy, a dialup user phase 1 configuration, or a PPTP or L2TP configuration.
Edit icon: Edit the membership and options of the group.

Configuring a user group

Go to User > Group and select Create New or the Edit icon of an existing user group.

Figure 234: User group configuration

Name: Type or enter the name of the user group.
Type: Select the user group type. See "User group types" on page 348.
    Firewall: Select this group in any firewall policy that requires Firewall authentication. See "Adding authentication to firewall policies" on page 247.
    Active Directory: Select this group in any firewall policy that requires Active Directory authentication. See "Adding authentication to firewall policies" on page 247.
    SSL VPN: Select this group in any firewall policy with Action set to SSL VPN. See "SSL-VPN firewall policy options" on page 252.
Protection Profile: Available only if Type is Firewall or Active Directory. Select a protection profile for this user group from the drop-down list. To create a new protection profile, select Create New.
Available Users: The list of users, RADIUS servers, or LDAP servers that can be added to the user group.
Members: The list of users, RADIUS servers, or LDAP servers that belong to the user group.
Right arrow button: Add a user or server to the Members list. Select a user or server name in the Available Users list and select the right arrow button to move it to the Members list.
Left arrow button: Remove a user or server from the Members list. Select a user name or server name in the Members list and select the left arrow button to move it to the Available Users list.

FortiGuard Web Filtering Override: Available only if Type is Firewall. Configure Web Filtering override capabilities for this group. See "Configuring FortiGuard override options for a user group" on page 351.
SSL-VPN User Group Options: Available only if Type is SSL-VPN. For detailed instructions about how to configure web-only mode or tunnel mode operation, see the FortiGate SSL VPN User Guide.

Note: If you try to add LDAP servers or local users to a group configured for administrator authentication, an "Entry not found" error occurs.

Configuring FortiGuard override options for a user group

The firewall protection profile governing the connection must have FortiGuard overrides enabled. The protection profile designates one user group as the Override Group. Members of the Override Group can authenticate on the FortiGuard Web Filter Block Override page to access the blocked site. For detailed information see "FortiGuard - Web Filter" on page 393.

Go to User > Group and select the Edit icon for a firewall user group. Expand the FortiGuard Web Filtering Override section.

Figure 235: FortiGuard Web Filtering Override configuration

Allowed to perform FortiGuard Web Filtering overrides: Select to allow members of this group to request an override on the FortiGuard Web Filtering Block page.
Override Scope: The override can apply to just the user who requested the override, or include others. Make a selection from the drop-down list to include:
    User: Only the user
    User Group: The user group to which the user belongs
    IP: Any user at the user's IP address
    Subnet: Any user on the user's subnet
    Ask: Authenticating user, who chooses the override scope
Override Type: Select from the drop-down list to allow access to:
    Directory: Only the lowest level directory in the URL
    Domain: The entire website domain
    Categories: The FortiGuard category
    Ask: Authenticating user, who chooses the override type

Off-site URLs: Select from the drop-down list whether the user can follow links to sites off of the blocked site:
    Allow: User can follow links to other sites.
    Deny: User can follow links only to destinations as defined by Override Type.
    Ask: Authenticating user chooses whether to allow use of off-site links.
Override Time: Select to set the duration of the override:
    Constant: Select to set the duration of override in days, hours, minutes. The duration set is the maximum.
    Ask: Select to allow the authenticating user to determine the duration of override.

Configuring SSL VPN user group options

Go to User > Group and select the Edit icon for an SSL VPN user group. Expand the SSL-VPN User Group Options section. For detailed instructions about how to configure web-only mode or tunnel mode operation, see the FortiGate SSL VPN User Guide.

Figure 236: SSL-VPN user group options

Enable SSL-VPN Tunnel Service: Select to allow users in this group to connect to the network behind the FortiGate unit using the SSL VPN tunnel. This is not available in Transparent mode.
Allow Split Tunneling: Select to allow split tunneling for this group. Split tunneling ensures that only the traffic for the private network is sent to the SSL VPN gateway. Internet traffic is sent through the usual unencrypted route. Not available in Transparent mode.
Restrict tunnel IP range for this group: Type the starting and ending IP address range for this group if you want to override the Tunnel IP range defined in VPN > SSL > Config.
Enable Web Application: Select to enable the web portal to provide access to web applications.

HTTP/HTTPS Proxy, FTP, Telnet (applet), Samba, VNC, RDP: If you enabled Web Application, select to enable each of the applications that users in this group are permitted to access.
Check FortiClient AV Installed and Running: Select to allow the client to connect only if it is running FortiClient Host Security AV software. For information about this software, see the Fortinet Technical Documentation web site.
Check FortiClient FW Installed and Running: Select to allow the client to connect only if it is running FortiClient Host Security FW software. For information about this software, see the Fortinet Technical Documentation web site.
Check for Third Party AV Software: Select to allow the client to connect only if it has supported antivirus software installed. The software must be installed and enabled (running). See "AV/Firewall supported product detection" for supported products for Windows XP SP2. For all other systems, Norton (Symantec) AntiVirus or McAfee VirusScan software is supported. Note: This option is not available if you select Check FortiClient Installed and Running.
Check for Third Party Firewall Software: Select to allow the client to connect only if it has supported firewall software installed. The software must be installed and enabled (running). See "AV/Firewall supported product detection" for supported products for Windows XP SP2. For all other systems, Norton (Symantec) AntiVirus or McAfee VirusScan software is supported. Note: This option is not available if you select Check FortiClient Installed and Running.
Enable Cache Clean: Select to remove all temporary Internet files created on the client computer between user login and logout. This is executed with a downloaded ActiveX control. Works on Internet Explorer with Windows 2000/Windows XP, and Firefox. Note: If the client's browser cannot install and run the cache cleaner, the user is not allowed to access the SSL VPN portal.
Redirect URL: Select to open a second browser window at this URL when the SSL VPN web portal page opens. The web server for this URL must reside on the private network behind the FortiGate unit.
Customize portal message for this group: Type or edit a custom web portal home page caption for this group. Note: You can modify the SSL VPN web portal login page, see "Changing the SSL-VPN login message" on page 139.

Table 32: AV/Firewall supported product detection

Product                                AV   Firewall
Trend Micro                            Y    Y
Sophos                                 Y    N
Panda Platinum 2006 Internet Security  Y    Y
F-Secure                               Y    Y
Secure Resolutions                     Y    Y
Cat Computer Services                  Y    Y
Ahnlab                                 Y    Y

Configuring peers and peer groups

You can define peers and peer groups used for authentication in some VPN configurations. Use the CLI config user peer and config user peergrp commands to do this. For more information, see the "User" chapter of the FortiGate CLI Reference.

AntiVirus

This section describes how to configure the antivirus options associated with firewall protection profiles.

The following topics are included in this section:
• Order of operations
• Antivirus elements
• Antivirus settings and controls
• File pattern
• Quarantine
• Config
• Antivirus CLI configuration

Order of operations

Antivirus processing includes various modules and engines that perform separate tasks. The FortiGate unit performs antivirus processing in the order the elements appear in the web-based manager menu:
• File pattern
• Virus scan
• Grayware
• Heuristics

If a file fails any of the elements of the antivirus scan, no further scans are performed. For example, if the file "fakefile.EXE" is recognized as a blocked pattern, the FortiGate unit will send the end user a replacement message and the file will be deleted or quarantined. The virus scan, grayware and heuristic scans will not be performed, as the file is already found to be a threat and has been dealt with; there is no need to use further system resources on the file at this time.

Antivirus elements

The antivirus elements work in sequence to give you an efficient method of scanning incoming files. The first three elements have specific functions; the fourth, the heuristics, is to cover any new, previously unknown, virus threats. The four elements work together to offer your network unparalleled antivirus protection. To ensure that your system is providing the most protection available, all virus definitions and signatures are updated regularly through the FortiGuard antivirus services. The elements will be discussed in the order that they are applied, followed by FortiGuard antivirus.

File pattern

Once a file is accepted, the FortiGate unit applies the file pattern recognition filter. The FortiGate unit will check the file against the file pattern setting you have configured. If the file is a blocked pattern, ".EXE" for example, then it is stopped and a replacement message is sent to the end user. No other levels of protection are applied. If the file is not a blocked pattern, the next level of protection is applied.

Virus scan

If the file is passed by the file pattern, it will have a virus scan applied to it. The virus definitions are kept up to date through the Fortinet Distribution Network. The list is updated on a regular basis so you do not have to wait for a firmware upgrade. For more information on updating virus definitions, see FortiGuard antivirus.

Grayware

Once past the file pattern and the virus scan, the incoming file will be checked for grayware. Grayware configurations can be turned on and off as required and are kept up to date in the same manner as the antivirus definitions. For more information on configuring grayware, please see Viewing the grayware list.

Heuristics

After an incoming file has passed the first three antivirus elements, it is subjected to the heuristics element. The FortiGate heuristic antivirus engine performs tests on the file to detect virus-like behavior or known virus indicators. In this way, heuristic scanning may detect new viruses, but may also produce some false positive results.

Note: Heuristics is configurable only through the CLI. See the FortiGate CLI Guide.

FortiGuard antivirus

FortiGuard antivirus services are an excellent resource and include automatic updates of virus and IPS (attack) engines and definitions, as well as the local spam DNSBL, through the FortiGuard Distribution Network (FDN). The FortiGuard Center also provides the FortiGuard antivirus virus and attack encyclopedia and the FortiGuard Bulletin. Visit the Fortinet Knowledge Center for details and a link to the FortiGuard Center.

The connection between the FortiGate unit and FortiGuard Center is configured in System > Maintenance > FortiGuard Center. See "Configuring the FortiGate unit for FDN and FortiGuard services" on page 160 for more information.

Note: If virtual domains are enabled on the FortiGate unit, antivirus features are configured globally. To access these features, select Global Configuration on the main menu.

Antivirus settings and controls

While antivirus settings are configured for system-wide use, specific settings can be implemented on a per profile basis. Table 33 compares antivirus options in protection profiles and the antivirus menu.

Table 33: Antivirus and Protection Profile antivirus configuration

Protection Profile antivirus options | Antivirus setting
Virus Scan: Enable or disable virus scanning for each protocol (HTTP, FTP, IMAP, POP3, SMTP, IM). | AntiVirus > Config > Virus List: View a read-only list of current viruses. AntiVirus > Config > Grayware: Enable or disable blocking of Grayware by category.
File Pattern: Enable or disable file pattern handling for each protocol. | AntiVirus > File Pattern: Configure file patterns to block or allow files. Files can be blocked by name, extension, or any other pattern. File pattern blocking provides the flexibility to block potentially harmful content. Patterns can also be individually enabled or disabled.
Quarantine: Enable or disable quarantining for each protocol. Quarantine is only available on units with a local disk, or with a configured FortiAnalyzer unit. | AntiVirus > Quarantine: View and sort the list of quarantined files, configure file patterns to upload automatically to Fortinet for analysis, and configure quarantining options in AntiVirus.
Pass fragmented email messages: Enable or disable passing fragmented email messages. Fragmented email messages cannot be scanned for viruses. |
Comfort Clients: Enable or disable for HTTP and FTP traffic. Set the interval and byte amount to trigger client comforting. |
Oversized file/email: Configure the FortiGate unit to block or pass oversized files and email messages for each protocol. Set the size thresholds for files and email messages for each protocol in AntiVirus. |
Add signature to outgoing email messages: Create and enable a signature to append to outgoing email messages (SMTP only). |

File pattern

Configure file patterns to block all files that are a potential threat and to prevent active computer virus attacks. The FortiGate unit blocks files that match a configured file pattern and displays a replacement message instead. The FortiGate unit also writes a message to the virus log and sends an alert email message if configured to do so.

If both File Pattern and Virus Scan are enabled, the FortiGate unit blocks files that match enabled file patterns and does not scan these files for viruses. For standard operation, you can choose to disable File Pattern in the Protection Profile, and enable it temporarily to block specific threats as they occur. For more information, see "Antivirus options" on page 299.

Note: File pattern entries are not case sensitive. For example, adding *.exe to the file pattern list also blocks any files ending in .EXE.

Note: If virtual domains are enabled on the FortiGate unit, antivirus features are configured globally. To access these features, select Global Configuration on the main menu.

Viewing the file pattern list catalog

You can add multiple file pattern lists to FortiGate and then select the best file pattern list for each protection profile. To view the file pattern list catalog, go to AntiVirus > File Pattern. To view any individual file pattern list, select the edit icon for the list you want to see.

Figure 237: Sample file pattern list catalog

Create New: Select Create New to add a new file pattern list to the catalog.
Name: The available file pattern lists.
# Entries: The number of file patterns in each file pattern list.
Profiles: The protection profiles each file pattern list has been applied to. Select file pattern lists in protection profiles.
Comment: Optional description of each file pattern list.
Delete icon: Select to remove the file pattern list from the catalog. The delete icon is only available if the file pattern list is not selected in any protection profiles.
Edit icon: Select to edit the file pattern list or list name.

Note: The default file pattern list catalog is called built-in-patterns.

Creating a new file pattern list

To add a file pattern list to the file pattern list catalog, go to AntiVirus > File Pattern and select Create New.

Figure 238: New File Pattern List dialog box

Name: Enter the name of the new list.
Comment: Enter a comment to describe the list, if required.

Viewing the file pattern list

To view the file pattern list, go to AntiVirus > File Pattern and select the edit icon of the file pattern list you want to view.

Files are compared to the enabled file patterns from top to bottom. If a file does not match any specified patterns, it is passed along to antivirus scanning (if enabled). In effect, files are passed if not explicitly blocked. Using the allow action, this behavior can be reversed, with all files being blocked unless explicitly passed. Simply enter all the file patterns to be passed with the allow attribute. At the end of the list, add an all-inclusive wildcard (*.*) with a block action. Allowed files continue to antivirus scanning (if enabled), while files not matching any allowed patterns are blocked by the wildcard at the end.

Figure 239: Sample file pattern list

The file pattern list has the following icons and features:

Name: File pattern list name. To change the name, edit text in the name field and select OK.
Comment: Optional comment. To add or edit comment, enter text in comment field and select OK.
OK: Select to save changes to the name and comment.
Create New: Select Create New to add a new pattern to the file pattern list.
Pattern: The current list of file patterns.
Action: Files matching the file patterns can be set to block or allow.
Enable: Clear the checkbox to disable the file pattern.
Delete icon: Select to remove the file pattern from the list.
Edit icon: Select to edit the file pattern and action.
Move To icon: Select to move the file pattern to any position in the list.
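The list semantics above (top-to-bottom, first enabled match wins, case-insensitive, allow-list reversal with a trailing *.* block) and the order of operations from the start of this chapter (file pattern, then virus scan, grayware and heuristics, stopping at the first failure) are shown together in the following added example. It is the editor's illustration, not FortiGate code: pattern matching uses shell-style globs, and the three later stages are constructed stand-ins (fixed byte markers and a toy heuristic) so the pipeline runs offline. The pattern lists are subsets of the guide's preconfigured patterns.

```python
"""File pattern evaluation and the antivirus order of operations.

Editor's added example for the file pattern list semantics and the order of
operations (file pattern, virus scan, grayware, heuristics). Not FortiGate
code: pattern matching uses shell-style globs, and the three later stages are
constructed stand-ins (fixed byte markers) so the pipeline runs offline.
"""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FilePattern:
    pattern: str
    action: str = "block"      # "block" or "allow"
    enabled: bool = True


def match_file_pattern(filename: str, patterns: List[FilePattern]) -> Optional[str]:
    """First enabled match from top to bottom wins; names are not case sensitive."""
    name = filename.lower()
    for p in patterns:
        if p.enabled and fnmatch.fnmatchcase(name, p.pattern.lower()):
            return p.action
    return None


# Pass-by-default list: a subset of the guide's preconfigured block patterns.
DEFAULT_BLOCK = [FilePattern("*.exe"), FilePattern("*.bat"), FilePattern("*.pif"),
                 FilePattern("*.scr"), FilePattern("*.vb?")]

# Reversed (block-by-default) list: allow named types, then *.* with action block.
ALLOW_LIST = [FilePattern("*.txt", "allow"), FilePattern("*.pdf", "allow"),
              FilePattern("*.*", "block")]

# Constructed markers standing in for signature and grayware definitions.
VIRUS_MARKERS = (b"SIG:TESTVIRUS",)
GRAYWARE_MARKERS = (b"ADWARE-TRACKER",)


def looks_suspicious(data: bytes) -> bool:
    """Stand-in heuristic: a PE header together with a remote-thread import."""
    return data.startswith(b"MZ") and b"CreateRemoteThread" in data


def scan_file(filename: str, data: bytes, patterns: List[FilePattern],
              file_pattern_enabled: bool = True) -> Tuple[str, Optional[str]]:
    """Apply the stages in order and stop at the first one that fails.

    Returns (verdict, stage) where stage is None for a clean file.
    """
    if file_pattern_enabled and match_file_pattern(filename, patterns) == "block":
        return "blocked", "file pattern"        # blocked files are not virus scanned
    if any(m in data for m in VIRUS_MARKERS):
        return "infected", "virus scan"
    if any(m in data for m in GRAYWARE_MARKERS):
        return "grayware", "grayware"
    if looks_suspicious(data):
        return "heuristics", "heuristics"
    return "clean", None


if __name__ == "__main__":
    print(scan_file("fakefile.EXE", b"SIG:TESTVIRUS", DEFAULT_BLOCK))
    print(scan_file("fakefile.EXE", b"SIG:TESTVIRUS", DEFAULT_BLOCK, file_pattern_enabled=False))
    print(scan_file("notes.txt", b"hello", ALLOW_LIST), scan_file("tool.exe", b"hello", ALLOW_LIST))
```

Two practitioner points the code makes concrete: with File Pattern enabled, a blocked name never reaches the signature engine, so the first call above reports "file pattern" even though the content carries the virus marker; and under these glob semantics a trailing *.* only catches names that contain a dot, so a reversed list should be tested against extension-less names before it is relied on.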

*. Note: If virtual domains are enabled on the FortiGate unit. To access these features. Select an action from the drop down list: Block or Allow. *. Submit specific files and add file patterns to the AutoSubmit list so they will automatically be uploaded to Fortinet for analysis.0 MR3 Administration Guide 01-30003-0203-20061124 .bat. select Create New.wps) Visual Basic files (*.tar. go to Log & Report > Log Config > Log Setting. Quarantine FortiGate units with a local disk can quarantine blocked and infected files. *. To add a new file pattern while viewing a file pattern list.gz.exe) compressed or archive files (*. For more information.doc.ppt. *.The file pattern can be an exact file name or can include wildcards.dll) HTML application (*. Figure 240:New file pattern Pattern Action Enable Enter the file pattern. antivirus features are configured globally.rar. 360 FortiGate Version 3. Files stored on the FortiAnalyzer can be retrieved for viewing. *. select Global Configuration on the main menu.vb?) screen saver files (*.hta) Microsoft Office files (*.com. and *. Select to enable the pattern.Quarantine AntiVirus The file pattern list is preconfigured with a default list of file patterns: • • • • • • • • • executable files (*. To edit an existing file pattern.tgz. View the file name and status information about the file in the quarantined file list. FortiGate units without a local disk can quarantine blocked and infected files to a FortiAnalyzer unit. select the edit icon associated with the pattern. *.zip) dynamic link libraries (*.scr) program information files (*.pif) File pattern is enabled in protection profiles. The maximum number of file patterns in a list is 5000. see “Antivirus options” on page 299. and *.xl?) Microsoft Works files (*. Configuring the file pattern list File patterns can be up to 80 characters long. To configure the FortiAnalyzer unit.

Viewing the Quarantined Files list

The Quarantined Files list displays information about each file quarantined because of virus infection or file blocking. The file is stored on the FortiGate hard disk with the following naming convention:

<32bit_CRC>.<processed_filename>

When a file is quarantined, all spaces are removed from the file name, and a 32-bit checksum is performed on the file. The checksum appears in the replacement message but not in the quarantined file. For example, a file named Over Size.exe is stored as 3fc155d2.oversize.exe.

To view the Quarantined Files list, go to AntiVirus > Quarantine > Quarantined Files.

Figure 241: Quarantined files list

The quarantined files list has the following features and displays the following information about each quarantined file:

Apply: Select to apply the sorting and filtering selections to the quarantined files list.
Sort by: Sort the list. Choose from: status, service, file name, date, time to live (TTL), or duplicate count. Select Apply to complete the sort.
Filter: Filter the list to view only quarantined files with a specific status or from a specific service. Choose from status (infected, blocked, or heuristics) or service (IMAP, POP3, SMTP, FTP, or HTTP). Select Apply to complete the filtering.
File Name: The processed file name of the quarantined file.
Date: The date and time the file was quarantined, in the format dd/mm/yyyy hh:mm. This value indicates the time that the first file was quarantined if the duplicate count increases.
Service: The service from which the file was quarantined (HTTP, FTP, IMAP, POP3, SMTP, IM).
Status: The reason the file was quarantined: infected, heuristics, or blocked. Heuristics mode is configurable through the CLI only. See "Antivirus CLI configuration" on page 367.
Status Description: Specific information related to the status, for example, "File is infected with "W32/Klez.h"" or "File was stopped by file block pattern."
DC: Duplicate count. A count of how many duplicates of the same file were quarantined. A rapidly increasing number can indicate a virus outbreak.
TTL: Time to live in the format hh:mm. When the TTL elapses, the FortiGate unit labels the file as EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL.
Upload status: Y indicates the file has been uploaded to Fortinet for analysis. N indicates the file has not been uploaded.
Delete icon: Select to remove the file from the list.
Download icon: Select to download the corresponding file in its original format.
Submit icon: Select to upload a suspicious file to Fortinet for analysis.

Note: Duplicates of files (based on the checksum) are not stored, only counted. The TTL value and the duplicate count are updated each time a duplicate of a file is found.

Viewing the AutoSubmit list

Configure the FortiGate unit to upload suspicious files automatically to Fortinet for analysis. Upload files to Fortinet based on status (blocked or heuristics), or submit individual files directly from the quarantined files list. Add file patterns to the AutoSubmit list using wildcard characters (* or ?). File patterns are applied for AutoSubmit regardless of file blocking settings. The FortiGate unit uses encrypted email to autosubmit files to an SMTP server through port 25. This option is only available on FortiGate units with a local disk.

To view the AutoSubmit list, go to AntiVirus > Quarantine > AutoSubmit.

Figure 242: Sample AutoSubmit list

The AutoSubmit list has the following icons and features:

Create New: Select to add a new file pattern to the AutoSubmit list.
File Pattern: The current list of file patterns that will be automatically uploaded. Create a pattern by using ? or * wildcard characters.
Delete icon: Select to remove the entry from the list.
Edit icon: Select to edit the following information: File Pattern and Enable.

Configuring the AutoSubmit list

To add a file pattern to the AutoSubmit list, go to AntiVirus > Quarantine > AutoSubmit and select Create New.

Figure 243: New File Pattern dialog box

File Pattern: Enter the file pattern or file name to be uploaded automatically to Fortinet.
Enable: Select to enable the file pattern.

Note: To enable automatic uploading of the configured file patterns, go to AntiVirus > Quarantine > Config, select Enable AutoSubmit, and select Use File Pattern. Enable the check box to enable all file patterns in the list.

Configuring quarantine options

Go to AntiVirus > Quarantine > Config to set quarantine configuration options, including whether to quarantine blocked or infected files and from which service. Configure the time to live and file size values, and enable AutoSubmit settings.

Figure 244: Quarantine Configuration (FortiGate with local disk)
Figure 245: Quarantine Configuration (FortiAnalyzer from FortiGate with local disk)
Figure 246: Quarantine Configuration (FortiAnalyzer from FortiGate with no local disk)

Quarantine configuration has the following options:

Options:
Quarantine Infected Files: Select the protocols from which to quarantine infected files identified by antivirus scanning.
Quarantine Suspicious Files: Select the protocols from which to quarantine suspicious files identified by heuristics. Heuristics is configurable through the CLI only. See "Antivirus CLI configuration" on page 367.
Quarantine Blocked Files: Select the protocols from which to quarantine blocked files identified by antivirus file blocking. The Quarantine Blocked Files option is not available for HTTP, FTP, or IM because a file name is blocked before downloading and cannot be quarantined.

Note: NNTP options cannot be selected. Support will be added in the future.

Age limit: The time limit in hours for which to keep files in quarantine. The age limit is used to formulate the value in the TTL column of the quarantined files list. When the limit is reached, the TTL column displays EXP, and the file is deleted (although a record is maintained in the quarantined files list). Entering an age limit of 0 (zero) means files are stored on disk indefinitely, depending on the low disk space action.
Max filesize to quarantine: The maximum size of quarantined files in MB. Setting the maximum file size too large may affect performance.
Low disk space: Select the action to take when the local disk is full: overwrite the oldest file or drop the newest file.
FortiAnalyzer: Select to enable storage of blocked and quarantined files on a FortiAnalyzer unit. See "Log&Report" on page 427 for more information about configuring a FortiAnalyzer unit.
Enable AutoSubmit: Enables the AutoSubmit feature. Select one or both of the options below.
  Use file pattern: Enables the automatic upload of files matching the file patterns in the AutoSubmit list.
  Use file status: Enables the automatic upload of quarantined files based on their status. Select either Heuristics or Block Pattern.
Apply: Select to save the configuration.

Config

Config displays a list of the current viruses blocked by the FortiGate unit. Also configure file and email size limits, and grayware blocking.

Note: If virtual domains are enabled on the FortiGate unit, antivirus features are configured globally. To access these features, select Global Configuration on the main menu.

Viewing the virus list

The virus list displays an alphabetical list of the current FortiGuard virus definitions (also called AV definitions) installed on the FortiGate unit. The FortiGate unit uses the virus definitions to detect and remove viruses, worms, trojans, and other threats from content as it passes through the FortiGate unit. To view the virus list, go to AntiVirus > Config. View the entire list or parts of the list by selecting the number or alphabet ranges.
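The quarantine behaviour described on this and the preceding pages (the <32bit_CRC>.<processed_filename> naming, duplicate counting with TTL refresh, the age limit, the maximum file size and the two low disk space actions), as an added simulation that is not part of the guide or of FortiOS. It assumes zlib.crc32 in place of the unit's unspecified 32-bit checksum, models the disk as a constructed number of slots, and lower-cases the stored name because the page's own example does.

```python
"""Model of the FortiGate quarantine behaviour documented above.
Added example, not FortiGate code: zlib.crc32 stands in for the unit's
unspecified 32-bit checksum and the disk is a constructed slot count."""
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def processed_name(filename: str, data: bytes) -> str:
    """Spaces removed, CRC prefix: 'Over Size.exe' -> '<crc>.oversize.exe'.
    Lower-casing follows the page's example; the checksum algorithm is assumed."""
    return f"{zlib.crc32(data):08x}.{filename.replace(' ', '').lower()}"


@dataclass
class Entry:
    name: str
    service: str
    status: str
    first_seen: int      # minutes on the constructed clock (the Date column)
    last_seen: int       # refreshed by each duplicate; drives the TTL column
    dc: int = 1          # duplicate count
    stored: bool = True  # False once expired or evicted: record kept, file gone


class Quarantine:
    def __init__(self, age_limit_hours: int, max_filesize_mb: int,
                 low_disk_action: str, slots: int):
        assert low_disk_action in ("overwrite_oldest", "drop_newest")
        self.age_limit = age_limit_hours * 60       # minutes; 0 = indefinitely
        self.max_size = max_filesize_mb * 1024 * 1024
        self.low_disk_action = low_disk_action
        self.slots = slots                          # constructed disk capacity
        self.entries: Dict[int, Entry] = {}         # keyed by checksum
        self.now = 0

    def tick(self, minutes: int) -> None:
        self.now += minutes
        self._expire()

    def _expire(self) -> None:
        if self.age_limit == 0:                     # age limit 0: never expire
            return
        for e in self.entries.values():
            if e.stored and self.now - e.last_seen >= self.age_limit:
                e.stored = False                    # file deleted, record kept

    def add(self, filename: str, data: bytes, service: str, status: str) -> Optional[Entry]:
        """Quarantine a file; returns its list entry, or None if it is not stored."""
        if len(data) > self.max_size:
            return None                             # over the maximum file size
        crc = zlib.crc32(data)
        self._expire()
        dup = self.entries.get(crc)
        if dup is not None and dup.stored:
            dup.dc += 1                             # duplicates are counted, not stored,
            dup.last_seen = self.now                # and each one refreshes the TTL
            return dup
        if sum(e.stored for e in self.entries.values()) >= self.slots:
            if self.low_disk_action == "drop_newest":
                return None
            oldest = min((e for e in self.entries.values() if e.stored),
                         key=lambda e: e.first_seen)
            oldest.stored = False                   # overwrite the oldest file
        entry = Entry(processed_name(filename, data), service, status, self.now, self.now)
        self.entries[crc] = entry
        return entry

    def ttl(self, e: Entry) -> str:
        """TTL column: hh:mm remaining, or EXP once the file has been deleted."""
        if not e.stored:
            return "EXP"
        if self.age_limit == 0:
            return "--"                             # assumption: no countdown shown
        left = self.age_limit - (self.now - e.last_seen)
        return f"{left // 60:02d}:{left % 60:02d}"

    def rows(self) -> List[Tuple[str, str, str, int, str]]:
        """The quarantined files list: File Name, Service, Status, DC, TTL."""
        return [(e.name, e.service, e.status, e.dc, self.ttl(e)) for e in self.entries.values()]

    def outbreak_candidates(self, threshold: int) -> List[str]:
        """Files whose DC reached the threshold; a rapidly rising DC can indicate an outbreak."""
        return [e.name for e in self.entries.values() if e.dc >= threshold]
```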

Figure 247: Virus list (partial)

The FortiGuard virus definitions list is updated every time the FortiGate unit receives a new version of the FortiGuard AV definitions. Usually the FortiGuard AV definitions are updated automatically from the FortiGuard Distribution Network (FDN). Go to System > Maintenance > FortiGuard Center to configure automatic AV definition updates from the FDN. You can also update the AV definitions manually from the system dashboard (go to System > Status).

The FortiGuard Center Virus Encyclopedia contains detailed descriptions of the viruses, worms, trojans, and other threats that can be detected and removed by your FortiGate unit using the information in the FortiGuard virus definitions.

Viewing the grayware list

Grayware programs are unsolicited commercial software programs that get installed on computers, often without the user's consent or knowledge. Grayware programs are generally considered an annoyance, but these programs can cause system performance problems or be used for malicious ends.

The FortiGate unit scans for known grayware executable programs in each enabled category. The category list and contents are added or updated whenever the FortiGate unit receives a virus update package. Grayware categories are populated with known executable files. Each time the FortiGate unit receives a virus and attack definitions update, the grayware categories and contents are updated. New categories may be added at any time and will be loaded with the virus updates. By default, all new categories are disabled. Grayware is enabled in a protection profile when Virus Scan is enabled.

To view the grayware list, go to AntiVirus > Config > Grayware.

Note: If virtual domains are enabled on the FortiGate unit, antivirus features are configured globally. To access these features, select Global Configuration on the main menu.

Figure 248: Sample grayware options

Enabling a grayware category blocks all files listed in the category. The categories may change or expand when the FortiGate unit receives updates. You can choose to enable the following grayware categories:

Adware: Block adware programs. Adware is usually embedded in freeware programs and causes ads to pop up whenever the program is opened or used.
BHO: Block browser helper objects. BHOs are DLL files that are often installed as part of a software package so the software can control the behavior of Internet Explorer 4.x and later. Not all BHOs are malicious, but the potential exists to track surfing habits and gather other information.
Dial: Block dialer programs. Dialers allow others to use the PC modem to call premium numbers or make long distance calls.
Download: Block download programs. Download components are usually run at Windows startup and are designed to install or download other software, especially advertising and dial software.
Game: Block games. Games are usually joke or nuisance games that you may want to block from network users.
HackerTool: Block hacker tools.
Hijacker: Block browser hijacking programs. Browser hijacking occurs when a 'spyware' type program changes web browser settings, including favorites or bookmarks, start pages, and menu options.
Joke: Block joke programs. Joke programs can include custom cursors and programs that appear to affect the system.
Keylog: Block keylogger programs. Keylogger programs can record every keystroke made on a keyboard including passwords, chat, and instant messages.
Misc: Block any programs included in the miscellaneous grayware category.
NMT: Block network management tools. Network management tools can be installed and used maliciously to change settings and disrupt network security.
P2P: Block peer to peer communications programs. P2P, while a legitimate protocol, is synonymous with file sharing programs that are used to swap music, movies, and other files, often illegally.

Plugin: Block browser plugins. Browser plugins can often be harmless Internet browsing tools that are installed and operate directly from the browser window. Some toolbars and plugins can attempt to control or record and send browsing preferences.
RAT: Block remote administration tools. Remote administration tools allow outside users to remotely change and monitor a computer on a network.
Spy: Block spyware programs. Spyware, like adware, is often included with freeware. Spyware is a tracking and analysis program that can report your activities, such as web browsing habits, to the advertiser's web site where it may be recorded and analyzed.
Toolbar: Block custom toolbars. While some toolbars are harmless, spyware developers can use these toolbars to monitor web habits and send information back to the developer.

Antivirus CLI configuration

This section describes the CLI commands that extend features available through the web-based manager. For complete descriptions and examples of how to enable additional features through CLI commands, see the FortiGate CLI Reference.

system global optimize

The optimize feature configures CPU settings to ensure efficient operation of the FortiGate unit for either antivirus scanning or straight throughput traffic. When optimize is set to antivirus, the FortiGate unit uses symmetric multiprocessing to spread the antivirus tasks to several CPUs, making scanning faster. This feature is available on models numbered 1000 and higher. For more information, see the Antivirus failopen and optimization Fortinet Knowledge Center article.

config antivirus heuristic

The FortiGate heuristic antivirus engine performs tests on files to detect virus-like behavior or known virus indicators. In this way, heuristic scanning may detect new viruses, but may also produce some false positive results. Heuristic scanning is performed last, after file blocking and virus scanning have found no matches. The heuristic engine is enabled by default to pass suspected files to the recipient and send a copy to quarantine. Once configured in the CLI, heuristic scanning is enabled in a protection profile when Virus Scan is enabled. Use the heuristic command to change the heuristic scanning mode. This feature is available on models numbered 200 and higher.

config antivirus quarantine

The quarantine command also allows configuration of heuristic related settings.

config antivirus service <service_name>

Use this command to configure how the FortiGate unit handles antivirus scanning of large files in HTTP, FTP, IMAP, POP3, SMTP, or IM traffic, and what ports the FortiGate unit scans for the service.

Intrusion Protection

The FortiGuard Intrusion Prevention System (IPS) combines signature and anomaly intrusion detection and prevention with low latency and excellent reliability. The FortiGate unit can record suspicious traffic in logs, can send alert email to system administrators, and can log, pass, drop, reset, or clear suspicious packets or sessions. Adjust some IPS anomaly thresholds to work best with the normal traffic on the protected networks. Create custom signatures to customize the FortiGate IPS for diverse network environments.

This section describes how to configure the FortiGate IPS settings. IPS provides configuration access to the IPS options enabled when creating a firewall protection profile. For detailed information about IPS, see the FortiGate IPS Guide.

The following topics are included in this section:
• About intrusion protection
• Predefined signatures
• Custom signatures
• Protocol Decoders
• Anomalies
• IPS CLI configuration

About intrusion protection

The FortiGate IPS matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect your network from known attacks. Fortinet's FortiGuard infrastructure ensures the rapid identification of new threats and the development of new attack signatures.

FortiGuard services are a valuable customer resource and include automatic updates of virus and IPS (attack) engines and definitions through the FortiGuard Distribution Network (FDN). The FortiGuard Center also provides the FortiGuard virus and attack encyclopedia and the FortiGuard Bulletin. Visit the Fortinet Knowledge Center for details and a link to the FortiGuard Center.

The connection between the FortiGate unit and FortiGuard is configured in System > Maintenance > FortiGuard Center. See "Configuring the FortiGate unit for FDN and FortiGuard services" on page 160 for more information.

Configure the FortiGate unit to check automatically for and download updated attack definition files containing the latest signatures. Alternately, configure the FortiGate unit to allow push updates of updated attack definition files as soon as they are available from the FortiGuard Distribution Network, or download the updated attack definition file manually.

When the FortiGate unit installs an updated attack definition file, it checks to see if the default configuration for any existing signatures has changed. If the default configuration has changed, the changes are preserved.

Create custom attack signatures for the FortiGate unit to use in addition to an extensive list of predefined attack signatures.

Whenever the IPS detects or prevents an attack, it generates an attack message. Configure the FortiGate unit to add the message to the attack log and send an alert email to administrators. Configure how often the FortiGate unit sends alert email. Reduce the number of log messages and alerts by disabling signatures for attacks to which the system is not vulnerable, for example, web attacks when there is no web server running. Enable packet logging for each signature or anomaly. Packet logging provides administrators with the ability to analyze packets for forensics and false positive detection. For more information about FortiGate logging and alert email, see "Log&Report" on page 427.

IPS settings and controls

Configure the IPS using either the web-based manager or the CLI, then enable or disable all signatures or all anomalies in individual firewall protection profiles. Table 34 describes the IPS settings and where to configure and access them. To access protection profile IPS options, go to Firewall > Protection Profile, select Edit or Create New, and select IPS.

Note: If virtual domains are enabled on the FortiGate unit, the IPS is configured globally. To access the IPS, select Global Configuration on the main menu.

Table 34: Protection Profile IPS and IPS configuration

Protection Profile IPS option: IPS Signature. Enable or disable IPS signatures by severity level.
  IPS setting: Intrusion Protection > Signature. View and configure a list of predefined signatures. Create custom signatures based on the network requirements. Configure protocol decoders.
Protection Profile IPS option: IPS Anomaly. Enable or disable IPS anomalies by severity level.
  IPS setting: Intrusion Protection > Anomaly. View and configure a list of predefined anomalies. An administrator can adjust the threshold levels to ensure a balance between performance and intrusion prevention.
Protection Profile IPS option: Log Intrusions. Enable logging of all signature and anomaly intrusions.
  IPS setting: Intrusion Protection > Signature and Intrusion Protection > Anomaly > [individual anomaly]. Enable logging for each signature or signature group, and for each anomaly.

When to use IPS

IPS is best for large networks or for networks protecting highly sensitive information. Using IPS effectively requires monitoring and analysis of the attack logs to determine the nature and threat level of an attack. Small businesses and home offices without network

administrators may be overrun with attack log messages and not have the networking background required to configure the thresholds and other IPS settings. In addition, the other protection features in the FortiGate unit, such as antivirus (including grayware), spam filters, and web filters offer excellent protection for all networks.

Predefined signatures

Predefined signatures are arranged into groups based on the type of attack. By default, not all signatures are enabled, but logging of all signatures is enabled. Check the default settings to ensure they meet the requirements of the network traffic. Disabling unneeded signatures can improve system performance and reduce the number of log messages and alert email messages the IPS generates. For example, the IPS detects a large number of web server attacks. If access to a web server behind the FortiGate unit is not provided, disable all web server attack signatures.

Signature groups include configurable parameters depending on the type of signatures in the signature group. When configured for a signature group, the parameters apply to all of the signatures in the group.

Note: If virtual domains are enabled on the FortiGate unit, the IPS is configured globally. To access the IPS, select Global Configuration on the main menu.

Viewing the predefined signature list

Enable or disable and configure the settings for individual predefined signatures from the predefined signature list. The list can be viewed by signature severity level. To view the predefined signature list, go to Intrusion Protection > Signature > Predefined.

Figure 249: Predefined signature list

View predefined signatures with severity: Select filters then select Go to view only those signatures that match the filter criteria. Sort criteria can be <=, =, >= to All, Information, Low, Medium, High, or Critical.
Name: The signature group name. To show the signature group members, click on the blue triangle. Select the blue arrow to expand the signature group to view signatures that have been modified.
Enable: The status of the signatures within the group. A green circle indicates every signature in the group is enabled. A gray circle indicates no signatures in the group are enabled. A half-green half-grey circle indicates some signatures are enabled and some are disabled.
Logging: The logging status for signatures within the group. By default, logging is enabled for all signatures. If logging is enabled, the action appears in the status field of the log message generated by the signature. If logging is disabled and action is set to Pass, the signature is effectively disabled.
Action: The action set for individual signatures. Action can be Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Clear Session, or Pass Session. See Table 35 for descriptions of the actions.
Severity: The severity level set for each signature. Severity level is set for individual signatures. Severity level can be set to Information, Low, Medium, High, or Critical.
Revision: The revision number for individual signatures.
Configure icon: Configure settings for individual signatures or an entire group. If group settings are changed, each signature in the group inherits the modified attributes. In this way all the signatures in a group can be enabled or disabled in one step.
Reset icon: Reset only appears when the default settings for a signature or group have been modified. Selecting Reset for a signature restores the default settings. Selecting Reset for a group restores the default settings for the group and every signature within the group.

Table 35 describes each possible action to take for predefined signatures, custom signatures and anomalies.

Table 35: Actions to select for each predefined signature

Pass: When a packet triggers a signature, the FortiGate unit generates an alert and allows the packet through the firewall without further action. If logging is enabled, the action appears in the status field of the log message generated by the signature.
Drop: When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. Fortinet recommends using an action other than Drop for TCP connection based attacks.
Reset: When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The FortiGate unit sends a reset to both the client and the server and drops the firewall session from the firewall session table. This is used for TCP connections only. If set for non-TCP connection based attacks, the action will behave as Clear Session. If the Reset action is triggered before the TCP connection is fully established, it acts as Clear Session.

Table 35: Actions to select for each predefined signature (Continued)

Reset Client: When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The FortiGate unit sends a reset to the client and drops the firewall session from the firewall session table. This is used for TCP connections only. If set for non-TCP connection based attacks, the action will behave as Clear Session. If the Reset Client action is triggered before the TCP connection is fully established, it acts as Clear Session.
Reset Server: When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The FortiGate unit sends a reset to the server and drops the firewall session from the firewall session table. This is used for TCP connections only. If set for non-TCP connection based attacks, the action will behave as Clear Session. If the Reset Server action is triggered before the TCP connection is fully established, it acts as Clear Session.
Drop Session: When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. For the remainder of this packet's firewall session, all follow-up packets are dropped.
Pass Session: When a packet triggers a signature, the FortiGate unit generates an alert and allows the packet through the firewall. For the remainder of this packet's session, the IPS is bypassed by all follow-up packets.
Clear Session: When a packet triggers a signature, the FortiGate unit generates an alert and the session to which the packet belongs is removed from the session table immediately. No reset is sent. For TCP, all follow-up packets could be dropped. For UDP, all follow-up packets could trigger the firewall to create a new session.

Configuring predefined signature groups

Select the configure icon associated with a predefined signature group to quickly and easily change attributes of all signatures within the group. Only the attributes modified in the group configuration window are applied to the signatures in the group.

Figure 250: Configure Predefined IPS Signature Groups

Signature: The signature group the changes will be applied to.
Enable: Enable all signatures in the group.
Logging: Enable logging of all signatures in the group.
Action: Select an action from the list to apply to all signatures in the group. Action can be Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Pass Session, or Clear Session. See Table 35 for descriptions of the actions.
Packet Log: Enable packet logging.
Severity: Select a severity level from the dropdown list. Severity level can be Information, Low, Medium, High, or Critical. Severity level is set for individual signatures.

Configuring predefined signatures

For each signature, configure the action the FortiGate IPS takes when it detects an attack. The FortiGate IPS can pass, drop, reset or clear packets or sessions. To configure signature groups, go to Intrusion Protection > Signature > Predefined.

Figure 251: Configure Predefined IPS Signatures

Action: Select an action from the list. Action can be Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Clear Session, or Pass Session. See Table 35 for descriptions of the actions.
Packet Log: Enable or disable packet logging.
Severity: Select a severity level to be applied to the signature. Severity level can be Information, Low, Medium, High, or Critical. Severity level is set for individual signatures.

Custom signatures

Custom signatures provide the power and flexibility to customize the FortiGate IPS for diverse network environments. The FortiGate predefined signatures cover common attacks. If an unusual or specialized application or an uncommon platform is being used, add custom signatures based on the security alerts released by the application and platform vendors. You can also create custom signatures to help you block P2P protocols.

Note: If virtual domains are enabled on the FortiGate unit, the IPS is configured globally. To access the IPS, select Global Configuration on the main menu.

Viewing the custom signature list

To view the custom signature list, go to Intrusion Protection > Signature > Custom.

Figure 252: The custom signature list

View custom signatures with severity: Select filters then select Go to view only those custom signatures that match the filter criteria. Sort criteria can be <=, =, >= to All, Information, Low, Medium, High, or Critical.
Enable custom signatures: Select to enable the custom signature group, or clear to disable the custom signature group.
Create New: Select to create a new custom signature.
Clear all custom signatures: Remove all the custom signatures from the custom signature group.
Reset to recommended settings: Reset all the custom signatures to the recommended settings.
Name: The custom signature name.
Enable: The status of each custom signature. A check mark in the box indicates the signature is enabled.
Logging: The logging status of each custom signature. A check mark in the box indicates logging is enabled for the custom signature. If logging is enabled, the action appears in the status field of the log message generated by the signature.
Action: The action set for each custom signature. Action can be Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Clear Session, or Pass Session. See Table 35 for descriptions of the actions.
Severity: The severity level set for each custom signature. Severity level is set for individual signatures. Severity level can be Information, Low, Medium, High, or Critical.
Delete icon: Select to delete the custom signature.
Edit icon: Select to edit the following information: Name, Signature, Action, Packet Log, and Severity.

Creating custom signatures

Use custom signatures to block or allow specific traffic. For example, to block traffic containing pornography, add custom signatures similar to the following:

F-SBID( --protocol tcp; --flow established; --content "nude cheerleader"; --no_case; )

When adding the signature, set action to Drop Session.

Note: Custom signatures are an advanced feature. This document assumes the user has previous experience creating intrusion detection signatures. For more information on custom signature syntax, see the FortiGate Intrusion Protection System (IPS) Guide.

To create a custom signature, go to Intrusion Protection > Signature > Custom.

Figure 253: Edit Custom Signature
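A parser for the F-SBID signature syntax used in the example above, with a simplified matcher and the Drop Session behaviour from Table 35 applied to constructed packets. This is an added example, not FortiGate code: it models only the four keywords the page uses (--protocol, --flow, --content, --no_case), while the real IPS engine evaluates signatures inside its protocol decoders.

```python
"""Parse and evaluate F-SBID custom signatures (added example, not FortiOS code).
Only --protocol, --flow, --content and --no_case are modelled; the Drop Session
verdicts follow Table 35: the triggering packet and every later packet of the
same firewall session are dropped."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

VALUE_KEYWORDS = {"protocol", "flow", "content"}   # keywords that take a value
FLAG_KEYWORDS = {"no_case"}                        # keywords that take none

# One option: --keyword [value] ;  (the ';' before the closing ')' may be omitted)
_OPTION = re.compile(r'--(\w+)(?:\s+("(?:[^"\\]|\\.)*"|[^;]+?))?\s*(?:;|$)')


@dataclass
class Signature:
    protocol: Optional[str] = None
    flow: Optional[str] = None
    contents: List[str] = field(default_factory=list)
    no_case: bool = False


def parse_fsbid(text: str) -> Signature:
    """Parse 'F-SBID( --key value; --flag; )'. Unknown keywords and malformed
    options (for example a single-dash '-no_case') raise ValueError."""
    m = re.fullmatch(r"\s*F-SBID\s*\(\s*(.*?)\s*\)\s*", text, re.S)
    if not m:
        raise ValueError("signature must be wrapped in F-SBID( ... )")
    body, sig, pos = m.group(1), Signature(), 0
    for opt in _OPTION.finditer(body):
        gap = body[pos:opt.start()].strip()
        if gap:                                   # text that is not an option
            raise ValueError(f"unparsable text near {gap!r}")
        key, value = opt.group(1), opt.group(2)
        if key in FLAG_KEYWORDS:
            if value is not None:
                raise ValueError(f"--{key} takes no value")
            sig.no_case = True
        elif key in VALUE_KEYWORDS:
            if value is None:
                raise ValueError(f"--{key} needs a value")
            value = value.strip()
            if value.startswith('"'):              # strip quotes, unescape \"
                value = value[1:-1].replace('\\"', '"')
            if key == "content":
                sig.contents.append(value)
            else:
                setattr(sig, key, value.lower())
        else:
            raise ValueError(f"unknown keyword --{key}")
        pos = opt.end()
    if body[pos:].strip():
        raise ValueError(f"unparsable text near {body[pos:].strip()!r}")
    return sig


@dataclass
class Packet:
    session: int         # firewall session the packet belongs to
    protocol: str        # "tcp", "udp", ...
    established: bool    # TCP handshake complete (for --flow established)
    payload: bytes


def matches(sig: Signature, pkt: Packet) -> bool:
    """True when every option of the signature holds for the packet."""
    if sig.protocol and pkt.protocol.lower() != sig.protocol:
        return False
    if sig.flow == "established" and not pkt.established:
        return False
    data = pkt.payload.lower() if sig.no_case else pkt.payload
    for content in sig.contents:
        needle = content.encode()
        if (needle.lower() if sig.no_case else needle) not in data:
            return False
    return True


def drop_session_verdicts(sig: Signature, packets: List[Packet]) -> List[str]:
    """Apply the Drop Session action recommended for this signature."""
    dropped_sessions = set()
    verdicts = []
    for pkt in packets:
        if pkt.session in dropped_sessions:
            verdicts.append("drop")               # follow-up packet of a dropped session
        elif matches(sig, pkt):
            dropped_sessions.add(pkt.session)
            verdicts.append("drop")               # alert generated, packet dropped
        else:
            verdicts.append("pass")
    return verdicts


# Constructed sample traffic, not captured data.
SIGNATURE = 'F-SBID( --protocol tcp; --flow established; --content "nude cheerleader"; --no_case; )'
SAMPLE_PACKETS = [
    Packet(1, "tcp", True, b"GET /index.html HTTP/1.1\r\n"),
    Packet(1, "tcp", True, b"POST /search HTTP/1.1\r\n\r\nq=NUDE Cheerleader"),
    Packet(1, "tcp", True, b"GET /next.html HTTP/1.1\r\n"),   # same session: dropped
    Packet(2, "udp", False, b"nude cheerleader"),            # not TCP: no match
    Packet(3, "tcp", False, b"nude cheerleader"),            # not established: no match
]
```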

Name: The name of the custom signature.
Signature: Enter the custom signature. For more information about custom signature syntax, see "Custom signature syntax" in the FortiGate Intrusion Protection System (IPS) Guide.
Action: Select an action from the list. Action can be Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Pass Session, or Clear Session. See Table 35 for descriptions of the actions.
Packet Log: Enable packet logging.
Severity: Select a severity level from the dropdown list. Severity level can be Information, Low, Medium, High, or Critical. Severity level is set for individual signatures.

Protocol Decoders

The FortiGate IPS uses anomaly detection to identify network traffic that attempts to take advantage of known exploits. Use the CLI to configure session control based on source and destination network address, and configure the IPS action in response to detecting an anomaly. Enable or disable logging for each protocol anomaly. The protocol anomaly detection list can be updated only when the FortiGate firmware image is upgraded.

Note: If virtual domains are enabled on the FortiGate unit, the IPS is configured globally. To access the IPS, select Global Configuration on the main menu.

Viewing the protocol decoder list

To view the decoder list, go to Intrusion Protection > Signature > Protocol Decoder.

Figure 254: A portion of the protocol decoder list

Note: The im_decoder and p2p_decoder groups cannot be disabled. The IM and P2P features require these decoders to function. The individual decoders within the groups can be disabled.

View protocol decoders with severity: Select filters then select Go to view only those decoders that match the filter criteria. Sort criteria can be <=, =, >= to All, Information, Low, Medium, High, or Critical.
Name: The protocol decoder name.

Enable: The status of the protocol decoder. A check mark in the box indicates the decoder signature is enabled.
Logging: The logging status for each protocol decoder. A check mark in the box indicates logging is enabled for the decoder. If logging is enabled, the action appears in the status field of the log message generated by the decoder.
Action: The action set for each protocol decoder. Action can be Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Pass Session, or Clear Session. See Table 35 for descriptions of the actions.
Severity: The severity level set for each protocol anomaly. Severity level can be Information, Low, Medium, High, or Critical. Severity level is set for each individual decoder.
Configure icon: Select to edit the attributes of the protocol decoder group.
Reset icon: Use the Reset icon to restore modified settings to the recommended values. The Reset icon is displayed only if a decoder has been modified.

Decoder groups use a graphical indicator for the status of signatures within the group. A green circle indicates every signature in the group is enabled. A gray circle indicates no signatures in the group are enabled. A half-green half-grey circle indicates some signatures are enabled and some are disabled.

Upgrading IPS protocol decoder list
IPS protocol decoders are included in the IPS upgrade package available through the FortiGuard Distribution Network (FDN). The IPS upgrade package will keep the IPS decoder list up to date with new threats such as the latest versions of existing IM/P2P as well as new applications. There is no need to wait for firmware upgrades.

Configuring IPS protocol decoder groups
Many protocol anomaly groups have attributes separate from signatures within the group. Each protocol anomaly group has different attributes specific to that group. Changing an attribute affects how the protocol decoder group functions. How the change affects the group may be different for each group. Editing the group configuration will not change the settings of individual anomalies within the group. Select the configure icon associated with a protocol decoder group to edit the attributes of the group.

Figure 255: Edit IPS Protocol Anomaly Group: HTTP

Configuring IPS protocol decoders
Each IPS traffic anomaly is preset with a recommended configuration. Use the recommended configurations, or modify the recommended configurations to meet the needs of your network. To configure IPS traffic anomalies, go to Intrusion Protection > Signature > Protocol Decoder.

Figure 256: Edit IPS Protocol Anomaly: tcp_reassembler
Action: Select an action from the dropdown list: Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Pass Session, or Clear Session. See Table 35 for descriptions of the actions.
Packet Log: Enable packet logging.
Severity: Select a severity level from the dropdown list: Information, Low, Medium, High, or Critical.

Anomalies

The FortiGate IPS uses anomaly detection to identify network traffic that does not fit known or preset traffic patterns. The FortiGate IPS identifies the four statistical anomaly types for the TCP, UDP, and ICMP protocols.

Flooding: If the number of sessions targeting a single destination in one second is over a specified threshold, the destination is experiencing flooding.
Scan: If the number of sessions from a single source in one second is over a specified threshold, the source is scanning (stealth activity).
Source session limit: If the number of concurrent sessions from a single source is over a specified threshold, the source session limit is reached.
Destination session limit: If the number of concurrent sessions to a single destination is over a specified threshold, the destination session limit is reached.

Enable or disable logging for each traffic anomaly, and configure the IPS action in response to detecting an anomaly. In many cases, the thresholds the anomaly uses to detect traffic patterns that could represent an attack are configurable. Use the CLI to configure session control based on source and destination network address.

Note: It is important to know normal and expected network traffic before changing the default anomaly thresholds. Setting the thresholds too low could cause false positives, and setting the thresholds too high could miss some attacks.

The traffic anomaly detection list can be updated only when the FortiGate firmware image is upgraded.

Note: If virtual domains are enabled on the FortiGate unit, the IPS is configured globally. To access the IPS, select Global Configuration on the main menu.

Viewing the traffic anomaly list
To view the anomaly list, go to Intrusion Protection > Anomaly.
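The four anomaly types above reduce to two kinds of counting, new sessions per second and concurrent sessions per endpoint. The following Python is an added illustration of those checks, not FortiGate code: the session log, the threshold values and the per-second simplification are all constructed here, and the anomaly names are reused only as labels.

```python
"""Statistical anomaly checks modelled on the four IPS anomaly types
(flooding, scan, source session limit, destination session limit).

Added illustration, not FortiGate code: session records and thresholds are
constructed here, and per-second counting is a simplification of the unit's
own statistics. Thresholds must come from a baseline of normal traffic;
too low means false positives, too high means missed attacks.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    start: int   # second in which the session began
    end: int     # last second in which it was still open


# Hypothetical thresholds; the FortiGate anomaly names are used only as labels.
THRESHOLDS = {
    "tcp_flood": 20,        # new sessions to one destination per second
    "tcp_scan": 20,         # new sessions from one source per second
    "tcp_src_session": 50,  # concurrent sessions from one source
    "tcp_dst_session": 50,  # concurrent sessions to one destination
}


def flooding(sessions, proto, threshold):
    """Destinations receiving more than `threshold` new sessions in one second."""
    per_second = Counter((s.dst, s.start) for s in sessions if s.proto == proto)
    return sorted({dst for (dst, _), n in per_second.items() if n > threshold})


def scanning(sessions, proto, threshold):
    """Sources opening more than `threshold` new sessions in one second."""
    per_second = Counter((s.src, s.start) for s in sessions if s.proto == proto)
    return sorted({src for (src, _), n in per_second.items() if n > threshold})


def session_limit(sessions, proto, threshold, endpoint):
    """Endpoints ('src' or 'dst') whose concurrent sessions ever exceed `threshold`.

    Sweep line: +1 when a session starts, -1 the second after it ends; because
    (t, -1) sorts before (t, +1), sessions ending at t-1 are released first.
    """
    events = defaultdict(list)
    for s in sessions:
        if s.proto == proto:
            key = getattr(s, endpoint)
            events[key].append((s.start, 1))
            events[key].append((s.end + 1, -1))
    exceeded = []
    for key, evs in events.items():
        open_sessions = 0
        for _, delta in sorted(evs):
            open_sessions += delta
            if open_sessions > threshold:
                exceeded.append(key)
                break
    return sorted(exceeded)


def build_sample():
    """Constructed TCP session log: some normal traffic plus three abnormal hosts."""
    sessions = [Session("tcp", "10.0.0.1", "192.0.2.1", t, t + 2) for t in range(10)]
    # 10.0.0.5 opens 25 sessions to 25 different hosts in second 0: a scan
    sessions += [Session("tcp", "10.0.0.5", f"198.51.100.{i}", 0, 1) for i in range(25)]
    # 30 sources hit 192.0.2.10 in second 3: a flood
    sessions += [Session("tcp", f"203.0.113.{i}", "192.0.2.10", 3, 3) for i in range(30)]
    # 10.0.0.7 slowly builds 60 long-lived sessions to 192.0.2.20: session limits
    sessions += [Session("tcp", "10.0.0.7", "192.0.2.20", i, 100) for i in range(60)]
    return sessions


def run_checks(sessions):
    """Apply the four checks with THRESHOLDS and return the offending endpoints."""
    return {
        "tcp_flood": flooding(sessions, "tcp", THRESHOLDS["tcp_flood"]),
        "tcp_scan": scanning(sessions, "tcp", THRESHOLDS["tcp_scan"]),
        "tcp_src_session": session_limit(sessions, "tcp", THRESHOLDS["tcp_src_session"], "src"),
        "tcp_dst_session": session_limit(sessions, "tcp", THRESHOLDS["tcp_dst_session"], "dst"),
    }


if __name__ == "__main__":
    for name, hits in run_checks(build_sample()).items():
        print(f"{name}: {hits or 'none'}")
```

Lowering the session-limit threshold to 24 also flags the scanner's 25 concurrent sessions, which is the false-positive trade-off the note above describes.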

Figure 257: A portion of the traffic anomaly list

View traffic anomalies with severity: Select filters then select Go to view only those anomalies that match the filter criteria. Sort criteria can be <=, =, >= to All, Information, Low, Medium, High, or Critical.
Name: The traffic anomaly name.
Enable: The status of the traffic anomaly. A check mark in the box indicates the anomaly signature is enabled.
Logging: The logging status for each traffic anomaly. A check mark in the box indicates logging is enabled for the anomaly. If logging is enabled, the action appears in the status field of the log message generated by the anomaly.
Action: The action set for each traffic anomaly. Action can be Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Pass Session, or Clear Session. See Table 35 for descriptions of the actions.
Severity: The severity level set for each traffic anomaly. Severity level can be Information, Low, Medium, High, or Critical. Severity level is set for individual anomalies.
Edit icon: Select to edit the following information: Action, Severity, and Threshold.
Reset icon: Use the Reset icon to restore modified settings to the recommended values. The Reset icon is displayed only if an anomaly has been modified.

Configuring IPS traffic anomalies
Each IPS traffic anomaly is preset with a recommended configuration. Use the recommended configurations, or modify the recommended configurations to meet the needs of your network. To configure IPS traffic anomalies, go to Intrusion Protection > Anomaly.

Figure 258: Edit IPS Traffic Anomaly: icmp_dst_session
Action: Select an action from the dropdown list: Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Pass Session, or Clear Session. See Table 35 for descriptions of the actions.

Severity: Select a severity level from the dropdown list: Information, Low, Medium, High, or Critical.
Threshold: For the IPS anomalies that include the threshold setting, traffic over the specified threshold triggers the anomaly.

IPS CLI configuration

This section describes the CLI commands that extend features available through the web-based manager. For complete descriptions and examples of how to enable additional features through CLI commands, see the FortiGate CLI Reference.

(config ips anomaly) config limit: Access the config limit subcommand using the config ips anomaly <name_str> command. Use this command for session control based on source and destination network address. This command is available for tcp_src_session, tcp_dst_session, icmp_src_session, icmp_dst_session, udp_src_session, and udp_dst_session.
ips global fail-open: If for any reason the IPS should cease to function, it will fail open by default. This means crucial network traffic will not be blocked, and the firewall will continue to operate while the problem is being resolved.
ips global ip_protocol: Save system resources by restricting IPS processing to only those services allowed by firewall policies.
ips global socket-size: Set the size of the IPS buffer.
system autoupdate ips: When the IPS is updated, user-modified settings are retained. If recommended IPS signature settings have not been modified, and the updated settings are different, signature settings will be set according to accept-recommended-settings.

Web Filter

The three main sections of the web filtering function, the Web Filter Content Block, the URL Filter, and the FortiGuard Web filter, interact with each other in such a way as to provide maximum control and protection for the Internet users.

This section contains the following topics:
• Order of web filtering
• How web filtering works
• Web filter controls
• Content block
• URL filter
• FortiGuard - Web Filter

Order of web filtering
Web filters are applied in a specific order:
1 URL Exempt (Web Exempt List)
2 URL Block (Web URL Block)
3 URL Block (Web Pattern Block)
4 FortiGuard Web Filtering (Also called Category Block)
5 Content Block (Web Content Block)
6 Script Filter (Web Script Filter)
7 Antivirus scanning

The URL filter list is processed in order from top to bottom. (In FortiOS v2.80 the URL filter is processed as an unordered list.) An exempt match stops all further checking including AV scanning. An allow match exits the URL filter list and checks the other web filters. Local ratings are checked prior to other FortiGuard Web Filtering categories.

How web filtering works
The following information shows how the filters interact with each other and how to use them to your advantage. The FortiGate unit applies the rules in this order, and failure to comply with a rule will automatically block a site despite what the setting for later filters might be.

The first section, the URL exempt and block filters, will allow you to decide what action to take for specific addresses. For example, if you want to exempt www.google.com from being scanned, you can add it to the URL exempt list. No web filtering or virus scanning is then applied to this web site.

If you have blocked a pattern but want certain users to have access to URLs within that pattern, you can use the Override within the FortiGuard Web Filter. This will allow you to specify which users have access to which blocked URLs and how long they have that access. For example, you want User1 to be able to access www.fakeLAND.com for 1 hour. You can use this section to set up the exemption. Any user listed in an override must fill out an online authentication form before the FortiGuard unit will grant access to the blocked URL.

FortiGuard Web Filter also lets you create local categories to block groups of URLs. Once you have created the category, you can use the local rating to add specific sites to the local category you have created. You then use the Firewall > Protection Profile to tell the FortiGuard Unit what action to take with the Local category. The local ratings overwrite the FortiGuard ratings. Rating corrections as well as suggesting ratings for new pages can be submitted on the FortiGuard Center web page. Visit the Fortinet Knowledge Center for details and a link to the FortiGuard Center.

Finally the FortiGuard unit applies script filtering for ActiveX, Cookie, and Java applet.

Once you have finished configuring all of these settings, you still have to turn them all on in the Firewall > Protection Profile > Web filtering and Firewall > Protection Profile > FortiGuard Web Filtering. By enabling them here, you are telling the FortiGate unit to start using the filters as you have configured them.

Web filter controls
As a general rule you go to Web Filter to configure the web filtering settings and to enable the filters for use in a protection profile. To actually activate the enabled filters you go to Firewall > Protection Profile.

This section describes how to configure web filtering options. Web filtering functions must be enabled in the active protection profile for the corresponding settings in this section to have any effect, which can be configured in Firewall > Protection Profile > Web Filtering. FortiGuard - Web Filter is described in detail in "FortiGuard-Web filtering options" on page 302. The following tables compare web filtering options in protection profiles and the web filter menu.

Note: Enabled means that the filter will be used when you turn on web filtering. It does not mean that the filter is turned on. To turn on all enabled filters you must go to Firewall > Protection Profile.

Table 36: Web filter and Protection Profile web content block configuration
Protection Profile web filtering options: Web Content Block. Enable or disable web page blocking based on the banned words and patterns in the content block list for HTTP traffic.
Web Filter setting: Web Filter > Content Block. Add words and patterns to block web pages containing those words or patterns.

Table 37: Web filter and Protection Profile web URL filtering configuration
Protection Profile web filtering options: Web URL Filter. Enable or disable web page filtering for HTTP traffic based on the URL filter list.
Web Filter setting: Web Filter > URL Filter. Add URLs and URL patterns to exempt or block web pages from specific sources.

Table 38: Web filter and Protection Profile web script filtering and download configuration
Protection Profile web filtering options: Active X Filter, Cookie Filter, Java Applet Filter. Enable or disable blocking scripts from web pages for HTTP traffic.
Web Filter setting: n/a
Protection Profile web filtering options: Web resume Download Block. Enable to block downloading the remainder of a file that has already been partially downloaded. Enabling this option prevents the unintentional download of virus files, but can cause download interruptions.
Web Filter setting: n/a

Table 39: Web filter and Protection Profile web category filtering configuration
Protection Profile web filtering options: Enable FortiGuard Web Filtering (HTTP only). Enable FortiGuard Web Filtering Overrides (HTTP only). Provide details for blocked HTTP 4xx and 5xx errors (HTTP only). Rate images by URL (Blocked images will be replaced with blanks) (HTTP only). Allow web sites when a rating error occurs (HTTP only). Strict Blocking (HTTP only).
Web Filter setting: FortiGuard Web Filtering > Overrides; FortiGuard Web Filter > Configuration.
Protection Profile web filtering options: Category / Action. FortiGuard-Web filtering service provides many categories by which to filter web traffic. Set the action to take on web pages for each category. Choose from allow, block, log, or allow override. Local Categories can be configured to best suit local requirements.
Web Filter setting: FortiGuard Web Filtering > Local Categories | Local Ratings.
Protection Profile web filtering options: Classification/Action. When selected, users can access web sites that provide content cache, and provide searches for image, audio, and video files. Choose from allow, block, log, or allow override.
Web Filter setting: n/a

To access protection profile web filter options
1 Go to Firewall > Protection Profile.
2 Select edit or Create New.
3 Select Web Filtering or Web Category Filtering.
For more information, see "Web filtering options" on page 301.

Content block

Control web content by blocking specific words or patterns. If enabled in the protection profile, the FortiGate unit searches for words or patterns on requested web pages. If matches are found, values assigned to the words are totalled. If a user-defined threshold value is exceeded, the web page is blocked. Use Perl regular expressions or wildcards to add banned word patterns to the list.

Note: Perl regular expression patterns are case sensitive for Web Filter content block. To make a word or phrase case insensitive, use the regular expression /i. For example, /bad language/i blocks all instances of bad language regardless of case. Wildcard patterns are not case sensitive.

Note: If virtual domains are enabled on the FortiGate unit, web filtering features are configured globally. To access these features, select Global Configuration on the main menu.

Viewing the web content block list catalog
You can add multiple web content block lists and then select the best web content block list for each protection profile. To view the web content block list catalog, go to Web Filter > Content Block. To view any individual web content block list, select the edit icon for the list you want to see.

Figure 259: Sample web content block list catalog

The web content block list catalogue has the following icons and features:
Add: To add a new list to the catalog, enter a name and select Add. New lists are empty by default.
Name: The available web content block lists. Select web content block lists in protection profiles.
# Entries: The number of content patterns in each web content block list.
Profiles: The protection profiles each web content block list has been applied to.
Comment: Optional description of each web content block list.
Delete icon: Select to remove the web content block list from the catalog. The delete icon is only available if the web content block list is not selected in any protection profiles.
Edit icon: Select to edit the web content block list, list name, or list comment.

Creating a new web content block list
To add a web content block list to the web content block list catalog
1 Go to Web Filter > Content Block.
2 Select Create New.

Figure 260: New Web Content Block list dialog box
Name: Enter the name of the new list.
Comment: Optional comment. Enter a comment to describe the list, if required.

Viewing the web content block list
With web content block enabled, every requested web page is checked against the content block list. The score value of each pattern appearing on the page is added, and if the total is greater than the threshold value set in the protection profile, the page is blocked. The score for a pattern is applied only once even if it appears on the page multiple times.

To view the web content block list
1 Go to Web Filter > Content Block.
2 Select the edit icon of the web content block list you want to view.

Figure 261: Sample web content block list

Note: Enable Web Filtering > Web Content Block in a firewall Protection Profile to activate the content block settings.

The web content block list has the following icons and features:
Name: Web content block list name. To change the name, edit text in the name field and select OK.
Comment: Optional comment. To add or edit comment, enter text in comment field and select OK.
Create new: Select to add a pattern to the web content block list.
Total: The number of patterns in the web content block list.
Page up icon: Select to view the previous page.

Page down icon: Select to view the next page.
Remove All Entries icon: Select to clear the table.
Banned word: The current list of patterns.
Pattern type: The pattern type used in the pattern list entry. Choose from wildcard or regular expression. See "Using Perl regular expressions" on page 413.
Language: The character set to which the pattern belongs: Simplified Chinese, Traditional Chinese, French, Japanese, Korean, Thai, or Western.
Score: A numerical weighting applied to the pattern. The score values of all the matching patterns appearing on a page are added, and if the total is greater than the threshold value set in the protection profile, the page is blocked.
Enable: Select the check box to enable all the patterns in the list.
Delete icon: Select to delete an entry from the list.
Edit icon: Select to edit the following information: Banned Word, Pattern Type, Language, Score, and Enable.

Configuring the web content block list
Web content patterns can be one word or a text string up to 80 characters long. The maximum number of banned words in the list is 5000.

To add or edit a content block pattern
1 Go to Web Filter > Content Block.
2 Select Create New or select the edit icon of the web content block list you want to view.

Figure 262: New content block pattern
Banned Word: Enter the content block pattern. For a single word, the FortiGate checks all web pages for that word. For a phrase, the FortiGate checks all web pages for any word in the phrase. For a phrase in quotation marks, the FortiGate unit checks all web pages for the entire phrase.
Pattern Type: Select a pattern type from the dropdown list: Wildcard or Regular Expression.
Language: Select a language from the dropdown list.
Score: Enter a score for the pattern.
Enable: Select to enable the pattern.

Viewing the web content exempt list catalog
You can add multiple web content exempt lists and then select the best web content exempt list for each protection profile.

To view the web content block list catalog
• Go to Web Filter > Content Block > Web Content Exempt.

To view any individual web content exempt list
• Select the edit icon for the list you want to see.

Figure 263: Sample web content exempt list catalog

The web content exempt list catalogue has the following icons and features:
Add: To add a new list to the catalog, enter a name and select Add. New lists are empty by default.
Name: The available web content block lists. Select web content block lists in protection profiles.
# Entries: The number of content patterns in each web content block list.
Profiles: The protection profiles each web content block list has been applied to.
Comment: Optional description of each web content block list.
Delete icon: Select to remove the web content block list from the catalog. The delete icon is only available if the web content block list is not selected in any protection profiles.
Edit icon: Select to edit the web content block list, list name, or list comment.
For more information, see "Web filtering options" on page 301.

Creating a new web content exempt list
To add a web content exempt list to the web content exempt list catalog
1 Go to Web Filter > Content Block > Web Content Exempt.
2 Select Create New.

Figure 264: New Web Content Exempt list dialog box
Name: Enter the name of the new list.
Comment: Enter a comment to describe the list, if required.

Viewing the web content exempt list
Web content exempt allows overriding of the web content block feature. If any patterns defined in the web content exempt list appear on a web page, the page will not be blocked even if the web content block feature would otherwise block it.

To view the web content exempt list
1 Go to Web Filter > Content Block > Web Content Exempt.
2 Select the edit icon of the web content block list you want to view.

Figure 265: Sample web content exempt list

Note: Enable Web Filtering > Web Content Exempt in a firewall Protection Profile to activate the content exempt settings.

The web content exempt list has the following icons and features:
Name: Web content exempt list name. To change the name, edit text in the name field and select OK.
Comment: Optional comment. To add or edit comment, enter text in comment field and select OK.
Create new: Select to add a pattern to the web content exempt list.
Total: The number of patterns in the web content exempt list.
Page up icon: Select to view the previous page.
Page down icon: Select to view the next page.
Remove All Entries icon: Select to clear the table.
Pattern: The current list of patterns.
Pattern type: The pattern type used in the pattern list entry. Choose from wildcard or regular expression. See "Using Perl regular expressions" on page 413.
Language: The character set to which the pattern belongs: Simplified Chinese, Traditional Chinese, French, Japanese, Korean, Thai, or Western.
Enable: Select the check box to enable all the patterns in the list.
Delete icon: Select to delete an entry from the list.
Edit icon: Select to edit the following information: Pattern, Pattern Type, Language, and Enable.
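The scoring and exemption rules above (each matching pattern counted once, block when the total exceeds the profile threshold, any exempt match overriding the block) can be shown in a few lines. This Python is an added illustration, not FortiGate code: the pattern lists, scores, threshold and page texts are constructed, and the wildcard, quoted-phrase and /i handling follows the descriptions on this page.

```python
"""Web content block scoring with a content exempt list, as described above.

Added illustration, not FortiGate code. The pattern syntax follows the guide:
wildcard patterns are case insensitive, unquoted phrases match any one word,
quoted phrases match the whole phrase, regular expressions are case sensitive
unless written Perl-style with /i. Scores, threshold and page text are
constructed; the real threshold lives in the protection profile.
"""
import re
from dataclasses import dataclass


@dataclass
class Pattern:
    text: str
    ptype: str = "wildcard"  # "wildcard" or "regex"
    score: int = 10          # ignored for exempt lists
    enabled: bool = True


def _wildcard_to_regex(word):
    """'*' matches any run of characters and '?' a single character."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in word)


def compile_pattern(p):
    """Turn a list entry into a compiled regex implementing the matching rules."""
    if p.ptype == "regex":
        m = re.fullmatch(r"/(.*)/([a-z]*)", p.text, re.S)
        if m:  # Perl-style /body/flags; only the i flag is honoured here
            return re.compile(m.group(1), re.I if "i" in m.group(2) else 0)
        return re.compile(p.text)  # plain regex: case sensitive
    text = p.text.strip()
    if len(text) >= 2 and text[0] == text[-1] == '"':
        # Quoted phrase: the entire phrase must appear
        return re.compile(_wildcard_to_regex(text[1:-1]), re.I)
    words = text.split()
    if len(words) > 1:
        # Unquoted phrase: any single word of the phrase is a match
        alternatives = "|".join(_wildcard_to_regex(w) for w in words)
        return re.compile(r"\b(?:%s)\b" % alternatives, re.I)
    return re.compile(r"\b%s\b" % _wildcard_to_regex(text), re.I)


def page_score(page, block_list):
    """Sum the scores of matching enabled patterns, each counted once."""
    total, hits = 0, []
    for p in block_list:
        if p.enabled and compile_pattern(p).search(page):
            total += p.score
            hits.append(p.text)
    return total, hits


def content_decision(page, block_list, exempt_list, threshold):
    """'allow' if an exempt pattern matches or the score is within the threshold."""
    for p in exempt_list:
        if p.enabled and compile_pattern(p).search(page):
            return "allow", 0  # exempt overrides content block entirely
    total, _ = page_score(page, block_list)
    return ("block" if total > threshold else "allow"), total


# Constructed lists and pages.
BLOCK_LIST = [
    Pattern("casino", score=30),
    Pattern("/bad language/i", "regex", 40),
    Pattern('"free money"', score=20),
    Pattern("poker* bet*", score=15),
    Pattern("Jackpot", "regex", 10),  # case sensitive: "jackpot" does not match
]
EXEMPT_LIST = [Pattern("gambling addiction help")]
THRESHOLD = 60

PAGES = {
    "promo": "Try our CASINO! Bad Language welcome. Free money, free money, "
             "casino jackpot.",
    "club": "Weekly poker night results.",
    "support": "Casino addiction: bad language and free money scams explained.",
}


if __name__ == "__main__":
    for name, text in PAGES.items():
        print(name, content_decision(text, BLOCK_LIST, EXEMPT_LIST, THRESHOLD))
```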

Configuring the web content exempt list
Web content patterns can be one word or a text string up to 80 characters long. The maximum number of banned words in the list is 5000.

To add or edit a content exempt pattern
1 Go to Web Filter > Content Exempt.
2 Select Create New, or select the edit icon of the web content block pattern you want to view.

Figure 266: New content exempt pattern
Pattern Word: Enter the content exempt pattern. For a single word, the FortiGate checks all web pages for that word. For a phrase, the FortiGate checks all web pages for any word in the phrase. For a phrase in quotation marks, the FortiGate unit checks all web pages for the entire phrase.
Pattern Type: Select a pattern type from the dropdown list: Wildcard or Regular Expression.
Language: Select a language from the dropdown list.
Enable: Select to enable the pattern.

URL filter

Allow or block access to specific URLs by adding them to the URL filter list. The FortiGate unit allows or blocks web pages matching any specified URLs or patterns and displays a replacement message instead. Add patterns using text and regular expressions (or wildcard characters) to allow or block URLs.

Note: Enable Web filtering > Web URL Filter in a firewall Protection Profile to activate the URL filter settings.

Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.example.com. Instead, use firewall policies to deny FTP connections.

Viewing the URL filter list catalog
You can add multiple URL filter lists and then select the best URL filter list for each protection profile.

To view the URL filter list catalog
• Go to Web Filter > URL Filter.

To view any individual URL filter list
1 Go to Web Filter > URL Filter.
2 Select the edit icon for the list you want to see.

Figure 267: Sample URL filter list catalog

The URL filter list catalogue has the following icons and features:
Add: To add a new list to the catalog, enter a name and select Add. New lists are empty by default.
Name: The available URL filter lists. Select URL filter lists in protection profiles.
# Entries: The number of URL patterns in each URL filter list.
Profiles: The protection profiles each URL filter list has been applied to.
Comment: Optional description of each URL filter list.
Delete icon: Select to remove the URL filter list from the catalog. The delete icon is only available if the URL filter list is not selected in any protection profiles.
Edit icon: Select to edit the URL filter list, list name, or list comment.
For more information, see "Web filtering options" on page 301.

Creating a new URL filter list
To add a URL filter list to the URL filter list catalog
1 Go to Web Filter > URL Filter.
2 Select Create New.

Figure 268: New URL Filter list dialog box
Name: Enter the name of the new list.
Comment: Enter a comment to describe the list, if required.

Viewing the URL filter list
Add specific URLs to block or exempt. Add the following items to the URL filter list:
• complete URLs
• IP addresses
• partial URLs to allow or block all sub-domains

To view the URL filter list
1 Go to Web Filter > URL Filter.
2 Select the edit icon of the URL filter list you want to view.

Figure 269: URL filter list

The URL filter list has the following icons and features:
Name: URL filter list name. To change the name, edit text in the name field and select OK.
Comment: Optional comment. To add or edit comment, enter text in comment field and select OK.
Create New: Select to add a URL to the URL block list.
Page up icon: Select to view the previous page.
Page down icon: Select to view the next page.
Clear All URL Filters icon: Select to clear the table.
URL: The current list of blocked/exempt URLs.
Type: The type of URL: Simple or Regex (regular expression).
Action: The action taken when the URL matches: Allow, Block, or Exempt.
Enable: Select the check box to enable all the URLs in the list.
Delete icon: Select to remove an entry from the list.
Edit icon: Select to edit the following information: URL, Type, Action, and Enable.
Move icon: Select to open the Move URL Filter dialog box.

Configuring the URL filter list
The URL filter list can have up to 5000 entries.

Note: Type a top-level domain suffix (for example, "com" without the leading period) to block access to all URLs with this suffix.

To add a URL to the URL filter list
1 Go to Web Filter > URL Filter.
2 Select Create New.
3 Type in a URL or IP address.
4 Select the type of expression.
5 Select the action to be taken.
6 Select the Enable check box.

example.com.144. and so on. example. add example.168.example.example. Type a top-level URL or IP address to control access to all pages on a web site.com. example. For example.155/news.com.144. Control access to all URLs that match patterns created using text and regular expressions (or wildcard characters). Specify the location for the URL.* matches example.com or 192. Figure 270:New URL Filter URL Type Action Enable Enter the URL. If users on the network download files through the FortiGate unit from trusted website. the entries can be moved to different positions in the list.URL filter Web Filter 7 Select OK. 392 FortiGate Version 3. For example.net and so on.155 controls access to all pages at this web site.finance.example. For example. Select to enable the URL.html controls the news page on this web site. Drag and drop a URL or select the Move icon to the right of the URL to be moved. www. To control access to all pages with a URL that ends with example. Enter a top-level URL followed by the path and filename to control access to a single page on a web site. www. adding example.html or 192. Note: URLs with an action set to exempt are not scanned for viruses.org.com controls access to www. FortiGate web pattern blocking supports standard regular expressions. example. www.com to the filter list. Do not include http:// Select a type from the dropdown list: Simple or Regex (regular expression).168. Select the Edit icon for the URL list. For example.example. To move a URL in the URL filter list 1 2 3 4 Go to Web Filter > URL Filter.com.com. mail. Note: Enable Web filtering > Web URL Filter in a firewall Protection Profile to activate the web URL filter settings.0 MR3 Administration Guide 01-30003-0203-20061124 . add the URL of this website to the URL filter list with an action set to exempt so the FortiGate unit does not virus scan files downloaded from this URL. Select an action from the dropdown list: Block or Exempt.com/news. 
Moving URLs in the URL filter list To make the URL filter list easier to use.
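Because the URL filter list is ordered and its result decides whether the later filters and antivirus scanning run at all, the position of an allow or exempt entry relative to a block entry changes the outcome. The following Python is an added illustration of that behaviour, not FortiGate code: the entries, the host/sub-domain and path matching rules, and the stand-ins for FortiGuard category block and web content block are constructed here from the descriptions on this page.

```python
"""Ordered URL filter list feeding the fixed web filter order described above.

Added illustration, not FortiGate code. Matching rules follow the guide:
a simple entry covers the host and all its sub-domains (a path restricts it
to one page), a regex entry is searched against host and path, and the list
is processed top to bottom. Exempt stops all further checking including
antivirus; allow and no match continue with the later filters. The later
filters, entries and URLs here are constructed stand-ins.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class UrlEntry:
    url: str               # as typed in the dialog, without http://
    utype: str = "simple"  # "simple" or "regex"
    action: str = "block"  # "allow", "block" or "exempt"
    enabled: bool = True


def _split(url):
    """Return (lower-case host, path) for a URL with or without a scheme."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or ""), (parts.path or "/")


def entry_matches(entry, host, path):
    if entry.utype == "regex":
        return re.search(entry.url, host + path) is not None
    e_host, e_path = _split(entry.url)
    if not (host == e_host or host.endswith("." + e_host)):
        return False
    return e_path == "/" or path == e_path  # host-only entry covers every page


def url_filter(url, entries):
    """First enabled matching entry wins; returns (action, entry) or (None, None)."""
    host, path = _split(url)
    for e in entries:
        if e.enabled and entry_matches(e, host, path):
            return e.action, e.url
    return None, None


def web_filter_decision(url, entries, later_filters):
    """Walk the filter order: URL exempt/block, then later filters, then AV.

    later_filters is an ordered list of (stage name, fn(url) -> True to block).
    """
    action, matched = url_filter(url, entries)
    if action == "exempt":
        return {"verdict": "allow", "stage": "URL Exempt", "av_scan": False, "matched": matched}
    if action == "block":
        return {"verdict": "block", "stage": "URL Block", "av_scan": False, "matched": matched}
    for stage, blocks in later_filters:  # reached on allow or on no match
        if blocks(url):
            return {"verdict": "block", "stage": stage, "av_scan": False, "matched": matched}
    return {"verdict": "allow", "stage": "Antivirus scanning", "av_scan": True, "matched": matched}


# Constructed URL filter list; order matters, the allow entry precedes the block.
URL_LIST = [
    UrlEntry("www.google.com", action="exempt"),
    UrlEntry("www.example.com/news.html", action="allow"),
    UrlEntry("example.com", action="block"),
    UrlEntry(r"example\.(org|net)", "regex", "block"),
]

# Constructed stand-ins for FortiGuard category block and web content block.
CATEGORY = {"www.gambling.test": "Gambling"}
BLOCKED_CATEGORIES = {"Gambling"}
PAGE_BODY = {"http://news.test/page": "tonight at the casino"}
LATER_FILTERS = [
    ("FortiGuard Web Filtering", lambda u: CATEGORY.get(_split(u)[0]) in BLOCKED_CATEGORIES),
    ("Web Content Block", lambda u: "casino" in PAGE_BODY.get(u, "")),
]


if __name__ == "__main__":
    for u in ["http://www.google.com/search?q=x", "http://mail.example.com/",
              "http://www.example.com/news.html", "http://www.example.com/",
              "http://www.example.org/", "http://www.gambling.test/",
              "http://news.test/page"]:
        print(u, web_filter_decision(u, URL_LIST, LATER_FILTERS))
```

Swapping the allow and block entries in URL_LIST makes the news page hit the block entry first, which is why the Move icon matters.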

FortiGate Version 3. block. block. For additional information. see “Configuring the FortiGate unit for FDN and FortiGuard services” on page 160. see “Configuring the FortiGate unit for FDN and FortiGuard services” on page 160. Categories may be added to. Use the procedure “FortiGuard-Web filtering options” on page 302 to configure FortiGuard category blocking in a protection profile. FortiGuard-Web sorts hundreds of millions of web pages into a wide range of categories users can allow. and new sites are quickly rated as required. The FortiGate unit accesses the nearest FortiGuard-Web Service Point to determine the category of a requested web page then follows the firewall policy configured for that user or interface. Users can notify the FortiGuard-Web Service Points if they feel a web page is not categorized correctly. Configuring FortiGuard-Web filtering To configure the FortiGuard-Web service • Go to System > Maintenance > FortiGuard Center. an administrator can give the user the ability to override the block for a specified period of time. and human raters.Web Filter 5 Select OK. FortiGuard-Web ratings are performed by a combination of proprietary methods including text analysis. To make configuration simpler. To configure the FortiGuard Web service. or monitor. or monitor entire groups of categories. Figure 271:Move URL Filter Move to (URL) Select the location in the list to place the URL. Pages are sorted and rated into 56 categories users can allow. FortiGuard . block.Web Filter FortiGuard . In this case. FortiGuard-Web includes over 60 million individual ratings of web sites applying to hundreds of millions of pages.0 MR3 Administration Guide 01-30003-0203-20061124 393 . Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy. exploitation of the Web structure. Viewing the override list Users may require access to web sites that are blocked by a policy. 
Enter the URL before or after which the new URL is to be located in the list. or monitor. users can also choose to allow. as the Internet evolves. or updated.Web Filter FortiGuard-Web is a managed web filtering solution provided by Fortinet.

When a user attempts to access a blocked site, if override is enabled, a link appears on the block page directing the user to an authentication form. The user must provide a correct user name and password or the web site remains blocked. Authentication is based on user groups and can be performed for local, RADIUS, and LDAP users. For more information about authentication and configuring user groups, see “User group” on page 347.

To view the override list
• Go to Web Filter > FortiGuard-Web Filter > Override.

Figure 272: Override list
The override list has the following icons and features (the list also shows the total number of override rules it contains):
Create New  Select to add a new override rule to the list.
Page up icon  Select to view the previous page.
Page down icon  Select to view the next page.
Clear All icon  Select to clear the table.
URL/Category  The URL or category to which the override applies.
Scope  The user or user group who may use the override.
Off-site URLs  Whether this override permits the user to access links from the category or URL being overridden. A green check mark indicates off-site access is permitted. A gray cross indicates off-site access is denied.
Initiator  The creator of the override rule.
Expiry Date  The expiry date of the override rule.
Delete icon  Select to remove the entry from the list.
Edit icon  Select to edit the following information: Type, URL, Scope, the information that corresponds with Scope, Off-site URLs, and Override Duration.

Configuring override rules
Override rules can be configured to allow access to blocked web sites based on directory, domain name, or category.

To create an override rule for a directory or domain
1 Go to Web Filter > FortiGuard-Web Filter > Override.
2 Select Create New.
3 Select the Type.
4 Select the Scope.
5 Select the information that corresponds with Scope.
6 Select Allow or Block for the off-site URLs.
7 Set the duration of the override.
8 Select OK.

Figure 273: New Override Rule - Directory or Domain
Type  Select Directory or Domain.
URL  Enter the URL or the domain name of the website.
Scope  Select one of the following: User, User Group, IP, or Profile. Depending on the option selected, a different option appears below Scope.
User  Enter the name of the user selected in Scope.
User Group  Select a user group from the dropdown list. User groups must be configured before FortiGuard-Web configuration. For more information, see “User group” on page 347.
IP  Enter the IP address of the computer initiating the override.
Profile  Select a protection profile from the dropdown list.
Off-site URLs  Select Allow or Block. Allow lets the user access links on the override web site.
Override Duration  Enter the duration in days, hours, and minutes. When displayed in the override list, the expiry date of the override is calculated from this duration.

To create an override for categories, go to Web Filter > FortiGuard-Web Filter > Override.

Figure 274: New Override Rule - Categories
Type  Select Categories.
Categories  Select the categories to which the override applies. A category group or a subcategory can be selected. Local categories are also displayed.
Classifications  Select the classifications to which the override applies. When selected, users can access web sites that provide content cache, and provide searches for image, audio, and video files.
Scope  Select one of the following: User, User Group, IP, or Profile. Depending on the option selected, a different option appears below Scope.
User  Enter the name of the user selected in Scope.
User Group  Select a user group from the dropdown list.
IP  Enter the IP address of the computer initiating the override.
Profile  Select a protection profile from the dropdown list.
Off-site URLs  Select Allow or Block. Allow lets the user access links on the override web site.
Override Duration  Enter the duration in days, hours, and minutes. When displayed in the override list, the expiry date of the override is calculated from this duration.
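The following Python model of an override rule is an added illustration, not FortiGate code, for the two override dialogs above. It shows how the Override Duration (days, hours, minutes) becomes the expiry date shown in the override list, how Scope (User, User Group, IP, Profile) restricts who the rule serves, and how the Off-site URLs setting extends an override to links followed from the overridden site. The field layout, the rule and request objects, and all sample values are constructed for the example.

```python
"""Override rule evaluation (added illustration, not FortiGate code).

Models the New Override Rule fields: Type (Directory, Domain or Categories), the
URL/category, Scope (User, User Group, IP or Profile), Off-site URLs (Allow or
Block) and Override Duration in days, hours and minutes, from which the expiry
date shown in the override list is derived. Rules and requests are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from urllib.parse import urlsplit


@dataclass
class OverrideRule:
    rule_type: str       # "domain", "directory" or "categories"
    target: str          # domain name, "host/directory", or a category name
    scope: str           # "user", "user_group", "ip" or "profile"
    scope_value: str
    offsite_urls: bool   # True = Allow links from the overridden site, False = Block
    created: datetime
    days: int = 0
    hours: int = 0
    minutes: int = 0

    def expiry(self):
        # The expiry date in the override list is creation time plus the entered duration.
        return self.created + timedelta(days=self.days, hours=self.hours, minutes=self.minutes)


@dataclass
class BlockedRequest:
    url: str
    category: str             # rating returned for the requested page (constructed)
    user: str = ""
    groups: tuple = ()
    client_ip: str = "0.0.0.0"
    profile: str = ""
    referer: str = ""         # page the link was followed from ("" if none)
    referer_category: str = ""


def _in_scope(rule, req):
    if rule.scope == "user":
        return req.user == rule.scope_value
    if rule.scope == "user_group":
        return rule.scope_value in req.groups
    if rule.scope == "ip":
        return ip_address(req.client_ip) == ip_address(rule.scope_value)
    if rule.scope == "profile":
        return req.profile == rule.scope_value
    return False


def _covers(rule, url, category):
    """Does the rule's Type and target cover this URL (or the page's category)?"""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if rule.rule_type == "domain":
        d = rule.target.lower()
        return host == d or host.endswith("." + d)
    if rule.rule_type == "directory":
        rhost, _, rdir = rule.target.lower().partition("/")
        rdir = "/" + rdir.strip("/")
        return host == rhost and (path == rdir or path.startswith(rdir + "/"))
    if rule.rule_type == "categories":
        return category == rule.target
    return False


def override_permits(rules, req, now):
    """Return the first active, in-scope rule that unblocks the request, else None."""
    for rule in rules:
        if now >= rule.expiry() or not _in_scope(rule, req):
            continue
        if _covers(rule, req.url, req.category):
            return rule
        # Off-site URLs = Allow: links followed from the overridden site are permitted too.
        if rule.offsite_urls and req.referer and _covers(rule, req.referer, req.referer_category):
            return rule
    return None


# Constructed sample rules and blocked requests.
CREATED = datetime(2006, 11, 24, 9, 0)
SAMPLE_RULES = [
    OverrideRule("directory", "example.com/research", "user_group", "analysts", False, CREATED, hours=2),
    OverrideRule("categories", "Games", "ip", "192.0.2.25", True, CREATED, days=1),
]
ANALYST_PAGE = BlockedRequest("http://example.com/research/paper.html", "Reference",
                              user="alice", groups=("analysts",))
OFFSITE_LINK = BlockedRequest("http://cdn.other.example/game.swf", "Streaming",
                              client_ip="192.0.2.25", referer="http://games.example/",
                              referer_category="Games")

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule.rule_type, rule.target, "expires", rule.expiry().isoformat())
    print(override_permits(SAMPLE_RULES, ANALYST_PAGE, CREATED.replace(hour=10)))
```

The rule list is walked in order and the first matching active rule wins, so an expired rule is simply skipped; a request arriving at the exact expiry time is already blocked again.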

Creating local categories
User-defined categories can be created to allow users to block groups of URLs on a per-profile basis. The categories defined here appear in the global URL category list when configuring a protection profile. Users can rate URLs based on the local categories.

Figure 275: Local categories list
Add  Enter the name of the category then select Add.
Delete icon  Select to remove the entry from the list.

Viewing the local ratings list
To view the local ratings list
• Go to Web Filter > FortiGuard-Web Filter > Local Ratings.

Figure 276: Local ratings list
The local ratings list has the following icons and features:
Create New  Select to add a rating to the list.
Search  Enter search criteria to filter the list.
1 - 3 of 3  The total number of local ratings in the list.
Page up icon  Select to view the previous page.
Page down icon  Select to view the next page.
Clear All icon  Select to clear the table.
URL  The rated URL. Select the green arrow to sort the list by URL.
Category  The category or classification in which the URL has been placed. If the URL is rated in more than one category or classification, trailing dots appear. Select the gray funnel to open the Category Filter dialog box. When the list has been filtered, the funnel changes to green.
Delete icon  Select to remove the entry from the list.
Edit icon  Select to edit the following information: URL, Category Rating, and Classification Rating.

Figure 277: Category Filter
Clear Filter  Select to remove all filters.
Category Name  Select the blue arrow to expand the category.
Enable Filter  Select to enable the filter for the category or the individual subcategory.
Classification Name  The classifications that can be filtered.
Enable Filter  Select to enable the classification filter.

Configuring local ratings
Users can create user-defined categories then specify the URLs that belong to the category. This allows users to block groups of web sites on a per profile basis. The ratings are included in the global URL list with associated categories and compared in the same way the URL block list is processed. The local ratings override the FortiGuard server ratings and appear in reports as “Local Category”.

To create a local rating
• Go to Web Filter > FortiGuard-Web Filter > Local Ratings.

Figure 278: New Local Rating
URL  Enter the URL to be rated.
Category Name  Select the blue arrow to expand the category.
Enable Filter  Select to enable the filter for the category or the individual subcategory.
Classification Name  The classifications that can be filtered.
Enable Filter  Select to enable the classification filter.

Category block CLI configuration
Use the hostname keyword for the webfilter fortiguard command to change the default host name (URL) for the FortiGuard-Web Service Point. The FortiGuard-Web Service Point name cannot be changed using the web-based manager. Configure all FortiGuard-Web settings using the CLI. For more information, see the FortiGate CLI Reference for descriptions of the webfilter fortiguard keywords.

FortiGuard-Web Filter reports
Note: FortiGuard Web Filter reports are only available on FortiGate units with a hard disk.

The FortiGate unit maintains statistics for allowed, blocked, and monitored web pages for each category. Generate a text and pie chart format report on FortiGuard-Web Filtering for any protection profile. View reports for a range of hours or days, or view a complete report of all activity.

To create a web filter report
• Go to Web Filter > FortiGuard-Web Filter > Reports.

Figure 279: Sample FortiGuard Web Filtering report
The following table describes the options for generating reports:
Profile  Select the protection profile for which to generate a report.
Report Type  Select the time frame for the report. Choose from hour, day, or all historical statistics.
Report Range  Select the time range (24 hour clock) or day range (from six days ago to today) for the report. For example, for an ‘hour’ report type with a range of 13 to 16, the result is a category block report for 1 pm to 4 pm today. For a ‘day’ report type with a range of 0 to 3, the result is a category block report for 3 days ago to today.
Get Report  Select to generate the report.

A generated report includes a pie chart and the following information:
Category  The category for which the statistic was generated.
Allowed  The number of allowed web addresses accessed in the selected time frame.
Blocked  The number of blocked web addresses accessed in the selected time frame.
Monitored  The number of monitored web addresses accessed in the selected time frame.

Antispam
This section explains how to configure the spam filtering options associated with a firewall protection profile. FortiGuard-Antispam is one of the features designed to manage spam. FortiGuard is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools. The FortiGuard Center accepts submission of spam email messages as well as reports of false positives. Visit the Fortinet Knowledge Center for details and a link to the FortiGuard Center.

The following topics are included in this section:
• Antispam
• Banned word
• Black/White List
• Advanced antispam configuration
• Using Perl regular expressions

Antispam
Antispam can be configured to manage unsolicited commercial email by detecting spam email messages and identifying spam transmissions from known or suspected spam servers.

Order of Spam Filtering
The order in which incoming mail is passed through the FortiGate Antispam filters is determined by the protocol used to transfer the mail:

For SMTP
1 IP address BWL check on last hop IP
2 RBL & ORDBL check on last hop IP, FortiGuard-Antispam IP check on last hop IP, HELO DNS lookup
3 MIME headers check
4 E-mail address BWL check, Banned word check on email subject
5 IP address BWL check (for IPs extracted from “Received” headers)
6 Banned word check on email body
7 Return e-mail DNS check, FortiGuard Anti Spam check, RBL & ORDBL check on public IP extracted from header

For POP3 and IMAP
1 MIME headers check
2 E-mail address BWL check, Banned word check on email subject

3 IP BWL check
4 Banned word check on email body
5 Return e-mail DNS check, FortiGuard AntiSpam check, RBL & ORDBL check

For SMTP, POP3, and IMAP
Filters requiring a query to a server and a reply (FortiGuard Antispam Service and DNSBL/ORDBL) are run simultaneously. To avoid delays, queries are sent while other filters are running. The first reply to trigger a spam action takes effect as soon as the reply is received.

Each spam filter passes the email to the next if no matches or problems are found. If the action in the filter is Mark as Spam, the FortiGate unit will tag or discard (SMTP only) the email according to the settings in the protection profile. If the action in the filter is Mark as Clear, the email is exempt from any remaining filters. If the action in the filter is Mark as Reject, the email session is dropped. Rejected SMTP email messages are substituted with a configurable replacement message.

Anti-spam filter controls
Spam filters are configured for system-wide use, but enabled on a per profile basis. Table 40 describes the Antispam settings and where to configure and access them.

Table 40: AntiSpam and Protection Profile spam filtering configuration

IP address FortiGuard-Antispam check
  Protection Profile option: Enable or disable Fortinet’s antispam service called FortiGuard-Antispam. FortiGuard-Antispam is Fortinet’s own DNSBL server that provides spam IP address and URL blacklists. Fortinet keeps the FortiGuard-Antispam IP and URLs up-to-date as new spam sources are found. You can configure the action to take as spam or reject for email identified as spam from each server (SMTP only). For more information, see “Configuring the FortiGate unit for FDN and FortiGuard services” on page 160.
  AntiSpam setting: System > Maintenance > FortiGuard Centre. Enable FortiGuard-Antispam, check the status of the FortiGuard-Antispam server, view the license type and expiry date, and configure the cache.

IP address BWL check
  Protection Profile option: Black/white list check. Enable or disable checking incoming IP addresses against the configured spam filter IP address list. The filter checks each IP address in sequence. (SMTP only.)
  AntiSpam setting: AntiSpam > Black/White List > IP Address. Add to and edit IP addresses to the list. You can place an IP address anywhere in the list. You can configure the action to take as spam, clear, or reject for each IP address.

DNSBL & ORDBL check
  Protection Profile option: Enable or disable checking email traffic against configured DNS Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers. (SMTP only.) DNSBL and ORDBL configuration can only be changed using the command line interface. For details, see the FortiGate CLI Reference.
  AntiSpam setting: Command line only. Add or remove DNSBL and ORDBL servers to and from the list.

Table 40: AntiSpam and Protection Profile spam filtering configuration (Continued)

HELO DNS lookup
  Protection Profile option: Enable or disable checking the source domain name against the registered IP address in the Domain Name Server. If the source domain name does not match the IP address, the email is marked as spam and the action selected in the protection profile is taken.
  AntiSpam setting: n/a

E-mail address BWL check
  Protection Profile option: Enable or disable checking incoming email addresses against the configured spam filter email address list, with the option of using wildcards and regular expressions. The filter checks each email address in sequence.
  AntiSpam setting: AntiSpam > Black/White List > E-mail Address. Add to and edit email addresses to the list. You can place an email address anywhere in the list. You can configure the action as spam or clear for each email address.

Return e-mail DNS check
  Protection Profile option: Enable or disable checking the incoming email return address domain against the registered IP address in the Domain Name Server. If the return address domain name does not match the IP address, the email is marked as spam and the action selected in the protection profile is taken.
  AntiSpam setting: n/a

MIME headers check
  Protection Profile option: Enable or disable checking source MIME headers against the configured spam filter MIME header list. You can configure the action for each MIME header as spam or clear.
  AntiSpam setting: Command line only. Add to and edit MIME headers, with the option of using wildcards and regular expressions. This configuration can only be changed using the command line interface. For more information, see the FortiGate CLI Reference.

Banned word check
  Protection Profile option: Enable or disable checking source email against the configured spam filter banned word list, with the option of using wildcards and regular expressions. You can configure the language and whether to search the email body, subject, or both.
  AntiSpam setting: AntiSpam > Banned Word. Add to and edit banned words to the list. You can configure the action to take as spam or clear for each word.

Spam Action
  Protection Profile option: The action to take on email identified as spam. Choose Tagged or Discard for SMTP messages. POP3 and IMAP messages are tagged.
  AntiSpam setting: n/a

Append to
  Protection Profile option: Choose to append the tag to the subject or MIME header of the email identified as spam. You can append a custom word or phrase to the subject or MIME header of tagged email.
  AntiSpam setting: n/a

Append with
  Protection Profile option: Enter a word or phrase (tag) to append to email identified as spam. The maximum length is 63 characters.
  AntiSpam setting: n/a

Add event into the system log
  Protection Profile option: Enable or disable logging of spam actions to the event log. You can choose to log any spam action in the event log.
  AntiSpam setting: n/a
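The Python sequencer below is an added illustration, not FortiGate code, of the filter order and action semantics described under “Order of Spam Filtering” and in Table 40: filters run in the protocol-dependent order, Mark as Clear exempts the message from every remaining filter, Mark as Reject drops the SMTP session (and is treated as Mark as Spam for POP3 and IMAP deliveries), and Mark as Spam tags or, for SMTP only, discards the message according to the profile’s Spam Action, Append to, and Append with settings. The filter names, the two sample filters, the `X-Spam-Tag` header name, and the messages are constructed for the example; the real filters consult the configured lists and the FortiGuard/DNSBL servers.

```python
"""Spam filter sequencing and actions (added illustration, not FortiGate code).

Runs per-message checks in the protocol-dependent order given under "Order of
Spam Filtering" and applies the Mark as Spam / Mark as Clear / Mark as Reject
semantics from Table 40. Filter names, sample filters and messages are constructed.
"""
from dataclasses import dataclass

SPAM, CLEAR, REJECT = "spam", "clear", "reject"

# Constructed short names, in the order the page lists the checks.
SMTP_ORDER = [
    "ip_bwl_last_hop", "dnsbl_last_hop", "fortiguard_ip_last_hop", "helo_dns",
    "mime_headers", "email_bwl", "banned_word_subject", "ip_bwl_received",
    "banned_word_body", "return_email_dns", "fortiguard", "dnsbl_header_ip",
]
POP3_IMAP_ORDER = [
    "mime_headers", "email_bwl", "banned_word_subject", "ip_bwl",
    "banned_word_body", "return_email_dns", "fortiguard", "dnsbl",
]


@dataclass
class Profile:
    spam_action: str = "tagged"    # Spam Action for SMTP: "tagged" or "discard"
    append_to: str = "subject"     # Append to: "subject" or "mime"
    append_with: str = "[SPAM]"    # Append with: tag of at most 63 characters


def tag_message(message, profile):
    if profile.append_to == "subject":
        message["subject"] = f"{message['subject']} {profile.append_with}"
    else:
        message["headers"]["X-Spam-Tag"] = profile.append_with   # constructed header name


def run_spam_filters(protocol, message, filters, profile):
    """message: dict with 'last_hop_ip', 'subject' and 'headers'.
    filters: name -> callable(message) returning SPAM, CLEAR, REJECT or None;
    a name missing from `filters` is a filter not enabled in the profile.
    Returns (disposition, name of the deciding filter or None)."""
    order = SMTP_ORDER if protocol == "smtp" else POP3_IMAP_ORDER
    for name in order:
        check = filters.get(name)
        if check is None:
            continue                      # filter not enabled in the protection profile
        verdict = check(message)
        if verdict is None:
            continue                      # no match: pass the email to the next filter
        if verdict == CLEAR:
            return "deliver", name        # exempt from all remaining filters
        if verdict == REJECT and protocol != "smtp":
            verdict = SPAM                # reject is SMTP only; POP3/IMAP mail is marked as spam
        if verdict == REJECT:
            return "drop_session", name   # session dropped, replacement message sent
        if protocol == "smtp" and profile.spam_action == "discard":
            return "discard", name
        tag_message(message, profile)     # POP3/IMAP are always tagged
        return "tag", name
    return "deliver", None


# Constructed sample filters standing in for the IP address list and banned word list.
def ip_bwl(message):
    ip = message["last_hop_ip"]
    if ip == "192.0.2.10":
        return CLEAR                      # trusted relay: Mark as Clear
    if ip.startswith("198.51.100."):
        return REJECT                     # listed range: Mark as Reject
    return None


def banned_word_subject(message):
    return SPAM if "free money" in message["subject"].lower() else None


SAMPLE_FILTERS = {
    "ip_bwl_last_hop": ip_bwl,
    "ip_bwl": ip_bwl,
    "banned_word_subject": banned_word_subject,
}


def sample_message(last_hop_ip, subject):
    return {"last_hop_ip": last_hop_ip, "subject": subject, "headers": {}}


if __name__ == "__main__":
    for proto in ("smtp", "pop3"):
        print(proto, run_spam_filters(proto, sample_message("198.51.100.5", "hi"),
                                      SAMPLE_FILTERS, Profile()))
```

Because the IP list is consulted first for SMTP but only fourth for POP3 and IMAP, the same sender address produces a dropped session in one case and a tagged message in the other, which is the behaviour Table 40 attributes to the SMTP-only reject action.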

To access protection profile Antispam options, go to Firewall > Protection Profile, edit or Create New, Spam Filtering. For more information, see “Spam filtering options” on page 303.

Note: If virtual domains are enabled on the FortiGate unit, spam filtering features are configured globally. To access these features, select Global Configuration on the main menu.

Banned word
Control spam by blocking email messages containing specific words or patterns. If enabled in the protection profile, the FortiGate unit searches for words or patterns in email messages. If matches are found, the values assigned to the words are totalled. If a user-defined threshold value is exceeded, the message is marked as spam. If no match is found, the email message is passed along to the next filter.

Use Perl regular expressions or wildcards to add banned word patterns to the list.

Note: Perl regular expression patterns are case sensitive for antispam banned words. To make a word or phrase case insensitive, use the regular expression /i. For example, /bad language/i will block all instances of bad language regardless of case. Wildcard patterns are not case sensitive.

Viewing the antispam banned word list catalog
You can add multiple antispam banned word lists and then select the best antispam banned word list for each protection profile. To view the antispam banned word list catalog, go to AntiSpam > Banned Word. To view any individual antispam banned word list, select the edit icon for the list you want to see.

Figure 280: Sample antispam banned word list catalog
The antispam banned word list catalogue has the following icons and features:
Add  To add a new list to the catalog, enter a name and select Add. New lists are empty by default.
Name  The available antispam banned word lists.
# Entries  The number of entries in each antispam banned word list.
Profiles  The protection profiles each antispam banned word list has been applied to. Select antispam banned word lists in protection profiles. For more information, see “Spam filtering options” on page 303.
Comment  Optional description of each antispam banned word list.
Delete icon  Select to remove the antispam banned word list from the catalog. The delete icon is only available if the antispam banned word list is not selected in any protection profiles.
Edit icon  Select to edit the antispam banned word list, list name, or list comment.

Creating a new antispam banned word list
To add an antispam banned word list to the antispam banned word list catalog, go to AntiSpam > Banned Word and select Create New.

Figure 281: New AntiSpam Banned Word list dialog box
Name  Enter the name of the new list.
Comment  Enter a comment to describe the list, if required.

Viewing the antispam banned word list
Each email message is checked against the antispam banned word list. The score value of each banned word appearing in the message is added, and if the total is greater than the threshold value set in the protection profile, the message is processed according to the Spam Action setting in the protection profile. The score for a pattern is applied only once even if it appears in the message multiple times. Add one or more banned words to sort email messages containing those words in the subject, body, or both.

To view the banned word list, go to AntiSpam > Banned Word and select the edit icon of the banned word list you want to view.

Figure 282: Sample banned word List
The banned word list has the following icons and features:
Name  Banned word list name. To change the name, edit text in the name field and select OK.
Comment  Optional comment. To add or edit the comment, enter text in the comment field and select OK.
Create new  Select to add a word or phrase to the banned word list.
Total  The number of items in the list.
Page up icon  Select to view the previous page.
Page down icon  Select to view the next page.
Remove All Entries icon  Select to clear the table.
Pattern  The list of banned words. Select the check box to enable all the banned words in the list.

Pattern Type  The pattern type used in the banned word list entry. Choose from wildcard or regular expression. See “Using Perl regular expressions” on page 413.
Language  The character set to which the banned word belongs: Simplified Chinese, Traditional Chinese, French, Japanese, Korean, Thai, or Western.
Where  The location in which the FortiGate unit searches for the banned word: subject, body, or all.
Score  A numerical weighting applied to the banned word. The score values of all the matching words appearing in an email message are added, and if the total is greater than the spamwordthreshold value set in the protection profile, the message is processed according to whether the spam action command for the mail traffic type (e.g. smtp3-spamaction) is set to pass or tag in the protection profile. The score for a banned word is counted once even if the word appears multiple times in the message.
Delete icon  Select to remove the word from the list.
Edit icon  Select to edit the following information: Pattern, Pattern Type, Language, Where, Action, and Enable.

Configuring the antispam banned word list
Words can be marked as spam or clear. Banned words can be one word or a phrase up to 127 characters long. For a single word, the FortiGate unit blocks all email containing the word. For a phrase, the FortiGate unit blocks all email containing the exact phrase. To block any word in a phrase, use Perl regular expressions.

To add or edit a banned word, go to AntiSpam > Banned Word.

Figure 283: Add Banned Word
Pattern  Enter the word or phrase you want to include in the banned word list.
Pattern Type  Select the pattern type for the banned word. Choose from wildcard or regular expression. For more information, see “Using Perl regular expressions” on page 413.
Language  Select the character set for the banned word. Choose from: Chinese Simplified, Chinese Traditional, French, Japanese, Korean, Thai, or Western.
Where  Select the location to search for the banned word. Choose from: subject, body, or all.
Enable  Select to enable scanning for the banned word.
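The Python scorer below is an added illustration, not FortiGate code, of the banned word rules stated in this section: each entry has a Pattern, a Pattern Type (wildcard or regular expression), a Where field (subject, body, or all) and a Score; a pattern’s score counts once however often it matches; Perl regular expressions are case sensitive unless written with /i, while wildcard patterns are never case sensitive; and the message is spam only when the total exceeds the profile threshold. The `BannedWord` layout, the `/pattern/flags` handling and the sample list and messages are constructed for the example.

```python
"""Banned word scoring (added illustration, not FortiGate code).

Models the antispam banned word list: each entry has a Pattern, a Pattern Type
(wildcard or regular expression), a Where field (subject, body or all) and a
Score. A message is spam when the summed scores of the matching entries exceed
the spam word threshold set in the protection profile. Sample data is constructed.
"""
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class BannedWord:
    pattern: str
    pattern_type: str   # "wildcard" or "regexp"
    where: str          # "subject", "body" or "all"
    score: int
    enabled: bool = True


def _perl_regex(pattern):
    """Accept /pattern/flags notation; only the i modifier is interpreted here."""
    if pattern.startswith("/") and pattern.count("/") >= 2:
        end = pattern.rfind("/")
        body, mods = pattern[1:end], pattern[end + 1:]
        return body, (re.IGNORECASE if "i" in mods else 0)
    return pattern, 0


def entry_matches(entry, text):
    if entry.pattern_type == "wildcard":
        # Wildcard patterns are not case sensitive and may match anywhere in the text.
        return fnmatch.fnmatchcase(text.lower(), "*" + entry.pattern.lower() + "*")
    # Perl regular expressions are case sensitive unless written /.../i.
    body, flags = _perl_regex(entry.pattern)
    return re.search(body, text, flags) is not None


def banned_word_score(entries, subject, body):
    total = 0
    for entry in entries:
        if not entry.enabled:
            continue
        fields = []
        if entry.where in ("subject", "all"):
            fields.append(subject)
        if entry.where in ("body", "all"):
            fields.append(body)
        # An entry's score is counted once, however often (or in how many fields) it matches.
        if any(entry_matches(entry, f) for f in fields):
            total += entry.score
    return total


def is_spam(entries, subject, body, threshold):
    """Spam only when the total is greater than the threshold, not equal to it."""
    return banned_word_score(entries, subject, body) > threshold


# Constructed sample list.
SAMPLE_LIST = [
    BannedWord("free money", "wildcard", "subject", 10),
    BannedWord("/bad language/i", "regexp", "all", 5),
    BannedWord("click*here", "wildcard", "body", 4),
    BannedWord("/lottery/", "regexp", "body", 8),   # case sensitive: no /i modifier
]

SPAMMY_SUBJECT = "FREE MONEY inside!"
SPAMMY_BODY = "Bad Language here. Click right here, then click here again."

if __name__ == "__main__":
    print(banned_word_score(SAMPLE_LIST, SPAMMY_SUBJECT, SPAMMY_BODY))  # 19
    print(banned_word_score(SAMPLE_LIST, "Lottery results", "LOTTERY draw"))  # 0
```

The second sample message shows the case-sensitivity caveat from the note above: the regular expression entry /lottery/ does not match “Lottery” or “LOTTERY”, so the list owner who wants all spellings caught must write /lottery/i or use a wildcard entry.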

Black/White List
The FortiGate unit uses both an IP address list and an email address list to filter incoming email, if enabled in the protection profile.

When doing an IP address list check, the FortiGate unit compares the IP address of the message’s sender to the IP address list in sequence. If a match is found, the action associated with the IP address is taken. If no match is found, the message is passed to the next enabled spam filter.

When doing an email list check, the FortiGate unit compares the email address of the message’s sender to the email address list in sequence. If a match is found, the action associated with the email address is taken. If no match is found, the message is passed to the next enabled antispam filter.

Viewing the antispam IP address list catalogue
You can add multiple antispam IP address lists and then select the best antispam IP address list for each protection profile. To view the antispam IP address list catalog, go to AntiSpam > Black/White List > IP Address. To view any individual antispam IP address list, select the edit icon for the list you want to see.

Figure 284: Sample antispam IP address list catalog
The antispam IP address list catalogue has the following icons and features:
Add  To add a new list to the catalog, enter a name and select Add. New lists are empty by default.
Name  The available antispam IP address lists.
# Entries  The number of entries in each antispam IP address list.
Profiles  The protection profiles each antispam IP address list has been applied to. Select antispam IP address lists in protection profiles. For more information, see “Spam filtering options” on page 303.
Comment  Optional description of each antispam IP address list.
Delete icon  Select to remove the antispam IP address list from the catalog. The delete icon is only available if the antispam IP address list is not selected in any protection profiles.
Edit icon  Select to edit the antispam IP address list, list name, or list comment.

Creating a new antispam IP address list
To add an antispam IP address list to the antispam IP address list catalog, go to AntiSpam > Black/White List and select Create New.

Figure 285: New AntiSpam IP Address list dialog box
Name  Enter the name of the new list.
Comment  Enter a comment to describe the list, if required.

Viewing the antispam IP address list
Configure the FortiGate unit to filter email from specific IP addresses. Mark each IP address as clear, spam, or reject. Filter single IP addresses or a range of addresses at the network level by configuring an address and mask. The FortiGate unit compares the IP address of the sender to the list in sequence. If an IP address is set to reject but mail is delivered from that IP address via POP3 or IMAP, the e-mail messages will be marked as spam.

To view the antispam IP address list, go to AntiSpam > Black/White List > IP Address and select the edit icon of the antispam IP address list you want to view.

Figure 286: Sample IP address list
The antispam IP address list has the following icons and features:
Name  Antispam IP address list name. To change the name, edit text in the name field and select OK.
Comment  Optional comment. To add or edit the comment, enter text in the comment field and select OK.
Create New  Select to add an IP address to the antispam IP address list.
Total  The number of items in the list.
Page up icon  Select to view the previous page.
Page down icon  Select to view the next page.
Remove All Entries icon  Select to clear the table.
IP address/Mask  The current list of IP addresses.
Action  The action to take on email from the configured IP address. Actions are: Mark as Spam to apply the configured spam action, Mark as Clear to bypass this and remaining spam filters, or Mark as Reject (SMTP only) to drop the session.
Delete icon  Select to remove the address from the list.
Edit icon  Select to edit address information: IP Address/Mask, Insert, Action, and Enable.

Configuring the antispam IP address list
To add an IP address to the IP address list, go to AntiSpam > Black/White List > IP Address and select Create New. Enter an IP address and mask in one of two formats:
• x.x.x.x/x.x.x.x, for example, 62.128.69.100/255.255.255.0
• x.x.x.x/x, for example, 62.128.69.100/24

Figure 287: Add IP Address
IP Address/Mask  Enter the IP address and mask.
Insert  Select the position in the list to place the address.
Action  Select an action. Actions are: Mark as Spam to apply the spam action configured in the protection profile, Mark as Clear to bypass this and remaining spam filters, or Mark as Reject (SMTP only) to drop the session.
Enable  Enable the address.

Viewing the antispam email address list catalog
You can add multiple antispam email address lists and then select the best antispam email address list for each protection profile. To view the antispam email address list catalog, go to AntiSpam > Black/White List > E-mail Address. To view any individual antispam email address list, select the edit icon for the list you want to see.

Figure 288: Sample antispam email address list catalog
The antispam email address list catalogue has the following icons and features:
Add  To add a new list to the catalog, enter a name and select Add. New lists are empty by default.
Name  The available antispam email address lists.
# Entries  The number of entries in each antispam email address list.
Profiles  The protection profiles each antispam email address list has been applied to.
Comment  Optional description of each antispam email address list.
Delete icon  Select to remove the antispam email address list from the catalog. The delete icon is only available if the antispam email address list is not selected in any protection profiles.
Edit icon  Select to edit the antispam email address list, list name, or list comment.

Select antispam email address lists in protection profiles. For more information, see “Spam filtering options” on page 303.

Creating a new antispam email address list
To add an antispam email address list to the antispam email address list catalog, go to AntiSpam > Black/White List > E-mail Address and select Create New.

Figure 289: New AntiSpam E-mail Address list dialog box
Name  Enter the name of the new list.
Comment  Enter a comment to describe the list, if required.

Viewing the antispam email address list
The FortiGate unit can filter email from specific senders or all email from a domain (such as example.net). Mark each email address as clear or spam. Add an email address to the email address list.

To view the antispam email address list, go to AntiSpam > Black/White List > E-mail Address and select the edit icon of the antispam email address list you want to view.

Figure 290: Sample email address list
The antispam email address list has the following icons and features:
Name  Antispam email address list name. To change the name, edit text in the name field and select OK.
Comment  Optional comment. To add or edit the comment, enter text in the comment field and select OK.
Create New  Add an email address to the email address list.
Total  The number of items in the list.
Page up icon  View the previous page.
Page down icon  View the next page.

Remove All Entries icon  Clear the table.
Email address  The current list of email addresses.
Pattern Type  The pattern type used in the email address entry. Choose from wildcard or regular expression. For more information, see “Using Perl regular expressions” on page 413.
Action  The action to take on email from the configured address. Actions are: Mark as Spam to apply the spam action configured in the protection profile, or Mark as Clear to let the email message bypass this and remaining spam filters.
Delete icon  Select to remove the email address from the list.
Edit icon  Select to edit the following information: E-Mail Address, Pattern Type, Insert, Action, and Enable.

Configuring the antispam email address list
To add an email address or domain to the list, go to AntiSpam > Black/White List > E-mail Address.
1 Enter the email address or pattern.
2 Select a pattern type: Wildcard or Regular Expression.
3 If required, select before or after another email address in the list to place the new email address in the correct position.
4 Select an action:
• To apply the spam action configured in the protection profile, select Mark as Spam.
• Select Mark as Clear to allow the email message to bypass this and remaining spam filters.
5 Select Enable.
6 Select OK.

Figure 291: Add E-mail Address
E-Mail Address  Enter the email address.
Pattern Type  Select a pattern type for the list entry. Choose from wildcard or regular expression. For more information, see “Using Perl regular expressions” on page 413.
Insert  Select the location in the list to insert the email address.
Action  Select the action to take on email from the configured address or domain.
Enable  Enable the email address.
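The following Python matcher is an added illustration, not FortiGate code, of the Black/White List checks described in this section: IP entries written in either of the two mask formats (x.x.x.x/x.x.x.x or x.x.x.x/x) are compared to the sender address in list order, and email entries (wildcard or Perl-style regular expression) are compared to the sender address the same way, so the first matching enabled entry decides the action. The entry tuple layout and the sample lists and senders are constructed; the sample lists also show why entry position matters, since a domain-wide spam entry placed before a specific clear entry would win first.

```python
"""Black/White List matching (added illustration, not FortiGate code).

IP entries are written as x.x.x.x/x.x.x.x or x.x.x.x/x and are checked in
sequence; email entries are wildcard or Perl-style regular-expression patterns,
also checked in sequence, so the first matching entry decides the action.
Entry layout and sample senders are constructed for the example.
"""
import fnmatch
import re
from ipaddress import ip_address, ip_network


def parse_ip_entry(text):
    """Both notations from the page ("62.128.69.100/255.255.255.0" and
    "62.128.69.100/24") are accepted; strict=False keeps host bits in the address."""
    return ip_network(text, strict=False)


def ip_list_action(entries, sender_ip):
    """entries: (address/mask, action, enabled) in list order. Returns
    'spam', 'clear' or 'reject' for the first matching enabled entry, else None."""
    ip = ip_address(sender_ip)
    for text, action, enabled in entries:
        if enabled and ip in parse_ip_entry(text):
            return action
    return None


def email_entry_matches(pattern, pattern_type, address):
    if pattern_type == "wildcard":
        # Wildcards are not case sensitive; * and ? are the wildcard characters.
        return fnmatch.fnmatchcase(address.lower(), pattern.lower())
    # Perl-style regular expression, case sensitive as written.
    return re.search(pattern, address) is not None


def email_list_action(entries, sender):
    """entries: (pattern, pattern_type, action, enabled) in list order."""
    for pattern, ptype, action, enabled in entries:
        if enabled and email_entry_matches(pattern, ptype, sender):
            return action
    return None


# Constructed sample lists. Order matters: the specific 'clear' entries sit
# before the broader 'spam' entries that would otherwise match first.
SAMPLE_IP_LIST = [
    ("62.128.69.100/255.255.255.0", "clear", True),   # dotted-decimal mask
    ("198.51.100.0/24", "reject", True),              # prefix-length mask
    ("203.0.113.7/32", "spam", False),                # disabled entry: skipped
    ("203.0.113.0/24", "spam", True),
]
SAMPLE_EMAIL_LIST = [
    ("alice@example.net", "wildcard", "clear", True),
    ("*@example.net", "wildcard", "spam", True),          # whole domain
    (r"^newsletter-\d+@", "regexp", "spam", True),
]

if __name__ == "__main__":
    for ip in ("62.128.69.7", "198.51.100.200", "203.0.113.7", "192.0.2.1"):
        print(ip, ip_list_action(SAMPLE_IP_LIST, ip))
    for sender in ("Alice@Example.net", "bob@example.net", "newsletter-42@other.example"):
        print(sender, email_list_action(SAMPLE_EMAIL_LIST, sender))
```

The disabled /32 entry in the sample list is skipped, so 203.0.113.7 falls through to the enabled /24 entry; this is the same sequential behaviour the IP address list applies when an entry's Enable box is cleared.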

Advanced antispam configuration

Advanced antispam configuration covers only command line interface (CLI) commands not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands, see the FortiGate CLI Reference.

config spamfilter mheader

Use this command to configure email filtering based on the MIME header.

MIME (Multipurpose Internet Mail Extensions) headers are added to email to describe content type and content encoding, such as the type of text in the email body or the program that generated the email. Some examples of MIME headers include:
• X-mailer: outgluck
• X-Distribution: bulk
• Content_Type: text/html
• Content_Type: image/jpg

The first part of the MIME header is called the header key, or just header. The second part is called the value. Spammers often insert comments into header values or leave them blank. These malformed headers can fool some spam and virus filters.

Use the MIME headers list to mark email from certain bulk mail programs or with certain types of content that are common in spam messages. Mark the email as spam or clear for each header configured.

The FortiGate unit compares the MIME header key-value pair of incoming email to the list pairs in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.

MIME header filtering is enabled within each protection profile.

config spamfilter rbl

Use this command to configure email filtering using DNS-based Blackhole List (DNSBL), also called Realtime Blackhole List (RBL), and Open Relay Database List (ORDBL) servers.

Some spammers use unsecured third party SMTP servers to send unsolicited bulk email. Using DNSBLs and ORDBLs is an effective way to tag or reject spam as it enters the network. These lists act as domain name servers that match the domain of incoming email to a list of IP addresses known to send spam or allow spam to pass through. There are several free and subscription servers available that provide reliable access to continually updated DNSBLs and ORDBLs. Please check with the service being used to confirm the correct domain name for connecting to the server.

The FortiGate unit compares the IP address or domain name of the sender to any database lists configured, in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.

DNSBL and ORDBL filtering is enabled within each protection profile.

Note: Because the FortiGate unit uses the server domain name to connect to the DNSBL or ORDBL server, it must be able to look up this name on the DNS server. For information on configuring DNS, see “Options” on page 84.
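Both commands above describe the same first-match walk over an ordered list, one against header key/value pairs and one against DNSBL/ORDBL zones. The Python below is an added example of that logic and is not code from the guide or from Fortinet. The header list, the sample messages, the placeholder zone dnsbl.example and the stub resolver are all constructed so the block runs offline; stripping “(...)” comments from header values before matching is this example's own way of dealing with the comment-padding the guide mentions, not a documented FortiGate behaviour.

```python
import email
import ipaddress
import re
from typing import Callable, List, Optional, Tuple

# Constructed MIME header list in the spirit of config spamfilter mheader:
# (header key, regular expression for the value, action). Entries are tried
# in list order and the first match decides.
MHEADER_LIST: List[Tuple[str, str, str]] = [
    ("List-Id", r"<ops\.example\.com>", "clear"),
    ("X-Mailer", r"^outgluck", "spam"),
    ("X-Distribution", r"^bulk$", "spam"),
    ("Content-Type", r"^text/html", "spam"),
]


def normalize_value(value: str) -> str:
    """Strip RFC 5322 comments and surrounding white space so that a header
    value padded with "(...)" comments still matches. Handling comments this
    way is this example's choice, not a documented FortiGate behaviour."""
    return re.sub(r"\([^)]*\)", "", value).strip()


def classify_headers(raw_message: str, rules=MHEADER_LIST) -> Optional[str]:
    """Return "spam", "clear", or None (no rule matched; next filter)."""
    msg = email.message_from_string(raw_message)
    for key, value_re, action in rules:
        for value in msg.get_all(key, []):      # a header may repeat
            if re.search(value_re, normalize_value(value), re.IGNORECASE):
                return action
    return None


def dnsbl_query_name(sender_ip: str, zone: str) -> str:
    """Build the name a DNSBL client looks up: the sender's IPv4 octets
    reversed, under the list's zone (192.0.2.10 -> 10.2.0.192.<zone>)."""
    ip = ipaddress.ip_address(sender_ip)
    if ip.version != 4:
        raise ValueError("this example covers IPv4 senders only")
    return ".".join(reversed(str(ip).split("."))) + "." + zone


Resolver = Callable[[str], Optional[str]]


def check_dnsbls(sender_ip: str, zones: List[Tuple[str, str]],
                 resolve: Resolver) -> Optional[str]:
    """Try each (zone, action) in sequence; an A record for the query name
    means the address is listed and that zone's action applies."""
    for zone, action in zones:
        if resolve(dnsbl_query_name(sender_ip, zone)) is not None:
            return action
    return None


# Constructed sample data: one listed address, a placeholder zone name and a
# resolver stub standing in for a real DNS lookup so the example runs offline.
LISTED = {"10.2.0.192.dnsbl.example": "127.0.0.2"}
ZONES = [("dnsbl.example", "spam")]


def stub_resolve(name: str) -> Optional[str]:
    return LISTED.get(name)


SPAM_MESSAGE = (
    "From: promo@example.org\r\n"
    "X-Mailer: (v2) outgluck\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "hello\r\n"
)
CLEAN_MESSAGE = (
    "From: alerts@ops.example.com\r\n"
    "List-Id: Ops alerts <ops.example.com>\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<p>disk full</p>\r\n"
)

if __name__ == "__main__":
    print("spam sample  ->", classify_headers(SPAM_MESSAGE))
    print("clean sample ->", classify_headers(CLEAN_MESSAGE))
    print("192.0.2.10   ->", check_dnsbls("192.0.2.10", ZONES, stub_resolve))
```

The clean sample carries a text/html Content-Type that would match the last rule, but the List-Id rule sits earlier in the list and marks it clear first; the same ordering rule is what lets an operator whitelist a known bulk sender ahead of a broad catch-all entry.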

Using Perl regular expressions

Email address list, MIME headers list, and banned word list entries can include wildcards or Perl regular expressions.

See http://perldoc.perl.org/perlretut.html for detailed information about using Perl regular expressions.

Regular expression vs. wildcard match pattern

A wildcard character is a special character that represents one or more other characters. The most commonly used wildcard characters are the asterisk (*), which typically represents zero or more characters in a string of characters, and the question mark (?), which typically represents any one character.

In Perl regular expressions, the ‘.’ character refers to any single character. It is similar to the ‘?’ character in a wildcard match pattern. As a result:
• fortinet.com not only matches fortinet.com but also fortinetacom, fortinetbcom, fortinetccom, and so on.

To match a special character such as ‘.’ and ‘*’, use the escape character ‘\’. For example:
• To match fortinet.com, the regular expression should be: fortinet\.com

In Perl regular expressions, ‘*’ means match 0 or more times of the character before it, not 0 or more times of any character. For example:
• forti*.com matches fortiiii.com but does not match fortinet.com

To match any character 0 or more times, use ‘.*’ where ‘.’ means any character and the ‘*’ means 0 or more times. For example, the wildcard match pattern forti*.com should therefore be fort.*\.com.

Word boundary

In Perl regular expressions, the pattern does not have an implicit word boundary. For example, the regular expression “test” not only matches the word “test” but also any word that contains “test” such as “atest”, “mytest”, “testimony”, “atestb”. The notation “\b” specifies the word boundary. To match exactly the word “test”, the expression should be \btest\b.

Case sensitivity

Regular expression pattern matching is case sensitive in the web and antispam filters. To make a word or phrase case insensitive, use the regular expression /i. For example, /bad language/i will block all instances of “bad language” regardless of case.

Perl regular expression formats

Table 41 lists and describes some example Perl regular expression formats.

Table 41: Perl regular expression formats

Expression
    Matches

abc
    Matches “abc” (the exact character sequence, but anywhere in the string)
^abc
    “abc” at the beginning of the string
abc$
    “abc” at the end of the string
a|b
    Either of “a” and “b”
^abc|abc$
    The string “abc” at the beginning or at the end of the string
ab{2,4}c
    “a” followed by two, three or four “b”s followed by a “c”
ab{2,}c
    “a” followed by at least two “b”s followed by a “c”
ab*c
    “a” followed by any number (zero or more) of “b”s followed by a “c”
ab+c
    “a” followed by one or more “b”s followed by a “c”
ab?c
    “a” followed by an optional “b” followed by a “c”, that is, either “abc” or “ac”
a.c
    “a” followed by any single character (not newline) followed by a “c”
a\.c
    “a.c” exactly
[abc]
    Any one of “a”, “b” and “c”
[Aa]bc
    Either of “Abc” and “abc”
[abc]+
    Any (nonempty) string of “a”s, “b”s and “c”s (such as “a”, “abba”, “acbabcacaa”)
[^abc]+
    Any (nonempty) string which does not contain any of “a”, “b”, and “c” (such as “defg”)
\d\d
    Any two decimal digits, such as 42; same as \d{2}
/i
    Makes the pattern case insensitive. For example, /bad language/i blocks any instance of bad language regardless of case.
\w+
    A “word”: a nonempty sequence of alphanumeric characters and low lines (underscores), such as foo and 12bar8 and foo_1
100\s*mk
    The strings “100” and “mk” optionally separated by any amount of white space (spaces, tabs, newlines)
abc\b
    “abc” when followed by a word boundary (for example, in “abc!” but not in “abcd”)
perl\B
    “perl” when not followed by a word boundary (for example, in “perlert” but not in “perl stuff”)
\x
    Tells the regular expression parser to ignore white space that is neither preceded by a backslash character nor within a character class. Use this to break up a regular expression into (slightly) more readable parts.
/x
    Used to add regular expressions within other text. If the first character in a pattern is forward slash '/', the '/' is treated as the delimiter. The pattern must contain a second '/'. The pattern between the '/' characters will be taken as a regular expression, and anything after the second '/' will be parsed as a list of regular expression options ('i', 'x', etc). An error occurs if the second '/' is missing. In regular expressions, the leading and trailing space is treated as part of the regular expression.

Example regular expressions

To block any word in a phrase

/block|any|word/

To block purposely misspelled words

Spammers often insert other characters between the letters of a word to fool spam blocking software.

/^.*v.*i.*a.*g.*r.*a.*$/i
/cr[eéèêë][\+\\*=<>\.\,!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i

To block common spam phrases

The following phrases are some examples of common phrases found in spam messages.

/try it for free/i
/student loans/i
/you’re already approved/i
/special[\+\\*=<>\.\,!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i
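The rules spelled out above (a pattern that starts with '/' must have a second '/', the options come after it, an entry without delimiters keeps its leading and trailing spaces, and “test” without \b also hits “testimony”) are easy to get wrong when building a banned word list. The following Python block is an added example of those rules and is not code from the guide or from Fortinet; it uses Python's re module as a stand-in for the Perl engine, which is valid for the constructs shown here (\b, |, .*, and the i and x options). The entry list and the sample text are constructed from the guide's own example patterns.

```python
import re
from typing import Iterable, List, Tuple

# Options the guide names after the closing '/': i (case insensitive) and
# x (ignore unescaped white space outside character classes).
OPTION_FLAGS = {"i": re.IGNORECASE, "x": re.VERBOSE}


def parse_pattern(entry: str) -> Tuple[str, int]:
    """Interpret a list entry as the guide describes. An entry starting with
    '/' must contain a second '/': the text between them is the regular
    expression and the characters after the second '/' are options. Any other
    entry is used as-is, leading and trailing spaces included."""
    if not entry.startswith("/"):
        return entry, 0
    end = entry.find("/", 1)
    if end == -1:
        raise ValueError("pattern starts with '/' but has no closing '/'")
    flags = 0
    for opt in entry[end + 1:]:
        if opt not in OPTION_FLAGS:
            raise ValueError(f"unsupported option {opt!r}")
        flags |= OPTION_FLAGS[opt]
    return entry[1:end], flags


def is_valid_entry(entry: str) -> bool:
    """True when the entry parses; the missing second '/' is the error case."""
    try:
        parse_pattern(entry)
        return True
    except ValueError:
        return False


def matching_entries(text: str, entries: Iterable[str]) -> List[str]:
    """Return every entry whose pattern is found somewhere in text."""
    hits = []
    for entry in entries:
        pattern, flags = parse_pattern(entry)
        if re.search(pattern, text, flags):
            hits.append(entry)
    return hits


# Constructed banned word list built from the guide's example patterns plus
# the word-boundary pair from the "Word boundary" discussion.
BANNED_WORDS = [
    "/block|any|word/",            # any one word of a phrase
    "/try it for free/i",          # case-insensitive spam phrase
    "/student \\s+ loans/ix",      # x: the spaces inside the pattern are ignored
    r"\btest\b",                   # only the whole word "test"
    "test",                        # "test" anywhere, for example in "testimony"
    "/^.*v.*i.*a.*g.*r.*a.*$/i",   # letters of a word with padding between them
]

if __name__ == "__main__":
    for sample in ("Try It For FREE today", "testimony", "a test",
                   "Student   Loans", "V-i-a-g-r-a now"):
        print(f"{sample!r:28} -> {matching_entries(sample, BANNED_WORDS)}")
```

Note that the entry “test” fires on “testimony” while \btest\b does not, and that the /x option lets the student-loans pattern be written with spaces for readability without changing what it matches.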

IM/P2P

IM/P2P provides IM user management tools and statistics for network IM and P2P usage. FortiGate systems allow you to set up user lists that either allow or block the use of applications, making it easy to control IM/P2P applications and to maximize productivity.

The following topics are included in this section:
• Overview
• Configuring IM/P2P protocols
• Statistics
• User

Overview

FortiOS 3.0 provides comprehensive protection and control when it comes to IM/P2P applications. FortiNet recognizes that IM/P2P applications are becoming part of doing business but also, if abused, can seriously decrease productivity and network performance. By combining comprehensive protection policies and easy-to-view statistical reports, you can see which applications are being used and for what purpose, to determine which applications are allowed and how much bandwidth can be used by the applications.

The FortiOS 3.0 system comes with an impressive list of supported IM/P2P protocols and can be kept up-to-date with upgrades available for download from the FortiNet Distribution Network. There is no need to wait for a firmware upgrade to stay ahead of the latest protocols. FortiOS 3.0 also provides ways for you to deal with unknown protocols even before upgrades are available.

Table 42 on page 418 lists the IM/P2P applications that are currently recognized by FortiOS 3.0. The table includes the decoders, the applications associated with the decoders and the location of the decoders in the FortiGate interface.

Note: Applications in Table 42 on page 418 marked as bold can connect to multiple P2P networks.

Normally, if you turn off other signatures, the performance will be better, but for IM/P2P it is the opposite: turning on IM and P2P decoders and signatures will help improve IPS performance. For example, if you want to use IPS but you do not want to block IM or P2P applications, you should leave IM/P2P decoders and signatures enabled. IM and P2P protocols must be enabled in the active protection profile for the settings in this section to have any effect.

Table 42: IM/P2P applications covered by IPS in FortiOS 3.0

IPS decoder (location in the web-based manager)
    Applications

Instant Messaging

AIM (Firewall > Protection Profile > IM/P2P)
    AIM, AIM Triton
ICQ (Firewall > Protection Profile > IM/P2P)
    ICQ
MSN (Firewall > Protection Profile > IM/P2P)
    MSN Messenger
qq (Intrusion Protection > Signatures > Protocol decoder > im_decoder)
    QQ
Yahoo! (Firewall > Protection Profile > IM/P2P)
    Yahoo Messenger
msn_web_messenger (Intrusion Protection > Signatures > Protocol decoder > im_decoder)
    MSN web Messenger
google_talk (Intrusion Protection > Signatures > Protocol decoder > im_decoder)
    Google Instant Messenger
rediff (Intrusion Protection > Signatures > Protocol decoder > im_decoder)
    Rediff Instant Messenger

P2P

BitTorrent (Firewall > Protection Profile > IM/P2P)
    BitComet, Bitspirit, Azureus, Shareaza
eDonkey (Firewall > Protection Profile > IM/P2P)
    eMule, Overnet, Edonkey2K, Shareaza, BearShare, MLdonkey, iMesh
Gnutella (Firewall > Protection Profile > IM/P2P)
    BearShare, Shareaza, LimeWire, Xolox, Swapper, iMesh, MLdonkey, Gnucleus, Morpheus, Openext, Mutella, Qtella, Qcquisition, Acquisition, NapShare, gtk-gnutella
KaZaA (Firewall > Protection Profile > IM/P2P)
    KaZaA
Skype (Firewall > Protection Profile > IM/P2P)
    Skype
WinNY (Firewall > Protection Profile > IM/P2P)
    WinNY
ares (Intrusion Protection > Signatures > Protocol decoder > p2p_decoder)
    Ares Galaxy
direct_connect (Intrusion Protection > Signatures > Protocol decoder > p2p_decoder)
    DC++

Configuring IM/P2P protocols

Different organizations require different policies regarding IM/P2P. The FortiGate unit allows you to configure your unit in the way that best serves your needs. This section includes how to enable predefined signatures, custom signatures and unknown user policies.

The following topics are included in this section:
• How to enable and disable IM/P2P options
• How to configure IM/P2P options within a protection profile
• How to configure IM/P2P decoder log settings
• How to configure older versions of IM/P2P applications
• How to configure protocols that are not supported

How to enable and disable IM/P2P options

This section will tell you the four main locations to enable or disable the IM/P2P options.

To enable predefined IM/P2P signatures in intrusion protection
1 Go to Intrusion Protection > Signatures > Predefined.
2 Select the blue arrow next to IM or P2P.
3 In the row that corresponds to the signature you want to edit, select the Edit icon.
4 Enable the signature by selecting the Enable box.
5 Enable logging for a signature by selecting the Logging box.
6 Set the action and severity.
7 Select OK.

To create custom IM/P2P signatures for unknown protocols
1 Go to Intrusion Protection > Signature > Custom > Create New.
2 Enter a name for the signature.
3 Enter the signature.
4 Select the severity and what action to perform.
5 Select OK.

To set up the policy for unknown IM users
1 Go to IM/P2P > User > Config.
2 Select Allow or Block for each of the four IM applications.
3 Select Apply.

How to configure IM/P2P options within a protection profile

There are four main areas within a protection profile that deal with IM/P2P applications. The four areas are antivirus, logging, content archive, and FortiGuard web filtering. This section will show you where to access the configuration settings for each. For more detailed information on protection profiles, please see the Firewall Profile chapter of this guide.

To configure protection profile settings for IM/P2P applications
1 Go to Firewall > Protection Profile.
2 In the row that corresponds to the profile you want to edit, select the Edit icon. Or select Create New.
3 To control the antivirus settings, select the blue arrow for Antivirus.
4 To control Log settings, select the blue arrow for Logging.
5 To control content archive settings, select the blue arrow for Content Archive.
6 To control FortiGuard web filtering, select the blue arrow for FortiGuard Web Filtering.
7 Select OK.

How to configure IM/P2P decoder log settings

This section will show you how to enable known protocol decoders for both IM and P2P applications as well as how to turn on the logging feature for the application.

To enable and log known decoders for IM/P2P applications
1 Go to Intrusion Protection > Signature > Protocol Decoder.
2 Select the blue arrow for IM or P2P decoders.
3 In the row that corresponds to the protocol decoder you want to edit, select the Edit icon.
4 Select Enable to enable the protocol.
5 Select Logging to log the protocol.
6 Set the action and severity.
7 Select OK.

How to configure older versions of IM/P2P applications

Some older versions of IM protocols are able to bypass file blocking because the message types are not recognized. Supported IM protocols include:
• MSN 6.0 and above
• ICQ 4.0 and above
• AIM 5.0 and above
• Yahoo 6.0 and above

If you want to block a protocol that is older than the ones listed above, use the CLI command config imp2p old-version. For details see the FortiGate CLI Reference.

How to configure protocols that are not supported

If you find a protocol that is not supported, please ensure that the IPS package is up to date. If the IPS package is up to date and the protocol is still not supported, you can use a custom signature.

To create a custom signature
1 Go to Intrusion Protection > Signature > Custom > Create New.
2 Enter a name for the signature.
3 Enter the signature.
4 Use the drop down boxes to select an action and the severity for the signature.
5 Select Apply.

Note: To detect new IM/P2P applications or new versions of the existing applications, you only need to update the IPS package, available through the FortiNet Distribution Network (FDN). No firmware upgrade is needed.

Statistics

You can view instant messaging and peer to peer statistics to gain insight into how the protocols are being used within the network. Overview statistics are provided for all IM and P2P protocols. Detailed individual statistics are provided for each IM protocol.

The following topics are included in this section:
• Viewing overview statistics
• Viewing statistics by protocol

Note: If virtual domains are enabled on the FortiGate unit, IM/P2P features are configured globally. To access these features, select Global Configuration on the main menu.

Viewing overview statistics

The Overview tab provides a summary of statistics for all IM and P2P protocols. To view IM/P2P statistics, go to IM/P2P > Statistics > Overview.

Figure 292: IM/P2P statistics Overview

The IM/P2P Overview tab has the following icons and features:

Automatic Refresh Interval: Select the automatic refresh interval for statistics. Set the interval from none to 30 seconds.
Refresh: Click to refresh the page with the latest statistics.
Reset Stats: Click to reset the statistics to zero.
Users: For each IM protocol, the following user information is listed: Current Users, (Users) Since Last Reset, and (Users) Blocked.
Chat: For each IM protocol, the following chat information is listed: Total Chat Sessions and Total Messages. You can log IM chat information and the limitations placed on it by enabling Archive full IM chat info to FortiAnalyzer in the protection profile.
File Transfers: For each IM protocol, the following file transfer information is listed: (File transfers) Since Last Reset and (File transfers) Blocked.
Voice Chat: For each IM protocol, the following voice chat information is listed: (Voice chats) Since Last Reset and (Voice chats) Blocked.
P2P Usage: For each P2P protocol, the following usage information is listed: Total Bytes transferred and Average Bandwidth.

Viewing statistics by protocol

The protocol tab provides detailed statistics for individual IM protocols. To view protocol statistics, go to IM/P2P > Statistics > Protocol.

Figure 293: IM statistics by Protocol

The IM/P2P Protocol tab has the following icons and features:

Automatic Refresh Interval: Select the automatic refresh interval for statistics. Set the interval from none to 30 seconds.
Protocol: Select the protocol for which statistics are to be displayed: AIM, ICQ, MSN, or Yahoo.
Users: For the selected protocol, the following user information is displayed: Current Users, (Users) Since Last Reset, and (Users) Blocked.

Chat: For the selected protocol, the following chat information is displayed: Total Chat Sessions, Server-based Chat, Group Chat, and Direct/Private Chat.
Messages: For the selected protocol, the following message information is displayed: Total Messages, (Messages) Sent, and (Messages) Received.
File Transfers: For the selected protocol, the following file transfer information is displayed: (File transfers) Since Last Reset, (File transfers) Sent, (File transfers) Received, and (File transfers) Blocked.
Voice Chat: For the selected protocol, the following voice chat information is displayed: (Voice chats) Since Last Reset and (Voice chats) Blocked.

User

After IM users connect through the firewall, the FortiGate unit displays which users are connected in the Current Users list. You can analyze the list and decide which users to allow or block. A policy can be configured to deal with unknown users.

The following topics are included in this section:
• Viewing the Current Users list
• Viewing the User List
• Adding a new user to the User List
• Configuring a policy for unknown IM users

Note: If virtual domains are enabled on the FortiGate unit, IM features are configured globally. To access these features, select Global Configuration on the main menu.

Viewing the Current Users list

The Current User list displays information about instant messaging users who are currently connected. The list can be filtered by protocol. All current users can also be displayed.

To view current users, go to IM/P2P > Users > Current User.

Figure 294: Current Users list

The Current Users list has the following features:

Protocol (filter): Filter the list by selecting the protocol for which to display current users: AIM, ICQ, MSN, or Yahoo.
Protocol: The protocol being used.
User Name: The name selected by the user when registering with an IM protocol. The same user name can be used for multiple IM protocols. Each user name/protocol pair appears separately in the list.
Source IP: The address from which the user initiated the IM session.

Last Login: The last time the current user used the protocol.
Block: Select to add the user name to the permanent black list. Each user name/protocol pair must be explicitly blocked by the administrator.

Viewing the User List

The User List displays information about users who have been allowed access to (white list) or have been blocked from (black list) instant messaging services.

To view the User List, go to IM/P2P > Users > User List.

Figure 295: User List

The user list has the following icons and features:

Create New: Select to add a new user to the list.
Protocol (filter): Filter the list by selecting a protocol: AIM, ICQ, MSN, Yahoo, or All.
Policy (filter): Filter the list by selecting a policy: Allow, Deny, or All.
Protocol: The protocol associated with the user.
Username: The name selected by the user when registering with an IM protocol. The same user name can be used for multiple IM protocols. Each user name/protocol pair appears separately in the list.
Policy: The policy applied to the user when attempting to use the protocol: Block or Deny.
Edit icon: Change the following user information: Protocol, Username, and Policy.
Delete icon: Permanently remove users from the User List.

Adding a new user to the User List

Add users to the User List to allow them to access instant messaging services or to block them from these services. Users can be added using Create New or from the temporary users list.

Go to IM/P2P > User > User List and select Create New.

Figure 296: Edit User

Protocol: Select a protocol from the dropdown list: AIM, ICQ, MSN, or Yahoo!
Username: Enter a name for the user. This is the name selected by the user when registering with an IM protocol. The same user name can be used for multiple IM protocols. Each user name/protocol pair appears separately in the list.
Policy: Select a policy from the dropdown list: Allow or Block. This is the policy applied to the user when attempting to use the protocol: Block or Deny.

Configuring a policy for unknown IM users

The User Policy determines the action to be taken with unknown users. Unknown users can be either allowed to use some or all of the IM protocols and added to a white list, or blocked from using some or all of the IM protocols and added to a black list. You can later view the white and black lists and add the users to the user list.

To configure the IM policy, go to IM/P2P > User > Config.

Figure 297: IM User policy

Configure or view the following settings for the IM user policy:

Automatically Allow: Select the protocols that unknown users are allowed to use. The unknown users are added to a temporary white list.
Automatically Block: Select the protocols to which unknown users are denied access. The unknown users are added to a temporary black list.
List of Temporary Users: New users who have been added to the temporary white or black lists. User information includes Protocol, Username, and the Policy applied to the user. Note: If the FortiGate unit is rebooted, the list is cleared.
Protocol: Select a protocol by which to filter the list of temporary users.
Username: The name selected by the user when registering with an IM protocol.
Policy: The policy applied to the user when attempting to use the protocol: Block or Deny.
Permanently Allow: Select to add the user to the permanent white list. The user remains online and is listed in IM/P2P > Users > User List.
Permanently Block: Select to add the user to the permanent black list. The user is listed in IM/P2P > Users > User List.
Apply: Click to apply the global user policy.


Log&Report

This section provides information on how to enable logging, viewing of log files and the viewing of reports available through the web-based manager.

The following topics are included in this section:
• FortiGate Logging
• Log severity levels
• Storing Logs
• High Availability cluster logging
• Log types
• Log Access
• Alert Email
• Content Archive
• Reports
• Viewing FortiAnalyzer reports from a FortiGate unit

FortiGate Logging

FortiGate units provide extensive logging capabilities for traffic, system and network protection functions. Detailed log information and reports provide historical as well as current analysis of network activity to help identify security issues and reduce network misuse and abuse.

A FortiGate unit can log many different network activities and traffic including:
• overall network traffic
• system-related events including system restarts, HA and VPN activity
• anti-virus infection and blocking
• web filtering, URL and HTTP content blocking
• signature and anomaly attack and prevention
• Spam filtering
• Instant Messaging and Peer-to-peer traffic

You can customize the level that the FortiGate unit logs these events and where the FortiGate unit stores the logs.

The FortiGate unit can log system events and intrusion activities to the unit’s memory. The FortiGate unit’s memory is limited and older messages are not saved. Network traffic is not logged because of the high volume of traffic log messages.

For better log storage and retrieval, the FortiGate unit can send log messages to a FortiAnalyzer™ unit. FortiAnalyzer units are network appliances that provide integrated log collection, analysis tools and data storage. Detailed log reports provide historical as well as current analysis of network and email activity to help identify security issues and reduce network misuse. Customizable filters enable you to easily locate specific information within the log files. The FortiGate unit can send all log message types, as well as quarantine files, to a FortiAnalyzer unit for storage. The FortiAnalyzer unit can upload log files to an FTP server for archival purposes. See “Logging to a FortiAnalyzer unit” on page 429 for details on configuring the FortiGate unit to send log messages to a FortiAnalyzer unit.

The FortiGate unit can send log messages to either a Syslog server or WebTrends server for storage and archival purposes.

You can configure the FortiGate unit to send log messages to its hard disk, if available. The FortiGate unit enables you to view log messages available in memory or on the hard disk, if available on the unit, and, for example, on a FortiAnalyzer unit running firmware version 3.0 or higher.

Note: See the FortiGate CLI Reference for details on saving logs to the FortiGate unit hard disk.

See the FortiGate Log Message Reference for details and descriptions of log messages and formats.

Log severity levels

For each location where the FortiGate unit saves log files, you define the level of the messages logged. The FortiGate unit logs all messages at and above the logging severity level you select. For example, if you select Error, the unit logs Error, Critical, Alert and Emergency level messages.

Table 43: Log severity levels

Level
    Description
    Generated by

0 - Emergency
    The system has become unstable.
    Emergency messages not available.
1 - Alert
    Immediate action is required.
    NIDS attack log messages.
2 - Critical
    Functionality is affected.
    Antivirus, Web filter, email filter, and system event log messages.
3 - Error
    An error condition exists and functionality could be affected.
    Error messages not available.
4 - Warning
    Functionality could be affected.
    Antivirus, Web filter, email filter log messages.
5 - Notice
    Information about normal events.
    Antivirus, Web filter, email filter, content log messages and other event log messages.
6 - Information
    General information about system operations.
    DHCP
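The phrase “at and above the logging severity level” means numerically lower (more severe) levels in Table 43 are kept and higher ones are dropped, which is the direction operators most often get backwards when a setting of Error silently discards Warning and Notice events. The Python below is an added example of that threshold rule applied to key=value log lines and is not code from the guide or from Fortinet. The sample lines are constructed in the shape of key=value records with a pri= severity field; the field names and messages are illustrative, not captured from a unit.

```python
import re
from typing import Dict, Iterable, List

# Table 43 ordering: a lower number is more severe.
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "information": 6,
}

# key=value pairs; a quoted value may contain spaces and escaped quotes.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict, unquoting quoted values."""
    fields = {}
    for key, raw in _FIELD.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def is_logged(level: str, threshold: str) -> bool:
    """True when a message at `level` is kept under a `threshold` setting:
    the unit logs the selected level and every level more severe than it."""
    return SEVERITY[level.lower()] <= SEVERITY[threshold.lower()]


def filter_logs(lines: Iterable[str], threshold: str) -> List[str]:
    """Return the lines a unit configured at `threshold` would record."""
    kept = []
    for line in lines:
        level = parse_log_line(line).get("pri")
        if level is None or level.lower() not in SEVERITY:
            continue   # no usable severity field: nothing to compare
        if is_logged(level, threshold):
            kept.append(line)
    return kept


# Constructed sample lines (not captured from a FortiGate unit).
SAMPLE_LINES = [
    'date=2006-11-24 time=10:15:02 type=event subtype=system pri=information msg="admin login"',
    'date=2006-11-24 time=10:15:40 type=event subtype=ipsec pri=notice msg="tunnel up"',
    'date=2006-11-24 time=10:16:11 type=event subtype=system pri=warning msg="interface wan1 link down"',
    'date=2006-11-24 time=10:16:12 type=event subtype=ha pri=critical msg="HA member lost"',
    'date=2006-11-24 time=10:17:00 type=ips subtype=signature pri=alert msg="attack detected"',
    'date=2006-11-24 time=10:17:30 type=event subtype=dhcp pri=error msg="lease pool exhausted"',
    'garbage line without fields',
]

if __name__ == "__main__":
    for threshold in ("error", "warning", "information"):
        kept = filter_logs(SAMPLE_LINES, threshold)
        print(f"threshold={threshold}: {len(kept)} of {len(SAMPLE_LINES)} lines kept")
        for line in kept:
            print("   ", parse_log_line(line)["pri"], parse_log_line(line)["msg"])
```

With the threshold at Error, the Warning link-down event is not recorded; if that event matters for a detection use case, the destination's level has to be Warning or Notice, at the cost of more volume on the memory log.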

Storing Logs

The type and frequency of log messages you intend to save dictates the type of log storage to use. For example, you can store a limited number of log messages in memory and older log messages are overwritten. Storing log messages to one or more locations, such as a FortiAnalyzer unit, may be better suited for your specific logging purposes.

If you want to log traffic and content logs, you need to configure logging to a FortiAnalyzer unit or Syslog server because the FortiGate unit’s system memory is unable to log these particular log files.

In Log&Report > Log Config > Log Setting, you can configure where the FortiGate unit stores logs.

Note: If your FortiGate unit has a hard disk, use the CLI to enable logging to the FortiGate’s hard disk. See the FortiGate CLI Reference for more information before enabling logging to your FortiGate unit hard disk.

Logging to a FortiAnalyzer unit

FortiAnalyzer units are network appliances that provide integrated log collection, analysis tools and data storage. Detailed log reports provide historical as well as current analysis of network and email activity to help identify security issues and reduce network misuse and abuse.

Note: The FortiGate unit can log to up to three FortiAnalyzer units. The FortiGate unit sends logs to all three FortiAnalyzer units, and the logs are stored on each of the FortiAnalyzer units. This provides real-time backup protection in the event one of the FortiAnalyzer units fails. This feature is only available through the CLI. For more information, see the FortiGate CLI Reference.

Figure 298: Configuring a connection to the FortiAnalyzer unit

To configure the FortiGate unit to send logs to the FortiAnalyzer unit
1 Go to Log&Report > Log Config > Log Setting.
2 Select the blue arrow to expand the FortiAnalyzer options.
3 Select FortiAnalyzer.
4 Set the level of the log messages to send to the FortiAnalyzer unit. The FortiGate unit logs all messages at and above the logging severity level you select. For details on the logging levels, see Table 43, “Log severity levels,” on page 428.
5 Enter the Server IP address of the FortiAnalyzer unit.
6 Select Apply.

Note: After configuring the log settings on the FortiGate unit, the FortiAnalyzer unit needs to be configured to receive logs sent from the FortiGate unit. Contact a FortiAnalyzer administrator to complete the configuration.

Connecting to FortiAnalyzer using Automatic Discovery

You can connect to a FortiAnalyzer unit by using the Automatic Discovery feature. Automatic discovery is a method of establishing a connection to a FortiAnalyzer unit. When you select Automatic Discovery, the FortiGate unit uses HELLO packets to locate any FortiAnalyzer units available on the network within the same subnet. The FortiGate unit searches within the same subnet for a response from any available FortiAnalyzer units. When the FortiGate unit discovers the FortiAnalyzer unit, the FortiGate unit automatically enables logging to the FortiAnalyzer unit and begins sending log data. The Automatic Discovery feature is disabled by default. The FortiAnalyzer unit requires FortiAnalyzer 3.0 firmware to use the feature.

Note: The Automatic Discovery feature needs to be enabled on the FortiAnalyzer unit so the feature works properly.

To enable automatic discovery
1 Go to Log&Report > Log Config > Log Setting.
2 Select the blue arrow to expand the FortiAnalyzer options.
3 Select Automatic Discovery.
4 Select Discover.
5 Select a FortiAnalyzer unit from the Connect To list.
6 Select Apply.

Testing the FortiAnalyzer configuration

After configuring FortiAnalyzer settings, you can test the connection between the FortiGate unit and the FortiAnalyzer unit to ensure the connection is working correctly. This enables you to see the connection between the FortiGate unit and the FortiAnalyzer unit, including the settings specified for transmitting and receiving logs, content archive, reports, and quarantine files between the FortiGate unit and the FortiAnalyzer unit, if logging is configured for traffic and so on.

Note: Make sure the FortiGate unit learns the IP address of the FortiAnalyzer unit before testing the connection between both units. A false test report failure may occur if you select Test Connectivity before the FortiGate unit learns the IP address of the FortiAnalyzer unit.

To test the connection
1 Go to Log&Report > Log Config > Log Setting.
2 Select the blue arrow for FortiAnalyzer to expand the options.
3 Select Test Connectivity.

Figure 299: Test Connectivity with FortiAnalyzer

FortiAnalyzer (Hostname)   The name of the FortiAnalyzer unit. The default name of a FortiAnalyzer unit is its product name, for example, FortiAnalyzer-400.
FortiGate (Device ID)   The serial number of the FortiGate unit.
Registration Status   The registration status of the FortiGate unit.
Connection Status   The connection status between the FortiGate and FortiAnalyzer units. A checkmark indicates there is a connection and an X indicates there is no connection.
Disk Space
   Allocated Space   The amount of space designated for logs.
   Used Space   The amount of used space.
   Total Free Space   The amount of unused space.
Privileges   Displays the permissions of the device for sending and viewing logs and reports. A check mark indicates the FortiGate unit has permissions to send or view log information and reports. An X indicates the FortiGate unit is not allowed to send or view log information.
   • Tx indicates the FortiGate unit is configured to transmit log packets to the FortiAnalyzer unit.
   • Rx indicates the FortiGate unit is allowed to view reports and logs stored on the FortiAnalyzer unit.

Logging to memory

The FortiGate system memory has a limited capacity for log messages. It displays the most recent log entries. The FortiGate unit does not store Traffic and Content logs in memory because of their size and the frequency of log entries. When the memory is full, the FortiGate unit overwrites the oldest messages. All log entries are cleared when the FortiGate unit restarts.

To configure the FortiGate unit to save logs in memory
1 Go to Log&Report > Log Config > Log Setting.
2 Select the blue arrow to expand the Memory options.
3 Select Memory.
4 Select the severity level.
The FortiGate unit logs all messages at and above the logging severity level you select. For details on the logging levels, see Table 43, “Log severity levels,” on page 428.

Logging to a Syslog server

The syslog is a remote computer running a syslog server. Syslog is an industry standard used to capture log information provided by network devices.

Figure 300: Logging to a Syslog server

To configure the FortiGate unit to send logs to a syslog server
1 Go to Log&Report > Log Config > Log Setting.
2 Select the blue arrow to expand the Syslog options.
3 Select Syslog.
4 Set the following syslog options and select Apply:
Name/IP   The domain name or IP address of the syslog server.
Port   The port number for communication with the syslog server, typically port 514.
Level   The FortiGate unit logs all messages at and above the logging severity level you select. For details on the logging levels, see Table 43, “Log severity levels,” on page 428.
Facility   Facility indicates to the syslog server the source of a log message. By default, FortiGate reports Facility as local7. You may want to change Facility to distinguish log messages from different FortiGate units.
Enable CSV Format   If you enable CSV format, the FortiGate unit produces the log in Comma Separated Value (CSV) format. If you do not enable CSV format, the FortiGate unit produces plain text files.

Note: If more than one Syslog server is configured, the Syslog servers and their settings display on the Log Settings page. The list displays only when multiple Syslog servers are configured.

Logging to WebTrends

WebTrends is a remote computer running a NetIQ WebTrends firewall reporting server. FortiGate log formats comply with WebTrends Enhanced Log Format (WELF) and are compatible with NetIQ WebTrends Security Reporting Center and Firewall Suite 4.1. Use the command line interface to configure the FortiGate unit to send log messages to WebTrends. After logging into the CLI, enter the following commands:

    config log webtrends setting
        set server <address_ipv4>
        set status {disable | enable}
    end

Keywords and variables   Description   Default
server <address_ipv4>   Enter the IP address of the WebTrends server that stores the logs.   No default.
status {disable | enable}   Enter enable to enable logging to a WebTrends server.   disable

Example

This example shows how to enable logging to a WebTrends server and to set an IP address for the server.

    config log webtrends setting
        set status enable
        set server 220.210.200.190
    end

See the Log chapter in the FortiGate CLI Reference for details on setting the options for the types of logs sent to WebTrends.

High Availability cluster logging

When configuring logging with a High Availability (HA) cluster, configure the primary unit to send logs to a FortiAnalyzer unit or a Syslog server. The settings will apply to the subordinate units. The subordinate units send their log messages to the primary unit, and the primary unit sends all logs to the FortiAnalyzer unit or Syslog server. If you configured a secure connection via an IPSec VPN tunnel between a FortiAnalyzer unit and an HA cluster, the connection is between the FortiAnalyzer unit and the HA cluster primary unit. See the FortiGate High Availability User Guide for more information.
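The Level and Facility settings described under "Logging to a Syslog server" arrive at the collector encoded in the syslog priority (PRI) field, and the Level cut-off ("at and above the severity level you select") is the same comparison a collector applies when it filters. The following is an added example, not code from the FortiGate guide or from Fortinet: it decodes the PRI of RFC 3164-style datagrams into facility and severity, parses the key=value body produced when CSV format is disabled, applies a minimum severity, and groups device names by facility so that units configured with different Facility values can be told apart. The sample lines, device names and collector behaviour are constructed for this example.

```python
"""Decode syslog priorities on FortiGate log lines and apply a severity cut-off.

Added example, not code from the FortiGate guide or from Fortinet. It assumes
the unit sends RFC 3164-style datagrams ("<PRI>body") to a collector on
UDP/514 with CSV format disabled, so the body is a key=value record. The
sample lines and device names below are constructed.
"""
import re

# RFC 3164 facility codes. A FortiGate reports local7 (23) unless Facility is changed.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                  5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
                  10: "authpriv", 11: "ftp", 16: "local0", 17: "local1",
                  18: "local2", 19: "local3", 20: "local4", 21: "local5",
                  22: "local6", 23: "local7"}

# FortiGate severity names, ordered from most (0) to least (7) severe.
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "information", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def decode_pri(pri):
    """Split a PRI value into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)


def parse_body(body):
    """Parse a key=value body; quoted values may contain spaces."""
    fields = {}
    for key, value in _KV_RE.findall(body):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def parse_message(raw):
    """Return {"facility", "severity", "fields"} for one syslog line.

    A line without a valid PRI is treated as <13> (user.notice), as RFC 3164
    tells relays to do, instead of being dropped silently.
    """
    match = _PRI_RE.match(raw)
    if match and int(match.group(1)) <= 191:
        pri, body = int(match.group(1)), match.group(2)
    else:
        pri, body = 13, raw
    facility, severity = decode_pri(pri)
    return {"facility": FACILITY_NAMES.get(facility, "facility%d" % facility),
            "severity": SEVERITY_NAMES[severity],
            "fields": parse_body(body)}


def at_or_above(messages, level):
    """Keep messages at or above `level`, mirroring the FortiGate Level setting."""
    threshold = SEVERITY_NAMES.index(level.lower())
    return [m for m in messages if SEVERITY_NAMES.index(m["severity"]) <= threshold]


def devices_by_facility(messages):
    """Map each facility name to the set of devnames seen with it."""
    out = {}
    for m in messages:
        out.setdefault(m["facility"], set()).add(m["fields"].get("devname", "unknown"))
    return out


# Constructed sample datagrams, as a collector would receive them.
SAMPLE_LINES = [
    '<189>date=2006-11-24 time=10:15:02 devname=FGT-A type=traffic subtype=allowed '
    'pri=notice src=10.0.0.5 dst=192.0.2.10 status=accept',
    '<188>date=2006-11-24 time=10:15:04 devname=FGT-A type=event subtype=admin '
    'pri=warning user=admin msg="constructed: login failed from GUI"',
    '<174>date=2006-11-24 time=10:15:05 devname=FGT-B type=event subtype=system '
    'pri=information msg="constructed: gateway status up"',
    '<186>date=2006-11-24 time=10:15:07 devname=FGT-A type=virus subtype=infected '
    'pri=critical file="invoice.exe" msg="constructed: file is infected"',
    'date=2006-11-24 time=10:15:09 devname=FGT-C type=event subtype=system '
    'pri=notice msg="constructed: datagram arrived without a PRI header"',
]


def run_sample():
    """Parse the sample lines; return all messages and the warning-and-up subset."""
    messages = [parse_message(line) for line in SAMPLE_LINES]
    return messages, at_or_above(messages, "warning")


if __name__ == "__main__":
    messages, important = run_sample()
    for m in important:
        print(m["facility"], m["severity"], m["fields"].get("devname"), m["fields"].get("msg", ""))
    print(devices_by_facility(messages))
```

The third sample line arrives on local5 rather than local7, which is what changing Facility on one unit buys you: the collector can route or store that unit's messages separately without parsing the body. The last line has no PRI at all and is deliberately kept rather than discarded, so a misconfigured sender still shows up at the default priority.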

Log types

The FortiGate unit provides a wide range of logging options for monitoring your network. This section describes each log type and how to enable the log.

Note: Configure the device where you want to store the log files before recording any logs. See “Storing Logs” on page 429 for more information.

Traffic log

The Traffic Log records all the traffic to and through the FortiGate interfaces. You can configure logging of traffic controlled by firewall policies and for traffic between any source and destination addresses. You can apply the following filters:
Allowed traffic   The FortiGate unit logs all traffic that is allowed according to the firewall policy settings.
Violation traffic   The FortiGate unit logs all traffic that violates the firewall policy settings.

Note: You need to set the logging severity level to Notification when configuring a logging location to record traffic log messages. Traffic log messages generally have a severity level no higher than Notification.

Enabling traffic logging

Traffic logging records any traffic to or from the interface or VLAN subinterface. You need to set the logging severity level to Notification or lower to record traffic logs.

To enable traffic logging for an interface or VLAN subinterface
1 Go to System > Network > Interface.
2 Select the Edit icon for an interface.
3 Select Log.
4 Select OK.

Enabling firewall policy traffic logging

Firewall policy traffic logging records the traffic that is both permitted and denied by the firewall policy, based on the protection profile.

To enable firewall policy traffic logging
1 Go to Firewall > Policy.
2 Select the blue arrow to expand the policy list for a policy.
3 Select the Edit icon. If required, create a new firewall policy by selecting Create.
4 Select Log Allowed Traffic.
5 Select OK.

Event log

The Event Log records management and activity events, such as when a configuration has changed, or VPN and High Availability (HA) events occur.

To enable the event logs
1 Go to Log&Report > Log Config > Event Log.
2 Select from the following logs:
System Activity event   The FortiGate unit logs all system-related events, such as ping server failure and gateway status.
IPSec negotiation event   The FortiGate unit logs all IPSec negotiation events, such as progress and error reports.
DHCP service event   The FortiGate unit logs all DHCP events, such as the request and response log.
L2TP/PPTP/PPPoE service event   The FortiGate unit logs all protocol-related events, such as manager and socket creation processes.
Admin event   The FortiGate unit logs all administrative events, such as user logins, resets, and configuration updates.
HA activity event   The FortiGate unit logs all high availability events, such as link, member, and state information.
Firewall authentication event   The FortiGate unit logs all firewall-related events, such as user authentication.
Pattern update event   The FortiGate unit logs all pattern update events, such as antivirus and IPS pattern updates and update failures.
SSL VPN user authentication event   The FortiGate unit logs all user authentication events for an SSL VPN connection, such as logging in, logging out and timeout due to inactivity.
SSL VPN administrator event   The FortiGate unit logs all administrator events related to SSL VPN, such as SSL configuration and CA certificate loading and removal.
SSL VPN session event   The FortiGate unit logs all session activity such as application launches and blocks, timeouts, verifications and so on.
3 Select Apply.

Antivirus log

The Antivirus Log records virus incidents in Web, FTP, and email traffic. For example, when the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized file or email, an antivirus log is recorded. You can apply the following filters:
Viruses   The FortiGate unit logs all virus infections.
Blocked Files   The FortiGate unit logs all instances of blocked files.
Oversized Files/Emails   The FortiGate unit logs all instances of files and email messages exceeding defined thresholds.
AV Monitor   The FortiGate unit logs all instances of viruses, blocked files, and oversized files and email. This applies to HTTP, FTP, IMAP, POP3, SMTP, and IM traffic.

To enable antivirus logs
1 Go to Firewall > Protection Profile.
2 Select the Edit icon beside the protection profile to enable logging of antivirus events.
3 Select the blue arrow to expand the Logging options.
4 Select the antivirus events you want logged.
5 Select OK.

Web filter log

The Web Filter Log records HTTP FortiGuard log rating errors including web content blocking actions.

To enable web filter logs
1 Go to Firewall > Protection Profile.
2 Select edit for a protection profile.
3 Select the blue arrow to expand the Logging options.
4 Select the web filtering events to log.
5 Select the FortiGuard Web Filtering Log rating errors (HTTP only) option to log FortiGuard filtering.
6 Select OK.

Attack log

The Attack Log records attacks detected and prevented by the FortiGate unit. The FortiGate unit logs the following:
Attack Signature   The FortiGate unit logs all detected and prevented attacks based on the attack signature, and the action taken by the FortiGate unit.
Attack Anomaly   The FortiGate unit logs all detected and prevented attacks based on unknown or suspicious traffic patterns, and the action taken by the FortiGate unit.

Note: Make sure attack signature and attack anomaly settings are enabled to log the attack. The logging options for the signatures included with the FortiGate unit are set by default. Ensure any custom signatures also have the logging option set. For details, see “Intrusion Protection” on page 369.

To enable the attack logs
1 Go to Firewall > Protection Profile.
2 Select edit for a protection profile.
3 Select the blue arrow to expand the Logging options.
4 Select Log Intrusions.
5 Select OK.

Spam filter log

The Spam Filter Log records blocking of email address patterns and content in SMTP, IMAP and POP3 traffic.

To enable the Spam log
1 Go to Firewall > Protection Profile.
2 Select edit for a protection profile.
3 Select the blue arrow to expand the Logging options.
4 Select Log Spam.
5 Select OK.

IM and P2P log

The Instant Message (IM) and Peer-to-Peer (P2P) log records instant message text and audio communications, file transfers attempted by users, the time the transmission was attempted, the type of IM application used and the content of the transmission.

To enable IM and P2P logs
1 Go to Firewall > Protection Profile.
2 Select edit for a protection profile.
3 Select the blue arrow to expand the Logging options.
4 Select Log IM Activity.
5 Select Log P2P Activity.
6 Select OK.

Log Access

The FortiGate unit enables you to view the logs stored in memory, on the hard disk, or on a FortiAnalyzer unit running FortiAnalyzer 3.0 or higher. Within the log viewer, you can search and filter log messages. For logs stored on the FortiAnalyzer unit, you can delete log files, remove log messages within files, and download the log file in either plain text or CSV format.

Note: The FortiAnalyzer unit must be running firmware version 3.0 or higher so the FortiGate unit can view logs that are located on a FortiAnalyzer unit.

Accessing log messages stored in memory

To view log messages in the FortiGate memory buffer
1 Go to Log&Report > Log Access.
2 Select the Memory tab.
3 Select the log type from the Log Type list.
The log messages appear on the Log Access page.

Note: Traffic logs are not stored in memory because of the volume and the amount of space required to log them.

Accessing logs stored on the FortiAnalyzer unit

You can view, navigate, and download logs saved to the FortiAnalyzer unit. For details on configuring the FortiGate unit to send log files to the FortiAnalyzer unit, see “Logging to a FortiAnalyzer unit” on page 429.

Note: The FortiAnalyzer unit must be running firmware version 3.0 or higher to view logs from the FortiGate unit.

To access log files on the FortiAnalyzer unit
1 Go to Log&Report > Log Access.
2 Select the FortiAnalyzer tab.
3 Select the log type you want to view.

Figure 301: Viewing log files stored on the FortiAnalyzer unit (callout: View icon)

Log Type   Select the type of log you want to view.
File name   The name(s) of the log file(s) of that type stored on the FortiAnalyzer hard disk. When a log file reaches its maximum size, the FortiAnalyzer unit saves the log file with an incremental number and starts a new log file with the same name. For example, the current attack log is alog.log. Any subsequent saved logs appear as alog.n.log, where n is the number of rolled logs.
Size   The size of the log file in bytes.
Last access time   The day of the week, month, day, time, and year a log message packet was last sent by the FortiGate unit.
View icon   Display the log file through the web-based manager.

Viewing log information

The log viewer provides a display of the log message information. The top portion of the Log Access page includes navigational features to help you move through the log messages and locate specific information. The columns that appear reflect the content found in the log file. Some log files, such as the traffic log, cannot be stored to memory due to the volume of information logged.

Figure 302: Viewing log messages (callouts: Previous Page icon, Next Page icon, Column Settings icon)

Previous page icon   Select to view the previous page in the log file.
Next page icon   Select to view the next page in the log file.
View per page   Select the number of log messages displayed on each page.
Line   Type the line number of the first line you want to display. The number following the slash (“/”) is the total number of lines in the log.
Column settings icon   Select to add or remove log information columns to display.
Clear All Filters   Select to remove applied filtering options for the log file.
Raw or Formatted   Select Raw to switch to an unformatted log message display. Select Formatted to switch to a log message display organized into columns.

Column settings

Customize and filter the log messages display using the Column Settings icon. The column settings apply when viewing the formatted (not raw) log messages.

Figure 303: Column settings for viewing log messages

To customize the columns
1 Go to Log&Report > Log Access.
2 Select the tab to view logs from, Memory or FortiAnalyzer.
3 Select the log type from the Log Type list.
4 Select the View icon if you are viewing a log file on a FortiAnalyzer unit.
5 Select the Column Settings icon.
6 Select a column name and select one of the following to change the views of the log information:
->   Select the right arrow to move selected fields from the Available fields list to the Show these fields in this order list.
<-   Select the left arrow to move selected fields from the Show these fields in this order list to the Available fields list.
Move up   Move the selected field up one position in the Show these fields list.
Move down   Move the selected field down one position in the Show these fields list.
7 Select OK.

Note: The Detailed Information column provides the entire raw log entry and is only needed if the log contains information not available in any of the other columns.

Filtering log messages

You can filter the contents of the logs to find specific information within a large log file or many log messages. Filtering provides a form of advanced search for each column of information in the log.

Figure 304: Log filters (callouts: Column filter, Filter in use)

The filter settings you apply remain for the duration of the time you are logged in to the web-based manager. The log filters are reset when you log out of the web-based manager.

Note: The filters can only be used when viewing log contents in the formatted view. You can filter log messages using the Column Settings icon when in formatted view. See “Column settings” on page 440 for more information.

To filter log messages
1 Go to Log&Report > Log Access.
2 Select the tab to view logs from, Memory or FortiAnalyzer.
3 Select the log type from the Log Type list.
4 Select the View icon if you are viewing a log file on a FortiAnalyzer unit.
5 Enter the line number you want to view in the Line field, if required. The line number you entered is shown along with all lines that come after it. Select Raw if you want to view all files in an unformatted format. With the Column Settings icon, you can view only the message of the log, or several parts of the log, for example the date, time, source port, destination port, and ID.
6 Select OK.

Content Archive

The Content Archive menu enables you to view archived logs stored on the FortiAnalyzer unit from the FortiGate unit’s web-based manager. The Content Archive menu has four tabs, HTTP, FTP, Email, and IM, where you can view each of these archived log types. Before viewing content archives, you need to enable this feature on your FortiGate unit. Content archiving is enabled from within a protection profile.

To enable content archiving for your FortiGate unit
1 Go to Firewall > Protection Profile.
2 Select the Edit icon beside a protection profile.
3 Select the blue triangle to expand the Content Archive option.
4 Select Archiving email to FortiAnalyzer.
5 Select the check boxes you require for HTTP, FTP, IMAP, POP3, or SMTP.
6 Select OK.

Note: NNTP options will be supported in future releases.

To view content archives
1 Go to Log&Report > Content Archive.
2 Select the tab of the archived log type to view.
If you require to view logs in Raw format, select Raw beside the Column Settings icon. See “Column settings” on page 440 for more information about the Column Settings icon.

Alert Email

The Alert Email feature enables the FortiGate unit to monitor logs for log messages, notifying by email of a specific activity or event logged. For example, if you require notification about administrator(s) logging in and out, you can configure an alert email that is sent whenever an administrator logs in or out. This feature sends out an alert email based on the severity level logged as well.

Figure 305: Alert Email options

Configuring Alert Email

When configuring alert email, you must configure at least one DNS server. The FortiGate unit uses the SMTP server name to connect to the mail server, and must look up this name on your DNS server.

To configure alert email
1 Go to Log&Report > Log Config > Alert E-mail.
2 Set the following options:

SMTP Server   The name/address of the SMTP email server.
Email from
Email To   Enter up to three email recipients for the alert email message.
Authentication Enable   Select the Authentication Enable check box to enable SMTP authentication.
SMTP user   The SMTP user name. Enter the user name for logging on to the SMTP server to send alert email messages. You only need to do this if you have enabled SMTP authentication.
Password   Enter the password for logging on to the SMTP server to send alert email. You only need to do this if you selected SMTP authentication.
3 Select Apply.
4 Select Test Connectivity to receive a test email message to the email account you configured in the above step.
5 Select Send an alert based on severity if you require sending an alert email based on log severity level. This enables the FortiGate unit to send an alert email whenever a specific log level appears in the log.
6 Select the minimum severity level in the Minimum severity level list.
7 Select Send alert email for the following if you require sending an email based on one or all of the following:
Interval Time   Enter the number of minutes before an alert email is sent to the recipient.
Intrusion detected   Select if you require an alert email message based on intrusion detection.
Virus detected   Select if you require an alert email message based on virus detection.
Web access blocked   Select if you require an alert email message based on blocked web sites that were accessed.
HA status changes   Select if you require an alert email message based on HA status changes.
Violation traffic detected   Select if you require an alert email message based on violation traffic the FortiGate unit detects.
Firewall authentication   Select if you require an alert email message based on firewall authentication.
SSL VPN login failure   Select if you require an alert email message based on any SSL VPN logins that failed.
Administrator login/logout   Select if you require an alert email message based on whether the administrator(s) logs in and logs out.
IPSec tunnel errors   Select if you require an alert email message based on whether there is an error in the IPSec tunnel configuration.
L2TP/PPTP/PPPoE errors   Select if you require an alert email message based on errors that occurred in L2TP, PPTP, or PPPoE.
Configuration changes   Select if you require an alert email message based on any changes made to the FortiGate configuration.
FDS license expiry time (in days)   Enter the number of days for notification of FDS license expiry time.
Disk usage in percent   Enter a number for the percentage of disk usage at which an alert email will be sent.
8 Select Apply.
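The options above combine two selection rules (a minimum severity, and a set of event categories) with an Interval Time that spaces the emails out. The following is an added example, not code from the FortiGate guide, that models that behaviour so the interaction is visible: a matching log message opens an interval window, every further match inside the window is folded into the same email, and the email goes out when the window closes. The event trace, category names, timings and the windowing rule itself are constructed assumptions for this example.

```python
"""Model the Alert Email batching rules: minimum severity plus an interval.

Added example, not code from the FortiGate guide. It assumes a simple
model of the behaviour the options describe: a matching log message starts
an interval window; every further match inside the window is folded into the
same email, which is sent when the window closes. The event list, category
names and timings are constructed.
"""
from dataclasses import dataclass, field

# FortiGate severity names from most (0) to least (7) severe.
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "information", "debug"]


@dataclass
class LogEvent:
    minute: int          # minutes since the start of the constructed trace
    severity: str
    category: str        # e.g. "admin_login", "virus", "ipsec_error"
    text: str


@dataclass
class AlertEmailConfig:
    interval_minutes: int
    min_severity: str = "alert"          # the page's default minimum level
    send_on_severity: bool = True        # "Send an alert based on severity"
    categories: frozenset = frozenset()  # "Send alert email for the following"


@dataclass
class AlertEmail:
    sent_at_minute: int
    lines: list = field(default_factory=list)


def event_matches(event, cfg):
    """True when an event should raise an alert under cfg (either rule suffices)."""
    by_severity = (cfg.send_on_severity and
                   SEVERITY_NAMES.index(event.severity) <= SEVERITY_NAMES.index(cfg.min_severity))
    by_category = event.category in cfg.categories
    return by_severity or by_category


def batch_alerts(events, cfg):
    """Coalesce matching events into one email per interval window."""
    emails = []
    current = None
    window_end = None
    for ev in sorted(events, key=lambda e: e.minute):
        # A window that has expired is flushed before the next event is looked at.
        if current is not None and ev.minute >= window_end:
            emails.append(current)
            current, window_end = None, None
        if not event_matches(ev, cfg):
            continue
        if current is None:
            current = AlertEmail(sent_at_minute=ev.minute + cfg.interval_minutes)
            window_end = current.sent_at_minute
        current.lines.append("[%s] %s: %s" % (ev.severity, ev.category, ev.text))
    if current is not None:
        emails.append(current)
    return emails


# Constructed trace standing in for the unit's log stream.
SAMPLE_EVENTS = [
    LogEvent(0, "notification", "admin_login", "admin logged in from GUI"),
    LogEvent(1, "critical", "virus", "infected file blocked"),
    LogEvent(2, "alert", "ips", "signature match"),
    LogEvent(3, "information", "traffic", "session accepted"),
    LogEvent(7, "error", "ipsec_error", "phase 1 negotiation failed"),
    LogEvent(12, "critical", "virus", "infected email blocked"),
]

if __name__ == "__main__":
    cfg = AlertEmailConfig(interval_minutes=5, categories=frozenset({"admin_login"}))
    for email in batch_alerts(SAMPLE_EVENTS, cfg):
        print("sent at minute", email.sent_at_minute)
        for line in email.lines:
            print("   ", line)
```

With the default minimum of Alert, the critical virus events in the trace never reach the recipient unless the Virus detected box is also ticked; lowering the minimum to Error, or selecting the categories, changes both how many emails go out and what each one contains.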

Note: The default minimum log severity level is Alert.

Note: If the FortiGate unit collects more than one log message before an interval is reached, the FortiGate unit combines the messages and sends out one alert email.

Reports

The FortiAnalyzer unit’s reporting features are now more integrated with the FortiGate unit. From the Log&Report menu, you can configure a simple FortiAnalyzer report, view the report, and print the report. You can even view content archive logs stored on the FortiAnalyzer unit. You can also configure basic traffic reports from the Log&Report menu.

Basic traffic reports

The FortiGate unit uses collected log information and presents it in graphical format to show network usage for a number of services. Basic traffic reports use the log information stored in your FortiGate unit’s memory to present basic traffic information in a graphical format. The charts show the bytes used for the service traffic. You can view the graphs from Log&Report > Report Access > Memory.

Note: The data used to present the graphs is stored in memory. When the FortiGate unit is reset or rebooted, the data is erased.

Figure 306: Viewing the Bandwidth Per Service graph

Configuring the graphical view

The FortiGate basic traffic report includes a wide range of services you can monitor. Deselect the services you don’t want included in the graphical analysis. For example, you can view only email services for the last three days. All services are selected by default.

To change the graphical information
1 Go to Log&Report > Report Access > Memory.
2 Select the time period to include in the graph from the Time Period list.
3 Deselect the services to not include in the graph.
4 Select Apply.
The graph refreshes and displays with the content you specified in the above procedure.

Time Period   Select a time range to view for the graphical analysis. You can choose from one day, three days, one week or one month. The default is one day.
Services   By default all services are selected. Deselect the services to not include in the graph:
• Browsing
• DNS
• Email
• FTP
• Gaming
• Instant Messaging
• Newsgroups
• P2P
• Streaming
• TFTP
• VoIP
• Generic TCP
• Generic UDP
• Generic ICMP
• Generic IP

The report is not updated in real-time. You can refresh the report by selecting the Memory tab. When you refresh your browser or go to a different menu, the settings, including the selected services, revert to their defaults. The Top Protocols Ordered by Total Volume graph does not change.

FortiAnalyzer reports

You can configure a simple FortiAnalyzer report from the FortiGate unit’s logs in the web-based manager or CLI. See “Configuring a FortiAnalyzer report” on page 446 if you require a simple FortiAnalyzer report. If you want to configure a report using the CLI, see the FortiGate CLI Reference for more details.

Note: If you require a more specific and detailed report, configure a report from the FortiAnalyzer unit’s web-based manager or CLI. The FortiAnalyzer unit can generate over 140 different reports, providing you with more options than the FortiGate unit provides. See the FortiAnalyzer Administration Guide for details on how to add and configure additional report profiles.

Note: FortiAnalyzer reports do not appear if the FortiGate unit is not connected to a FortiAnalyzer unit, or if the FortiAnalyzer unit is not running firmware 3.0 or higher.

Configuring a FortiAnalyzer report

You can configure a FortiAnalyzer report from the Report Config menu. After configuring a FortiAnalyzer report, you can edit the scheduled report, if required. See “Editing scheduled FortiAnalyzer reports” on page 451 to edit a scheduled report.

To configure the FortiAnalyzer report profile
1 Go to Log&Report > Report Config.
2 Select Create New.
3 Enter a title for the report and a description of what the report includes.
4 Select the blue arrow next to the options you need to configure:
Schedule   Configure when the FortiAnalyzer unit runs the report. Choose a recurring schedule, for example, weekly or monthly. See “Configuring the report schedule” on page 446 for more information.
Report Scope   Select the type of results to include in the report, for example, to generate weekly reports on mail traffic. See “Configuring the report scope” on page 447 for more information.
Report Types   Select the types of reports to include. See “Configuring the report types” on page 449 for more information.
Report Format   Select to resolve host names or rank reports using variables. See “Configuring the report format” on page 449 for more information.
Output   Select the file format for the reports. See “Configuring the report output” on page 449 for more information.
Customization   Select to customize the header and footer and include the company name. See “Configuring the customization of the report” on page 450 for more information.
5 Select OK.

Configuring the report schedule

Set a schedule for when the FortiAnalyzer unit generates the reports.

Figure 307: Report configuration schedule

Not Scheduled   Select to not generate a daily report. Use this setting when you want to run the report as needed.
Daily   Select to generate the report every day at the same time.
These Days   Select specific days of the week to generate the report.
These Dates   Select specific days of the month to generate the report. For example, to generate the report on the first and fifteenth of every month, enter 1,15.
Time   Select the time of the day when the FortiAnalyzer unit generates the report.

Configuring the report scope

Select the time period and/or log filters for the report.

Figure 308: Report configuration report scope

Time Period   Select the time period for the report. You can select different time periods, for example, the last n hours, days or weeks. When you select last n hours, days or weeks, a field will appear. Enter a number in the field, for example, eight.
From Date   Select to configure the start date of the report. For example, you may want to begin the report on May 5, 2005 at 13:00. The hours are in the 24-hour format.
To Date   Select to configure the end date of the report, for example, if you want the report to include log files from July 31, 2005 to September 9, 2005.

Figure 309: Report configuration data log filter

Filter logs   Select None to not apply a filter to the logs in the report. Select Custom to apply filters to the log report.
Include logs that match   Select all to include logs in the report that match all filter settings. If information within a log does not match all the criteria, the FortiAnalyzer unit will not include the log in the report. Select any to include logs in the report that match any of the filter settings. If any of the filter content, even one filter setting, matches information in a log file, the FortiAnalyzer unit includes the log in the report.
Priority   Select the check box to enable the priority level filter options. Set the priority level to look for in the logs, and select the matching criteria for the filter: whether the information should be less than, greater than or equal to the priority level.

Source(s): Enter the source IP address for the matching criteria. You can filter IP ranges, including subnets, to report on groups within the company. For example:
• 172.20.110.0-255 filters all IP addresses in the 172.20.110.0/24 subnet
• 172.20.110.0-140.255 filters all IP addresses from 172.20.110.0 to 172.20.140.255
• 172.16.0.0/255.255.0.0 filters all IP addresses from 172.16.0.0 to 172.16.255.255
Use a comma to separate multiple sources. Select Not to exclude the source IP address from the report. For example, do not include any information from a specific source IP address in the log report.

Destination(s): Enter the destination IP address for the matching criteria. Use a comma to separate multiple destinations. Select Not to exclude the destination IP address from the report. For example, do not include any information from a specific destination IP address in the log report.

Interface(s): Enter the interface you want to include in the report. Separate multiple interface names with a comma. Select Not to exclude the interface information from the report. For example, do not include any information from a specific interface in the log report.

Users: Enter the user names to include in the report. Separate multiple user names with a comma.

Virtual Domain(s): Enter the virtual domains (VDOM) to include in the report. Separate multiple VDOMs with a comma. Select Not to exclude the VDOM from the report. For example, do not include any information from a specific VDOM in the log report.

Policy IDs: Enter the firewall policy ID numbers to include in the report. Separate multiple policy IDs with a comma. The report will include the traffic information from the FortiGate firewall policies in the logs.

Service(s): Enter specific services to include in the report. Separate multiple services with a comma. Select Not to exclude the service from the report. For example, do not include any information from a specific service in the log report.

Messages: Enter specific email messages you want the report to include from the email reports. Separate multiple messages with a comma.

Day of the Week: Select the days of the week that the information is pulled from the log files to include in the report.
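The filter semantics above (the three IP range notations, comma-separated field values, the Not box, and the all/any matching rule combined with the time period) are easy to get wrong when checking a report against raw logs by hand. The following Python is an added example, not code from the guide or from Fortinet: it parses the address notations the guide lists and applies the same all/any rule to a few constructed log records. The record layout, the `at()` date helper and the sample data are assumptions made for the example; it generalizes slightly by also accepting a full address on the right-hand side of a range and a single address.

```python
import ipaddress
from datetime import datetime, timedelta


def at(text):
    """Parse a From/To date typed as 'YYYY-MM-DD HH:MM' (24-hour clock, as the guide notes).
    Constructed helper for this example, not a FortiAnalyzer function."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample records standing in for FortiGate traffic logs (not captured data).
SAMPLE_LOGS = [
    {"time": at("2005-07-31 13:00"), "src": "172.20.110.7", "dst": "10.0.0.5", "service": "HTTP", "user": "Sally_Accounting"},
    {"time": at("2005-07-31 14:30"), "src": "172.20.130.9", "dst": "10.0.0.5", "service": "SMTP", "user": "bob"},
    {"time": at("2005-08-01 09:15"), "src": "172.20.150.2", "dst": "10.0.0.9", "service": "HTTP", "user": "Sally_Accounting"},
    {"time": at("2005-08-02 10:00"), "src": "192.168.1.1", "dst": "10.0.0.5", "service": "SSH", "user": "bob"},
]


def parse_ip_spec(spec):
    """Turn one Source(s)/Destination(s) entry into an inclusive (low, high) pair of integers.

    Accepts the forms the guide lists: a subnet given with a prefix length or a dotted
    netmask, and a range whose right-hand side lists only the trailing octets that differ
    (172.20.110.0-255, 172.20.110.0-140.255). A full right-hand address and a single
    address are also accepted.
    """
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)  # strict=False tolerates host bits
        return int(net.network_address), int(net.broadcast_address)
    if "-" in spec:
        left, right = spec.split("-", 1)
        right_octets = right.split(".")
        # Leading octets omitted from the short form are copied from the left-hand address.
        end_octets = left.split(".")[:4 - len(right_octets)] + right_octets
        low = int(ipaddress.IPv4Address(left))
        high = int(ipaddress.IPv4Address(".".join(end_octets)))
        if high < low:
            raise ValueError(f"range end precedes its start: {spec}")
        return low, high
    single = int(ipaddress.IPv4Address(spec))
    return single, single


def ip_in_field(address, field_value):
    """field_value is the comma-separated text of the form field; any entry may match."""
    ip = int(ipaddress.IPv4Address(address))
    return any(low <= ip <= high for low, high in map(parse_ip_spec, field_value.split(",")))


def build_criteria(src=None, dst=None, services=None, users=None, negate=()):
    """One predicate per filled-in field; names listed in `negate` behave like the Not box."""
    crit = []
    if src:
        crit.append(("src", lambda log: ip_in_field(log["src"], src)))
    if dst:
        crit.append(("dst", lambda log: ip_in_field(log["dst"], dst)))
    if services:
        wanted = {s.strip().upper() for s in services.split(",")}
        crit.append(("service", lambda log: log["service"].upper() in wanted))
    if users:
        wanted_users = {u.strip() for u in users.split(",")}
        crit.append(("user", lambda log: log["user"] in wanted_users))
    # Invert the predicates the Not box applies to (default arg binds each pred).
    return [(name, (lambda log, p=pred: not p(log)) if name in negate else pred)
            for name, pred in crit]


def in_time_period(log, last_hours=None, now=None, start=None, end=None):
    """'last n hours' is relative to `now`; otherwise an inclusive From/To window."""
    if last_hours is not None:
        return log["time"] >= (now or datetime.now()) - timedelta(hours=last_hours)
    return (start is None or log["time"] >= start) and (end is None or log["time"] <= end)


def select_logs(logs, criteria, match="all", **period):
    """match='all': every criterion must hold; match='any': one matching criterion suffices.
    With no criteria (Filter logs = None) only the time period applies."""
    if match not in ("all", "any"):
        raise ValueError("match must be 'all' or 'any'")
    combine = all if match == "all" else any
    return [log for log in logs
            if in_time_period(log, **period)
            and (not criteria or combine(pred(log) for _, pred in criteria))]


if __name__ == "__main__":
    crit = build_criteria(src="172.20.110.0-140.255", services="HTTP")
    for mode in ("all", "any"):
        hits = select_logs(SAMPLE_LOGS, crit, match=mode)
        print(mode, [(l["src"], l["service"]) for l in hits])
```

Note the asymmetry the guide describes: with "all", a single non-matching field drops the record (including a field the Not box excludes), while with "any" a single matching field keeps it. Reviewing a report filter by running its criteria over a handful of known records, as above, is a cheap way to confirm the scope before trusting the totals.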

Configuring the report types

Select the type of information you want to include in the report:
• Select Basic to include the most common report types.
• Select All to include all report types.
• Select Custom to select the reports you want to include. Select the blue arrow to expand the report categories and select individual reports.

If data does not exist for a report type, that report will appear with the message “No matching log data for this report.”

Configuring the report format

Select to resolve service names, host names or rank the top items for the report using variables.

Figure 310: Report configuration formats

Resolve Service Names: Select to display network service names rather than port numbers. For example, HTTP rather than port 80.

Resolve Host Names: Select to display host names by a recognizable name rather than IP addresses. For example, Sally_Accounting. For details on configuring IP address host names see the FortiAnalyzer Administration Guide.

In 'Ranked Reports' show top: For some report types, you can set the top ranked items for the report. For example, report on the most active mail clients within the organization rather than all mail clients. These reports have “Top” in their name, and will always show only the top number of entries. Reports that do not include “Top” in their name will always show all information. Changing the values for the top field will not affect these reports.

Configuring the report output

Select a destination and format(s) for the report. You can select from several different formats, including Text format. You can also select a different format for file output and email output.

When configuring the FortiAnalyzer unit to email a report, you must configure the mail server on the FortiAnalyzer unit. For details, see the FortiAnalyzer Administration Guide or contact a FortiAnalyzer administrator.

Note: If you are emailing HTML reports to a user, and their email client does not support HTML, they will see the HTML code for each report in the message body.

Figure 311: Report configuration output

File output: Select the file format for the generated reports that are saved to the FortiAnalyzer hard disk.

Email output: Select the file formats for the generated reports that the FortiAnalyzer unit sends as an email attachment.

Customize Subject: Enter to customize the subject line of the email.

Email list: Enter the email addresses of the recipients of the report. Add multiple recipients by pressing Enter on your keyboard after each email address.

Upload Report to FTP: Select to upload completed report files to an FTP server.

Server IP address: Enter the IP address of the FTP server.

Username: Enter the user name to log onto the FTP server.

Password: Enter the password to log onto the FTP server.

Upload report(s) in gzipped format: Select to compress the report files as gzip files before uploading to the FTP server.

Delete file(s) after uploading: Select to delete the report files from the FortiAnalyzer hard disk once the FortiAnalyzer unit completes the upload to the FTP server.

Configuring the customization of the report

Enter your company’s name, a header comment or a footer for the report. These are optional.

Figure 312: Report customization options

Editing scheduled FortiAnalyzer reports

When a scheduled FortiAnalyzer report is configured and generated, you can then edit the report from the Report Config menu. You can view and edit scheduled reports from the FortiAnalyzer tab. From the FortiAnalyzer tab you can view if there is a report currently being generated by the FortiAnalyzer unit, when the next scheduled report will be generated, if the Report Engine is active or inactive, and information about other scheduled FortiAnalyzer reports. The FortiAnalyzer tab enables you to edit the report.

To edit a scheduled FortiAnalyzer report
1 Go to Log&Report > Report Config > FortiAnalyzer.
2 Select the Edit icon beside the report you want to edit.
3 Edit the settings you want for the scheduled report.
4 Select OK.

Viewing FortiAnalyzer reports from a FortiGate unit

The FortiAnalyzer unit can generate a number of specific reports for a FortiGate unit, and run these reports at scheduled times, or on demand. If you are using a FortiGate unit with FortiOS 3.0MR2 or higher, you can view any report generated from the FortiAnalyzer unit for that FortiGate unit on the Report Access page.

To view FortiAnalyzer reports
1 Go to Log&Report > Report Access > FortiAnalyzer.
2 Select Historical Reports.
3 Select the report name to view the report.

Note: The FortiAnalyzer report that appears on the FortiAnalyzer page may not be the report you want to view. Always select Historical Reports to find the report you want to view.

Viewing parts of a FortiAnalyzer report

You can view different parts of a FortiAnalyzer report in the web-based manager. You can view this information from the FortiAnalyzer page. The following procedure enables you to view the Mail Filter Activity section of a report. Use the same procedure for viewing other sections of a report. For example, instead of selecting MailFilter Activity, select Content_Activity.

To view Mail Filter Activity in a report
1 Go to Log&Report > Report Access > FortiAnalyzer.
2 Select Historical Reports.
3 Select the blue arrow to expand the report.
4 Select MailFilter Activity.

Printing your FortiAnalyzer report

After the FortiAnalyzer unit generates the report, you may want to print the report to have as a hardcopy reference or for a presentation. You can print your report(s) from the web-based manager in the Report Access menu.

To print a FortiAnalyzer report
1 Go to Log&Report > Report Access > FortiAnalyzer.
2 Select Historical Reports.
3 In the list of FortiAnalyzer reports, select the report you want to print.
4 Select Print.

Note: Make sure to check the Report Title of the report displayed on the FortiAnalyzer page before printing.

Index

Numerics
802.1X authentication 195
802.3ad aggregate interface, creating 74

A
accept action, firewall policy 244
access control: access policies, viewing 191; access policy, configuring 190; client profiles, viewing 190; client profile, configuring 192
accessing logs 438
action: firewall policy 239; protection profile P2P option 307; Spam filter banned word 406; Spam filter IP address 408
action type, Spam filter email address 411
active sessions, HA statistics 123
ActiveX filter, protection profile 301
add signature to outgoing email, protection profile 300
address: firewall address group 261; list 260
address group 261: adding 262; create new 262; list 261
Address Name: firewall address 261; firewall policy option 243
administrative access: interface settings 70, 73, 82, 177; monitoring logins 153
administrative distance 202
administrator account: netmask 146, 147; trusted host 147
administrators, monitoring 153
ADSL 73
adware grayware category 366
age limit, quarantine 364
aggregate interface, creating 74
AH, predefined service 264
alert email: enabling 442; options 442
alert mail messages 136
Alert Message Console, clearing messages 56
allow inbound: firewall policy 251; ipsec policy 251
allow outbound, firewall policy 251
allow web sites when a rating error occurs, protection profile 302
allowed web category report 400
amount, comfort clients protection profile 300
anomaly: destination session limit 378; flooding 378; list 376, 378; scan 378; source session limit 378; traffic 378
antispam: port 53 163; port 8888 163
antivirus 355: adware grayware 366; av_failopen 367; BHO grayware 366; CLI configuration 367; configure antivirus heuristic 367; dial grayware 366; download grayware 366; file block 357; file block list 359; game grayware 366; grayware 164, 365; heuristics 367; hijacker grayware 366; joke grayware 366; keylog grayware 366; log 435; misc grayware 366; NMT grayware 366; optimize 367; P2P grayware 366; plugin grayware 367; quarantine 360; quarantine files list 361; RAT grayware 367; scanning large files 368; spy grayware 367; system global av_failopen 367

antivirus (continued): system global optimize 367; toolbar grayware 367; view virus list 364; virus list 364
antivirus options, protection profile 299
antivirus updates 165: through a proxy server 165
ANY service 264
AOL service 264
append to, protection profile 305
append with, protection profile 305
archive content meta-information, protection profile 306
archive IM summary information, protection profile 306
area border routers 223
ARP 275: proxy ARP 275
AS, OSPF 218
ATM 74
attack updates: scheduling 165; through a proxy server 165
authentication: firewall policy 245, 247; RIP 218
Authentication Algorithm, Manual Key IPSec interface mode 321, 322
Authentication Key, Manual Key IPSec interface mode 322
Authentication Method, IPSec interface mode 313
authentication, 802.1X 195
Auto Key list, IPSec VPN 310
Autokey Keep Alive, IPSec interface mode 318
Autonomous System (AS) 226
AutoSubmit, quarantine 364
autosubmit list: configuring 362; enabling uploading 362; quarantine files 362
av_failopen, antivirus 367

B
back to HA monitor, HA statistics 122
backup (redundant) mode, modem 87
backup mode, modem 90
bandwidth: guaranteed 251; maximum 251
banned word: adding words to the Spam filter banned word list 406; catalog 404; web content block 386, 388
banned word (Spam filter): action 406; language 406; list 405; pattern 405, 406; pattern type 406; where 406
banned word check, protection profile 304
beacon interval, wireless setting 107, 108
BGP: AS 226; flap 227; graceful restart 227; MED 227; RFC 1771 226; service 264; stabilizing the network 227
BHO grayware category 366
blades, chassis monitoring 172
block audio (IM), protection profile 307
block file transfers (IM), protection profile 306
block login (IM), protection profile 306
blocked web category report 400
bookmark, online help icon 35
Boot Strap Router (BSR) 228
BOOTP 115

C
catalog: banned word 404; content block 384; content exempt 387; email address black/white list 409; file pattern 358; IP address black/white list 407; URL filter 389
category: protection profile 303; web category report 400
category block: configuration options 393; reports 399
Certificate Name 335: IPSec interface mode 313

channel, wireless setting: FortiWiFi-60 106; FortiWiFi-60A 107
chassis monitoring 171: blades 172; FortiGate-5000 modules 172; SMC 171; temperature 173; voltage 173
clear session, predefined signature action 373
CLI configuration: antivirus 367; web category block 399
cluster member 120
cluster members list 121: priority 121; role 121
cluster unit: connect to a cluster 124; disconnect from a cluster 124
code 268
column settings 440
comfort clients, protection profile 300
comments: firewall policy 246; on documentation, sending 31
Concentrator, IPSec tunnel mode 322: list 322; name 323; options 323
config antivirus heuristic, CLI command 367
config limit, CLI command for IPS 380
connect to server 74
contact information, SNMP 125
content archive options, protection profile 305
content block: catalog 384; web filter 384
content exempt, catalog 387
content streams, replacement messages 135
contents, online help icon 36
cookie filter, protection profile 301
CPU usage, HA statistics 123
Create New: firewall policy 239; IPSec interface mode 320; IPSec tunnel mode 323
custom service: adding 267; adding a TCP or UDP custom service 267; list 266
custom signature, IPS 374
customer service 31

D
dashboard 51
date, quarantine files list 361
DC, quarantine files list 361
Dead Peer Detection, IPSec interface mode 316
default gateway 205
delete after upload, report 450
deny action, firewall policy 244
Designated Routers (DR) 228
dest, firewall policy 239
destination, firewall policy 243
destination network address translation, virtual IPs 277
destination port 267
destination port, custom services 267
destination session limit, anomaly type 378
device priority: HA 119; subordinate unit 123
DH Group: IPSec interface mode 318; Phase 1 IPSec interface mode 315
DHCP: and IP Pools 245; service 264
DHCP-IPSec, IPSec interface mode 318
dial grayware category 366
dialup VPN, monitor 324
disk space, quarantine 364
display content meta-information on dashboard, protection profile option 306
DNAT, virtual IPs 277
DNS service 264
documentation: commenting on 31; Fortinet 29
download: grayware category 366; quarantine files list 361
drop, predefined signature action 372
drop session, predefined signature action 373
duplicates, quarantine files list 362

Dynamic DNS: IPSec interface mode 312; monitor 324; on network interface 80; VPN IPSec monitor 324
dynamic IP pool NAT option, firewall policy 245
dynamic policy 193
dynamic routing 213: OSPF 218; PIM 228

E
ECMP 204
email, online help icon 35
email address: action type 411; adding to the email address list 411; black/white list catalog 409; BWL check, protection profile 304; list, Spam filter 410; pattern type 411
email blocked as spam 136
Enable category block (HTTP only), protection profile 302
Enable FortiGuard-web filtering overrides, protection profile 302
Enable perfect forward secrecy (PFS), IPSec interface mode 318
Enable replay detection, IPSec interface mode 318
enable session pickup, HA 119, 120
Encryption Algorithm, IPSec interface mode 320
Encryption Algorithm, Manual Key IPSec interface mode 322
Encryption Key, Manual Key IPSec interface mode 322
end IP, IP pool 295
EOA 73, 74
Equal Cost Multipath (ECMP) 204
ESP service 264
Ethernet over ATM 74
exclude range, adding to DHCP server 115
expire, system status 63
Expired 161
external interface, virtual IP 279
external IP address, virtual IP 279
external service port, virtual IP 280

F
fail open 380
FDN: disruption in traffic 165; FortiGuard Distribution Network 159; HTTPS 164; override server 162; port 443 164; port 53 163; port 8888 163; port forwarding connection 166; proxy server 165; push update 162, 165; troubleshooting 164; update center 160
FDN, attack updates 141
FDS, FortiGuard Distribution Server 159
file block: antivirus 357; default list of patterns 360; list, antivirus 359; pattern 359; protection profile 300
file name, quarantine files list 361
file pattern: catalog 358; quarantine autosubmit list 362
filter, quarantine files list 361
filter logs 440
FINGER service 264
firewall 237, 259, 263, 271, 275, 297: address list 260; configuring 237, 259, 263, 271, 275, 297; custom service list 266; one-time schedule 271; overview 237, 259, 263, 271, 275, 297; policies for switch ports 246; policy list 238; policy matching 238; predefined services 263; recurring schedule 272; virtual IP list 278
firewall address: adding 261; address group 261; address name 261; create new 260; IP range/subnet 261; list 260; name 260; subnet 261
firewall address group: adding 262; available addresses 262; group name 262; members 262
firewall IP pool list 294
firewall IP pool options 295

firewall policy: accept action 244; action 239; adding 240; adding a protection profile 308; Address Name 243; allow inbound 251; allow outbound 251; authentication 245, 247; changing the position in the policy list 240; comments 246; configuring 240; create new 239; deleting 240; deny action 244; dest 239; destination 243; dynamic IP pool NAT option 245; fixed port NAT option 245; guaranteed bandwidth 251; ID 239; inbound NAT 251; insert policy before 239; Interface/Zone 243; ipsec action 244; log traffic 245; maximum bandwidth 251; modem 91; move to 239; moving 240; outbound NAT 251; protection profile 245; schedule 239, 244; service 239, 244; source 239, 243; traffic priority 251; traffic shaping 246, 248
firewall protection profile: default protection profiles 298; list 298; options 298
firewall service: AH 264; ANY 264; AOL 264; BGP 264; DHCP 264; DNS 264; ESP 264; FINGER 264; FTP 264; FTP_GET 264; FTP_PUT 264; GOPHER 264; GRE 264; H323 264; HTTP 264; HTTPS 264; ICMP_ANY 265; IKE 265; IMAP 265; INFO_ADDRESS 265; INFO_REQUEST 265; Internet-Locator-Service 265; IRC 265; L2TP 265; LDAP 265; NetMeeting 265; NFS 265; NNTP 265; NTP 265; OSPF 265; PC-Anywhere 265; PING 265; POP3 265; PPTP 265; QUAKE 265; RAUDIO 265; RIP 265; RLOGIN 266; SAMBA 266; SIP 266; SIP-MSNmessenger 266; SMTP 266; SNMP 266; SSH 266; SYSLOG 266; TALK 266; TCP 266; TELNET 266; TFTP 266; TIMESTAMP 266; UDP 266; UUCP 266; VDOLIVE 266; WAIS 266; WINFRAME 266; X-WINDOWS 266
firmware, upgrading to a new version 59
fixed port: firewall policy NAT option 245; IP pool 294
flooding, anomaly type 378
formatted logs 439
FortiAnalyzer 25, 429: report scope 446; viewing logs on 438
FortiBridge 25
FortiClient 25
FortiGate 4000 68
FortiGate documentation, commenting on 31
FortiGate MIB 127
FortiGate SNMP event 127
FortiGate traps 128
FortiGate unit, registering 34, 159
FortiGate-5000 chassis monitoring 171
FortiGate-5001FA2, introduction 19
FortiGate-5001SX, introduction 19

FortiGate-5002FB2, introduction 19
FortiGate-5020 chassis 18
FortiGate-5050 chassis 18
FortiGate-5140 chassis 18
FortiGuard 25: changing the host name 399; CLI configuration 399; configuration options 393; configuring 160; licensing 160; report allowed 400; report blocked 400; report category 400; report profiles 400; report range 400; report type 400; reports 399; service points 159
FortiGuard Antispam: email checksum check 304; IP address check 304; Service Point 160; spam submission 304; URL check 304
FortiGuard Distribution Network 159
FortiGuard Distribution Network (FDN) 164
FortiGuard Distribution Server 159
FortiMail 25
FortiManager 25
Fortinet customer service 31
Fortinet documentation 29
Fortinet Family Products 25
Fortinet Knowledge Center 30
Fortinet MIB 130
FortiReporter 25
fragmentation threshold, wireless setting 107
from IP, system status 63
from port, system status 63, 84
FTP service 264
FTP_GET service 264
FTP_PUT service 264

G
game grayware category 366
geography, wireless setting 106, 107
GOPHER service 264
graceful restart 227
grayware 164: adware 366; antivirus 365; BHO 366; dial 366; download 366; game 366; hijacker 366; joke 366; keylog 366; misc 366; NMT 366; P2P 366; plugin 367; RAT 367; spy 367; toolbar 367
GRE 218: service 264
group name, HA 119
grouping services 268
groups, user 347
guaranteed bandwidth: firewall policy 251; traffic shaping 251

H
H323 service 264
HA 117, 121: cluster member 121; cluster members list 120; configuration 117; connect a cluster unit 124; device priority 119; disconnect a cluster unit 124; enable session pickup 119, 120; group name 119; heartbeat interface 120; host name 121; mode 119; out of band management 68; password 119; port monitor 120; router monitor 234; routes 234; session pickup 119, 120; subordinate unit device priority 123; subordinate unit host name 123; VDOM partitioning 120; viewing HA statistics 122
HA statistics: active sessions 123; back to HA monitor 122; CPU usage 123; intrusion detected 123; memory usage 123; monitor 122; network utilization 123; refresh every 122; serial no 122

HA statistics (continued): status 122; total bytes 123; total packets 123; up time 122; virus detected 123
heartbeat, HA interface 120
HELO DNS lookup, protection profile 304
help: navigate using keyboard shortcuts 36; searching the online help 36
heuristics: antivirus 367; quarantine 367
high availability, See HA 117
hijacker grayware category 366
hostname, cluster members list 121
HTTP: service 264; virus scanning large files 368
HTTPS 33, 141: service 264

I
ICMP: custom service 268; code 268; protocol type 268; type 268
ICMP_ANY service 265
ID, firewall policy 239
IEEE 802.11a, channels 104
IEEE 802.11g, channels 105
IGMP Snooping 187
IKE service 265
IMAP service 265
inbound NAT, firewall policy 251
index, online help icon 36
INFO_ADDRESS service 265
INFO_REQUEST service 265
insert policy before, firewall policy 239
inspect non-standard port (IM), protection profile 307
instant message log 437
interface: administrative access 70, 73, 82, 177; administrative status 69, 176; IP pool 295; jumbo frames 71; MTU 71; proxy ARP 275; WAN ports 176; WLAN 103
Interface/Zone, firewall policy 243
internet browsing, IPSec VPN configuration 319
Internet-Locator-Service service 265
interval, comfort clients protection profile 300
inter-VDOM 48
introduction, Fortinet documentation 29
intrusion detected, HA statistics 123
intrusion prevention system, see IPS
IP, virtual IP 279
IP: custom service 268; protocol number 268; protocol type 268
IP address: Action, Antispam 408; antispam black/white list catalog 407; Auto-Key Phase 1 interface mode 312; BWL check, protection profile 304; list, Spam filter 408; Spam filter 407
IP pool 245: adding 295; configuring 295; create new 295; DHCP 245; end IP 295; fixed port 294; interface 295; IP range/subnet 295; list 294; name 295; options 295; PPPoE 245; proxy ARP 275; start IP 295
IP range/subnet: firewall address 261; IP pool 295
IPOA 73
IPS: anomaly list 376, 378; anomaly, protection profile 305; custom signatures 374; options, protection profile 305; predefined signature action 372; predefined signature list 371; signature 371; signature, protection profile 305; traffic anomaly list 378
IPSec 218
ipsec action, firewall policy 244

ipsec policy: allow inbound 251; inbound NAT 251; outbound NAT 251
IPSec VPN: authentication for user group 348; Auto Key 310; monitor 324; remote gateway 348
IPv6 101, 204
IRC service 265
ISP 73

J
java applet filter, protection profile 301
joke grayware category 366
jumbo frames 71

K
Keepalive Frequency, IPSec interface mode 316
key, wireless setting 106
Key Size 335
Key Type 335
keyboard shortcut, online help 36
Keylife, IPSec interface mode 315, 318
keylog grayware category 366

L
L2TP 348: service 265
language: Spam filter banned word 406; web content block 386, 388; web-based manager 153
LDAP service 265
license, FortiGuard 160
license key 169
limit (P2P), protection profile 307
Local certificate: list 333; options 334
Local Gateway IP, IPSec interface mode 314
Local ID, IPSec interface mode 315
Local Interface, IPSec Phase 1 interface mode 312
Local SPI, Manual Key IPSec interface mode 321
log: antivirus log 435; attack anomaly 436; attack signature 436; column settings 440; filter 440; formatted 439; instant message log 437; messages 439; P2P log 437; raw 439; spam filter log 437; to FortiAnalyzer 429; traffic, firewall policy 245; viewing 438; web filter log 436
log traffic, firewall policy 245
logging: ActiveX filter 307; blocked files 307; content block 307; cookie filter 307; IM activity 308; intrusions 307; java applet filter 307; oversized files/emails 307; P2P activity 308; predefined signature 372; rating errors 307; spam 307; URL block 307; viruses 307
logs, search 440
low disk space, quarantine 364

M
MAC address, wireless setting 106, 107
MAC filter, wireless 108
MAC table, switch: creating an entry 198; viewing 197
management VDOM 47
manual key, IPSec VPN interface mode configuration 321
Manual Key list, IPSec interface mode 320
Manual Key options, IPSec interface mode 321
map to IP, virtual IP 279
map to port, virtual IP 279, 280
matching, policy 238
max filesize to quarantine, quarantine 364

maximum bandwidth 251: firewall policy 251; traffic shaping 251
MD5, OSPF authentication 224, 226
Members, IPSec tunnel mode 323
memory usage, HA statistics 123
messages, log 439
mheader 412
MIB 127, 130: FortiGate 127; RFC 1213 127; RFC 2665 127
misc grayware category 366
Mode: HA 119; IPSec interface mode 312
modem: adding firewall policies 91; backup mode 90; configuring settings 88; redundant (backup) mode 87; standalone mode 87, 91
monitor: administrator logins 153; HA statistics 122; IPSec VPN 324; routing 233
monitoring 196: access results 196; MAC table 197; quarantine information 197
move to, firewall policy 239
MTU 71: jumbo frames 71
MTU size 83, 182
Multi-Exit Discriminator (MED) 227

N
Name: IP pool 295; IPSec Phase 1 interface mode 312; IPSec Phase 2 interface mode 317; Manual Key interface mode 321
NAT: inbound 251; ipsec policy 251; outbound 251; push update 166
NAT device: port forwarding 166; virtual IP 166
Nat-traversal, IPSec interface mode 316
netmask, administrator account 146, 147
NetMeeting service 265
network utilization, HA statistics 123
next, online help icon 35
NFS service 265
NMT grayware category 366
NNTP service 265
Not Registered 161
Not-so-stubby Area (NSSA) 223
NTP service 265

O
one-time schedule: adding 272; configuring 272; create new 271; list 271; start 272; stop 272
online help: keyboard shortcuts 36; search 36
Operation Mode 140
operation mode, wireless setting 106, 107
optimize, antivirus 367
OSPF: advanced options 222; area ID 224; AS 221; authentication 224, 226; Dead Interval 226; dead packets 226; GRE 225; Hello Interval 226; interface definition 225; IPSec 225; link-state 218; LSA 226; metrics for redistributing routes 222; multiple interface parameter sets 225; neighbor 218; Network 221; network address space 226; NSSA 223; regular area 223; service 265; settings 220; stub 223; virtual lan 225; virtual link 223; VLAN 225
OSPF AS 218: defining 219
out of band 68

outbound NAT: firewall policy 251; ipsec policy 251
output for report 449
oversized file/email, protection profile 300

P
P1 Proposal, Phase 1 IPSec interface mode 315
P2 Proposal, Phase 2 IPSec interface mode 317
P2P: grayware category 366; log 437
pass, predefined signature action 372
pass fragmented email, protection profile 300
pass session, predefined signature action 373
password, HA 119
PAT, virtual IPs 278
pattern: default list of file block patterns 360; file block 359; Spam filter banned word 405, 406
pattern type: Spam filter banned word 406; Spam filter email address 411; web content block 386, 388
PC-Anywhere service 265
PDF document 449
Peer option, IPSec interface mode 313
Perl regular expressions, Spam filter 413
Phase 1: IPSec interface mode 311; IPSec Phase 2 interface mode 317
Phase 1 advanced options, IPSec interface mode 314
Phase 2, IPSec interface mode 316
Phase 2 advanced options, IPSec interface mode 317
PIM: BSR 228; dense mode 228; DR 228; RFC 2362 228; RFC 3973 228; RP 228; sparse mode 228
PING service 265
plugin grayware category 367
policy: accept action 244; action 239; adding 240; Address Name 243; allow inbound 251; allow outbound 251; authentication 245, 247; changing the position in the policy list 240; comments 246; configuring 240; create new 239; deleting 240; deny action 244; dest 239; dynamic IP pool NAT option 245; fixed port NAT option 245; guaranteed bandwidth 251; ID 239; inbound NAT 251; insert policy before 239; Interface/Zone 243; ipsec action 244; list 238; log traffic 245; matching 238; maximum bandwidth 251; move 240; move to 239; outbound NAT 251; protection profile 245; schedule 239, 244; service 239, 244; source 239; traffic priority 251; traffic shaping 246, 248
policy-based routing 208
POP3 service 265
port 53 163
port 8888 163
port 9443 166
port address translation, virtual IPs 278
port monitor, HA 120
port monitoring 182
port quarantine 189
PPPoE: and IP Pools 245; RFC 2516 79
PPTP 348: service 265
predefined services 263
predefined signature: action 372; actions 372; clear session action 373; drop action 372; drop session action 373; list 371; logging 372; pass action 372

predefined signature (continued): pass session action 373; reset action 372; reset client action 373; reset server action 373; revision 372
Pre-shared Key: IPSec interface mode 313; wireless setting 106
previous, online help icon 35
print, online help icon 35
priority, cluster members 121
product registration 34, 159
products, family 25
profile, category block reports 400
protection profile: action (P2P) 307; ActiveX 301; add signature to outgoing email 300; adding to a firewall policy 308; allow web sites when a rating error occurs 302; amount, comfort clients 300; antivirus options 299; append to 305; append with 305; archive content meta-information 306; archive IM summary information 306; banned word check 304; block audio (IM) 307; block file transfers (IM) 306; block login (IM) 306; category 303; comfort clients 300; content archive options 305; cookie filter 301; default protection profiles 298; display content meta-information on dashboard 306; email address BWL check 304; enable category block (HTTP only) 302; enable FortiGuard-web filtering overrides 302; file block 300; firewall policy 245; FortiGuard Antispam IP address check 304; FortiGuard Antispam URL check 304; FortiGuard email checksum check 304; FortiGuard spam submission 304; HELO DNS lookup 304; inspect non-standard port (IM) 307; interval, comfort clients 300; IP address BWL check 304; IPS anomaly 305; IPS options 305; IPS signature 305; java applet filter 301; limit (P2P) 307; list 298; logging, ActiveX filter 307; logging, blocked files 307; logging, content block 307; logging, cookie filter 307; logging, IM activity 308; logging, intrusions 307; logging, java applet filter 307; logging, oversized files/emails 307; logging, P2P activity 308; logging, rating errors 307; logging, spam 307; logging, URL block 307; logging, viruses 307; options 298; oversized file/email 300; pass fragmented email 300; provide details for blocked HTTP errors 302; quarantine 300; rate images by URL 302; rate URLs by domain and IP address 303; return email DNS check 304; scan (default protection profile) 298; spam action 305; spam filtering options 303; strict (default protection profile) 298; strict blocking (HTTP only) 302; threshold, banned word check 304; threshold, oversized file/email 300; threshold, web content block 301; unfiltered (default protection profile) 298; virus scan 300; web (default protection profile) 298; web content block 301; web content exempt 301; web filtering options 301; web resume download block 301; web URL block 301
protocol: custom service 267, 268; service 264; system status 63; type, custom service 268; virtual IP 280
protocol number, custom service 268
Protocol Independent Multicast (PIM) 228
protocol type 268
provide details for blocked HTTP errors, protection profile 302
proxy ARP 275: FortiGate interface 275; IP pool 275; virtual IP 275
Proxy ID Destination, IPSec interface mode 325
Proxy ID Source, IPSec interface mode 324, 325
proxy server 165: push updates 165
Tx Power, wireless setting 107
push update 162, 165: configuring 165, 166; external IP address changes 166; interface 166; IP addresses change 166; management IP address changes 166

configuring 193 protection profile 300 quarantine files list antivirus 361 apply 361 date 361 DC 361 download 361 duplicates 362 file name 361 filter 361 service 361 sort by 361 status 361 status description 361 TTL 361 upload status 361 Quick Mode Selector IPSec interface mode 319 R RADIUS server name wireless setting 106 range web category reports 400 RAT grayware category 367 rate images by URL protection profile 302 rate URLs by domain and IP address protection profile 303 RAUDIO service 265 raw logs 439 read & write access level administrator account 58. 141 Remote Gateway IPSec manual key setting 322 IPSec phase 1 setting 312 VPN IPSec monitor field 324 Remote gateway VPN IPSec monitor field 325 remote peer manual key interface mode 321 Remote SPI. 145. category block 400 types 449 upload to FTP 450 web category block 399 reset predefined signature action 372 reset client predefined signature action 373 reset server predefined signature action 373 reset to factory default 57 resolve host names reports 449 resolve service names reports 449 restarting 159 return email DNS check protection profile 304 RFC 228 RFC 1058 213 FortiGate Version 3. 156 read only access level administrator account 58. 159 remote administration 82. 145. viewing 193 policy.Index push update (continued) NAT device 166 through a NAT device 166 through a proxy server 165 Q QoS 187 CoS-Map settings 188 DSCP-Map settings 188 rate limits 188 Qos global settings 187 QUAKE service 265 quarantine age limit 364 antivirus 360 autosubmit list 362 autosubmit list file pattern 362 configuration 363 configuring the autosubmit list 362 dynamic policy 193 enable AutoSubmit 364 enabling uploading autosubmit file patterns 362 heuristics 367 low disk space 364 max filesize to quarantine 364 monitoring 197 options 364 policies. FortiAnalyzer 446 type. FortiAnalyzer 446 scope. 
146
reading log messages 439
reboot 57
recurring schedule adding 273
configuring 273
create new 272
list 272
select 273
start 273
stop 273
refresh every HA statistics 122
register FortiGate unit 34.
Manual Key IPSec interface mode 321
Rendezvous Point (RP) 228
report 444
delete after upload 450
FortiGuard 399
gzip 450
output 449
resolve host names 449
resolve service names 449
schedule.

RFC 1213 124.
244
FTP 264
FTP_GET 264
FTP_PUT 264
GOPHER 264
GRE 264
group 268
H323 264
HTTPS 264
ICMP_ANY 265
IKE 265
IMAP 265
INFO_ADDRESS 265
INFO_REQUEST 265
Internet-Locator-Service 265
IRC 265
L2TP 265
LDAP 265
NetMeeting 265
NFS 265
NNTP 265
NTP 265
organizing services into groups 269
OSPF 265
PC-Anywhere 265
PING 265
POP3 265
PPTP 265
predefined 263
QUAKE 265
quarantine files list 361
RAUDIO 265
RIP 265
RLOGIN 266
SAMBA 266
service name 264
SIP 266
SIP-MSNmessenger 266
SMTP 266
SNMP 266
SSH 266
SYSLOG 266
TALK 266
TCP 266
TELNET 266
TFTP 266
TIMESTAMP 266
UDP 266
UUCP 266
VDOLIVE 266
127
RFC 1215 128
RFC 1771 226
RFC 2132 115
RFC 2362 228
RFC 2453 213
RFC 2516 79
RFC 2665 124.
127
RFC 3973 228
RIP authentication 218
hop count 214
RFC 1058 213
RFC 2453 213
service 265
version 1 213
version 2 213
RLOGIN service 266
role cluster members 121
route HA 234
router monitor HA 234
routing configuring 87
ECMP 204
monitor 233
static 204
routing table 233
RTF document 449
RTS threshold wireless setting 107
S
SAMBA service 266
scan anomaly type 378
default protection profile 298
schedule automatic antivirus and attack definition updates 165
firewall policy 239.
244
FortiAnalyzer reports 446
one-time schedule list 271
recurring schedule list 272
scheduled antivirus and attack updates 165
scheduled updates through a proxy server 165
scheduling 165
search online help 36
online help icon 36
online help wildcard 36
searching logs 440
security mode wireless setting 106
select recurring schedule 273
serial no HA statistics 122
server log webtrends setting 433
service AH 264
ANY 264
AOL 264
BGP 264
custom service list 266
DHCP 264
DNS 264
ESP 264
FINGER 264
firewall policy 239.

91
start one-time schedule 272
recurring schedule 273
start IP IP pool 295
static IP monitor 324
static route adding 208
adding policy 210
administrative distance 202
concepts 201
creating 204
default gateway 205
default route 205
editing 204
overview 201
policy 208
policy list 209
selecting 202
table building 202
128
sort by quarantine files list 361
source firewall policy 239.
traps 127.
MIB 127.
event 127
SNMP. queries 127
SNMP.
243
source port 267
source session limit anomaly type 378
spam filter log 437
spam action protection profile 305
Spam filter 401
adding an email address or domain to the email address list 411
adding words to the Spam filter banned word list 406
banned word list 405
email address list 410
FortiGuard Antispam Service Point 160
IP address 407
IP address list 408
Perl regular expressions 413
spam filtering options protection profile 303
SPAN 182
Spanning-Tree Protocol 183
global configuration 183
VLAN configuration 185
VLAN port settings 186
spy grayware category 367
SSH 141
service 266
SSID wireless setting 106
SSID broadcast wireless setting 106
SSL service definition 264
SSL VPN checking client certificates 330
configuration settings 329
monitoring sessions 331
setting the cipher suite 330
specifying server certificate 330
specifying timeout values 331
terminating sessions 331
tunnel IP range 330
SSL VPN login message 139
Standalone mode modem 87.
130
SNMP.
service (continued)
WAIS 266
WINFRAME 266
X-WINDOWS 266
service group 268
adding 269
create new 269
list 268
service point FortiGuard 159
service port virtual IP 279
session pickup HA 119.
120
shelf manager chassis monitoring 171
shelf monitoring shelf manager 171
Shortest Path First (SPF) 219
show in contents online help icon 36
show navigation online help icon 35
shutdown 57
signature custom IPS signatures 374
IPS 371
SIP service 266
SIP-MSNmessenger service 266
SMC chassis monitoring 171
SMTP service 266
SNMP contact information 125
MIBs 127
RFC 1213 127
RFC 1215 128
RFC 2665 127
service 266
traps 128
SNMP Agent 125
SNMP communities 125
SNMP community. configuring 125
SNMP manager 124
SNMP managers 125
SNMP.

176
log webtrends setting 433
quarantine files list 361
status description quarantine files list 361
stop one-time schedule 272
recurring schedule 273
Strict default protection profile 298
strict blocking (HTTP only) protection profile 302
stub OSPF area 223
Subject Information 335
subnet firewall address 261
Subscription Expired 161
Not Registered 161
Valid license 161
summaries 444
switch overview 175
switch-LAN configuring ports 178.
179
VLAN 180
VLAN.
325
TIMESTAMP service 266
to IP system status 63
toolbar grayware category 367
total bytes HA statistics 123
total packets HA statistics 123
traffic anomaly 378
list 378
Traffic Priority 251
traffic priority firewall policy 251
traffic shaping 251
traffic shaping firewall policy 246.
protection profile 301
Timeout IPSec interface mode 324.
static route (continued)
table priority 203
table sequence 203
statistics viewing HA statistics 122
statistics.
248
guaranteed bandwidth 251
maximum bandwidth 251
traffic priority 251
transmission options 431
Transparent mode VLANs 97
traps SNMP 128
trusted host administrator account 147
Administrators options 146
security issues 147
TTL quarantine files list 361
Tunnel Name IPSec interface mode 320
Tx Power wireless setting 107
TXT document 449
type 268
virtual IP 279
types 434
U
UDP custom service 267
adding 267
destination port 267
protocol type 267
source port 267
UDP service 266
configuring 181
syn interval 58
SYSLOG service 266
system chassis monitoring 171
system configuration 117
system global av_failopen antivirus 367
system global optimize antivirus 367
system idle timeout 141
T
TALK service 266
TCP service 266
TCP custom service 267
adding 267
destination port 267
protocol type 267
source port 267
technical support 31
TELNET service 266
temperature chassis monitoring 173
FortiGate-5000 module 173
TFTP service 266
threshold banned word check.
switch viewing 198
status HA statistics 122
interface 69.
protection profile 304
oversized file/email.
protection profile 300
web content block.

configuring 181
WAN 176
VLANs WAN port 176
voltage chassis monitoring 173
FortiGate-5000 module 173
VPN IPSEC Interface 309
VPNs 327.
388
language 386.
292
destination network address translation 277
DNAT 277
external interface 279
external IP address 279
external service port 280
IP 279
list 278
map to IP 279
map to port 279.
388
pattern type 386.
update 364
280
PAT 278
port address translation 278
protocol 280
service port 279
type 279
virus detected HA statistics 123
virus list 364
view.
V
Valid license 161
VDOLIVE service 266
VDOM configuration settings 44
license key 169
management VDOM 47
multiple VDOMs 46
NAT/Route 43
Transparent 43
VDOM partitioning HA 120
Virtual Circuit Identification (VCI) 74
Virtual Domain Configuration 46
virtual domains (VDOM) 448
virtual IP 275
configuring 279
create new 279.
166
update center 160
upgrade firmware 59
upload status quarantine files list 361
URL block add a URL to the web filter block list 391
web filter 389
URL filter catalog 389
usage trends 444
user groups configuring 347
Username IPSec interface mode 324
UUCP service 266
virus name 138
virus protection See also antivirus 355
virus scan protection profile 300
virus-infected attachments 136
VLAN jumbo frames 72
OSPF 225
overview 92
switch VLAN 180
switch VLAN.
388
protection profile 301
web filter 386
web content block list web filter 385
web content exempt protection profile 301
Web Filter URL category 163
web filter 381
add a URL to the web URL block list 391
configuring the web content block list 386
configuring the web URL block list 391
content block 384
URL block 389
web content block list 385
web URL block list 390
web filter log 436
Unfiltered default protection profile 298
up time HA statistics 122
update push 165.
333
IPSec interface mode 309
W
WAIS service 266
WAN configuring ports 176
VLAN configuration 176
VLANs 176
Web default protection profile 298
web category block changing the host name 399
CLI configuration 399
configuration options 393
report allowed 400
report blocked 400
report category 400
report profiles 400
report range 400
report type 400
reports 399
web content block banned word 386.

SSID 106
WLAN interface 103
interface.
web filtering options protection profile 301
web filtering service 137
web resume download block protection profile 301
web site.
creating on WiFi-60 106
interface.
web filter 390
protection profile 301
web-based manager language 153
WEP 106
where Spam filter banned word 406
wildcard online help search 36
WINFRAME service 266
wireless advanced settings 107
beacon interval 107.
geography 106
wireless.
content category 137
web URL block configuring the web URL block list 391
list 390
list.
FortiWiFi-60A 107
configuration 103
fragmentation threshold 107
geography 106.
107
MAC filter 108
operation mode 106.
108
channel.
107
pre-shared key 106
RADIUS server name 106
RTS threshold 107
security mode 106
settings 107
settings for WiFi-60 106
settings for WiFi-60A or WiFi-60AM 107
SSID 106
SSID broadcast 106
Tx power 107
Wireless.
FortiWiFi-60 106
channel.
security 106
Wireless.
creating on WiFi-60A 76
WPA 106
X
XAuth IPSec interface mode 316
X-WINDOWS service 266


www.fortinet.com
