Fortinet Network Card FortiGate 800 User Manual

FortiGate 800  
Installation and  
Configuration Guide  
I
N
T
E
R
N
A
L
E
X
T
E
R
N
A
L
D
M
Z
HA  
1
2
3
4
CONSOLE  
USB  
Esc  
Enter  
P
W
R
8
FortiGate User Manual Volume 1  
Version 2.50  
January 15 2004  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Contents  
Table of Contents  
FortiGate-800 Installation and Configuration Guide  
3
Download from Www.Somanuals.com. All Manuals Search And Download.  
Contents  
4
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Contents  
FortiGate-800 Installation and Configuration Guide  
5
Download from Www.Somanuals.com. All Manuals Search And Download.  
Contents  
6
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Contents  
FortiGate-800 Installation and Configuration Guide  
7
Download from Www.Somanuals.com. All Manuals Search And Download.  
Contents  
8
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Contents  
FortiGate-800 Installation and Configuration Guide  
9
Download from Www.Somanuals.com. All Manuals Search And Download.  
Contents  
10  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Contents  
FortiGate-800 Installation and Configuration Guide  
11  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Contents  
12  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Contents  
FortiGate-800 Installation and Configuration Guide  
13  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Contents  
14  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
FortiGate-800 Installation and Configuration Guide Version 2.50  
Introduction  
FortiGate Antivirus Firewalls support network-based deployment of application-level  
services, including antivirus protection and full-scan content filtering. FortiGate  
Antivirus Firewalls improve network security, reduce network misuse and abuse, and  
help you use communications resources more efficiently without compromising the  
performance of your network. FortiGate Antivirus Firewalls are ICSA-certified for  
firewall, IPSec, and antivirus services.  
The FortiGate Antivirus Firewall is a dedicated easily managed security device that  
delivers a full suite of capabilities that include:  
application-level services such as virus protection and content filtering,  
network-level services such as firewall, intrusion detection, VPN, and traffic  
shaping.  
The FortiGate Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content  
Analysis System (ABACAS™) technology, which leverages breakthroughs in chip  
design, networking, security, and content analysis. The unique ASIC-based  
architecture analyzes content and behavior in real-time, enabling key applications to  
be deployed right at the network edge, where they are most effective at protecting  
your networks. The FortiGate series complements existing solutions, such as host-  
based antivirus protection, and enables new applications and services while greatly  
lowering costs for equipment, administration, and maintenance.  
The FortiGate-800 model provides the  
levels of performance, reliability, and  
I
N
T
E
R
N
A
L
E
X
T
E
R
N
A
L
D
M
Z
HA  
1
2
3
4
CONSOLE  
USB  
Esc  
Enter  
P
W
R
8
flexibility demanded by large enterprises.  
With high throughput, a total of 8 network  
connections (4 user-defined), 802.1Q VLAN support, and stateful failover HA, the  
FortiGate-800 is the choice for mission critical applications. The flexibility, reliability,  
and easy management of the FortiGate-800 makes it a natural choice for enterprise  
applications.  
FortiGate-800 Installation and Configuration Guide  
15  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Antivirus protection  
Introduction  
Antivirus protection  
FortiGate ICSA-certified antivirus protection scans web (HTTP), file transfer (FTP),  
and email (SMTP, POP3, and IMAP) content as it passes through the FortiGate unit. If  
a virus is found, antivirus protection removes the file containing the virus from the  
content stream and forwards a replacement message to the intended recipient.  
For extra protection, you can configure antivirus protection to block specified file types  
from passing through the FortiGate unit. You can use the feature to stop files that  
might contain new viruses.  
If the FortiGate unit contains a hard disk, infected or blocked files can be quarantined.  
The FortiGate administrator can download quarantined files so that they can be virus  
scanned, cleaned, and forwarded to the intended recipient. You can also configure the  
FortiGate unit to automatically delete quarantined files after a specified time.  
The FortiGate unit can send email alerts to system administrators when it detects and  
removes a virus from a content stream. The web and email content can be in normal  
network traffic or encrypted IPSec VPN traffic.  
ICSA Labs has certified that FortiGate Antivirus Firewalls:  
detect 100% of the viruses listed in the current In The Wild List (www.wildlist.org),  
detect viruses in compressed files using the PKZip format,  
detect viruses in email that has been encoded using uuencode format,  
detect viruses in email that has been encoded using MIME encoding,  
log all actions taken while scanning.  
Web content filtering  
FortiGate web content filtering can scan all HTTP content protocol streams for URLs  
or web page content. If there is a match between a URL on the URL block list, or a  
web page contains a word or phrase that is in the content block list, the FortiGate unit  
blocks the web page. The blocked web page is replaced with a message that you can  
edit using the FortiGate web-based manager.  
You can configure URL blocking to block all or some of the pages on a web site. Using  
this feature, you can deny access to parts of a web site without denying access to it  
completely.  
To prevent unintentionally blocking legitimate web pages, you can add URLs to an  
exempt list that overrides the URL blocking and content blocking lists.  
Web content filtering also includes a script filter feature that can block unsecure web  
content such as Java applets, cookies, and ActiveX.  
You can use the Cerberian URL blocking to block unwanted URLs.  
16  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Introduction  
Email filtering  
Email filtering  
FortiGate email filtering can scan all IMAP and POP3 email content for unwanted  
senders or unwanted content. If there is a match between a sender address pattern  
on the email block list, or an email contains a word or phrase in the banned word list,  
the FortiGate adds an email tag to the subject line of the email. The recipient can use  
the mail client software to filter messages based on the email tag.  
You can configure email blocking to tag email from all or some senders within  
organizations that are known to send spam email. To prevent unintentionally tagging  
email from legitimate senders, you can add sender address patterns to an exempt list  
that overrides the email block and banned words lists.  
Firewall  
The FortiGate ICSA-certified firewall protects your computer networks from Internet  
threats. ICSA has granted FortiGate firewalls version 4.0 firewall certification,  
providing assurance that FortiGate firewalls successfully screen and secure corporate  
networks against a range of threats from public or other untrusted networks.  
After basic installation of the FortiGate unit, the firewall allows users on the protected  
network to access the Internet while blocking Internet access to internal networks. You  
can configure the firewall to put controls on access to the Internet from the protected  
networks and to allow controlled access to internal networks.  
FortiGate policies include a range of options that:  
control all incoming and outgoing network traffic,  
control encrypted VPN traffic,  
apply antivirus protection and web content filtering,  
block or allow access for all policy options,  
control when individual policies are in effect,  
accept or deny traffic to and from individual addresses,  
control standard and user defined network services individually or in groups,  
require users to authenticate before gaining access,  
include traffic shaping to set access priorities and guarantee or limit bandwidth for  
each policy,  
include logging to track connections for individual policies,  
include Network Address Translation (NAT) mode and Route mode policies,  
include mixed NAT and Route mode policies.  
The FortiGate firewall can operate in NAT/Route mode or Transparent mode.  
FortiGate-800 Installation and Configuration Guide  
17  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
VLANs and virtual domains  
Introduction  
NAT/Route mode  
In NAT/Route mode, you can create NAT mode policies and Route mode policies.  
NAT mode policies use network address translation to hide the addresses in a  
more secure network from users in a less secure network.  
Route mode policies accept or deny connections between networks without  
performing address translation.  
Transparent mode  
Transparent mode provides the same basic firewall protection as NAT mode. Packets  
that the FortiGate unit receives are forwarded or blocked according to firewall policies.  
The FortiGate unit can be inserted in the network at any point without having to make  
changes to your network or its components. However, VPN and some advanced  
firewall features are available only in NAT/Route mode.  
VLANs and virtual domains  
Fortigate Antivirus Firewalls support IEEE 802.1Q-compliant virtual LAN (VLAN) tags.  
Using VLAN technology, a single FortiGate unit can provide security services to, and  
control connections between, multiple security domains according to the VLAN IDs  
added to VLAN packets. The FortiGate unit can recognize VLAN IDs and apply  
security policies to secure network and IPSec VPN traffic between each security  
domain. The FortiGate unit can also apply authentication, content filtering, and  
antivirus protection to VLAN-tagged network and VPN traffic.  
The FortiGate unit supports VLANs in NAT/Route and Transparent mode. In  
NAT/Route mode, you enter VLAN subinterfaces to receive and send VLAN packets.  
In Transparent mode, you create virtual domains and then add VLAN subinterfaces to  
those virtual domains.  
Network intrusion detection  
The FortiGate Network Intrusion Detection System (NIDS) is a real-time network  
intrusion detection sensor that detects and prevents a variety of suspicious network  
activity. NIDS uses attack signatures to identify more than 1000 attacks. You can  
enable and disable the attacks that the NIDS detects. You can also write user-defined  
detection attack signatures.  
NIDS prevention detects and prevents many common denial of service and packet-  
based attacks. You can enable and disable prevention attack signatures and  
customize attack signature thresholds and other parameters.  
To notify system administrators of the attack, the NIDS records the attack and any  
suspicious traffic to the attack log, and can be configured to send alert emails.  
Fortinet updates NIDS attack definitions periodically. You can download and install  
updated attack definitions manually or you can configure the FortiGate unit to  
automatically check for and download attack definition updates.  
18  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
             
Introduction  
VPN  
VPN  
Using FortiGate virtual private networking (VPN), you can provide a secure  
connection between widely separated office networks or securely link telecommuters  
or travellers to an office network. Service providers can also use the FortiGate unit to  
provide VPN services for their clients.  
FortiGate VPN features include the following:  
Industry standard and ICSA-certified IPSec VPN, including:  
IPSec, ESP security in tunnel mode,  
DES, 3DES (triple-DES), and AES hardware accelerated encryption,  
HMAC MD5 and HMAC SHA1 authentication and data integrity,  
AutoIKE key based on pre-shared key tunnels,  
IPSec VPN using local or CA certificates,  
Manual Keys tunnels,  
Diffie-Hellman groups 1, 2, and 5,  
Aggressive and Main Mode,  
Replay Detection,  
Perfect Forward Secrecy,  
XAuth authentication,  
Dead peer detection.  
PPTP for easy connectivity with the VPN standard supported by the most popular  
operating systems.  
L2TP for easy connectivity with a more secure VPN standard, also supported by  
many popular operating systems.  
Firewall policy based control of IPSec VPN traffic.  
IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT  
can connect to an IPSec VPN tunnel.  
VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from  
one tunnel to another through the FortiGate unit.  
IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a  
remote network.  
High availability  
High Availability (HA) provides failover between two or more FortiGate units. Fortinet  
achieves HA by using redundant hardware: matching FortiGate models running in  
NAT/Route mode. You can configure the FortiGate units for either active-passive (A-P)  
or active-active (A-A) HA.  
Both A-P and A-A HA use similar redundant hardware configurations. High availability  
software guarantees that if one of the FortiGate units in the HA group fails, all  
functions, established firewall connections, and IPSec VPN sessions are maintained.  
FortiGate-800 Installation and Configuration Guide  
19  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Secure installation, configuration, and management  
Introduction  
Secure installation, configuration, and management  
The first time you power on the FortiGate unit, it is already configured with default IP  
addresses and security policies. Connect to the web-based manager, set the  
operating mode, and use the Setup wizard to customize FortiGate IP addresses for  
your network, and the FortiGate unit is ready to protect your network. You can then  
use the web-based manager to customize advanced FortiGate features.  
You can also create a basic configuration using the FortiGate front panel control  
buttons and LCD.  
Web-based manager  
Using HTTP or a secure HTTPS connection from any computer running Internet  
Explorer, you can configure and manage the FortiGate unit. The web-based manager  
supports multiple languages. You can configure the FortiGate unit for HTTP and  
HTTPS administration from any FortiGate interface.  
You can use the web-based manager to configure most FortiGate settings. You can  
also use the web-based manager to monitor the status of the FortiGate unit.  
Configuration changes made using the web-based manager are effective immediately  
without resetting the firewall or interrupting service. Once you are satisfied with a  
configuration, you can download and save it. The saved configuration can be restored  
at any time.  
Figure 1: The FortiGate web-based manager and setup wizard  
20  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Introduction  
Secure installation, configuration, and management  
Command line interface  
You can access the FortiGate command line interface (CLI) by connecting a  
management computer serial port to the FortiGate RS-232 serial console connector.  
You can also use Telnet or a secure SSH connection to connect to the CLI from any  
network that is connected to the FortiGate unit, including the Internet.  
The CLI supports the same configuration and monitoring functionality as the  
web-based manager. In addition, you can use the CLI for advanced configuration  
options that are not available from the web-based manager.  
This Installation and Configuration Guide contains information about basic and  
advanced CLI commands. For a more complete description about connecting to and  
using the FortiGate CLI, see the FortiGate CLI Reference Guide.  
Logging and reporting  
The FortiGate unit supports logging for various categories of traffic and configuration  
changes. You can configure logging to:  
report traffic that connects to the firewall,  
report network services used,  
report traffic that was permitted by firewall policies,  
report traffic that was denied by firewall policies,  
report events such as configuration changes and other management events, IPSec  
tunnel negotiation, virus detection, attacks, and web page blocking,  
report attacks detected by the NIDS,  
send alert email to system administrators to report virus incidents, intrusions, and  
firewall or VPN events or violations.  
Logs can be sent to a remote syslog server or a WebTrends NetIQ Security Reporting  
Center and Firewall Suite server using the WebTrends enhanced log format. Some  
models can also save logs to an optional internal hard drive. If a hard drive is not  
installed, you can configure most FortiGate units to log the most recent events and  
attacks detected by the NIDS to the system memory.  
FortiGate-800 Installation and Configuration Guide  
21  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Document conventions  
Introduction  
Document conventions  
This guide uses the following conventions to describe CLI command syntax.  
angle brackets < > to indicate variable keywords  
For example:  
execute restore config <filename_str>  
You enter restore config myfile.bak  
<xxx_str>indicates an ASCII string variable keyword.  
<xxx_integer>indicates an integer variable keyword.  
<xxx_ip>indicates an IP address variable keyword.  
vertical bar and curly brackets {|}to separate alternative, mutually exclusive  
required keywords  
For example:  
set system opmode {nat | transparent}  
You can enter set system opmode nator set system opmode  
transparent  
square brackets [ ]to indicate that a keyword is optional  
For example:  
get firewall ipmacbinding [dhcpipmac]  
You can enter get firewall ipmacbinding or  
get firewall ipmacbinding dhcpipmac  
Fortinet documentation  
Information about FortiGate products is available from the following FortiGate User  
Manual volumes:  
Volume 1: FortiGate Installation and Configuration Guide  
Describes installation and basic configuration for the FortiGate unit. Also describes  
how to use FortiGate firewall policies to control traffic flow through the FortiGate  
unit and how to use firewall policies to apply antivirus protection, web content  
filtering, and email filtering to HTTP, FTP, and email content passing through the  
FortiGate unit.  
Volume 2: FortiGate VPN Guide  
Contains in-depth information about FortiGate IPSec VPN using certificates, pre-  
shared keys and manual keys for encryption. Also contains basic configuration  
information for the Fortinet Remote VPN Client, detailed configuration information  
for FortiGate PPTP and L2TP VPN, and VPN configuration examples.  
Volume 3: FortiGate Content Protection Guide  
Describes how to configure antivirus protection, web content filtering, and email  
filtering to protect content as it passes through the FortiGate unit.  
22  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Introduction  
Customer service and technical support  
Volume 4: FortiGate NIDS Guide  
Describes how to configure the FortiGate NIDS to detect and protect the FortiGate  
unit from network-based attacks.  
Volume 5: FortiGate Logging and Message Reference Guide  
Describes how to configure FortiGate logging and alert email. Also contains the  
FortiGate log message reference.  
Volume 6: FortiGate CLI Reference Guide  
Describes the FortiGate CLI and contains a reference to all FortiGate CLI  
commands.  
The FortiGate online help also contains procedures for using the FortiGate web-based  
manager to configure and manage the FortiGate unit.  
Comments on Fortinet technical documentation  
You can send information about errors or omissions in this document, or any Fortinet  
technical documentation, to [email protected].  
Customer service and technical support  
For antivirus and attack definition updates, firmware updates, updated product  
documentation, technical support information, and other resources, please visit the  
Fortinet technical support web site at http://support.fortinet.com.  
You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and  
change your registration information at any time.  
Fortinet email support is available from the following addresses:  
[email protected] For customers in the United States, Canada, Mexico, Latin  
America and South America.  
[email protected] For customers in Japan, Korea, China, Hong Kong, Singapore,  
Malaysia, all other Asian countries, and Australia.  
For customers in the United Kingdom, Scandinavia, Mainland  
Europe, Africa, and the Middle East.  
For information on Fortinet telephone support, see http://support.fortinet.com.  
When requesting technical support, please provide the following information:  
Your name  
Company name  
Location  
Email address  
Telephone number  
FortiGate unit serial number  
FortiGate model  
FortiGate FortiOS firmware version  
Detailed description of the problem  
FortiGate-800 Installation and Configuration Guide  
23  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Customer service and technical support  
Introduction  
24  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
FortiGate-800 Installation and Configuration Guide Version 2.50  
Getting started  
This chapter describes unpacking, setting up, and powering on a FortiGate Antivirus  
Firewall unit. When you have completed the procedures in this chapter, you can  
proceed to one of the following:  
If you are going to operate the FortiGate unit in NAT/Route mode, go to  
If you are going to operate the FortiGate unit in Transparent mode, go to  
If you are going to operate two or more FortiGate units in HA mode, go to “High  
This chapter describes:  
FortiGate-800 Installation and Configuration Guide  
25  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Package contents  
Getting started  
Package contents  
The FortiGate-800 package contains the following items:  
FortiGate-800 Antivirus Firewall  
one orange crossover ethernet cable  
one grey regular ethernet cable  
one RJ-45 serial cable  
one RJ-45 to DB-9 convertor  
one power cable  
two 19-inch rack mount brackets  
FortiGate-800 QuickStart Guide  
CD containing Fortinet user documentation  
Figure 2: FortiGate-800 package contents  
Front  
Ethernet Cables:  
Orange - Crossover  
Grey - Straight-through  
I
N
T
E
R
N
A
L
E
X
T
E
R
N
A
L
D
M
Z
HA  
1
2
3
4
CONSOLE  
USB  
Esc  
Enter  
P
W
R
8
RJ-45 Serial Cable  
LCD  
Control  
Buttons  
Internal,External,DMZ  
HA Interface  
1 to 4  
Interface  
Serial  
Port  
USB  
(future)  
RJ-45 to DB-9 Convertor  
Power Cable  
Back  
Rack-Mount Brackets  
FortiGate-800  
I
N
T
E
R
N
A
L
E
X
T
E
R
N
A
L
D
M
Z
HA  
1
2
3
4
CONSOLE  
USB  
Esc  
Enter  
P
W
R
8
QuickStart Guide  
Power Power  
Connection Switch  
Copyright 2003 Fortinet Incorporated. All rights reserved.  
Trademarks  
Products mentioned in this document are trademarks.  
Documentation  
Mounting  
The FortiGate-800 unit can be mounted in a standard 19-inch rack. It requires 1 U of  
vertical space in the rack.  
The FortiGate-800 unit can also be installed as a free-standing appliance on any  
stable surface. For free-standing installation, make sure that the appliance has at least  
1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and cooling.  
Dimensions  
16.75 x 12 x 1.75 in. (42.7 x 30.5 x 4.5 cm)  
Weight  
10 lb. (4.5 kg)  
26  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Getting started  
Powering on  
Power requirements  
Power dissipation: 300 W (max)  
AC input voltage: 100 to 240 VAC  
AC input current: 6 A  
Frequency: 50 to 60 Hz  
Environmental specifications  
Operating temperature: 41 to 95°F (5 to 35°C)  
Storage temperature: -4 to 176°F (-20 to 80°C)  
Humidity: 10 to 90% non-condensing  
Powering on  
To power on the FortiGate-800 unit  
1
2
3
4
Make sure that the power switch on the back is turned off.  
Connect the power cable to the power connection on the back of the FortiGate unit.  
Connect the power cable to a power outlet.  
Turn on the power switch.  
After a few seconds, SYSTEM STARTING appears  
on the LCD.  
MAIN MENU appears on the LCD when the system  
is running.  
Table 1: FortiGate-500 LED indicators  
LED  
State  
Green  
Off  
Description  
Power  
The FortiGate unit is powered on.  
The FortiGate unit is powered off.  
Internal  
External  
DMZ  
Amber  
The correct cable is in use and the connected equipment has  
power.  
Flashing  
amber  
Network activity at this interface.  
HA  
1 to 4  
Green  
The interface is connected. Internal, External, DMZ and HA  
connect at up to 1000 Mbps. Interfaces 1, 2, 3 and 4 connect at  
up to 100 Mbps.  
Off  
No link established.  
FortiGate-800 Installation and Configuration Guide  
27  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Connecting to the web-based manager  
Getting started  
Connecting to the web-based manager  
Use the following procedure to connect to the web-based manager for the first time.  
Configuration changes made with the web-based manager are effective immediately  
without resetting the firewall or interrupting service.  
To connect to the web-based manager, you need:  
a computer with an ethernet connection,  
Internet Explorer version 4.0 or higher,  
a crossover cable or an ethernet hub and two ethernet cables.  
Note: You can use the web-based manager with recent versions of most popular web browsers.  
The web-based manager is fully supported for Internet Explorer version 4.0 or higher.  
To connect to the web-based manager  
1
2
3
Set the IP address of the computer with an ethernet connection to the static IP  
address 192.168.1.2 and a netmask of 255.255.255.0.  
Using the crossover cable or the ethernet hub and cables, connect the internal  
interface of the FortiGate unit to the computer ethernet connection.  
Start Internet Explorer and browse to the address https://192.168.1.99 (remember to  
include the “s” in https://).  
The FortiGate login is displayed.  
4
Type admin in the Name field and select Login.  
The Register Now window is displayed. Use the information in this window to register  
your FortiGate unit so that Fortinet can contact you for firmware updates. You must  
also register to receive updates to the FortiGate virus and attack definitions.  
Figure 3: FortiGate login  
28  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Getting started  
Connecting to the command line interface (CLI)  
Connecting to the command line interface (CLI)  
As an alternative to the web-based manager, you can install and configure the  
FortiGate unit using the CLI. Configuration changes made with the CLI are effective  
immediately without resetting the firewall or interrupting service.  
To connect to the FortiGate CLI, you need:  
a computer with an available communications port,  
the RJ-45 serial cable included in your FortiGate package,  
the RJ-45 to DB-9 convertor included in your FortiGate package (if required),  
terminal emulation software such as HyperTerminal for Windows.  
Note: The following procedure describes how to connect to the CLI using Windows  
HyperTerminal software. You can use any terminal emulation program.  
To connect to the CLI  
1
Connect the RJ-45 serial cable to the communications port of your computer and to  
the FortiGate Console port.  
Use the RJ-45 to DB-9 convertor if your PC communications port requires a DB-9  
connector.  
2
3
4
Make sure that the FortiGate unit is powered on.  
Start HyperTerminal, enter a name for the connection, and select OK.  
Configure HyperTerminal to connect directly to the communications port on the  
computer to which you have connected the null modem cable and select OK.  
5
Select the following port settings and select OK.  
Bits per second 9600  
Data bits  
Parity  
8
None  
1
Stop bits  
Flow control  
None  
6
7
Press Enter to connect to the FortiGate CLI.  
The following prompt is displayed:  
FortiGate-800 login:  
Type adminand press Enter twice.  
The following prompt is displayed:  
Type ? for a list of commands.  
For information about how to use the CLI, see the FortiGate CLI Reference Guide.  
FortiGate-800 Installation and Configuration Guide  
29  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Factory default FortiGate configuration settings  
Getting started  
Factory default FortiGate configuration settings  
The FortiGate unit is shipped with a factory default configuration. The default  
configuration allows you to connect to and use the FortiGate web-based manager to  
configure the FortiGate unit onto the network. To configure the FortiGate unit onto the  
network you add an administrator password, change network interface IP addresses,  
add DNS server IP addresses, and configure routing, if required.  
If you plan to operate the FortiGate unit in Transparent mode, you can switch to  
Transparent mode from the factory default configuration and then configure the  
FortiGate unit onto the network in Transparent mode.  
Once the network configuration is complete, you can perform additional configuration  
tasks such as setting system time, configuring virus and attack definition updates, and  
registering the FortiGate unit.  
The factory default firewall configuration includes a single network address translation  
(NAT) policy that allows users on your internal network to connect to the external  
network, and stops users on the external network from connecting to the internal  
network. You can add more policies to provide more control of the network traffic  
passing through the FortiGate unit.  
The factory default content profiles can be used to apply different levels of antivirus  
protection, web content filtering, and email filtering to the network traffic that is  
controlled by firewall policies.  
Factory default NAT/Route mode network configuration  
When the FortiGate unit is first powered on, it is running in NAT/Route mode and has  
the basic network configuration listed in Table 2. This configuration allows you to  
connect to the FortiGate unit web-based manager and establish the configuration  
required to connect the FortiGate unit to the network. In Table 2 HTTPS management  
access means you can connect to the web-based manager using this interface. Ping  
management access means this interface responds to ping requests.  
Table 2: Factory default NAT/Route mode network configuration  
User name:  
Password:  
admin  
Administrator  
account  
(none)  
IP:  
192.168.1.99  
255.255.255.0  
HTTPS, Ping  
Internal interface  
Netmask:  
Management Access:  
30  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Getting started  
Factory default FortiGate configuration settings  
Table 2: Factory default NAT/Route mode network configuration (Continued)  
IP:  
192.168.100.99  
255.255.255.0  
192.168.100.1  
207.194.200.1  
207.194.200.129  
Ping  
Netmask:  
Default Gateway:  
Primary DNS Server:  
Secondary DNS Server:  
Management Access:  
IP:  
External interface  
10.10.10.1  
255.255.255.0  
HTTPS, Ping  
0.0.0.0  
DMZ interface  
HA interface  
Interface 1  
Interface 2  
Interface 3  
Interface 4  
Netmask:  
Management Access:  
IP:  
Netmask:  
0.0.0.0  
Management Access:  
IP:  
Ping  
0.0.0.0  
Netmask:  
0.0.0.0  
Management Access:  
IP:  
Ping  
0.0.0.0  
Netmask:  
0.0.0.0  
Management Access:  
IP:  
Ping  
0.0.0.0  
Netmask:  
0.0.0.0  
Management Access:  
IP:  
Ping  
0.0.0.0  
Netmask:  
0.0.0.0  
Management Access:  
Ping  
Factory default Transparent mode network configuration  
If you switch the FortiGate unit to Transparent mode, it has the default network  
configuration listed in Table 3.  
Table 3: Factory default Transparent mode network configuration  
Administrator  
account  
User name:  
admin  
Password:  
(none)  
IP:  
10.10.10.1  
255.255.255.0  
207.194.200.1  
207.194.200.129  
Management IP  
DNS  
Netmask:  
Primary DNS Server:  
Secondary DNS Server:  
FortiGate-800 Installation and Configuration Guide  
31  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Factory default FortiGate configuration settings  
Getting started  
Table 3: Factory default Transparent mode network configuration (Continued)  
Internal  
HTTPS, Ping  
Ping  
External  
DMZ  
HTTPS, Ping  
Ping  
Management access  
Interface 1  
Interface 2  
Interface 3  
Interface 4  
Ping  
Ping  
Ping  
Factory default firewall configuration  
The factory default firewall configuration is the same in NAT/Route and Transparent  
mode.  
Table 4: Factory default firewall configuration  
IP: 0.0.0.0  
Represents all of the IP addresses on the internal  
network.  
Internal  
Address  
Internal_All  
External_All  
DMZ_All  
Mask: 0.0.0.0  
IP: 0.0.0.0  
Represents all of the IP addresses on the external  
network.  
External  
Address  
Mask: 0.0.0.0  
IP: 0.0.0.0  
Represents all of the IP addresses on the DMZ  
network.  
DMZ  
Address  
Mask: 0.0.0.0  
Recurring Always  
Schedule  
The schedule is valid at all times. This means that  
the firewall policy is valid at all times.  
Firewall  
Policy  
Internal->External  
Firewall policy for connections from the internal  
network to the external network.  
Source  
Internal_All  
The policy source address. Internal_All means that  
the policy accepts connections from any internal IP  
address.  
Destination External_All The policy destination address. External_All means  
that the policy accepts connections with a  
destination address to any IP address on the  
external network.  
Schedule  
Service  
Action  
Always  
ANY  
The policy schedule. Always means that the policy  
is valid at any time.  
The policy service. ANY means that this policy  
processes connections for all services.  
ACCEPT  
The policy action. ACCEPT means that the policy  
allows connections.  
; NAT  
NAT is selected for the NAT/Route mode default  
policy so that the policy applies network address  
translation to the traffic processed by the policy.  
NAT is not available for Transparent mode policies.  
Traffic Shaping  
Traffic shaping is not selected. The policy does not  
apply traffic shaping to the traffic controlled by the  
policy. You can select this option to control the  
maximum or minimum amount of bandwidth  
available to traffic processed by the policy.  
32  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Getting started  
Factory default FortiGate configuration settings  
Table 4: Factory default firewall configuration (Continued)  
Authentication  
Authentication is not selected. Users do not have to  
authenticate with the firewall before connecting to  
their destination address. You can configure user  
groups and select this option to require users to  
authenticate with the firewall before they can  
connect through the firewall.  
; Antivirus & Web Filter Antivirus & Web Filter is selected.  
Content  
Profile  
Scan  
The scan content profile is selected. The policy  
scans all HTTP, FTP, SMTP, POP3, and IMAP  
traffic for viruses. See “Scan content profile” on  
content profile. You can select one of the other  
content profiles to apply different levels of content  
protection to traffic processed by this policy.  
Log Traffic  
Log Traffic is not selected. This policy does not  
record messages to the traffic log for the traffic  
processed by this policy. You can configure  
FortiGate logging and select Log Traffic to record all  
connections through the firewall that are accepted  
by this policy.  
Factory default content profiles  
You can use content profiles to apply different protection settings for content traffic  
that is controlled by firewall policies. You can use content profiles for:  
Antivirus protection of HTTP, FTP, IMAP, POP3, and SMTP network traffic  
Web content filtering for HTTP network traffic  
Email filtering for IMAP and POP3 network traffic  
Oversized file and email blocking for HTTP, FTP, POP3, SMTP, and IMAP network  
traffic  
Passing fragmented emails in IMAP, POP3, and SMTP email traffic  
Using content profiles, you can build protection configurations that can be applied to  
different types of firewall policies. This allows you to customize types and levels of  
protection for different firewall policies.  
For example, while traffic between internal and external addresses might need strict  
protection, traffic between trusted internal addresses might need moderate protection.  
You can configure policies for different traffic services to use the same or different  
content profiles.  
Content profiles can be added to NAT/Route mode and Transparent mode policies.  
Strict content profile  
Use the strict content profile to apply maximum content protection to HTTP, FTP,  
IMAP, POP3, and SMTP content traffic. You do not need to use the strict content  
profile under normal circumstances, but it is available if you have extreme problems  
with viruses and require maximum content screening protection.  
FortiGate-800 Installation and Configuration Guide  
33  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Factory default FortiGate configuration settings  
Getting started  
Table 5: Strict content profile  
Options  
HTTP  
;
FTP  
;
IMAP  
;
POP3  
SMTP  
;
Antivirus Scan  
;
;
;
File Block  
;
;
;
;
Quarantine  
;
;
;
;
Web URL Block  
Web Content Block  
Web Script Filter  
Web Exempt List  
Email Block List  
Email Exempt List  
Email Content Block  
Oversized File/Email Block  
Pass Fragmented Emails  
;
;
;
;
;
;
;
;
;
;
block  
block  
block  
block  
block  
Scan content profile  
Use the scan content profile to apply antivirus scanning to HTTP, FTP, IMAP, POP3,  
and SMTP content traffic. Quarantine is also selected for all content services. On  
FortiGate models with a hard drive, if antivirus scanning finds a virus in a file, the file is  
quarantined on the FortiGate hard disk. If required, system administrators can recover  
quarantined files.  
Table 6: Scan content profile  
Options  
HTTP  
;
FTP  
;
IMAP  
;
POP3  
;
SMTP  
;
Antivirus Scan  
File Block  
Quarantine  
;
;
;
;
;
Web URL Block  
Web Content Block  
Web Script Filter  
Web Exempt List  
Email Block List  
Email Exempt List  
Email Content Block  
Oversized File/Email Block  
Pass Fragmented Emails  
pass  
pass  
pass  
pass  
pass  
34  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Getting started  
Factory default FortiGate configuration settings  
Web content profile  
Use the web content profile to apply antivirus scanning and web content blocking to  
HTTP content traffic. You can add this content profile to firewall policies that control  
HTTP traffic.  
Table 7: Web content profile  
Options  
HTTP  
;
FTP  
IMAP  
POP3  
SMTP  
Antivirus Scan  
File Block  
Quarantine  
;
Web URL Block  
Web Content Block  
Web Script Filter  
Web Exempt List  
Email Block List  
Email Exempt List  
Email Content Block  
Oversized File/Email Block  
Pass Fragmented Emails  
;
;
pass  
pass  
pass  
pass  
pass  
Unfiltered content profile  
Use the unfiltered content profile if you do not want to apply content protection to  
traffic. You can add this content profile to firewall policies for connections between  
highly trusted or highly secure networks where content does not need to be protected.  
Table 8: Unfiltered content profile  
Options  
HTTP  
FTP  
IMAP  
POP3  
SMTP  
Antivirus Scan  
File Block  
Quarantine  
Web URL Block  
Web Content Block  
Web Script Filter  
Web Exempt List  
Email Block List  
Email Exempt List  
Email Content Block  
Oversized File/Email Block  
Pass Fragmented Emails  
;
;
;
pass  
pass  
pass  
;
pass  
;
pass  
;
FortiGate-800 Installation and Configuration Guide  
35  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Planning the FortiGate configuration  
Getting started  
Planning the FortiGate configuration  
Before you configure the FortiGate unit, you need to plan how to integrate the unit into  
the network. Among other things, you must decide whether you want the unit to be  
visible to the network, which firewall functions you want it to provide, and how you  
want it to control the traffic flowing between its interfaces.  
Your configuration plan depends on the operating mode that you select. The FortiGate  
unit can be configured in one of two modes: NAT/Route mode (the default) or  
Transparent mode.  
NAT/Route mode  
In NAT/Route mode, the unit is visible to the network. Like a router, all its interfaces  
are on different subnets. The following interfaces are available in NAT/Route mode:  
External is the interface to the external network (usually the Internet).  
Internal is the interface to the internal network.  
DMZ is the interface to the DMZ network.  
HA is the interface used to connect to other FortiGate-500s if you are installing an  
HA cluster  
Interfaces 1 to 4 can be connected to other networks.  
You can add security policies to control whether communications through the  
FortiGate unit operate in NAT or Route mode. Security policies control the flow of  
traffic based on the source address, destination address, and service of each packet.  
In NAT mode, the FortiGate unit performs network address translation before it sends  
the packet to the destination network. In Route mode, there is no translation.  
By default, the FortiGate unit has a NAT mode security policy that allows users on the  
internal network to securely download content from the external network. No other  
traffic is possible until you have configured further security policies.  
You typically use NAT/Route mode when the FortiGate unit is operating as a gateway  
between private and public networks. In this configuration, you would create NAT  
mode policies to control traffic flowing between the internal, private network and the  
external, public network (usually the Internet).  
If you have multiple internal networks, such as a DMZ network in addition to the  
internal, private network, you could create route mode policies for traffic flowing  
between them.  
Figure 4: Example NAT/Route mode network configuration  
Internal network  
192.168.1.3  
Internal  
192.168.1.99  
FortiGate-800 Unit  
in NAT/Route mode  
External  
204.23.1.5  
Route mode policies  
controlling traffic between  
internal networks.  
I
N
T
E
R
N
A
L
E
X
T
E
R
N
A
L
D
M
Z
HA  
1
2
3
4
CONSOLE  
USB  
Esc  
Enter  
P
W
R
Internet  
8
DMZ  
10.10.10.1  
DMZ network  
NAT mode policies controlling  
traffic between internal and  
external networks.  
10.10.10.2  
36  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Getting started  
Planning the FortiGate configuration  
NAT/Route mode with multiple external network connections  
In NAT/Route mode, you can configure the FortiGate unit with multiple redundant  
connections to the external network (usually the Internet). For example, you could  
create the following configuration:  
External is the default interface to the external network (usually the Internet).  
Interface 1 is the redundant interface to the external network.  
Internal is the interface to the internal network.  
DMZ is the interface to the DMZ network.  
You must configure routing to support redundant Internet connections. Routing can be  
used to automatically redirect connections from an interface if its connection to the  
external network fails.  
Otherwise, security policy configuration is similar to a NAT/Route mode configuration  
with a single Internet connection. You would create NAT mode policies to control traffic  
flowing between the internal, private network and the external, public network (usually  
the Internet).  
If you have multiple internal networks, such as a DMZ network in addition to the  
internal, private network, you could create route mode policies for traffic flowing  
between them.  
Figure 5: Example NAT/Route multiple internet connection configuration  
Internal network  
192.168.1.3  
FortiGate-800 Unit  
in NAT/Route mode  
Internal  
192.168.1.1  
External  
204.23.1.5  
Route mode policies  
controlling traffic between  
internal networks.  
I
N
T
E
R
N
A
L
E
X
T
E
R
N
A
L
D
M
Z
HA  
1
2
3
4
CONSOLE  
USB  
Esc  
Enter  
Internet  
P
W
R
8
Port 1  
64.83.32.45  
DMZ  
10.10.10.2  
DMZ network  
NAT mode policies controlling  
traffic between internal and  
external networks.  
10.10.10.23  
Transparent mode  
In Transparent mode, the FortiGate unit is invisible to the network. Similar to a  
network bridge, all FortiGate interfaces must be on the same subnet. You only have to  
configure a management IP address so that you can make configuration changes.  
The management IP address is also used for antivirus and attack definition updates.  
You typically use the FortiGate unit in Transparent mode on a private network behind  
an existing firewall or behind a router. The FortiGate unit performs firewall functions as  
well as antivirus and content scanning but not VPN.  
FortiGate-800 Installation and Configuration Guide  
37  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Planning the FortiGate configuration  
Getting started  
Figure 6: Example Transparent mode network configuration  
FortiGate-800 Unit  
in Transparent mode  
Gateway to  
public network  
Internal network  
204.23.1.5  
10.10.10.2  
I
N
T
E
R
N
A
L
E
X
T
E
R
N
A
L
D
M
Z
HA  
1
2
3
4
CONSOLE  
USB  
Esc  
Enter  
P
W
R
Internet  
8
10.10.10.3  
External  
(firewall, router)  
10.10.10.1  
Management IP  
Internal  
Transparent mode policies  
controlling traffic between  
internal and external networks  
You can connect up to 8 network segments to the FortiGate unit to control traffic  
between these network segments.  
External can connect to the external firewall or router.  
Internal can connect to the internal network.  
HA can connect to another network or to other FortiGate-800s if you are installing  
an HA cluster.  
DMZ and interfaces 1 to 4 can connect to other network segments.  
Configuration options  
Once you have selected Transparent or NAT/Route mode operation, you can  
complete the configuration plan and begin to configure the FortiGate unit.  
You can use the web-based manager setup wizard, the control buttons and LCD, or  
the command line interface (CLI) for the basic configuration of the FortiGate unit.  
Setup wizard  
If you are configuring the FortiGate unit to operate in NAT/Route mode (the default),  
the setup wizard prompts you to add the administration password and the internal and  
external interface addresses. Using the wizard, you can also add DNS server IP  
addresses and a default route for the external interface.  
In NAT/Route mode you can also configure the FortiGate to allow Internet access to  
your internal Web, FTP, or email servers.  
If you are configuring the FortiGate unit to operate in Transparent mode, you can  
switch to Transparent mode from the web-based manager and then use the setup  
wizard to add the administration password, the management IP address and gateway,  
and the DNS server addresses.  
CLI  
If you are configuring the FortiGate unit to operate in NAT/Route mode, you can add  
the administration password and all interface addresses. Using the CLI, you can also  
add DNS server IP addresses and a default route for the external interface.  
If you are configuring the FortiGate unit to operate in Transparent mode, you can use  
the CLI to switch to Transparent mode, Then you can add the administration  
password, the management IP address and gateway, and the DNS server addresses.  
38  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Getting started  
FortiGate model maximum values matrix  
Front keypad and LCD  
If you are configuring the FortiGate unit to operate in NAT/Route mode, you can use  
the control buttons and LCD to add the IP address of the FortiGate interfaces as well  
as the external default gateway.  
If you are configuring the FortiGate unit to operate in Transparent mode, you can use  
the control buttons and LCD to switch to Transparent mode. Then you can add the  
management IP address and default gateway.  
FortiGate model maximum values matrix  
Table 9: FortiGate maximum values matrix  
FortiGate model  
50  
60  
100  
500  
500  
200  
500  
500  
300  
500  
500  
400  
500  
500  
500  
500  
500  
800  
500  
500  
1000  
500  
3000  
500  
3600  
500  
4000  
500  
Routes  
500  
500  
500  
500  
Policy routing  
gateways  
500  
500  
500  
500  
Administrative  
users  
500  
N/A  
500  
N/A  
500  
N/A  
500  
500  
500  
500  
500  
500  
500  
500  
500  
VLAN  
4096* 4096* 4096* 4096* 4096* 4096* 4096* 4096* 4096*  
subinterfaces  
Zones  
N/A  
N/A  
32  
N/A  
N/A  
32  
N/A  
N/A  
32  
100  
16  
100  
32  
100  
64  
100  
64  
100  
64  
200  
128  
32  
300  
512  
32  
500  
512  
32  
500  
512  
32  
Virtual domains  
DHCP address  
scopes  
32  
32  
32  
32  
32  
DHCP reserved  
IP/MAC pairs  
10  
20  
30  
30  
50  
50  
100  
100  
200  
200  
200  
200  
Firewall policies  
200  
500  
500  
500  
1000  
500  
2000  
500  
5000  
3000  
5000  
3000  
20000 20000 50000 50000 50000 50000  
Firewall  
addresses  
6000  
500  
500  
500  
256  
256  
500  
50  
6000  
500  
500  
500  
256  
256  
500  
50  
10000 10000 10000 10000  
Firewall address  
groups  
500  
500  
500  
500  
500  
500  
256  
256  
500  
50  
500  
500  
500  
256  
256  
500  
50  
500  
500  
500  
256  
256  
500  
50  
500  
500  
500  
256  
256  
500  
50  
500  
500  
500  
256  
256  
500  
50  
500  
500  
500  
256  
256  
500  
50  
500  
500  
500  
256  
256  
500  
50  
500  
500  
500  
256  
256  
500  
50  
500  
500  
500  
256  
256  
500  
50  
Firewall custom  
services  
Firewall service  
groups  
Firewall recurring 256  
schedules  
Firewall onetime  
schedules  
256  
500  
Firewall virtual  
IPs  
Firewall IP pools 50  
* Includes the number of physical interfaces.  
FortiGate-800 Installation and Configuration Guide  
39  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Next steps  
Getting started  
Table 9: FortiGate maximum values matrix  
FortiGate model  
50  
60  
100  
200  
300  
400  
500  
800  
1000  
3000  
3600  
4000  
IP/MAC binding  
table entries  
500  
500  
500  
500  
500  
500  
500  
500  
500  
500  
500  
500  
Firewall content  
profiles  
32  
32  
32  
32  
32  
32  
32  
32  
32  
32  
32  
32  
User names  
20  
6
500  
6
1000  
6
1000  
6
1000  
6
1000  
6
1000  
6
1000  
6
1000  
6
1000  
6
1000  
6
1000  
6
Radius servers  
LDAP servers  
User groups  
6
6
6
6
6
6
6
6
6
6
6
6
100  
300  
100  
300  
100  
300  
100  
300  
100  
300  
100  
300  
100  
300  
100  
300  
100  
300  
100  
300  
100  
300  
100  
300  
Total number of  
user group  
members  
IPSec remote  
gateways  
20  
50  
80  
200  
1500  
1500  
3000  
3000  
5000  
5000  
5000  
5000  
(Phase 1)  
IPSec VPN  
tunnels (Phase 2)  
20  
50  
80  
200  
500  
1500  
500  
1500  
500  
3000  
500  
3000  
500  
5000  
500  
5000  
500  
5000  
500  
5000  
500  
IPSec VPN  
500  
500  
500  
concentrators  
PPTP users  
L2TP users  
500  
500  
500  
500  
100  
500  
500  
100  
500  
500  
100  
500  
500  
100  
500  
500  
100  
500  
500  
100  
500  
500  
100  
500  
500  
100  
500  
500  
100  
500  
500  
100  
500  
500  
100  
NIDS user-defined 100  
signatures  
Antivirus file  
56  
56  
56  
56  
56  
56  
56  
56  
56  
56  
56  
56  
block patterns  
Web filter and  
email filter lists  
Limit varies depending on available system memory. Fortinet recommends limiting total size of web and  
email filter lists to 4 Mbytes or less. If you want to use larger web filter lists, consider using Cerberian web  
filtering.  
Log setting traffic 50  
50  
50  
50  
50  
50  
50  
50  
50  
50  
50  
50  
filter entries  
* Includes the number of physical interfaces.  
Next steps  
Now that your FortiGate unit is operating, you can proceed to configure it to connect to  
networks:  
If you are going to operate the FortiGate unit in NAT/Route mode, go to  
If you are going to operate the FortiGate unit in Transparent mode, go to  
If you are going to operate two or more FortiGate units in HA mode, go to “High  
40  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
FortiGate-800 Installation and Configuration Guide Version 2.50  
NAT/Route mode installation  
This chapter describes how to install the FortiGate unit in NAT/Route mode. For  
information about installing a FortiGate unit in Transparent mode, see “Transparent  
mode installation” on page 59. For information about installing two or more FortiGate  
units in HA mode, see “High availability” on page 73. For more information about  
installing the FortiGate unit in NAT/Route mode, see “Planning the FortiGate  
This chapter describes:  
Preparing to configure NAT/Route mode  
Use Table 10 to gather the information that you need to customize NAT/Route mode  
settings.  
FortiGate-800 Installation and Configuration Guide  
41  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Preparing to configure NAT/Route mode  
NAT/Route mode installation  
Table 10: NAT/Route mode settings  
Administrator Password:  
IP:  
_____._____._____._____  
_____._____._____._____  
_____._____._____._____  
_____._____._____._____  
_____._____._____._____  
_____._____._____._____  
_____._____._____._____  
_____._____._____._____  
_____._____._____._____  
_____._____._____._____  
_____._____._____._____  
_____._____._____._____  
Internal interface  
Netmask:  
IP:  
Netmask:  
External interface  
Default Gateway:  
Primary DNS Server:  
Secondary DNS Server:  
Web Server:  
SMTP Server:  
POP3 Server:  
IMAP Server:  
FTP Server:  
Internal servers  
If you provide access from the Internet to a web server, mail server,  
IMAP server, or FTP server installed on an internal network, add the IP  
addresses of the servers here.  
Advanced NAT/Route mode settings  
Use Table 11 to gather the information that you need to customize advanced  
FortiGate NAT/Route mode settings.  
Table 11: Advanced FortiGate NAT/Route mode settings  
If your Internet Service Provider (ISP) supplies you with  
an IP address using DHCP, no further information is  
required.  
DHCP:  
External  
interface  
User name:  
Password:  
PPPoE:  
If your ISP supplies you with an IP address using PPPoE, record your  
PPPoE user name and password.  
Starting IP:  
Ending IP:  
Netmask:  
_____._____._____._____  
_____._____._____._____  
_____._____._____._____  
DHCP server  
Default Route: _____._____._____._____  
DNS IP: _____._____._____._____  
The FortiGate unit includes a DHCP server that you can configure to  
automatically set the addresses of the computers on your internal network.  
42  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
NAT/Route mode installation  
Using the setup wizard  
DMZ and user-defined interfaces  
Use Table 12 to record the IP addresses and netmasks of the FortiGate DMZ and  
user-defined interfaces if you are configuring them during installation. The HA  
interface is configured during HA installation.  
.
Table 12: DMZ and user-defined interfaces (Optional)  
DMZ IP: _____._____._____._____  
Netmask: _____._____._____._____  
Netmask: _____._____._____._____  
Netmask: _____._____._____._____  
Netmask: _____._____._____._____  
Netmask: _____._____._____._____  
1
2
3
4
IP: _____._____._____._____  
IP: _____._____._____._____  
IP: _____._____._____._____  
IP: _____._____._____._____  
Using the setup wizard  
From the web-based manager, you can use the setup wizard to do the initial  
configuration of the FortiGate unit. For information about connecting to the web-based  
Starting the setup wizard  
1
In the web-based manager, select Easy Setup Wizard (the middle button in the upper-  
right corner of the web-based manager).  
2
3
Select the Next button to step through the wizard pages.  
Use the information that you gathered in Table 10 on page 42 to fill in the wizard fields.  
You can also use the information in Table 11 on page 42.  
4
Confirm the configuration settings, and then select Finish and Close.  
Note: If you use the setup wizard to configure internal server settings, the FortiGate unit adds  
port forwarding virtual IPs and firewall policies for each server. For example, for each server  
located on the Internal network the FortiGate unit adds an External->Internal firewall policy.  
Reconnecting to the web-based manager  
If you changed the IP address of the internal interface while you were using the setup  
wizard, you must reconnect to the web-based manager using a new IP address.  
Browse to https:// followed by the new IP address of the internal interface. Otherwise,  
you can reconnect to the web-based manager by browsing to https://192.168.1.99.  
You are now finished the initial configuration of your FortiGate unit, and can proceed  
FortiGate-800 Installation and Configuration Guide  
43  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Using the front control buttons and LCD  
NAT/Route mode installation  
Using the front control buttons and LCD  
As an alternative to the setup wizard, use the information that you recorded in  
Table 10 on page 42 and Table 12 on page 43 to complete the following procedure.  
Starting with Main Menu displayed on the LCD, use the front control buttons and LCD:  
1
2
Press Enter three times to configure the internal  
interface IP address.  
Set the internal interface IP address.  
Use the up and down arrow keys to increase or decrease the value of each IP address  
digit. Press Enter to move to the next digit. Press Esc to move to the previous digit.  
Note: When you enter an IP address, the LCD always shows three digits for each part of the  
address. For example, the IP address 192.168.100.1 appears on the LCD as 192.168.100.001.  
The IP address 192.168.23.45 appears as 192.168.023.045.  
3
4
5
6
7
8
After you set the last digit of the IP address, press Enter.  
Use the down arrow to highlight Netmask.  
Press Enter and set the internal Netmask.  
After you set the last digit of the Netmask, press Enter.  
Press Esc to return to the Main Menu.  
Repeat these steps to configure the external interface, external default gateway, and  
DMZ interface if required.  
You have now completed the initial configuration of your FortiGate unit and you can  
Using the command line interface  
As an alternative to using the setup wizard, you can configure the FortiGate unit using  
the command line interface (CLI). For information about connecting to the CLI, see  
Configuring the FortiGate unit to operate in NAT/Route mode  
Use the information that you gathered in Table 10 on page 42 to complete the  
following procedure.  
Configuring NAT/Route mode IP addresses  
1
2
Make sure that you are logged into the CLI.  
Set the IP address and netmask of the internal interface to the internal IP address and  
netmask that you recorded in Table 10 on page 42. Enter:  
set system interface internal mode static ip <IP_address>  
<netmask>  
Example  
set system interface internal mode static ip 192.168.1.1  
255.255.255.0  
44  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
NAT/Route mode installation  
Using the command line interface  
3
Set the IP address and netmask of the external interface to the external IP address  
and netmask that you recorded in Table 10 on page 42.  
set system interface external mode static ip <IP_address>  
<netmask>  
Example  
set system interface external mode static ip 204.23.1.5  
255.255.255.0  
To set the external interface to use DHCP, enter:  
set system interface external mode dhcp connection enable  
To set the external interface to use PPPoE, enter:  
set system interface external mode pppoe username <user name>  
password <password> connection enable  
Example  
set system interface external mode pppoe username  
[email protected] password mypass connection enable  
4
5
Optionally, set the IP address and netmask of the DMZ interface to the DMZ IP  
address and netmask that you recorded in Table 12 on page 43. Enter:  
set system interface dmz mode static ip <IP_address> <netmask>  
Example  
set system interface dmz mode static ip 10.10.10.2  
255.255.255.0  
Set the IP address and netmask of interfaces 1 to 4 to the IP addresses and netmasks  
that you recorded in Table 12 on page 43.  
set system interface <interface_name> mode static ip  
<IP_address> <netmask>  
Example  
To set the IP address of interface 3 to 192.45.56.73 and netmask to 255.255.255.0,  
enter  
set system interface port3 mode static ip 192.45.56.73  
255.255.255.0  
6
7
Confirm that the addresses are correct. Enter:  
get system interface  
The CLI lists the IP address, netmask, and other settings for each of the FortiGate  
interfaces.  
Set the primary DNS server IP addresses. Enter  
set system dns primary <IP address>  
Example  
set system dns primary 293.44.75.21  
8
Optionally, set the secondary DNS server IP addresses. Enter  
set system dns secondary <IP address>  
Example  
set system dns secondary 293.44.75.22  
FortiGate-800 Installation and Configuration Guide  
45  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Connecting the FortiGate unit to your networks  
NAT/Route mode installation  
9
Set the default route to the Default Gateway IP address (not required for DHCP and  
PPPoE).  
set system route number <route_no> dst 0.0.0.0 0.0.0.0 gw1  
<gateway_ip>  
Example  
set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 204.23.1.2  
Connecting the FortiGate unit to your networks  
After you complete the initial configuration, you can connect the FortiGate unit  
between your internal network and the Internet. You can also connect networks to the  
user-defined interfaces that you configured.  
There are 4 10/100/1000 Base-TX connectors on the FortiGate-800:  
Internal for connecting to your internal network,  
External for connecting to your public switch or router and the Internet,  
DMZ for connecting to a DMZ network,  
HA for connecting to another FortiGate-800 for high availability (see “High  
There are 4 10/100 Base-TX connectors on the FortiGate-800:  
user-defined interfaces 1 to 4 for connecting up to four additional networks to your  
FortiGate unit.  
Note: You can also create redundant connections to the Internet by connecting two interfaces  
to separate Internet connections. For example, you could connect the external interface and the  
DMZ interface or any available user-defined interface to different Internet connections, each  
provided by a different service provider. See “Configuration example: Multiple connections to  
To connect the FortiGate unit running in NAT/Route mode  
Connect the Internal interface to the hub or switch connected to your internal network.  
Connect the External interface to your public switch or router.  
Optionally, connect the DMZ interface to your DMZ network.  
1
2
3
You can use a DMZ network to provide access from the Internet to a web server or  
other server without installing the servers on your internal network.  
46  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
NAT/Route mode installation  
Connecting the FortiGate unit to your networks  
Figure 7: FortiGate-800 NAT/Route mode connections  
Internal Network  
DMZ Network  
Web Server  
Mail Server  
Hub or Switch  
Internal  
DMZ  
I
N
T
E
R
N
A
L
E
X
T
E
R
N
A
L
D
M
Z
HA  
1
2
3
4
CONSOLE  
USB  
Esc  
Enter  
P
W
R
8
External  
FortiGate-800  
Public Switch  
or Router  
Internet  
To connect to FortiGate-800 user-defined interfaces  
1
2
Connect the user-defined interface to the hub or switch connected to the intended  
network.  
Repeat for all user-defined interfaces that you have configured.  
The example in Figure 8 shows an internal network connected to user-defined  
interface 1 and an external network connected to user-defined interface 4.  
FortiGate-800 Installation and Configuration Guide  
47  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Configuring your networks  
NAT/Route mode installation  
Figure 8: Example FortiGate-800 user-defined interface connections  
Internal Network  
Hub or Switch  
User-defined  
Interface 1  
I
N
T
E
R
N
A
L
E
X
T
E
R
N
A
L
D
M
Z
HA  
1
2
3
4
CONSOLE  
USB  
Esc  
Enter  
P
W
R
8
User-defined  
Interface 4  
FortiGate-800  
Public Switch or Router  
Internet  
Configuring your networks  
If you are running the FortiGate unit in NAT/Route mode, your networks must be  
configured to route all Internet traffic to the IP address of the FortiGate interface to  
which they are connected.  
Make sure that the connected FortiGate unit is functioning properly by connecting to  
the Internet from a computer on your internal network. You should be able to connect  
to any Internet address.  
48  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
NAT/Route mode installation  
Completing the configuration  
Completing the configuration  
Use the information in this section to complete the configuration of the FortiGate unit.  
Configuring the DMZ interface  
Use the following procedure to configure the DMZ interface:  
1
2
3
4
5
Log into the web-based manager.  
Go to System > Network > Interface.  
Choose the dmz interface and select Modify  
.
Change the IP address and Netmask as required.  
Select Apply.  
Configuring interfaces 1 to 4  
Use the following procedure to configure the eight user-defined interfaces:  
1
2
3
Log into the web-based manager.  
Go to System > Network > Interface.  
Choose a user-defined interface and select Modify  
Select from port1 to port4.  
.
4
5
Change the IP address and Netmask as required.  
Select Apply.  
Setting the date and time  
For effective scheduling and logging, the FortiGate system date and time must be  
accurate. You can either manually set the system date and time or configure the  
FortiGate unit to automatically keep its time correct by synchronizing with a Network  
Time Protocol (NTP) server.  
For information about setting the FortiGate system date and time, see “Setting system  
Changing antivirus protection  
To change how antivirus protection to protects users on your internal network from  
downloading a virus from the Internet:  
1
2
3
4
Go to Firewall > Policy > Internal->External.  
Select Edit  
to edit this policy.  
Select Anti-Virus & Web filter to enable antivirus protection for this policy.  
Select a different Content Profile to change how antivirus protection is applied for this  
policy.  
For a description of each of the content profiles, see “Content profiles” on page 218.  
Select OK to save the changes.  
5
FortiGate-800 Installation and Configuration Guide  
49  
Download from Www.Somanuals.com. All Manuals Search And Download.  
               
Configuration example: Multiple connections to the Internet  
NAT/Route mode installation  
Registering your FortiGate unit  
After purchasing and installing a new FortiGate unit, you can register the unit by going  
to the System Update Support page, or using a web browser to connect to  
http://support.fortinet.com and selecting Product Registration.  
To register, enter your contact information and the serial numbers of the FortiGate  
units that you or your organization have purchased. You can register multiple  
FortiGate units in a single session without re-entering your contact information.  
For more information about registration, see “Registering FortiGate units” on  
Configuring virus and attack definition updates  
You can go to the System Update page to configure the FortiGate unit to automatically  
check whether new versions of the virus definitions and attack definitions are  
available. If it finds new versions, the FortiGate unit automatically downloads and  
installs the updated definitions.  
The FortiGate unit uses HTTPS on port 8890 to check for updates. The FortiGate  
external interface must have a path to the FortiResponse Distribution Network (FDN)  
using port 8890.  
For information about configuring automatic virus and attack updates, see “Updating  
Configuration example: Multiple connections to the Internet  
This section describes some basic routing and firewall policy configuration examples  
for a FortiGate unit with multiple connections to the Internet (see Figure 9). In this  
topology, the organization operating the FortiGate unit uses two Internet service  
providers to connect to the Internet. The FortiGate unit is connected to the Internet  
using the external and DMZ interfaces. The external interface connects to gateway 1,  
operated by ISP1 and the DMZ interface connects to gateway 2, operated by ISP2.  
You can add ping servers to interfaces and configure routing to control how traffic  
uses each Internet connection. With this routing configuration, you can create firewall  
policies to support multiple Internet connections.  
This section provides some examples of routing and firewall configurations for the  
FortiGate unit for multiple Internet connections. To use the information in this section,  
you should be familiar with FortiGate routing (see “Configuring routing” on page 153)  
and FortiGate firewall configuration (see “Firewall configuration” on page 185).  
The examples below show how to configure destination-based routing and policy  
routing to control different traffic patterns.  
50  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
NAT/Route mode installation  
Configuration example: Multiple connections to the Internet  
Figure 9: Example multiple Internet connection configuration  
Internal Network  
192.168.1.0  
Internal  
192.168.1.99  
I
N
T
E
R
N
A
L
E
X
T
E
R
N
A
L
D
M
Z
HA  
1
2
3
4
CONSOLE  
USB  
Esc  
Enter  
P
W
R
8
Port3  
2.2.2.2  
External  
1.1.1.2  
FortiGate-800  
Gateway #1: 1.1.1.1  
Gateway #2: 2.2.2.1  
ISP1  
ISP2  
External Network #1  
100.100.100.0  
External Network #2  
200.200.200.0  
Internet  
Configuring ping servers  
Use the following procedure to make gateway 1 the ping server for the external  
interface and gateway 2 the ping server for the DMZ interface.  
1
2
Go to System > Network > Interface.  
For the external interface, select Modify  
.
Ping Server: 1.1.1.1  
Select Enable Ping Server  
Select OK  
3
For the DMZ interface, select Modify  
.
Ping Server: 2.2.2.1  
Select Enable Ping Server  
Select OK  
FortiGate-800 Installation and Configuration Guide  
51  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Configuration example: Multiple connections to the Internet  
NAT/Route mode installation  
Using the CLI  
1
2
Add a ping server to the external interface.  
set system interface external config detectserver 1.1.1.1  
gwdetect enable  
Add a ping server to the DMZ interface.  
set system interface dmz config detectserver 2.2.2.1 gwdetect  
enable  
Destination-based routing examples  
This section describes the following destination-based routing examples:  
Primary and backup links to the Internet  
Use the following procedure to add a default destination-based route that directs all  
outgoing traffic to gateway 1. If gateway 1 fails, all connections are redirected to  
gateway 2. Gateway 1 is the primary link to the Internet and gateway 2 is the backup  
link.  
1
2
Go to System > Network > Routing Table.  
Select New.  
Destination IP: 0.0.0.0  
Mask: 0.0.0.0  
Gateway #1: 1.1.1.1  
Gateway #2: 2.2.2.1  
Device #1: external  
Device #2: dmz  
Select OK.  
Using the CLI  
1
Add the route to the routing table.  
set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1  
dev1 external gw2 2.2.2.1 dev2 dmz  
Table 13: Route for primary and backup links  
Destination IP Mask  
0.0.0.0 0.0.0.0  
Gateway #1  
Device #1  
Gateway #2  
Device #2  
1.1.1.1  
external  
2.2.2.1  
dmz  
52  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
NAT/Route mode installation  
Configuration example: Multiple connections to the Internet  
Load sharing  
You can also configure destination routing to direct traffic through both gateways at  
the same time. If users on the internal network connect to the networks of ISP1 and  
ISP2, you can add routes for each of these destinations. Each route can include a  
backup destination to the network of the other ISP.  
Table 14: Load sharing routes  
Destination IP‘ Mask  
Gateway #1 Device #1  
Gateway #2 Device #2  
100.100.100.0 255.255.255.0 1.1.1.1  
200.200.200.0 255.255.255.0 2.2.2.1  
external  
dmz  
2.2.2.1  
1.1.1.1  
dmz  
external  
The first route directs all traffic destined for the 100.100.100.0 network out the external  
interface to gateway 1 with the IP address 1.1.1.1. If this router is down, traffic  
destined for the 100.100.100.0 network is redirected out the DMZ interface to gateway  
2 with the IP address 2.2.2.1.  
Load sharing and primary and secondary connections  
You can combine these routes into a more complete multiple Internet connection  
configuration. In the topology shown in Figure 9 on page 51, users on the internal  
network connect to the Internet to access web pages and other Internet resources.  
However, they can also connect to services, such as email, provided by their ISPs.  
You can combine the routes described in the previous examples to provide users with  
a primary and backup connection to the Internet, while at the same time routing traffic  
to each ISP network as required.  
The routing described below allows a user on the internal network to connect to the  
Internet through gateway 1 and ISP1. At the same time, this user can also connect  
through gateway 2 to access a mail server maintained by ISP2.  
To add the routes using the web-based manager  
1
2
Go to System > Network > Routing Table.  
Select New to add the default route for primary and backup links to the Internet.  
Destination IP: 0.0.0.0  
Mask: 0.0.0.0  
Gateway #1: 1.1.1.1  
Gateway #2: 2.2.2.1  
Device #1: external  
Device #2: dmz  
Select OK.  
FortiGate-800 Installation and Configuration Guide  
53  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Configuration example: Multiple connections to the Internet  
NAT/Route mode installation  
3
Select New to add a route for connections to the network of ISP1.  
Destination IP: 100.100.100.0  
Mask: 255.255.255.0  
Gateway #1: 1.1.1.1  
Gateway #2: 2.2.2.1  
Device #1: external  
Device #2: dmz  
4
Select New to add a route for connections to the network of ISP2.  
Destination IP: 200.200.200.0  
Mask: 255.255.255.0  
Gateway #1: 2.2.2.1  
Gateway #2: 1.1.1.1  
Device #1: dmz  
Device #2: external  
Select OK.  
5
Change the order of the routes in the routing table to move the default route below the  
other two routes.  
For the default route select Move to  
.
Type a number in the Move to field to move this route to the bottom of the list.  
If there are only 3 routes, type 3.  
Select OK.  
To add the routes using the CLI  
1
2
3
Add the route for connections to the network of ISP2.  
set system route number 1 dst 100.100.100.0 255.255.255.0 gw1  
1.1.1.1 dev1 external gw2 2.2.2.1 dev2 dmz  
Add the route for connections to the network of ISP1.  
set system route number 2 dst 200.200.200.0 255.255.255.0 gw1  
2.2.2.1 dev1 dmz gw2 1.1.1.1 dev2 external  
Add the default route for primary and backup links to the Internet.  
set system route number 3 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1  
dev1 external gw2 2.2.2.1 dev2 dmz  
The routing table should have routes arranged as shown in Table 15.  
Table 15: Example combined routing table  
Destination IP‘ Mask  
Gateway #1 Device #1  
Gateway #2 Device #2  
100.100.100.0 255.255.255.0 1.1.1.1  
200.200.200.0 255.255.255.0 2.2.2.1  
external  
dmz  
2.2.2.1  
1.1.1.1  
2.2.2.1  
dmz  
external  
dmz  
0.0.0.0  
0.0.0.0  
1.1.1.1  
external  
54  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
NAT/Route mode installation  
Configuration example: Multiple connections to the Internet  
Policy routing examples  
Adding policy routing increases your control over how packets are routed. Policy  
routing works on top of destination-based routing. To increase the control provided by  
destination-based routing, configure destination-based routing first and then build  
policy routing on top.  
For example, if you use destination-based routing to configure routing for dual Internet  
connections, you can use policy routing to better control which traffic is sent to which  
destination route. This section describes the following policy routing examples, based  
on topology similar to that shown in Figure 9 on page 51. Differences are noted in  
each example.  
The policy routes described in these examples work only if you have already defined  
destination routes similar to those described in the previous section.  
For more information about policy routing, see “Policy routing” on page 156.  
Routing traffic from internal subnets to different external networks  
If the FortiGate unit provides Internet access for multiple internal subnets, you can use  
policy routing to control the route that traffic from each network takes to the Internet.  
For example, if the internal network includes the subnets 192.168.10.0 and  
192.168.20.0 you can enter the following policy routes:  
1
2
Enter the following command to route traffic from the 192.168.10.0 subnet to the  
100.100.100.0 external network:  
set system route policy 1 src 192.168.10.0 255.255.255.0 dst  
100.100.100.0 255.255.255.0 gw 1.1.1.1  
Enter the following command to route traffic from the 192.168.20.0 subnet to the  
200.200.200.0 external network:  
set system route policy 2 src 192.168.20.0 255.255.255.0 dst  
200.200.200.0 255.255.255.0 gw 2.2.2.1  
Routing a service to an external network  
You can use the following policy routes to direct all HTTP traffic (using port 80) to one  
external network and all other traffic to the other external network.  
1
2
Enter the following command to route all HTTP traffic using port 80 to the next hop  
gateway with IP address 1.1.1.1.  
set system route policy 1 src 0.0.0.0 0.0.0.0 dst 0.0.0.0  
0.0.0.0 protocol 6 port 80 80 gw 1.1.1.1  
Enter the following command to route all other traffic to the next hop gateway with IP  
address 2.2.2.1.  
Set system route policy 2 src 0.0.0.0 0.0.0.0 dst 0.0.0.0  
0.0.0.0 gw 2.2.2.1  
FortiGate-800 Installation and Configuration Guide  
55  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Configuration example: Multiple connections to the Internet  
NAT/Route mode installation  
Firewall policy example  
Firewall policies control how traffic flows through the FortiGate unit. After you  
configure routing for multiple Internet connections, you must create firewall policies.  
Firewall policies control which traffic is allowed through the FortiGate unit and the  
interfaces that this traffic can connect through.  
For traffic originating on the internal network to be able to connect to the Internet  
through both Internet connections, you must add redundant policies from the internal  
interface to each interface that connects to the Internet. After you add these policies,  
the routing configuration controls which Internet connection is used.  
Adding a redundant default policy  
Figure 9 on page 51 shows a FortiGate unit connected to the Internet using its internal  
and DMZ interfaces. The default policy allows all traffic from the internal network to  
connect to the Internet through the external interface. If you add a similar policy to the  
internal to DMZ policy list, this policy allows all traffic from the internal network to  
connect to the Internet through the DMZ interface. With both these policies added to  
the firewall configuration, the routing configuration determines which Internet  
connection the traffic from the internal network uses. For more information about the  
To add a redundant default policy  
1
2
3
Go to Firewall > Policy > Internal->DMZ.  
Select New.  
Configure the policy to match the default policy.  
Source  
Destination  
Schedule  
Service  
Action  
Internal_All  
DMZ_All  
Always  
ANY  
Accept  
NAT  
Select NAT.  
4
Select OK to save the changes.  
Adding more firewall policies  
In most cases your firewall configuration includes more than the default policy.  
However, the basic premise of creating redundant policies applies even as the firewall  
configuration becomes more complex. To configure the FortiGate unit to use multiple  
Internet connections you must add duplicate policies for connections between the  
internal network and both interfaces connected to the Internet. As well, as you add  
redundant policies, you must arrange them in both policy lists in the same order.  
56  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
NAT/Route mode installation  
Configuration example: Multiple connections to the Internet  
Restricting access to a single Internet connection  
In some cases you might want to limit some traffic to being able to use only one  
Internet connection. For example, in the topology shown in Figure 9 on page 51 the  
organization might want its mail server to be able to connect to only the SMTP mail  
server of ISP1. To do this, you add a single Internal->External firewall policy for  
SMTP connections. Because redundant policies have not been added, SMTP traffic  
from the Internet network is always connected to ISP1. If the connection to ISP1 fails  
the SMTP connection is not available.  
FortiGate-800 Installation and Configuration Guide  
57  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Configuration example: Multiple connections to the Internet  
NAT/Route mode installation  
58  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
FortiGate-800 Installation and Configuration Guide Version 2.50  
Transparent mode installation  
This chapter describes how to install your FortiGate unit in Transparent mode. If you  
want to install the FortiGate unit in NAT/Route mode, see “NAT/Route mode  
installation” on page 41. If you want to install two or more FortiGate units in HA mode,  
This chapter describes:  
Preparing to configure Transparent mode  
Use Table 16 to gather the information that you need to customize Transparent mode  
settings.  
Table 16: Transparent mode settings  
Administrator Password:  
IP:  
_____._____._____._____  
_____._____._____._____  
_____._____._____._____  
Netmask:  
Default Gateway:  
Management IP  
DNS Settings  
The management IP address and netmask must be valid for the network  
from which you will manage the FortiGate unit. Add a default gateway if the  
FortiGate unit must connect to a router to reach the management  
computer.  
Primary DNS Server:  
_____._____._____._____  
Secondary DNS Server: _____._____._____._____  
FortiGate-800 Installation and Configuration Guide  
59  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Using the setup wizard  
Transparent mode installation  
Using the setup wizard  
From the web-based manager, you can use the setup wizard to begin the initial  
configuration of the FortiGate unit. For information about connecting to the web-based  
Changing to Transparent mode using the web-based manager  
The first time that you connect to the FortiGate unit, it is configured to run in  
NAT/Route mode.  
To switch to Transparent mode using the web-based manager  
1
2
3
4
Go to System > Status.  
Select Change to Transparent Mode.  
Select Transparent in the Operation Mode list.  
Select OK.  
To reconnect to the web-based manager, change the IP address of the management  
computer to 10.10.10.2. Connect to the internal or DMZ interface and browse to  
https:// followed by the Transparent mode management IP address. The default  
FortiGate Transparent mode management IP address is 10.10.10.1.  
Starting the setup wizard  
1
2
3
Select Easy Setup Wizard (the middle button in the upper-right corner of the  
web-based manager).  
Use the information that you gathered in Table 16 on page 59 to fill in the wizard fields.  
Select the Next button to step through the wizard pages.  
Confirm your configuration settings, and then select Finish and Close.  
Reconnecting to the web-based manager  
If you changed the IP address of the management interface while you were using the  
setup wizard, you must reconnect to the web-based manager using the new IP  
address. Browse to https:// followed by the new IP address of the management  
interface. Otherwise, you can reconnect to the web-based manager by browsing to  
https://10.10.10.1. If you connect to the management interface through a router, make  
sure that you have added a default gateway for that router to the management IP  
default gateway field.  
60  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Transparent mode installation  
Using the front control buttons and LCD  
Using the front control buttons and LCD  
This procedure describes how to use the control buttons and LCD to configure  
Transparent mode IP addresses. Use the information that you recorded in Table 16 on  
page 59 to complete this procedure. Starting with Main Menu displayed on the LCD,  
use the front control buttons and LCD:  
1
2
Press Enter three times to configure the  
management interface IP address.  
Set the manager interface IP address.  
Use the up and down arrow keys to increase or decrease the value of each IP address  
digit. Press Enter to move to the next digit. Press Esc to move to the previous digit.  
Note: When you enter an IP address, the LCD always shows three digits for each part of the  
address. For example, the IP address 192.168.100.1 appears on the LCD as 192.168.100.001.  
The IP address 192.168.23.45 appears as 192.168.023.045.  
3
4
5
6
7
8
After you set the last digit of the IP address, press Enter.  
Use the down arrow to highlight Netmask.  
Press Enter and set the management IP Netmask.  
After you set the last digit of the Netmask, press Enter.  
Press Esc to return to the Main Menu.  
Repeat these steps to configure the default gateway, if required.  
Using the command line interface  
As an alternative to the setup wizard, you can begin the initial configuration of the  
FortiGate unit using the command line interface (CLI). To connect to the CLI, see  
you gathered in Table 16 on page 59 to complete the following procedures.  
Changing to Transparent mode using the CLI  
1
2
Make sure that you are logged into the CLI.  
Switch to Transparent mode. Enter:  
set system opmode transparent  
After a few seconds, the login prompt appears.  
3
4
Type adminand press Enter.  
The following prompt appears:  
Type ? for a list of commands.  
Confirm that the FortiGate unit has switched to Transparent mode. Enter:  
get system status  
The CLI displays the status of the FortiGate unit. The last line shows the current  
operation mode.  
Operation mode: Transparent  
FortiGate-800 Installation and Configuration Guide  
61  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Completing the configuration  
Transparent mode installation  
Configuring the Transparent mode management IP address  
1
2
Make sure that you are logged into the CLI.  
Set the management IP address and netmask to the IP address and netmask that you  
recorded in Table 16 on page 59. Enter:  
set system management ip <IP address> <netmask>  
Example  
set system management ip 10.10.10.2 255.255.255.0  
3
Confirm that the address is correct. Enter:  
get system management  
The CLI lists the management IP address and netmask.  
Configure the Transparent mode default gateway  
1
2
Make sure that you are logged into the CLI.  
Set the default route to the default gateway that you recorded in Table 16 on page 59.  
Enter:  
set system route number <number> gw1 <IP address>  
Example  
set system route number 0 gw1 204.23.1.2  
Completing the configuration  
Use the information in this section to complete the initial configuration of the FortiGate  
unit.  
Setting the date and time  
For effective scheduling and logging, the FortiGate system date and time must be  
accurate. You can either manually set the system date and time or configure the  
FortiGate unit to automatically keep its time correct by synchronizing with a Network  
Time Protocol (NTP) server.  
For information about setting the FortiGate system date and time, see “Setting system  
Enabling antivirus protection  
You can protect users on your internal network from downloading a virus from the  
Internet.  
1
2
3
4
5
Go to Firewall > Policy > Internal->External.  
Select Edit  
to edit this policy.  
Select Anti-Virus & Web filter to enable antivirus protection for this policy.  
Select the Scan Content Profile.  
Select OK to save the changes.  
62  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
               
Transparent mode installation  
Connecting the FortiGate unit to your networks  
Registering your FortiGate unit  
After purchasing and installing a new FortiGate unit, you can register the unit by going  
to the System Update Support page, or using a web browser to connect to  
http://support.fortinet.com and selecting Product Registration.  
To register, enter your contact information and the serial numbers of the FortiGate  
units that you or your organization have purchased. You can register multiple  
FortiGate units in a single session without re-entering your contact information.  
For more information about registration, see “Registering FortiGate units” on  
Configuring virus and attack definition updates  
You can configure the FortiGate unit to automatically check whether new versions of  
the virus definitions and attack definitions are available. If it finds new versions, the  
FortiGate unit automatically downloads and installs the updated definitions.  
The FortiGate unit uses HTTPS on port 8890 to check for updates. The FortiGate  
external interface must have a path to the FortiResponse Distribution Network (FDN)  
using port 8890.  
For information about configuring automatic virus and attack updates, see “Updating  
Connecting the FortiGate unit to your networks  
After you complete the initial configuration of the FortiGate-800 unit, you can connect  
the FortiGate-800 between your internal network and the Internet and to other  
networks.  
There are 4 10/100/1000 Base-TX connectors on the FortiGate-800:  
Internal for connecting to your internal network,  
External for connecting to your public switch or router and the Internet,  
DMZ and HA for connecting other networks,  
HA is also used to connect to another FortiGate-500 for high availability (see “High  
There are 4 10/100 Base-TX connectors on the FortiGate-800:  
Interfaces 1 to 4 for connecting up to four additional networks to your  
FortiGate-800.  
To connect the FortiGate-800 unit running in Transparent mode:  
1
2
Connect the Internal interface to the hub or switch connected to your internal network.  
Connect the External interface to the public switch or router provided by your Internet  
Service Provider.  
3
Optionally connect the DMZ and HA interfaces and interfaces 1 to 4 to hubs or  
switches connected to your other networks.  
FortiGate-800 Installation and Configuration Guide  
63  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Transparent mode configuration examples  
Transparent mode installation  
Figure 10: FortiGate-800 Transparent mode connections  
Internal Network  
Other Network  
Hub or Switch  
Internal  
DMZ  
I
N
T
E
R
N
A
L
E
X
T
E
R
N
A
L
D
M
Z
HA  
1
2
3
4
CONSOLE  
USB  
Esc  
Enter  
P
W
R
8
Interface 4  
External  
FortiGate-800  
Public Switch  
or Router  
Internet  
Other Network  
Transparent mode configuration examples  
A FortiGate unit operating in Transparent mode still requires a basic configuration to  
operate as a node on the IP network. As a minimum, the FortiGate unit must be  
configured with an IP address and subnet mask. These are used for management  
access and to allow the unit to receive antivirus and definitions updates. Also, the unit  
must have sufficient route information to reach:  
the management computer,  
The FortiResponse Distribution Network (FDN),  
a DNS server.  
A route is required whenever the FortiGate unit connects to a router to reach a  
destination. If all the destinations are located on the external network, you might be  
required to enter only a single default route. If, however, the network topology is more  
complex, you might be required to enter one or more static routes in addition to the  
default route.  
64  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Transparent mode installation  
Transparent mode configuration examples  
This section describes:  
Default routes and static routes  
To create a route to a destination, you need to define an IP prefix which consists of an  
IP network address and a corresponding netmask value. A default route matches any  
prefix and forwards traffic to the next hop router (otherwise known as the default  
gateway). A static route matches a more specific prefix and forwards traffic to the next  
hop router.  
Default route example  
:
IP Prefix 0.0.0.0 (IP address)  
0.0.0.0 (Netmask)  
Next Hop 192.168.1.2  
Static Route example  
IP Prefix 172.100.100.0 (IP address)  
255.255.255.0 (Netmask)  
Next Hop 192.168.1.2  
Note: When adding routes to the FortiGate unit, add the default route last so that it appears on  
the bottom of the route list. This makes sure that the unit attempts to match more specific routes  
before selecting the default route.  
Example default route to an external network  
Figure 11 shows a FortiGate unit where all destinations, including the management  
computer, are located on the external network. To reach these destinations, the  
FortiGate unit must connect to the “upstream” router leading to the external network.  
To facilitate this connection, you must enter a single default route that points to the  
upstream router as the next hop/default gateway.  
FortiGate-800 Installation and Configuration Guide  
65  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Transparent mode configuration examples  
Transparent mode installation  
Figure 11: Default route to an external network  
FortiResponse  
Distribution  
DNS  
Network (FDN)  
Internet  
Management  
Computer  
Upstream  
Router  
Gateway IP 192.168.1.2  
DMZ  
Management IP 192.168.1.1  
I
N
T
E
R
N
A
L
E
X
T
E
R
N
A
L
D
M
Z
HA  
1
2
3
4
CONSOLE  
USB  
Esc  
Enter  
P
W
R
FortiGate-800  
8
Internal Network  
General configuration steps  
1
2
3
Set the FortiGate unit to operate in Transparent mode.  
Configure the Management IP address and Netmask of the FortiGate unit.  
Configure the default route to the external network.  
66  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Transparent mode installation  
Transparent mode configuration examples  
Web-based manager example configuration steps  
To configure basic Transparent mode settings and a default route using the  
web-based manager  
1
2
3
Go to System > Status.  
Select Change to Transparent Mode.  
Select Transparent in the Operation Mode list.  
Select OK.  
The FortiGate unit changes to Transparent mode.  
Go to System > Network > Management.  
Change the Management IP and Netmask:  
IP: 192.168.1.1  
Mask: 255.255.255.0  
Select Apply.  
Go to System > Network > Routing.  
Select New to add the default route to the external network.  
Destination IP: 0.0.0.0  
Mask: 0.0.0.0  
Gateway: 192.168.1.2  
Select OK.  
CLI configuration steps  
To configure the Fortinet basic settings and a default route using the CLI:  
1
2
3
Change the system to operate in Transparent Mode.  
set system opmode transparent  
Add the Management IP address and Netmask.  
set system management ip 192.168.1.1 255.255.255.0  
Add the default route to the external network.  
set system route number 1 gw1 192.168.1.2  
Example static route to an external destination  
Figure 12 shows a FortiGate unit that requires routes to the FDN located on the  
external network. The Fortigate unit does not require routes to the DNS servers or  
management computer because they are located on the internal network.  
To connect to the FDN, you typically enter a single default route to the external  
network. However, for additional security, you can enter static routes to a specific  
FortiResponse server in addition to a default route to the external network. If the static  
route becomes unavailable (for example, because the IP address of the  
FortiResponse server changes) the FortiGate unit can still receive antivirus and NIDS  
updates from the FDN using the default route.  
FortiGate-800 Installation and Configuration Guide  
67  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Transparent mode configuration examples  
Transparent mode installation  
Note: This is an example configuration only. To configure a static route, you require a  
destination IP address.  
Figure 12: Static route to an external destination  
24.102.233.5  
FortiResponse  
Distribution  
Internet  
Network (FDN)  
Upstream  
Router  
DNS  
Gateway IP 192.168.1.2  
DMZ  
Management IP 192.168.1.1  
I
N
T
E
R
N
A
L
E
X
T
E
R
N
A
L
D
M
Z
HA  
1
2
3
4
CONSOLE  
USB  
Esc  
Enter  
P
W
R
FortiGate-800  
8
Internal Network  
Management  
Computer  
General configuration steps  
1
2
3
4
Set the FortiGate unit to operate in Transparent mode.  
Configure the Management IP address and Netmask of the FortiGate unit.  
Configure the static route to the FortiResponse server.  
Configure the default route to the external network.  
Web-based manager example configuration steps  
To configure the basic FortiGate settings and a static route using the web-based  
manager:  
1
Go to System > Status.  
Select Change to Transparent Mode.  
Select Transparent in the Operation Mode list.  
Select OK.  
The FortiGate unit changes to Transparent mode.  
68  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Transparent mode installation  
Transparent mode configuration examples  
2
Go to System > Network > Management.  
Change the Management IP and Netmask:  
IP: 192.168.1.1  
Mask: 255.255.255.0  
Select Apply.  
3
Go to System > Network > Routing.  
Select New to add the static route to the FortiResponse server.  
Destination IP: 24.102.233.5  
Mask: 255.255.255.0  
Gateway: 192.168.1.2  
Select OK.  
Select New to add the default route to the external network.  
Destination IP: 0.0.0.0  
Mask: 0.0.0.0  
Gateway: 192.168.1.2  
Select OK.  
CLI configuration steps  
To configure the Fortinet basic settings and a static route using the CLI:  
1
2
3
Set the system to operate in Transparent Mode.  
set system opmode transparent  
Add the Management IP address and Netmask.  
set system management ip 192.168.1.1 255.255.255.0  
Add the static route to the primary FortiResponse server.  
set system route number 1 dst 24.102.233.5 255.255.255.0 gw1  
192.168.1.2  
4
Add the default route to the external network.  
set system route number 2 gw1 192.168.1.2  
Example static route to an internal destination  
Figure 13 shows a FortiGate unit where the FDN is located on an external subnet and  
the management computer is located on a remote, internal subnet. To reach the FDN,  
you need to enter a single default route that points to the upstream router as the next  
hop/default gateway. To reach the management computer, you need to enter a single  
static route that leads directly to it. This route points to the internal router as the next  
hop. (No route is required for the DNS servers because they are on the same layer 3  
subnet as the FortiGate unit.)  
FortiGate-800 Installation and Configuration Guide  
69  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Transparent mode configuration examples  
Transparent mode installation  
Figure 13: Static route to an internal destination  
FortiResponse  
Distribution  
Internet  
Network (FDN)  
Upstream  
Router  
DNS  
Gateway IP 192.168.1.2  
DMZ  
Management IP 192.168.1.1  
I
N
T
E
R
N
A
L
E
X
T
E
R
N
A
L
D
M
Z
HA  
1
2
3
4
CONSOLE  
USB  
Esc  
Enter  
P
W
R
FortiGate-800  
8
Internal Network A  
Gateway IP  
192.168.1.3  
Internal  
Router  
Internal Network B  
Management Computer  
172.16.1.11  
General configuration steps  
1
2
3
4
Set the unit to operate in Transparent mode.  
Configure the Management IP address and Netmask of the FortiGate unit.  
Configure the static route to the management computer on the internal network.  
Configure the default route to the external network.  
70  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Transparent mode installation  
Transparent mode configuration examples  
Web-based manager example configuration steps  
To configure the FortiGate basic settings, a static route, and a default route using the  
web-based manager:  
1
2
3
Go to System > Status.  
Select Change to Transparent Mode.  
Select Transparent in the Operation Mode list.  
Select OK.  
The FortiGate unit changes to Transparent mode.  
Go to System > Network > Management.  
Change the Management IP and Netmask:  
IP: 192.168.1.1  
Mask: 255.255.255.0  
Select Apply.  
Go to System > Network > Routing.  
Select New to add the static route to the management computer.  
Destination IP: 172.16.1.11  
Mask: 255.255.255.0  
Gateway: 192.168.1.3  
Select OK.  
Select New to add the default route to the external network.  
Destination IP: 0.0.0.0  
Mask: 0.0.0.0  
Gateway: 192.168.1.2  
Select OK.  
CLI configuration steps  
To configure the FortiGate basic settings, a static route, and a default route using the  
CLI:  
1
2
3
Set the system to operate in Transparent Mode.  
set system opmode transparent  
Add the Management IP address and Netmask.  
set system management ip 192.168.1.1 255.255.255.0  
Add the static route to the management computer.  
set system route number 1 dst 172.16.1.11 255.255.255.0 gw1  
192.168.1.3  
4
Add the default route to the external network.  
set system route number 2 gw1 192.168.1.2  
FortiGate-800 Installation and Configuration Guide  
71  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Transparent mode configuration examples  
Transparent mode installation  
72  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
FortiGate-800 Installation and Configuration Guide Version 2.50  
High availability  
Fortinet achieves high availability (HA) using redundant hardware and the FortiGate  
Clustering Protocol (FGCP). Each FortiGate unit in an HA cluster uses the same  
overall security policy and shares the same configuration settings. You can add up to  
32 FortiGate units to an HA cluster. Each FortiGate unit in an HA cluster must be the  
same model and must run the same FortiOS firmware image.  
FortiGate HA is device redundant. If one of the FortiGate units in an HA cluster fails,  
1
all functions, all established firewall connections, and all IPSec VPN sessions are  
maintained by the other FortiGate units in the HA cluster.  
You manage the cluster by connecting to the cluster web-based manager from any  
cluster interface configured for HTTPS administrative access. You can also manage  
the cluster by connecting to the cluster CLI from any cluster interface configured for  
SSH administrative access. All configuration changes made to the cluster are  
automatically synchronized to all cluster members.  
From the web-based manager you can monitor the status and log messages of the  
cluster and of each of the FortiGate units in the cluster. You can also monitor the  
cluster by using an SNMP manager to get SNMP information from or receive traps for  
any cluster interface configured for SNMP administrative access.  
The FortiGate units in the cluster use dedicated HA ethernet interfaces to  
communicate cluster session information, synchronize the cluster configuration, and  
report individual system status.The units in the cluster constantly communicate HA  
status information to make sure that the cluster is operating properly. For this reason,  
the connection between the HA interface of all the FortiGate units in the cluster must  
be well maintained. An interruption of this communication can have unpredictable  
results.  
Note: The HA interfaces of the FortiGate units in a cluster are assigned IP addresses during  
cluster negotiation. These IP addresses cannot be viewed using the web-based manager or the  
CLI. Attempting to change the IP address of an HA interface using the web-based manager or  
the CLI has no effect on the IP address assigned during cluster negotiation. HA interfaces only  
accept connections used for HA communication between units in the cluster. You cannot  
connect to the HA interfaces to manage the cluster or to manage individual FortiGate units in  
the cluster.  
FortiGate units can be configured to operate in active-passive (A-P) or active-active  
(A-A) HA mode. Active-active and active-passive clusters can run in either NAT/Route  
or Transparent mode.  
1.HA does not provide session failover for PPPoE, DHCP, PPTP, and L2TP services.  
FortiGate-800 Installation and Configuration Guide  
73  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Configuring an HA cluster  
High availability  
An active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a  
primary FortiGate unit that processes traffic, and one or more subordinate FortiGate  
units. The subordinate FortiGate units are connected to the network and to the  
primary FortiGate unit but do not process traffic.  
Active-active (A-A) HA load balances virus scanning among all the FortiGate units in  
the cluster. An active-active HA cluster consists of a primary FortiGate unit that  
processes traffic and subordinate units that also process traffic. The primary FortiGate  
unit uses a load balancing algorithm to distribute virus scanning to all the FortiGate  
units in the HA cluster.  
This chapter provides an overview of HA functionality and describes how to configure  
and manage HA clusters in NAT/Route mode and Transparent mode.  
Configuring an HA cluster  
Use the following procedures to create an HA cluster consisting of two or more  
FortiGate units. These procedures describe how to configure each of the FortiGate  
units for HA operation and then how to connect the FortiGate units to form a cluster.  
Once the cluster is connected you can configure it in the same way as you would  
configure a standalone FortiGate unit.  
This section describes:  
Configuring FortiGate units for HA operation  
Each FortiGate unit in the cluster must have the same HA configuration. Use the  
following procedure to configure each FortiGate unit for HA operation.  
To configure a FortiGate unit for HA operation  
Power on the FortiGate unit that you want to configure.  
Connect to the web-based manager.  
1
2
3
Give the FortiGate unit a unique host name.  
See “Changing the FortiGate host name” on page 94. Use host names to identify  
individual cluster units.  
4
5
Go to System > Config > HA.  
Select HA.  
74  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
High availability  
Configuring an HA cluster  
6
Select the HA mode.  
Select Active-Active mode to create an Active-Active HA cluster.  
Select Active-Passive mode to create an Active-Passive HA cluster.  
The HA mode must be the same for all FortiGate units in the HA cluster.  
7
8
9
Enter and confirm a password for the HA cluster.  
The password must be the same for all FortiGate units in the HA cluster.  
Select a Group ID for the HA cluster.  
The Group ID must be the same for all FortiGate units in the HA cluster.  
If you are configuring Active-Active HA, select a schedule.  
The schedule controls load balancing among the FortiGate units in the active-active  
HA cluster. The schedule must be the same for all FortiGate units in the HA cluster.  
None  
Hub  
No load balancing. Select None when the cluster interfaces are  
connected to load balancing switches.  
Load balancing for hubs. Select Hub if the cluster interfaces are  
connected to a hub. Traffic is distributed to units in a cluster based on  
the Source IP and Destination IP of the packet.  
Least Connection  
Round Robin  
Least connection load balancing. If the FortiGate units are connected  
using switches, select Least connection to distribute traffic to the cluster  
unit with the fewest concurrent connections.  
Round robin load balancing. If the FortiGate units are connected using  
switches, select round robin to distribute traffic to the next available  
cluster unit.  
Weighted Round  
Robin  
Weighted round robin load balancing. Similar to round robin, but  
weighted values are assigned to each of the units in a cluster based on  
their capacity and on how many connections they are currently  
processing. For example, the primary unit should have a lower weighted  
value because it handles scheduling and forwards traffic. Weighted  
round robin distributes traffic more evenly because units that are not  
processing traffic will be more likely to receive new connections than  
units that are very busy.  
Random  
IP  
Random load balancing. If the FortiGate units are connected using  
switches, select random to randomly distribute traffic to cluster units.  
Load balancing according to IP address. If the FortiGate units are  
connected using switches, select IP to distribute traffic to units in a  
cluster based on the Source IP and Destination IP of the packet.  
IP Port  
Load balancing according to IP address and port. If the FortiGate units  
are connected using switches, select IP Port to distribute traffic to units  
in a cluster based on the Source IP, Source Port, Destination IP, and  
Destination port of the packet.  
Note: Do not configure Monitor on Interface until the FortiGate cluster is connected and  
10  
Select Apply.  
The FortiGate unit negotiates to establish an HA cluster. When you select apply you  
might temporarily loose connectivity with the FortiGate unit as the HA cluster  
negotiates.  
FortiGate-800 Installation and Configuration Guide  
75  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Configuring an HA cluster  
High availability  
Figure 14: Example Active-Active HA configuration  
11  
If you are configuring a NAT/Route mode cluster, power off the FortiGate unit and then  
repeat this procedure for all the FortiGate units in the cluster. Once all the units are  
configured, proceed to “Connecting the cluster” on page 76.  
12  
If you are configuring a Transparent mode cluster, reconnect to the web-based  
manager.  
You might have to wait a few minutes before you can reconnect.  
13  
14  
Go to System > Status.  
Select Change to Transparent Mode and select OK to switch the FortiGate unit to  
Transparent mode.  
15  
16  
Power off the FortiGate unit.  
Repeat this procedure for all the FortiGate units in the cluster.  
Connecting the cluster  
Use the following procedure to connect a cluster operating in NAT/Route mode or  
Transparent mode. Connect the FortiGate units in the cluster to each other and to  
your network. You must connect all matching interfaces in the cluster to the same hub  
or switch. Then you must connect these interfaces to their networks using the same  
hub or switch.  
Fortinet recommends using switches for all cluster connections for the best  
performance.  
The FortiGate units in the cluster use dedicated HA ethernet interfaces to  
communicate HA status information to make sure the cluster is functioning properly.  
For this reason, the connection between the HA interfaces of all the FortiGate units in  
the cluster must be well maintained. An interruption of this communication can have  
unpredictable results.  
76  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
High availability  
Configuring an HA cluster  
Inserting an HA cluster into your network temporarily interrupts communications on  
the network because new physical connections are being made to route traffic through  
the cluster. Also, starting the cluster interrupts network traffic until the individual  
FortiGate units in the cluster are functioning and the cluster completes negotiation.  
Cluster negotiation normally takes just a few seconds. During system startup and  
negotiation all network traffic is dropped.  
To connect the cluster  
1
Connect the cluster units:  
Connect the internal interfaces of each FortiGate unit to a switch or hub connected  
to your internal network.  
Connect the external interfaces of each FortiGate unit to a switch or hub connected  
to your external network.  
Optionally connect the DMZ interfaces of each FortiGate unit to a switch or hub  
connected to your DMZ network.  
Optionally connect ports 1 to 4 of each FortiGate unit to switches or hubs  
connected to other networks.  
Connect the HA interfaces of the FortiGate units to another switch or hub.  
Figure 15: HA network configuration  
Internal Network  
Internal  
External  
I
N
T
E
R
N
A
L
E
X
T
E
R
N
A
L
D
M
Z
HA  
1
2
3
4
CONSOLE  
USB  
Esc  
Enter  
P
W
R
8
HA  
Hub or  
Switch  
Hub or  
Switch  
HA  
Router  
I
N
T
E
R
N
A
L
E
X
T
E
R
N
A
L
D
M
Z
HA  
1
2
3
4
CONSOLE  
USB  
Esc  
Enter  
P
W
R
8
Internal  
External  
Internet  
FortiGate-800 Installation and Configuration Guide  
77  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Managing an HA cluster  
High availability  
2
Power on all the FortiGate units in the cluster.  
As the units power on they negotiate to choose the primary cluster unit and the  
subordinate units. This negotiation occurs with no user intervention.  
When negotiation is complete the you can configure the cluster as if it was a single  
FortiGate unit. Use the information in “NAT/Route mode installation” on page 41 or  
“Transparent mode installation” on page 59 to configure the cluster interfaces,  
configure your network, and complete the cluster configuration.  
Note: Do not change the HA interface IP address. The HA interface of each FortiGate unit in the  
cluster is assigned an IP address during cluster negotiation.  
Use the information in “Managing an HA cluster” on page 78 to log into and manage  
the cluster.  
Adding a new FortiGate unit to a functioning cluster  
You can add a new FortiGate unit to a functioning cluster at any time. The new  
FortiGate unit must be the same model as the other units in the cluster and must be  
running the same firmware version.  
To add a new unit to the cluster  
1
2
Configure the new FortiGate unit for HA operation with the same HA configuration as  
the other units in the cluster.  
If the cluster is running in Transparent mode, change the operating mode of the new  
FortiGate unit to Transparent mode.  
3
4
Connect the new FortiGate unit to the cluster.  
Power on the new FortiGate unit.  
When the unit powers on it negotiates to join the cluster. After it joins the cluster, the  
cluster synchronizes the new unit configuration with the configuration of the primary  
unit.  
Managing an HA cluster  
The configurations of all of the FortiGate units in the cluster are synchronized so that  
the FortiGate units can function as a cluster. Because of this synchronization, you  
manage the HA cluster instead of managing the individual FortiGate units in the  
cluster. You manage the cluster by connecting to the web-based manager or CLI  
using any interface configured for management access (except the HA interface). All  
units in the cluster are synchronized with the same interface IP addresses.  
Connecting to any interface IP address configured for management access connects  
to that cluster interface, which automatically connects you to the primary FortiGate  
unit in the cluster.  
78  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
High availability  
Managing an HA cluster  
You can also use SNMP to manage the cluster by configuring a cluster interface for  
SNMP administrative access. Using an SNMP manager you can get cluster  
configuration information and receive traps.  
Note: You cannot connect to the HA interfaces to manage the cluster or to manage individual  
FortiGate units in the cluster.  
You can change the cluster configuration by connecting to the cluster and changing  
the configuration of the primary FortiGate unit. The cluster automatically synchronizes  
all configuration changes to the subordinate units in the cluster as the changes are  
made.  
The only configuration change that is not synchronized is the FortiGate host name.  
You can give each cluster unit a unique host name to help to identify cluster members.  
For information about changing the host name of cluster members, see “Changing  
You can use the web-based manager to monitor the status and logs of individual  
You can manage individual cluster units by using SSH to connect to the CLI of the  
cluster. From the CLI you can use the execute ha managecommand to connect to  
the CLI of each unit in the cluster. You can also manage individual cluster units by  
using a null-modem cable to connect to the primary cluster unit. From there you can  
also use the execute ha managecommand to connect to the CLI of each unit in the  
cluster. See “Managing individual cluster units” on page 83 for more information.  
This section describes:  
Configuring cluster interface monitoring  
Monitor FortiGate interfaces to make sure that they are functioning properly and that  
they are connected to their networks. If a monitored interface fails or is disconnected  
from its network, the FortiGate unit stops processing traffic and is removed from the  
cluster. If you can re-establish traffic flow through the interface (for example, if you  
reconnect a disconnected network cable) the FortiGate unit rejoins the cluster.  
FortiGate-800 Installation and Configuration Guide  
79  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Managing an HA cluster  
High availability  
Note: Only monitor interfaces that are connected to networks. You should not configure cluster  
interface monitoring until the cluster is connected to your network.  
To monitor cluster interfaces  
1
2
3
Connect to the cluster and log into the web-based manager.  
Go to System > Config > HA.  
In the Monitor on Interface section, select the names of the interfaces that you want to  
monitor.  
4
Select Apply.  
The cluster synchronizes this configuration change to all cluster units.  
Viewing the status of cluster members  
The web-based manager lists the serial numbers of all the FortiGate units in the  
cluster. The primary unit is identified as Local. For each cluster member, the list  
includes the up time and status for that cluster member.  
To view the status of each cluster member  
1
2
Connect to the cluster and log into the web-based manager.  
Go to System > Status > Cluster Members.  
Figure 16: Example cluster members list  
Monitoring cluster members  
To monitor health information for each cluster member  
1
2
Connect to the cluster and log into the web-based manager.  
Go to System > Status > Monitor.  
The cluster displays CPU, memory status, and hard disk status for each cluster  
member. The primary unit is identified as Local and the other units in the cluster are  
listed by serial number.  
The display includes bar graphs of current CPU and memory usage as well as line  
graphs of CPU and memory usage for the past minute.  
80  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
High availability  
Managing an HA cluster  
3
Select Sessions & Network.  
The cluster displays sessions and network status for each cluster member. The  
primary unit is identified as Local and the other units in the cluster are listed by serial  
number.  
The display includes bar graphs of the current number of sessions and current  
network utilization as well as line graphs of session and network utilization usage for  
the last minute. The line graph scales are shown in the upper left corner of the graph.  
Figure 17: Example cluster CPU, memory, and hard disk display  
4
5
Select Virus & Intrusions.  
The cluster displays virus and intrusions status for each cluster member. The primary  
unit is identified as Local and the other units in the cluster are listed by serial number.  
The display includes bar graphs of the number viruses and intrusions detected per  
hour as well as line graphs of the number of viruses and intrusions detected for the  
last 20 hours.  
Select Packets & Bytes.  
The cluster displays the number of packets and bytes processed by each cluster  
member.  
To set the update frequency  
Select the automatic refresh interval.  
Select Go.  
1
2
More frequent updates use more system resources and increase network traffic.  
However, this only occurs when you are viewing the display using the web-based  
manager.  
FortiGate-800 Installation and Configuration Guide  
81  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Managing an HA cluster  
High availability  
Viewing cluster sessions  
To view the cluster communication sessions  
1
2
Connect to the cluster and log into the web-based manager.  
Go to System > Status > Session.  
The session table displays the sessions processed by the primary unit in the cluster,  
including HA communication sessions between the primary unit and the subordinate  
units. HA communications use:  
Port 702 as the destination port,  
From and To IP address on the 10.0.0.0 subnet.  
During cluster negotiation, the HA interface of each cluster unit is assigned an IP  
address. The IP address of the primary unit is 10.0.0.1. The IP address of the first  
subordinate unit is 10.0.0.2. The IP address of the second subordinate unit is  
10.0.0.3 and so on.  
Viewing and managing cluster log messages  
To view log messages for each cluster member  
1
2
Connect to the cluster and log into the web-based manager.  
Go to Log&Report > Logging.  
The cluster displays the primary unit Traffic log, Event log, Attack log, Antivirus log,  
Web Filter log, and Email Filter log.  
The pull-down list at the upper right of the display identifies the unit for which logs are  
displayed. The primary unit is identified as Local and the other units in the cluster are  
listed by serial number.  
3
4
Select the serial number of one of the units in the cluster to display the logs for this  
cluster unit.  
You can view logs saved to memory or logs saved to the hard disk, depending on the  
configuration of the cluster unit.  
For each cluster unit:  
If the cluster unit logs to memory you can view, search, and manage log  
messages. For more information, see “Viewing logs saved to memory” on  
If the cluster unit contains a hard disk you can view, search, and manage log  
messages. For more information, see:  
82  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
High availability  
Managing an HA cluster  
Monitoring cluster units for failover  
If the primary unit in the cluster fails, the units in the cluster renegotiate to select a new  
primary unit. Failure of the primary unit results in the following:  
If SNMP is enabled, the new primary FortiGate unit sends the trap message “HA  
switch”. This trap indicates that the primary unit in an HA cluster has failed and has  
been replaced with a new primary unit.  
The cluster contains fewer FortiGate units. The failed primary unit no longer  
appears on the Cluster Members list.  
The host name and serial number of the primary cluster unit changes.  
The new primary unit logs the following messages to the event log:  
HA slave became master  
Detected HA member dead  
If a subordinate unit fails, the cluster continues to function normally. Failure of a  
subordinate unit results in the following:  
The cluster contains fewer FortiGate units. The failed unit no longer appears on the  
Cluster Members list.  
The master unit logs the following message to the event log:  
Detected HA member dead  
Viewing cluster communication sessions  
1
2
Connect to the cluster and log into the web-based manager.  
Go to System > Status > Session.  
The session table displays the sessions processed by the primary unit in the cluster,  
including HA communication sessions between the primary unit and the subordinate  
units. HA communications use:  
Port 702 as the destination port,  
From and To IP address on the 10.0.0.0 subnet.  
During cluster negotiation, the HA interface of each cluster unit is assigned an IP  
address. The IP address of the primary unit is 10.0.0.1. The IP address of the first  
subordinate unit is 10.0.0.2. The IP address of the second subordinate unit is  
10.0.0.3 and so on.  
Managing individual cluster units  
You can connect to the CLI of each unit in the cluster. This procedure describes how  
to log into the primary unit CLI and from there connect to the CLI of subordinate  
cluster units. You log into the subordinate unit with the ha_admin administrator  
account. This built-in administrator account gives you read & write permission on the  
subordinate unit. For information about administration accounts and permissions, see  
FortiGate-800 Installation and Configuration Guide  
83  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Managing an HA cluster  
High availability  
To manage a cluster unit  
1
Use SSH to connect to the cluster and log into the CLI.  
Connect to any cluster interface configured for SSH management to log into the  
cluster.  
You can also use a direct cable connection to log into the primary unit CLI. (To do this  
you must know which unit is the primary unit. See “Selecting a FortiGate unit as a  
permanent primary unit” on page 87 to control which FortiGate unit becomes the  
primary unit).  
2
3
Enter the following command followed by a space and type a question mark (?):  
execute ha manage  
The CLI displays a list of all the subordinate units in the cluster. Each cluster unit is  
numbered, starting at 1. The information displayed for each cluster unit includes the  
unit serial number and host name of the unit.  
Complete the command with the number of the subordinate unit to log into. For  
example, to log into subordinate unit 1, enter the following command:  
execute ha manage 1  
Press Enter and you are connected to and logged into the CLI of the selected  
subordinate unit. If this subordinate unit has a different host name, the CLI prompt  
changes to this host name. You can use CLI commands to manage this subordinate  
unit.  
4
Enter the following command to return to the primary unit CLI:  
exit  
You can use the execute ha managecommand to log into the CLI of any of the  
other subordinate units in the cluster.  
Changing cluster unit host names  
You can identify individual cluster units by giving each unit a unique host name. The  
host name is the only configuration setting not synchronized by the cluster.  
To set the host name of each cluster member  
1
2
Use SSH to connect to the cluster and log into the CLI.  
Enter the following command to change the host name of the primary unit:  
set system hostname <hostname_str>  
3
4
Use the information in “Managing individual cluster units” on page 83 to log into each  
cluster member.  
Enter the following command to change the host name of the cluster member.  
set system hostname <hostname_str>  
5
Repeat steps 3 and 4 for each cluster member.  
84  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
High availability  
Managing an HA cluster  
Synchronizing the cluster configuration  
Cluster synchronization keeps all units in the cluster synchronized with the master  
unit. This includes:  
System configuration  
Virus definition updates  
Attack definition updates  
Web filter lists  
Email filter lists  
Replacement messages  
CA certificates  
Local certificates  
Synchronization with all cluster members occurs in real time as the administrator  
changes or adds configuration settings to the primary unit. When the primary unit  
downloads antivirus or attack definition updates, all cluster members also receive  
these updates.  
From each subordinate unit, you can also use the execute ha synchronize  
command to manually synchronize its configuration with the primary unit. Using this  
command you can synchronize the following:  
Table 17: execute ha synchronizekeywords  
Keyword  
Description  
config  
Synchronize the FortiGate configuration. This includes normal system  
configuration, firewall configuration, VPN configuration and so on stored in the  
FortiGate configuration file.  
avupd  
Synchronize the antivirus engine and antivirus definitions received by the  
primary unit from the FortiResponse Distribution Network (FDN).  
attackdef  
Synchronize NIDS attack definition updates received by the primary unit from  
the FDN.  
weblists  
Synchronize web filter lists added to or changed on the primary unit.  
emaillists Synchronize email filter lists added to or changed on the primary unit.  
resmsg  
ca  
Synchronize replacement messages changed on the primary unit.  
Synchronize CA certificates added to the primary unit.  
Synchronize local certificates added to the primary unit.  
Synchronize all of the above.  
localcert  
all  
To manually synchronize the configuration of subordinate units with the  
primary unit  
1
2
Connect to the cluster and log into the CLI.  
Connect to the CLI of each of the subordinate units in the cluster.  
For information about connecting to subordinate units, see “Managing individual  
3
Use the execute ha synchronizecommand to synchronize the configuration of  
the subordinate unit.  
FortiGate-800 Installation and Configuration Guide  
85  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Managing an HA cluster  
High availability  
4
Repeat steps 2 and 3 for all the subordinate units in the HA cluster.  
Upgrading firmware  
To upgrade the firmware of the FortiGate units in a cluster, you must upgrade the  
firmware of each unit separately. In most cases, if you are upgrading to a new  
firmware build within the same firmware version (for example, upgrading from 2.50  
build069 to 2.50 build070), you can do firmware upgrades using the following  
procedure and without interrupting cluster operation. This procedure involves  
uploading a new firmware image to the primary unit. Once the firmware image is  
uploaded, the primary unit restarts, running the new firmware version. When the  
primary unit restarts, it is removed from the cluster, which fails over to a new primary  
unit. During the failover, service might be interrupted if the cluster is very busy.  
Because of this interruption and in case the firmware upgrade fails, you should do this  
procedure only during off peak times when the cluster is not busy.  
Note: if you are upgrading to a new firmware version (for example, from 2.50 to 2.80) and in  
some cases if you are upgrading to a new maintenance release of the same firmware version,  
you must remove individual units from the cluster. For more information, see “Changing the  
To upgrade the firmware version for all the units in a cluster  
1
2
Copy the firmware image file to your management computer.  
Connect to the cluster and log into the web-based manager as the admin  
administrative user.  
3
4
5
Go to System > Status.  
Select Firmware Upgrade  
.
Enter the path and filename of the firmware image file, or select Browse and locate the  
file.  
6
Select OK.  
The primary FortiGate unit uploads the firmware image file, upgrades to the new  
firmware version, and restarts. When this happens the primary FortiGate unit is  
removed from the cluster and one of the subordinate units becomes the new primary  
unit. After the failover occurs you can log into the cluster again to connect to the new  
primary unit.  
7
8
Connect to the cluster and log into the web-based manager as the admin  
administrative user.  
Repeat steps 3 to 7 for each cluster unit.  
Once the firmware upgrade is finished for all the FortiGate units in the cluster, log into  
the cluster and update antivirus and attack definitions for the cluster. For information  
about updating antivirus and attack definitions, see “Manually initiating antivirus and  
86  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
High availability  
Advanced HA options  
Replacing a FortiGate unit after failover  
A failover can occur because of a hardware or software problem. When a failover  
occurs, you can attempt to restart the failed FortiGate unit by cycling its power. If the  
FortiGate unit starts up correctly, it rejoins the HA cluster, which then continues to  
function normally. If the FortiGate unit does not restart normally or does not rejoin the  
HA cluster, you must take it out of the network and either reconfigure or replace it.  
Once the FortiGate unit is reconfigured or replaced, change its HA configuration to  
match the FortiGate unit that failed and reconnect it to the network. The reconnected  
FortiGate unit then automatically joins the HA cluster.  
Advanced HA options  
You can configure the following advanced HA options using the FortiGate CLI:  
Selecting a FortiGate unit as a permanent primary unit  
In a typical FortiGate cluster configuration, the primary unit is selected automatically.  
In some situations, you might want to control which unit becomes the primary unit. You  
can select a FortiGate unit as the permanent primary unit by changing its priority and  
configuring it to override any other primary unit.  
To select a permanent primary unit  
1
2
Connect to the CLI of the FortiGate unit that you want to become the permanent  
primary unit.  
Set the priority of the permanent primary unit. Enter:  
set system ha priority <priority_int>  
Where <priority_int>is the priority to set for the permanent primary unit. The unit  
with the lowest priority becomes the primary unit. The default priority is 128. Set the  
priority of the permanent primary unit to a number lower than 128.  
For example, to set the priority of the permanent primary unit to 10, enter the  
command:  
set system ha priority 10  
3
4
Make sure that the priority of all the other units in the cluster is higher than the priority  
of the permanent primary unit.  
The command get system ha modedisplays the current priority of the FortiGate  
unit that you are connected to.  
Configure the permanent primary unit to override an existing primary unit when it joins  
the cluster. Use the following command to configure primary unit override:  
FortiGate-800 Installation and Configuration Guide  
87  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Advanced HA options  
High availability  
set system ha override enable  
Enable override so that the permanent primary unit overrides any other primary unit.  
For example, if the permanent primary unit shuts down, one of the other units in the  
cluster replaces it as the primary unit. When the permanent primary unit is restarted, it  
can become the primary unit again only if override is enabled.  
Configuring the priority of each FortiGate unit in the cluster  
In addition to selecting a permanent primary FortiGate unit, you can set the priorities  
of each of the subordinate units in the cluster to control the failover path. For example,  
if you have three FortiGate units in an HA cluster and you configured one as the  
permanent primary FortiGate unit, you might always want the cluster to failover to the  
same FortiGate unit if the primary unit fails.  
If you have many FortiGate units in the cluster, you can assign a different priority to  
each of them to create a failover path.  
To set the priority of each FortiGate unit in a cluster  
1
2
Connect to the cluster and log into the CLI.  
Select a permanent primary unit by following all the steps in the procedure “Selecting  
3
4
From the primary unit CLI, enter the following command to log into a subordinate  
cluster member:  
execute ha manage <cluster-member_int>  
Set the priority of the cluster member. Enter:  
set system ha priority <priority_int>  
Where <priority_int>is the priority to set for the permanent primary unit. The  
permanent primary unit must have the lowest priority. The unit with the second lowest  
priority always becomes the new primary unit if the permanent primary unit fails. The  
default priority is 128.  
For example, to set the priority of a cluster unit to 20, enter the command:  
set system ha priority 20  
5
6
Enter the command exitto return to the primary unit CLI.  
Repeat steps 3 to 5 for each cluster unit.  
Configuring weighted-round-robin weights  
By default, in active-active HA mode the weighted round-robin schedule assigns the  
same weight to each FortiGate unit in the cluster. If you configure a cluster to use the  
weighted round-robin schedule, you can use the set system ha weight  
command to configure a weight value for each cluster unit. The weight value sets the  
maximum number of connections that are sent to a cluster unit before a connection  
can be sent to the next cluster unit. You can set weight values to control the number of  
connections processed by each cluster unit. For example, you might want to reduce  
the number of connections processed by the primary cluster unit by increasing the  
weight assigned to the subordinate cluster units.  
88  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
High availability  
Active-Active cluster packet flow  
Weight values are entered in order according to the priority of the units in the cluster.  
For example, if you have a cluster of three FortiGate units, you can enter the following  
command to configure the weight values for each unit:  
set system ha weight 1 3 3  
This command has the following results:  
The first connection is processed by the primary unit  
The next three connections are processed by the first subordinate unit  
The next three connections are processed by the second subordinate unit  
The subordinate units process more connections than the primary unit, and both  
subordinate units, on average, process the same number of connections.  
Active-Active cluster packet flow  
This section describes packet flow through an active-active HA cluster. The cluster  
consists of two FortiGate units (primary and subordinate). Cluster interfaces are  
connected using switches.  
Figure 18: Active-active HA packet flow  
Switch 1  
Switch 2  
HA cluster  
Primary Unit  
Client  
Server  
Subordinate Unit  
FortiGate-800 Installation and Configuration Guide  
89  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Active-Active cluster packet flow  
High availability  
NAT/Route mode packet flow  
In NAT/Route mode, five MAC addresses are involved in active-active communication  
between a client and a server if the cluster routes the packets to the subordinate unit  
in the cluster:  
Virtual cluster MAC address (MAC_V)  
Client MAC address (MAC_C),  
Server MAC address (MAC_S),  
Subordinate unit internal MAC address (MAC_S_I),  
Subordinate unit external MAC address (MAC_S_E).  
In NAT/Route mode, the HA cluster works as a gateway when it responds to ARP  
requests. Therefore, the client and the server only know the gateway MAC address  
(MAC_V), which is a virtual MAC address created by the HA cluster. The virtual MAC  
address is 00-09-0f-06-ff-00.  
Switch 1 and 2 know where the virtual MAC address and the real MAC address are.  
Packets are routed through the subordinate unit as follows.  
A request packet from a client on the internal network to a server on the external  
network:  
1
2
3
Source is MAC_C and destination is MAC_V (from client to primary)  
Source is MAC_V and destination is MAC_S_I (from primary to subordinate internal)  
Source is MAC_S_E and destination is MAC_S (from subordinate external to server)  
A response packet from a server on the external network to a client on the internal  
network:  
1
2
3
Source is MAC_S and destination is MAC_V (from server to primary)  
Source is MAC_V and destination is MAC_S_E (from primary to subordinate external)  
Source is MAC_S_I and destination is MAC_C (from subordinate internal to client)  
Configuring switches to work with a NAT/Route mode cluster  
Some switch vendors use a Global MAC address table for the entire switch instead of  
multiple MAC address tables, one for each interface and VLAN. The Global MAC  
address table feature causes interoperability problems with FortiGate HA. For a switch  
to work with FortiGate HA, the switch should support and be configured to use  
individual MAC address tables for each switch interface.  
90  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
High availability  
Active-Active cluster packet flow  
The following are examples of switches that are compatible with the FGCP because  
they use a Global MAC address table:  
HP 4100 GL series,  
HP2628,  
HP5300,  
Cisco Catalyst,  
Cisco 2850,  
Cisco 3550,  
Nortel PP8600,  
Nortel XLR.  
Transparent mode packet flow  
In transparent mode, six MAC addresses are involved in active-active communication  
between a client and a server if the cluster routes the packets to the subordinate unit  
in the cluster:  
Client MAC address (MAC_C),  
Server MAC address (MAC_S),  
Primary unit internal MAC address (MAC_P_I),  
Primary unit external MAC address (MAC_P_E),  
Subordinate unit internal MAC address (MAC_S_I),  
Subordinate unit external MAC address (MAC_S_E).  
A request packet from a client on the internal network to a server on the external  
network:  
1
2
Source is MAC_C and destination is MAC_S (from client to primary)  
Source is MAC_P_I and destination is MAC_S_I (from primary internal to subordinate  
internal)  
3
Source is MAC_S_E and destination is MAC_S (from subordinate external to server)  
A response packet from a server on the external network to a client on the internal  
network:  
1
2
Source is MAC_S and destination is MAC_C (from server to primary)  
Source is MAC_P_E and destination is MAC_S_E (from primary external to  
subordinate external)  
3
Source is MAC_S_I and destination is MAC_C (from subordinate internal to client)  
FortiGate-800 Installation and Configuration Guide  
91  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Active-Active cluster packet flow  
High availability  
92  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
FortiGate-800 Installation and Configuration Guide Version 2.50  
System status  
You can connect to the web-based manager and view the current system status of the  
FortiGate unit. The status information that is displayed includes the current firmware  
version, the current virus and attack definitions, and the FortiGate unit serial number.  
If you log into the web-based manager using the admin administrator account, you  
can make any of the following changes to the FortiGate system settings:  
If you log into the web-based manager with another administrator account, you can  
view the system settings including:  
All administrative users can also go to the Monitor page and view FortiGate system  
status. System status displays FortiGate system health monitoring information,  
including CPU and memory status, session and network status.  
All administrative users can also go to the Session page and view the active  
communication sessions to and through the FortiGate unit.  
FortiGate-800 Installation and Configuration Guide  
93  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Changing the FortiGate host name  
System status  
Changing the FortiGate host name  
The FortiGate host name appears on the Status page and in the FortiGate CLI  
prompt. The host name is also used as the SNMP system name. For information  
about the SNMP system name, see “Configuring SNMP” on page 173.  
The default host name is FortiGate-800.  
To change the FortiGate host name  
1
2
3
4
Go to System > Status.  
Select Edit Host Name  
Type a new host name.  
Select OK.  
.
The new host name is displayed on the Status page, and in the CLI prompt, and is  
added to the SNMP System Name.  
Changing the FortiGate firmware  
After you download a FortiGate firmware image from Fortinet, you can use the  
procedures listed in Table 18 to install the firmware image on your FortiGate unit.  
Table 18: Firmware upgrade procedures  
Procedure  
Description  
Commonly-used web-based manager and CLI procedures to  
upgrade to a new FortiOS firmware version or to a more recent  
build of the same firmware version.  
Use the web-based manager or CLI procedure to revert to a  
previous firmware version. This procedure reverts the FortiGate  
unit to its factory default configuration.  
Use this procedure to install a new firmware version or revert to a  
previous firmware version. You must run this procedure by  
connecting to the CLI using the FortiGate console port and a  
null-modem cable. This procedure reverts the FortiGate unit to its  
factory default configuration.  
Use this procedure to test a new firmware image before installing it.  
You must run this procedure by connecting to the CLI using the  
FortiGate console port and a null-modem cable. This procedure  
temporarily installs a new firmware image using your current  
configuration. You can test the firmware image before installing it  
permanently. If the firmware image works correctly you can use  
one of the other procedures listed in this table to install it  
permanently.  
Installing and using a If the FortiGate unit is running BIOS version v3.x, you can install a  
backup firmware image. Once the backup firmware image is  
installed you can switch to this backup image when required.  
94  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
System status  
Changing the FortiGate firmware  
Upgrading to a new firmware version  
Use the following procedures to upgrade the FortiGate unit to a newer firmware  
version.  
Upgrading the firmware using the web-based manager  
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions  
included with the firmware release that you are installing. After you install new firmware, use the  
sure that antivirus and attack definitions are up to date.  
To upgrade the firmware using the web-based manager  
Copy the firmware image file to your management computer.  
Log into the web-based manager as the admin administrative user.  
Go to System > Status.  
1
2
3
4
5
Select Firmware Upgrade  
.
Type the path and filename of the firmware image file, or select Browse and locate the  
file.  
6
Select OK.  
The FortiGate unit uploads the firmware image file, upgrades to the new firmware  
version, restarts, and displays the FortiGate login. This process takes a few minutes.  
7
8
Log into the web-based manager.  
Go to System > Status and check the Firmware Version to confirm that the firmware  
upgrade is successfully installed.  
9
Update antivirus and attack definitions. For information about antivirus and attack  
Upgrading the firmware using the CLI  
To use the following procedure you must have a TFTP server that the FortiGate unit  
can connect to.  
Note: Installing firmware replaces your current antivirus and attack definitions with the  
definitions included with the firmware release that you are installing. After you install new  
page 119 to make sure that antivirus and attack definitions are up to date. You can also use the  
CLI command execute updatecenter updatenowto update the antivirus and attack  
definitions.  
To upgrade the firmware using the CLI  
1
2
3
Make sure that the TFTP server is running.  
Copy the new firmware image file to the root directory of the TFTP server.  
Log into the CLI as the admin administrative user.  
FortiGate-800 Installation and Configuration Guide  
95  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Changing the FortiGate firmware  
System status  
4
Make sure the FortiGate unit can connect to the TFTP server.  
You can use the following command to ping the computer running the TFTP server.  
For example, if the IP address of the TFTP server is 192.168.1.168:  
execute ping 192.168.1.168  
5
Enter the following command to copy the firmware image from the TFTP server to the  
FortiGate unit:  
execute restore image <name_str> <tftp_ip>  
Where <name_str>is the name of the firmware image file on the TFTP server and  
<tftp_ip>is the IP address of the TFTP server. For example, if the firmware image  
file name is FGT_300-v250-build045-FORTINET.out and the IP address of the  
TFTP server is 192.168.1.168, enter:  
execute restore image FGT_300-v250-build045-FORTINET.out  
192.168.1.168  
The FortiGate unit uploads the firmware image file, upgrades to the new firmware  
version, and restarts. This process takes a few minutes.  
6
7
Reconnect to the CLI.  
To confirm that the new firmware image is successfully installed, enter:  
get system status  
8
9
page 119 to update antivirus and attack definitions, or from the CLI, enter:  
execute updatecenter updatenow  
To confirm that the antivirus and attack definitions are succesfully updated, enter the  
following command to display the antivirus engine, virus and attack definitions version,  
contract expiry, and last update attempt information.  
get system objver  
Reverting to a previous firmware version  
Use the following procedures to revert your FortiGate unit to a previous firmware  
version.  
Reverting to a previous firmware version using the web-based  
manager  
The following procedures revert the FortiGate unit to its factory default configuration  
and delete NIDS user-defined signatures, web content lists, email filtering lists, and  
changes to replacement messages.  
Before beginning this procedure you can:  
Back up the FortiGate unit configuration. For information, see “Backing up system  
Back up the NIDS user-defined signatures. For information, see the FortiGate  
NIDS Guide  
Back up web content and email filtering lists. For information, see the FortiGate  
Content Protection Guide.  
96  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
System status  
Changing the FortiGate firmware  
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS  
v2.50 to FortiOS v2.36) you might not be able to restore the previous configuration  
from the backup configuration file.  
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions  
included with the firmware release that you are installing. After you install new firmware, use the  
sure that antivirus and attack definitions are up to date.  
To revert to a previous firmware version using the web-based manager  
Copy the firmware image file to your management computer.  
Log into the FortiGate web-based manager as the admin administrative user.  
Go to System > Status.  
1
2
3
4
5
Select Firmware Upgrade  
.
Type the path and filename of the previous firmware image file, or select Browse and  
locate the file.  
6
Select OK.  
The FortiGate unit uploads the firmware image file, reverts to the old firmware version,  
resets the configuration, restarts, and displays the FortiGate login. This process takes  
a few minutes.  
7
Log into the web-based manager.  
For information about logging into the web-based manager when the FortiGate unit is  
8
9
Go to System > Status and check the Firmware Version to confirm that the firmware  
is successfully installed.  
Restore your configuration.  
For information about restoring your configuration, see “Restoring system settings” on  
10  
Update antivirus and attack definitions. For information about antivirus and attack  
Reverting to a previous firmware version using the CLI  
This procedure reverts your FortiGate unit to its factory default configuration and  
deletes NIDS user-defined signatures, web content lists, email filtering lists, and  
changes to replacement messages.  
Before beginning this procedure you can:  
Back up the FortiGate unit configuration using the command execute backup  
config.  
Back up the NIDS user defined signatures using the command execute backup  
nidsuserdefsig  
Back up web content and email filtering lists. For information, see the FortiGate  
Content Protection Guide.  
FortiGate-800 Installation and Configuration Guide  
97  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Changing the FortiGate firmware  
System status  
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS  
v2.50 to FortiOS v2.36) you might not be able to restore your previous configuration  
from the backup configuration file.  
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions  
included with the firmware release that you are installing. After you install new firmware, use the  
sure that antivirus and attack definitions are up to date. You can also use the CLI command  
execute updatecenter updatenowto update the antivirus and attack definitions.  
To use the following procedure you must have a TFTP server that the FortiGate unit  
can connect to.  
To revert to a previous firmware version using the CLI  
Make sure that the TFTP server is running.  
1
2
3
4
Copy the new firmware image file to the root directory of the TFTP server.  
Log into the FortiGate CLI as the admin administrative user.  
Make sure the FortiGate unit can connect to the TFTP server.  
You can use the following command to ping the computer running the TFTP server.  
For example, if the TFTP server's IP address is 192.168.1.168:  
execute ping 192.168.1.168  
5
Enter the following command to copy the firmware image from the TFTP server to the  
FortiGate unit:  
execute restore image <name_str> <tftp_ip>  
Where <name_str>is the name of the firmware image file on the TFTP server and  
<tftp_ip>is the IP address of the TFTP server. For example, if the firmware image  
file name is FGT_300-v250-build045-FORTINET.outand the IP address of the  
TFTP server is 192.168.1.168, enter:  
execute restore image FGT_300-v250-build045-FORTINET.out  
192.168.1.168  
The FortiGate unit uploads the firmware image file. After the file uploads, a message  
similar to the following is displayed:  
Get image from tftp server OK.  
This operation will downgrade the current firmware version!  
Do you want to continue? (y/n)  
6
7
Type Y.  
The FortiGate unit reverts to the old firmware version, resets the configuration to  
factory defaults, and restarts. This process takes a few minutes.  
8
Reconnect to the CLI.  
For information about logging into the CLI when the FortiGate unit is set to factory  
9
To confirm that the new firmware image has been loaded, enter:  
get system status  
10  
Restore your previous configuration. Use the following command:  
execute restore config  
98  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
System status  
Changing the FortiGate firmware  
11  
12  
Update antivirus and attack definitions. For information, see “Manually initiating  
execute updatecenter updatenow  
To confirm that the antivirus and attack definitions have been updated, enter the  
following command to display the antivirus engine, virus and attack definitions version,  
contract expiry, and last update attempt information.  
get system objver  
Installing firmware images from a system reboot using the CLI  
This procedure installs a specified firmware image and resets the FortiGate unit to  
default settings. You can use this procedure to upgrade to a new firmware version,  
revert to an older firmware version, or re-install the current firmware version.  
Note: This procedure varies for different FortiGate BIOS versions. These variations are  
explained in the procedure steps that are affected. The version of the BIOS running on the  
FortiGate unit is displayed when you restart the FortiGate unit using the CLI through a console  
connection.  
To perform this procedure you:  
access the CLI by connecting to the FortiGate console port using a null-modem  
cable,  
install a TFTP server that you can connect to from the FortiGate internal interface.  
The TFTP server should be on the same subnet as the internal interface.  
Before beginning this procedure you can:  
Back up the FortiGate unit configuration. For information, see “Backing up system  
Back up the NIDS user defined signatures. For information, see the FortiGate  
NIDS Guide.  
Back up web content and email filtering lists. For information, see the FortiGate  
Content Protection Guide.  
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS  
v2.50 to FortiOS v2.36) you might not be able to restore your previous configuration  
from the backup configuration file.  
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions  
included with the firmware release that you are installing. After you install new firmware, use the  
sure that antivirus and attack definitions are up to date.  
To install firmware from a system reboot  
1
2
3
4
Connect to the CLI using the null-modem cable and FortiGate console port.  
Make sure that the TFTP server is running.  
Copy the new firmware image file to the root directory of the TFTP server.  
Make sure that the internal interface is connected to the same network as the TFTP  
server.  
FortiGate-800 Installation and Configuration Guide  
99  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Changing the FortiGate firmware  
System status  
5
To confirm that the FortiGate unit can connect to the TFTP server, use the following  
command to ping the computer running the TFTP server. For example, if the IP  
address of the TFTP server is 192.168.1.168, enter:  
execute ping 192.168.1.168  
6
Enter the following command to restart the FortiGate unit:  
execute reboot  
As the FortiGate units starts, a series of system startup messages is displayed.  
When one of the following messages appears:  
FortiGate unit running v2.x BIOS  
Press Any Key To Download Boot Image.  
...  
FortiGate unit running v3.x BIOS  
Press any key to enter configuration menu.....  
......  
7
Immediately press any key to interrupt the system startup.  
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the  
FortiGate unit reboots and you must log in and repeat the execute rebootcommand.  
If you successfully interrupt the startup process, one of the following messages  
appears:  
FortiGate unit running v2.x BIOS  
Enter TFTP Server Address [192.168.1.168]:  
Go to step 9.  
FortiGate unit running v3.x BIOS  
[G]: Get firmware image from TFTP server.  
[F]: Format boot device.  
[B]: Boot with backup firmware and set as default.  
[Q]: Quit menu and continue to boot with default firmware.  
[H]: Display this list of options.  
Enter G,F,B,Q,or H:  
8
9
Type G to get the new firmware image from the TFTP server.  
Type the address of the TFTP server and press Enter.  
The following message appears:  
Enter Local Address [192.168.1.188]:  
10  
Type the address of the internal interface of the FortiGate unit and press Enter.  
Note: The local IP address is used only to download the firmware image. After the firmware is  
installed, the address of this interface is changed back to the default IP address for this  
interface.  
The following message appears:  
Enter File Name [image.out]:  
100  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
System status  
Changing the FortiGate firmware  
11  
Enter the firmware image filename and press Enter.  
The TFTP server uploads the firmware image file to the FortiGate unit and messages  
similar to the following are displayed:  
FortiGate unit running v2.x BIOS  
Do You Want To Save The Image? [Y/n]  
Type Y.  
FortiGate unit running v3.x BIOS  
Save as Default firmware/Run image without saving:[D/R]  
Save as Default firmware/Backup firmware/Run image without  
saving:[D/B/R]  
Type D.  
The FortiGate unit installs the new firmware image and restarts. The installation might  
take a few minutes to complete.  
Restoring the previous configuration  
Change the internal interface addresses if required. You can do this from the CLI  
using the command:  
set system interface  
After changing the interface addresses, you can access the FortiGate unit from the  
web-based manager and restore the configuration.  
To restore the FortiGate unit configuration, see “Restoring system settings” on  
To restore NIDS user defined signatures, see “Adding user-defined signatures” on  
To restore web content filtering lists, see “Restoring the Banned Word list” on  
To restore email filtering lists, see “Uploading the email banned word list” on  
If you are reverting to a previous firmware version (for example, reverting from  
FortiOS v2.50 to FortiOS v2.36) you might not be able to restore your previous  
configuration from the backup up configuration file.  
Update the virus and attack definitions to the most recent version, see “Manually  
Testing a new firmware image before installing it  
You can test a new firmware image by installing the firmware image from a system  
reboot and saving it to system memory. After completing this procedure the FortiGate  
unit operates using the new firmware image with the current configuration. This new  
firmware image is not permanently installed. The next time the FortiGate unit restarts,  
it operates with the originally installed firmware image using the current configuration.  
If the new firmware image operates successfully, you can install it permanently using  
FortiGate-800 Installation and Configuration Guide  
101  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Changing the FortiGate firmware  
System status  
To run this procedure you:  
access the CLI by connecting to the FortiGate console port using a null-modem  
cable,  
install a TFTP server that you can connect to from the FortiGate internal interface.  
The TFTP server should be on the same subnet as the internal interface.  
To test a new firmware image  
1
2
3
4
Connect to the CLI using a null-modem cable and FortiGate console port.  
Make sure the TFTP server is running.  
Copy the new firmware image file to the root directory of the TFTP server.  
Make sure that the internal interface is connected to the same network as the TFTP  
server.  
You can use the following command to ping the computer running the TFTP server.  
For example, if the TFTP server's IP address is 192.168.1.168:  
execute ping 192.168.1.168  
5
6
Enter the following command to restart the FortiGate unit:  
execute reboot  
As the FortiGate unit reboots, press any key to interrupt the system startup.  
As the FortiGate units starts, a series of system startup messages are displayed.  
When one of the following messages appears:  
FortiGate unit running v2.x BIOS  
Press Any Key To Download Boot Image.  
...  
FortiGate unit running v3.x BIOS  
Press any key to enter configuration menu.....  
......  
7
Immediately press any key to interrupt the system startup.  
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the  
FortiGate unit reboots and you must log in and repeat the execute rebootcommand.  
If you successfully interrupt the startup process, one of the following messages  
appears:  
FortiGate unit running v2.x BIOS  
Enter TFTP Server Address [192.168.1.168]:  
Go to step 9.  
FortiGate unit running v3.x BIOS  
[G]: Get firmware image from TFTP server.  
[F]: Format boot device.  
[Q]: Quit menu and continue to boot with default firmware.  
[H]: Display this list of options.  
Enter G,F,Q,or H:  
8
Type G to get the new firmware image from the TFTP server.  
102  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
System status  
Changing the FortiGate firmware  
9
Type the address of the TFTP server and press Enter.  
The following message appears:  
Enter Local Address [192.168.1.188]:  
10  
Type the address of the internal interface of the FortiGate unit and press Enter.  
Note: The local IP address is used only to download the firmware image. After the firmware is  
installed, the address of this interface is changed back to the default IP address for this  
interface.  
The following message appears:  
Enter File Name [image.out]:  
11  
Enter the firmware image file name and press Enter.  
The TFTP server uploads the firmware image file to the FortiGate unit and messages  
similar to the following appear.  
FortiGate unit running v2.x BIOS  
Do You Want To Save The Image? [Y/n]  
Type N.  
FortiGate unit running v3.x BIOS  
Save as Default firmware/Run image without saving:[D/R]  
Type R.  
The FortiGate image is installed to system memory and the FortiGate unit starts  
running the new firmware image but with its current configuration.  
12  
13  
You can log into the CLI or the web-based manager using any administrative account.  
To confirm that the new firmware image has been loaded, from the CLI enter:  
get system status  
You can test the new firmware image as required.  
Installing and using a backup firmware image  
If the FortiGate unit is running BIOS version v3.x, you can install a backup firmware  
image. Once the backup firmware image is installed you can switch to this backup  
image when required.  
This section describes:  
Installing a backup firmware image  
To run this procedure you:  
access the CLI by connecting to the FortiGate console port using a null-modem  
cable,  
install a TFTP server that you can connect to from the FortiGate as described in  
FortiGate-800 Installation and Configuration Guide  
103  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Changing the FortiGate firmware  
System status  
To install a backup firmware image  
1
2
3
4
Connect to the CLI using the null-modem cable and FortiGate console port.  
Make sure that the TFTP server is running.  
Copy the new firmware image file to the root directory of your TFTP server.  
To confirm that the FortiGate unit can connect to the TFTP server, use the following  
command to ping the computer running the TFTP server. For example, if the IP  
address of the TFTP server is 192.168.1.168:  
execute ping 192.168.1.168  
5
6
Enter the following command to restart the FortiGate unit:  
execute reboot  
As the FortiGate unit starts, a series of system startup messages are displayed.  
When one of the following messages appears:  
Press any key to enter configuration menu.....  
......  
Immediately press any key to interrupt the system startup.  
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the  
FortiGate unit reboots and you must log in and repeat the execute rebootcommand.  
If you successfully interrupt the startup process, one of the following messages  
appears:  
[G]: Get firmware image from TFTP server.  
[F]: Format boot device.  
[B]: Boot with backup firmware and set as default.  
[Q]: Quit menu and continue to boot with default firmware.  
[H]: Display this list of options.  
Enter G,F,B,Q,or H:  
7
8
Type G to get the new firmware image from the TFTP server.  
Type the address of the TFTP server and press Enter.  
The following message appears:  
Enter Local Address [192.168.1.188]:  
9
Type the address of the interface of the FortiGate unit that can connect to the TFTP  
server and press Enter.  
The following message appears:  
Enter File Name [image.out]:  
10  
Enter the firmware image file name and press Enter.  
The TFTP server uploads the firmware image file to the FortiGate unit and messages  
similar to the following appear.  
Save as Default firmware/Backup firmware/Run image without  
saving:[D/B/R]  
11  
Type B.  
The FortiGate unit saves the backup firmware image and restarts. When the FortiGate  
unit restarts it is running the previously installed firmware version.  
104  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
System status  
Changing the FortiGate firmware  
Switching to the backup firmware image  
Use this procedure to switch the FortiGate unit to operating with a backup firmware  
image that you previously installed. When you switch the FortiGate unit to the backup  
firmware image, the FortiGate unit operates using the configuration that was saved  
with that firmware image.  
If you install a new backup image from a reboot, the configuration saved with this  
firmware image is the factory default configuration. If you use the procedure  
firmware image that was previously running as the default firmware image, the  
configuration saved with this firmware image is restored.  
To switch to the backup firmware image  
1
2
Connect to the CLI using the null-modem cable and FortiGate console port.  
Enter the following command to restart the FortiGate unit:  
execute reboot  
As the FortiGate units starts, a series of system startup messages are displayed.  
When the following message appears:  
Press any key to enter configuration menu.....  
......  
3
Immediately press any key to interrupt the system startup.  
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the  
FortiGate unit reboots and you must log in and repeat the execute rebootcommand.  
If you successfully interrupt the startup process, the following message appears:  
[G]: Get firmware image from TFTP server.  
[F]: Format boot device.  
[B]: Boot with backup firmware and set as default.  
[Q]: Quit menu and continue to boot with default firmware.  
[H]: Display this list of options.  
Enter G,F,B,Q,or H:  
4
Type B to load the backup firmware image.  
The FortiGate unit loads the backup firmware image and restarts. When the FortiGate  
unit restarts, it is running the backup firmware version and the configuration is set to  
factory default.  
FortiGate-800 Installation and Configuration Guide  
105  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Manual virus definition updates  
System status  
Switching back to the default firmware image  
Use this procedure to switch the FortiGate unit to operating with the backup firmware  
image that had been running as the default firmware image. When you switch to this  
backup firmware image, the configuration saved with this firmware image is restored.  
To switch back to the default firmware image  
1
2
Connect to the CLI using the null-modem cable and FortiGate console port.  
Enter the following command to restart the FortiGate unit:  
execute reboot  
As the FortiGate units starts, a series of system startup messages are displayed.  
When the following message appears:  
Press any key to enter configuration menu.....  
......  
3
Immediately press any key to interrupt the system startup.  
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the  
FortiGate unit reboots and you must log in and repeat the execute rebootcommand.  
If you successfully interrupt the startup process, the following message appears:  
[G]: Get firmware image from TFTP server.  
[F]: Format boot device.  
[B]: Boot with backup firmware and set as default.  
[Q]: Quit menu and continue to boot with default firmware.  
[H]: Display this list of options.  
Enter G,F,B,Q,or H:  
4
Type B to load the backup firmware image.  
The FortiGate unit loads the backup firmware image and restarts. When the FortiGate  
unit restarts it is running the backup firmware version with a restored configuration.  
Manual virus definition updates  
The Status page of the FortiGate web-based manager displays the current installed  
versions of the FortiGate antivirus definitions.  
Note: For information about configuring the FortiGate unit for automatic antivirus definitions  
manually start an antivirus definitions update by going to System > Update and selecting  
Update Now.  
To update the antivirus definitions manually  
1
Download the latest antivirus definitions update file from Fortinet and copy it to the  
computer that you use to connect to the web-based manager.  
2
3
Start the web-based manager and go to System > Status.  
In the Antivirus Definitions Version section, select Definitions Update  
.
106  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
System status  
Manual attack definition updates  
4
5
Type the path and filename for the antivirus definitions update file, or select Browse  
and locate the antivirus definitions update file.  
Select OK to copy the antivirus definitions update file to the FortiGate unit.  
The FortiGate unit updates the antivirus definitions. This takes about 1 minute.  
6
Go to System > Status to confirm that the Antivirus Definitions Version information  
has updated.  
Manual attack definition updates  
The Status page of the FortiGate web-based manager displays the current installed  
versions of the FortiGate Attack Definitions used by the Network Intrusion Detection  
System (NIDS).  
Note: For information about configuring the FortiGate unit for automatic attack definitions  
manually start an attack definitions update by going to System > Update and selecting Update  
Now.  
To update the attack definitions manually  
1
Download the latest attack definitions update file from Fortinet and copy it to the  
computer that you use to connect to the web-based manager.  
2
3
4
Start the web-based manager and go to System > Status.  
In the Attack Definitions Version section, select Definitions Update  
.
Type the path and filename for the attack definitions update file, or select Browse and  
locate the attack definitions update file.  
5
6
Select OK to copy the attack definitions update file to the FortiGate unit.  
The FortiGate unit updates the attack definitions. This takes about 1 minute.  
Go to System > Status to confirm that the Attack Definitions Version information has  
updated.  
Displaying the FortiGate serial number  
1
Go to System > Status.  
The serial number is displayed on the System Status page of the web-based  
manager. The serial number is specific to the FortiGate unit and does not change with  
firmware upgrades.  
FortiGate-800 Installation and Configuration Guide  
107  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Displaying the FortiGate up time  
System status  
Displaying the FortiGate up time  
1
Go to System > Status.  
The FortiGate up time displays the time in days, hours, and minutes since the  
FortiGate unit was last started.  
Displaying log hard disk status  
1
Go to System > Status.  
Log Hard Disk displays Available if the FortiGate unit contains a hard disk and Not  
Available if no hard disk is installed. The FortiGate unit uses the hard disk to store log  
messages and quarantine files infected with a virus or blocked by antivirus file  
blocking.  
Backing up system settings  
You can back up system settings by downloading them to a text file on the  
management computer.  
To back up system settings  
Go to System > Status.  
1
2
3
4
Select System Settings Backup.  
Select Backup System Settings.  
Type a name and location for the file.  
The system settings file is backed up to the management computer.  
5
Select Return to go back to the Status page.  
Restoring system settings  
You can restore system settings by uploading a previously downloaded system  
settings text file.  
To restore system settings  
Go to System > Status.  
1
2
3
Select System Settings Restore.  
Enter the path and filename of the system settings file, or select Browse and locate  
the file.  
4
5
Select OK to restore the system settings file to the FortiGate unit.  
The FortiGate unit restarts, loading the new system settings.  
Reconnect to the web-based manager and review your configuration to confirm that  
the uploaded system settings have taken effect.  
108  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
               
System status  
Restoring system settings to factory defaults  
Restoring system settings to factory defaults  
Use the following procedure to restore system settings to the values set at the factory.  
This procedure does not change the firmware version or the antivirus or attack  
definitions.  
Caution: This procedure deletes all changes that you have made to the FortiGate configuration  
!
and reverts the system to its original configuration, including resetting interface addresses.  
To restore system settings to factory defaults  
Go to System > Status.  
1
2
3
Select Restore Factory Defaults.  
Select OK to confirm.  
The FortiGate unit restarts with the configuration that it had when it was first powered  
on.  
4
Reconnect to the web-based manager and review the system configuration to confirm  
that it has been reset to the default settings.  
For information about restoring system settings, see “Restoring system settings” on  
Changing to Transparent mode  
Use the following procedure to change the FortiGate unit from NAT/Route mode to  
Transparent mode. After you change the FortiGate unit to Transparent mode, most of  
the configuration resets to Transparent mode factory defaults.  
The following items are not set to Transparent mode factory defaults:  
The admin administrator account password (see “Adding and editing administrator  
Custom replacement messages (see “Replacement messages” on page 181)  
To change to Transparent mode  
Go to System > Status.  
1
2
3
4
Select Change to Transparent Mode.  
Select Transparent in the operation mode list.  
Select OK.  
The FortiGate unit changes operation mode.  
5
To reconnect to the web-based manager, connect to the interface configured for  
Transparent mode management access and browse to https:// followed by the  
Transparent mode management IP address.  
By default in Transparent mode, you can connect to the internal or DMZ interface. The  
default Transparent mode management IP address is 10.10.10.1.  
FortiGate-800 Installation and Configuration Guide  
109  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Changing to NAT/Route mode  
System status  
Changing to NAT/Route mode  
Use the following procedure to change the FortiGate unit from Transparent mode to  
NAT/Route mode. After you change the FortiGate unit to NAT/Route mode, most of  
the configuration resets to NAT/Route mode factory defaults.  
The following items are not set to NAT/Route mode factory defaults:  
The admin administrator account password (see “Adding and editing administrator  
Custom replacement messages (see “Replacement messages” on page 181)  
To change to NAT/Route mode  
Go to System > Status.  
1
2
3
4
Select Change to NAT Mode.  
Select NAT/Route in the operation mode list.  
Select OK.  
The FortiGate unit changes operation mode.  
5
To reconnect to the web-based manager you must connect to the interface configured  
by default for management access.  
By default in NAT/Route mode, you can connect to the internal or DMZ interface. The  
default Transparent mode management IP address is 192.168.1.99.  
Restarting the FortiGate unit  
1
Go to System > Status.  
2
Select Restart.  
The FortiGate unit restarts.  
Shutting down the FortiGate unit  
You can restart the FortiGate unit after shutdown only by turning the power off and  
then on.  
1
2
Go to System > Status.  
Select Shutdown.  
The FortiGate unit shuts down and all traffic flow stops.  
110  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
System status  
System status  
System status  
You can use the system status monitor to display FortiGate system health information.  
The system health information includes memory usage, the number of active  
communication sessions, and the amount of network bandwidth currently in use. The  
web-based manager displays current statistics as well as statistics for the previous  
minute.  
If the FortiGate unit contains a hard disk, the system status monitor displays the  
capacity of the hard disk and the amount of used and free space on the hard disk.  
You can also view current virus and intrusion status. The web-based manager  
displays the current number of viruses and attacks as well as a graph of virus and  
attack levels over the previous 20 hours.  
In each case you can set an automatic refresh interval that updates the display every  
5 to 30 seconds. You can also refresh the display manually.  
Viewing CPU and memory status  
Current CPU and memory status indicates how close the FortiGate unit is to running  
at full capacity. The web-based manager displays CPU and memory usage for core  
processes only. CPU and memory use for management processes (for example, for  
HTTPS connections to the web-based manager) is excluded.  
If CPU and memory use is low, the FortiGate unit is able to process much more  
network traffic than is currently running. If CPU and memory use is high, the FortiGate  
unit is performing near its full capacity. Putting additional demands on the system  
might cause traffic processing delays.  
CPU and memory intensive processes, such as encrypting and decrypting IPSec VPN  
traffic, virus scanning, and processing high levels of network traffic containing small  
packets, increase CPU and memory usage.  
To view CPU and memory status  
1
Go to System > Status > Monitor.  
CPU & Memory status is displayed. The display includes bar graphs of current CPU  
and memory usage as well as line graphs of CPU and memory usage for the previous  
minute.  
If your FortiGate unit contains a hard disk, CPU, memory, and hard disk status are  
displayed.  
2
3
Set the automatic refresh interval and select Go to control how often the web-based  
manager updates the display.  
More frequent updates use system resources and increase network traffic. However,  
this occurs only when you are viewing the display using the web-based manager.  
Select Refresh to manually update the information displayed.  
FortiGate-800 Installation and Configuration Guide  
111  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
System status  
System status  
Figure 19: CPU and memory status monitor  
Viewing sessions and network status  
Use the session and network status display to track how many network sessions the  
FortiGate unit is processing and to see what effect the number of sessions has on the  
available network bandwidth. Also, by comparing CPU and memory usage with  
session and network status you can see how much demand network traffic is putting  
on system resources.  
The Sessions section displays the total number of sessions being processed by the  
FortiGate unit on all interfaces. It also displays the sessions as a percentage of the  
maximum number of sessions that the FortiGate unit is designed to support.  
The Network utilization section displays the total network bandwidth being used  
through all FortiGate interfaces. It also displays network utilization as a percentage of  
the maximum network bandwidth that can be processed by the FortiGate unit.  
To view sessions and network status  
Go to System > Status > Monitor.  
Select Sessions & Network.  
1
2
Sessions and network status is displayed. The display includes bar graphs of the  
current number of sessions and current network utilization as well as line graphs of  
session and network utilization usage for the last minute. The line graph scales are  
shown in the upper left corner of the graph.  
3
Set the automatic refresh interval and select Go to control how often the web-based  
manager updates the display.  
More frequent updates use system resources and increase network traffic. However,  
this only occurs when you are viewing the display using the web-based manager.  
112  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
System status  
System status  
4
Select Refresh to manually update the information displayed.  
Figure 20: Sessions and network status monitor  
Viewing virus and intrusions status  
Use the virus and intrusions status display to track when viruses are found by the  
FortiGate antivirus system and to track when the NIDS detects a network-based  
attack.  
To view virus and intrusions status  
Go to System > Status > Monitor.  
Select Virus & Intrusions.  
1
2
Virus and intrusions status is displayed. The display includes bar graphs of the  
number viruses and intrusions detected per hour as well as line graphs of the number  
of viruses and intrusions detected for the last 20 hours.  
3
4
Set the automatic refresh interval and select Go to control how often the web-based  
manager updates the display.  
More frequent updates use system resources and increase network traffic. However,  
this only occurs when you are viewing the display using the web-based manager. The  
line graph scales are shown on the upper right corner of the graph.  
Select Refresh to manually update the information displayed.  
FortiGate-800 Installation and Configuration Guide  
113  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Session list  
System status  
Figure 21: Sessions and network status monitor  
Session list  
The session list displays information about the communications sessions currently  
being processed by the FortiGate unit. You can use the session list to view current  
sessions. FortiGate administrators with read and write permission and the FortiGate  
admin user can also stop active communication sessions.  
To view the session list  
1
Go to System > Status > Session.  
The web-based manager displays the total number of active sessions in the FortiGate  
unit session table and lists the top 16.  
2
3
4
To navigate the list of sessions, select Page Up  
Select Refresh to update the session list.  
If you are logged in as an administrative user with read and write privileges or as the  
admin user, you can select Clear to stop an active session.  
or Page Down  
.
114  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
System status  
Session list  
Each line of the session list displays the following information.  
Protocol  
From IP  
The service protocol of the connection, for example, udp, tcp, or icmp.  
The source IP address of the connection.  
From Port The source port of the connection.  
To IP  
The destination IP address of the connection.  
The destination port of the connection.  
To Port  
Expire  
Clear  
The time, in seconds, before the connection expires.  
Stop an active communication session.  
Figure 22: Example session list  
FortiGate-800 Installation and Configuration Guide  
115  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Session list  
System status  
116  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
FortiGate-800 Installation and Configuration Guide Version 2.50  
Virus and attack definitions updates  
and registration  
You can configure the FortiGate unit to connect to the FortiResponse Distribution  
Network (FDN) to update the antivirus and attack definitions and the antivirus engine.  
You have the following update options:  
Request updates from the FDN,  
Schedule updates to automatically request the latest versions hourly, daily, or  
weekly,  
Set Push updates so that the FDN contacts your FortiGate unit when a new update  
is available.  
To receive scheduled updates and push updates, you must register the FortiGate unit  
on the Fortinet support web page.  
This chapter describes:  
Updating antivirus and attack definitions  
You can configure the FortiGate unit to connect to the FortiResponse Distribution  
Network (FDN) to automatically receive the latest antivirus and attack definitions and  
antivirus engine updates. The FortiGate unit supports the following antivirus and  
attack definition update features:  
User-initiated updates from the FDN,  
Hourly, daily, or weekly scheduled antivirus and attack definition and antivirus  
engine updates from the FDN,  
Push updates from the FDN,  
Update status including version numbers, expiry dates, and update dates and  
times,  
Push updates through a NAT device.  
FortiGate-800 Installation and Configuration Guide  
117  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Updating antivirus and attack definitions  
Virus and attack definitions updates and registration  
The Update page on the web-based manager displays the following antivirus and  
attack definition update information.  
Version  
Current antivirus engine, virus definition, and attack definition version  
numbers.  
Expiry date  
Expiry date of your license for antivirus engine, virus definition, and attack  
definition updates.  
Last update  
attempt  
Date and time on which the FortiGate unit last attempted to download  
antivirus engine, virus definition, and attack definition updates.  
Last update  
status  
Success or failure of the last update attempt. No updates means the last  
update attempt was successful but no new updates were available. Update  
succeeded or similar messages mean the last update attempt was  
successful and new updates were installed. Other messages can indicate  
that the FortiGate was not able to connect to the FDN and other error  
conditions.  
This section describes:  
Connecting to the FortiResponse Distribution Network  
Before the FortiGate unit can receive antivirus and attack updates, it must be able to  
connect to the FortiResponse Distribution Network (FDN). The FortiGate unit uses  
HTTPS on port 8890 to connect to the FDN. The FortiGate external interface must  
have a path to the Internet using port 8890. For information about configuring  
scheduled updates, see “Scheduling updates” on page 120.  
You can also configure the FortiGate unit to allow push updates. Push updates are  
provided to the FortiGate unit from the FDN using HTTPS on UDP port 9443. To  
receive push updates, the FDN must have a path to the FortiGate external interface  
using UDP port 9443. For information about configuring push updates, see “Enabling  
The FDN is a world-wide network of FortiResponse Distribution Servers (FDSs).  
When the FortiGate unit connects to the FDN it connects to the nearest FDS. To do  
this, all FortiGate units are programmed with a list of FDS addresses sorted by  
nearest time zone according to the time zone configured for the FortiGate unit. To  
make sure the FortiGate unit receives updates from the nearest FDS, check that you  
have selected the correct time zone for your area.  
To make sure the FortiGate unit can connect to the FDN  
1
Go to System > Config > Time and make sure the time zone is set to the time zone  
for the region in which your FortiGate unit is located.  
2
3
Go to System > Update.  
Select Refresh.  
The FortiGate unit tests its connection to the FDN. The test results are displayed at  
the top of the System Update page.  
118  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Virus and attack definitions updates and registration  
Updating antivirus and attack definitions  
Table 19: Connections to the FDN  
Connections  
Status  
Comments  
Available  
The FortiGate unit can connect to the FDN. You can  
configure the FortiGate unit for scheduled updates.  
Not available The FortiGate unit cannot connect to the FDN. You  
must configure your FortiGate unit and your network so  
that the FortiGate unit can connect to the Internet and  
to the FDN. For example, you may need to add routes  
to the FortiGate routing table or configure your network  
to allow the FortiGate unit to use HTTPS on port 8890  
to connect to the Internet.  
FortiResponse  
Distribution  
Network  
You may also have to connect to an override  
FortiResponse server to receive updates. See “Adding  
Available  
The FDN can connect to the FortiGate unit to send  
push updates. You can configure the FortiGate unit to  
receive push updates. See “Enabling push updates” on  
Not available The FDN cannot connect to the FortiGate unit to send  
push updates. Push updates may not be available if  
you have not registered the FortiGate unit (see  
Push Update  
Manually initiating antivirus and attack definitions updates  
You can use the following procedure to update the antivirus and attack definitions at  
any time. The FortiGate unit must be able to connect to the FDN or to an override  
FortiResponse server.  
To update antivirus and attack definitions  
1
2
Go to System > Update.  
Select Update Now to update the antivirus and attack definitions.  
If the connection to the FDN or override server is successful, the web-based manager  
displays a message similar to the following:  
Your update request has been sent. Your database will be updated  
in a few minutes. Please check your update page for the status  
of the update.  
After a few minutes, if an update is available, the System Update page lists new  
version information for antivirus definitions, the antivirus engine, or attack definitions.  
The System Status page also displays new dates and version numbers for antivirus  
and attack definitions. Messages are recorded to the event log indicating whether the  
update was successful or not.  
FortiGate-800 Installation and Configuration Guide  
119  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Scheduling updates  
Virus and attack definitions updates and registration  
Configuring update logging  
Use the following procedure to configure FortiGate logging to record log messages  
when the FortiGate unit updates antivirus and attack definitions. The update log  
messages are recorded on the FortiGate Event log.  
To configure update logging  
1
2
Go to Log&Report > Log Setting.  
Select Config Policy for the type of logs that the FortiGate unit is configured to record.  
For information about recording logs, see “Recording logs” on page 309.  
3
4
Select Update to record log messages when the FortiGate unit updates antivirus and  
attack definitions.  
Select any of the following update log options.  
Failed Update Records a log message whenever an update attempt fails.  
Successful  
Update  
Records a log message whenever an update attempt is successful.  
FDN error  
Records a log message whenever it cannot connect to the FDN or  
whenever it receives an error message from the FDN.  
5
Select OK.  
Scheduling updates  
The FortiGate unit can check for and download updated definitions hourly, daily, or  
weekly, according to a schedule that you specify.  
This section describes:  
Enabling scheduled updates  
To enable scheduled updates  
1
2
3
Go to System > Update.  
Select the Scheduled Update check box.  
Select one of the following to check for and download updates.  
Hourly  
Once every 1 to 23 hours. Select the number of hours and minutes between  
each update request.  
Daily  
Once a day. You can specify the time of day to check for updates.  
Weekly  
Once a week. You can specify the day of the week and the time of day to check  
for updates.  
120  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Virus and attack definitions updates and registration  
Scheduling updates  
4
Select Apply.  
The FortiGate unit starts the next scheduled update according to the new update  
schedule.  
Whenever the FortiGate unit runs a scheduled update, the event is recorded in the  
FortiGate event log.  
Figure 23: Configuring automatic antivirus and attack definitions updates  
Adding an override server  
If you cannot connect to the FDN, or if your organization provides antivirus and attack  
updates using their own FortiResponse server, you can use the following procedure to  
add the IP address of an override FortiResponse server.  
To add an override server  
1
2
3
4
Go to System > Update.  
Select the Use override server address check box.  
Type the IP address of a FortiResponse server.  
Select Apply.  
The FortiGate unit tests the connection to the override server.  
If the FortiResponse Distribution Network setting changes to available, the FortiGate  
unit has successfully connected to the override server.  
If the FortiResponse Distribution Network stays set to not available, the FortiGate unit  
cannot connect to the override server. Check the FortiGate configuration and network  
configuration for settings that would prevent the FortiGate unit connecting to the  
override FortiResponse server.  
FortiGate-800 Installation and Configuration Guide  
121  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Enabling push updates  
Virus and attack definitions updates and registration  
Enabling scheduled updates through a proxy server  
If your FortiGate unit must connect to the Internet through a proxy server, you can use  
the set system autoupdate tunnelingcommand to allow the FortiGate unit to  
connect (or tunnel) to the FDN using the proxy server. Using this command you can  
specify the IP address and port of the proxy server. As well, if the proxy server  
requires authentication, you can add the user name and password required for the  
proxy server to the autoupdate configuration. The full syntax for enabling updates  
through a proxy server is:  
set system autoupdate tunneling enable [address  
<proxy-address_ip> [port <proxy-port> [username <username_str>  
[password <password_str>]]]]  
For example, if the IP address of the proxy server is 64.23.6.89 and its port is 8080,  
enter the following command:  
set system autouopdate tunneling enable address 64.23.6.89  
port 8080  
For more information about the set system autoupdatecommand, see Volume 6,  
FortiGate CLI Reference Guide.  
The FortiGate unit connects to the proxy server using the HTTP CONNECT method,  
as described in RFC 2616. The FortiGate unit sends an HTTP CONNECT request to  
the proxy server (optionally with authentication information) specifying the IP address  
and port required to connect to the FDN. The proxy server establishes the connection  
to the FDN and passes information between the FortiGate unit and the FDN.  
The CONNECT method is used mostly for tunneling SSL traffic. Some proxy servers  
do not allow the CONNECT to connect to any port; they restrict the allowed ports to  
the well known ports for HTTPS and perhaps some other similar services. Because  
FortiGate autoupdates use HTTPS on port 8890 to connect to the FDN, your proxy  
server might have to be configured to allow connections on this port.  
There are no special tunneling requirements if you have configured an override server  
address to connect to the FDN.  
Enabling push updates  
The FDN can push updates to FortiGate units to provide the fastest possible response  
to critical situations. You must register the FortiGate unit before it can receive push  
When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a  
SETUP message to the FDN. The next time a new antivirus engine, new antivirus  
definitions, or new attack definitions are released, the FDN notifies all FortiGate units  
that are configured for push updates that a new update is available. Within 60  
seconds of receiving a push notification, the FortiGate unit requests an update from  
the FDN.  
Note: Push updates are not supported if the FortiGate unit must use a proxy server to connect  
122  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Virus and attack definitions updates and registration  
Enabling push updates  
When the network configuration permits, configuring push updates is recommended in  
addition to configuring scheduled updates. On average the FortiGate unit receives  
new updates sooner through push updates than if the FortiGate unit receives only  
scheduled updates. However, scheduled updates make sure that the FortiGate unit  
receives the latest updates.  
Enabling push updates is not recommended as the only method for obtaining updates.  
The FortiGate unit might not receive the push notification. Also, when the FortiGate  
unit receives a push notification it makes only one attempt to connect to the FDN and  
download updates.  
This section describes:  
Enabling push updates  
To enable push updates  
1
2
3
Go to System > Update.  
Select Allow Push Update.  
Select Apply.  
Push updates when FortiGate IP addresses change  
The SETUP message that the FortiGate unit sends when you enable push updates  
includes the IP address of the FortiGate interface that the FDN connects to. If your  
FortiGate unit is running in NAT/Route mode, the SETUP message includes the  
FortiGate external IP address. If your FortiGate unit is running in Transparent mode,  
the SETUP message includes the FortiGate management IP address. The FDN must  
be able to connect to this IP address for your FortiGate unit to be able to receive push  
update messages. If your FortiGate unit is behind a NAT device, see “Enabling push  
Whenever the external IP address of the FortiGate unit changes, the FortiGate unit  
sends a new SETUP message to notify the FDN of the address change. As long as  
the FortiGate unit sends this SETUP message and the FDN receives it, the FDN can  
maintain the most up-to-date external IP address for the FortiGate unit.  
The FortiGate unit sends the SETUP message if you change the external IP address  
manually or if you have set the external interface addressing mode to DHCP or  
PPPoE and your DHCP or PPPoE server changes the IP address.  
If you have redundant connections to the Internet, the FortiGate unit also sends the  
SETUP message when one Internet connection goes down and the FortiGate unit  
fails over to the other Internet connection.  
In Transparent mode if you change the management IP address, the FortiGate unit  
also sends the SETUP message to notify the FDN of the address change.  
FortiGate-800 Installation and Configuration Guide  
123  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Enabling push updates  
Virus and attack definitions updates and registration  
Enabling push updates through a NAT device  
If the FDN can connect to the FortiGate unit only through a NAT device, you must  
configure port forwarding on the NAT device and add the port forwarding information  
to the push update configuration. Using port forwarding, the FDN connects to the  
FortiGate unit using either port 9443 or an override push port that you specify.  
Note: You cannot receive push updates through a NAT device if the external IP address of the  
NAT device is dynamic (for example, set using PPPoE or DHCP).  
Example: push updates through a NAT device  
This example describes how to configure a FortiGate NAT device to forward push  
updates to a FortiGate unit installed on its internal network. For the FortiGate unit on  
the internal network to receive push updates, the FortiGate NAT device must be  
configured with a port forwarding virtual IP. This virtual IP maps the IP address of the  
external interface of the FortiGate NAT device and a custom port to the IP address of  
the FortiGate unit on the internal network. This IP address can either be the external  
IP address of the FortiGate unit if it is operating in NAT/Route mode, or the  
Management IP address of the FortiGate unit if it is operating in Transparent mode.  
Note: This example describes the configuration for a FortiGate NAT device. However, you can  
use any NAT device with a static external IP address that can be configured for port forwarding.  
124  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Virus and attack definitions updates and registration  
Enabling push updates  
Figure 24: Example network topology: Push updates through a NAT device  
FortiResponse  
Distribution  
Network (FDN)  
Internet  
Push update to  
IP address 64.230.123.149  
and port 45001  
External IP  
64.230.123.149  
Virtual IP maps  
64.230.123.149:45001  
to  
FortiGate-300  
NAT Device  
Esc  
Enter  
192.168.1.99:9443  
External IP or  
Management IP  
192.168.1.99  
FortiGate-800  
I
N
T
E
R
N
A
L
E
X
T
E
R
N
A
L
D
M
Z
HA  
1
2
3
4
CONSOLE  
USB  
Esc  
Enter  
P
W
R
8
Internal Network  
General procedure  
Use the following steps to configure the FortiGate NAT device and the FortiGate unit  
on the internal network so that the FortiGate unit on the internal network can receive  
push updates:  
1
2
Add a port forwarding virtual IP to the FortiGate NAT device.  
Add a firewall policy to the FortiGate NAT device that includes the port forwarding  
virtual IP.  
3
Configure the FortiGate unit on the internal network with an override push IP and port.  
FortiGate-800 Installation and Configuration Guide  
125  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Enabling push updates  
Virus and attack definitions updates and registration  
Note: Before completing the following procedure, you should register the internal network  
FortiGate unit so that it can receive push updates.  
Adding a port forwarding virtual IP to the FortiGate NAT device  
Use the following procedure to configure a FortiGate NAT device to use port  
forwarding to forward push update connections from the FDN to a FortiGate unit on  
the internal network.  
To configure the FortiGate NAT device  
Go to Firewall > Virtual IP.  
Select New.  
1
2
3
4
Type a name for the virtual IP.  
In the External Interface section, select the external interface that the FDN connects  
to.  
For the example topology, select the external interface.  
5
6
In the Type section, select Port Forwarding.  
In the External IP Address section, type the external IP address that the FDN  
connects to.  
For the example topology, enter 64.230.123.149.  
7
8
Type the External Service Port that the FDN connects to.  
For the example topology, enter 45001.  
In the Map to IP section, type the IP address of the FortiGate unit on the internal  
network.  
If the FortiGate unit is operating in NAT/Route mode, enter the IP address of the  
external interface.  
If the FortiGate unit is operating in Transparent mode, enter the management IP  
address.  
For the example topology, enter 192.168.1.99.  
Set the Map to Port to 9443.  
Set Protocol to UDP.  
9
10  
11  
Select OK.  
126  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Virus and attack definitions updates and registration  
Enabling push updates  
Figure 25: Push update port forwarding virtual IP  
Adding a firewall policy for the port forwarding virtual IP  
To configure the FortiGate NAT device  
1
2
Add a new external to internal firewall policy.  
Configure the policy with the following settings:  
Source  
Destination  
Schedule  
Service  
Action  
External_All  
The virtual IP added above.  
Always  
ANY  
Accept  
Selected.  
NAT  
3
Select OK.  
Configuring the FortiGate unit with an override push IP and port  
To configure the FortiGate unit on the internal network  
1
2
3
Go to System > Update.  
Select the Allow Push Update check box.  
Select the Use override push check box.  
FortiGate-800 Installation and Configuration Guide  
127  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Registering FortiGate units  
Virus and attack definitions updates and registration  
4
5
6
Set IP to the external IP address added to the virtual IP.  
For the example topology, enter 64.230.123.149.  
Set Port to the external service port added to the virtual IP.  
For the example topology, enter 45001.  
Select Apply.  
The FortiGate unit sends the override push IP address and port to the FDN. The FDN  
now uses this IP address and port for push updates to the FortiGate unit on the  
internal network.  
If the external IP address or external service port change, add the changes to the Use  
override push configuration and select Apply to update the push information on the  
FDN.  
Figure 26: Example push update configuration  
7
8
Select Apply.  
You can select Refresh to make sure that push updates work.  
Push Update changes to Available.  
Registering FortiGate units  
After purchasing and installing a new FortiGate unit, you can register the unit using  
the web-based manager by going to System Update Support page, or by using a web  
browser to connect to http://support.fortinet.com and selecting Product Registration.  
Registration consists of entering your contact information and the serial numbers of  
the FortiGate units that you or your organization purchased. You can register multiple  
FortiGate units in a single session without re-entering your contact information.  
Once registration is completed, Fortinet sends a Support Login user name and  
password to your email address. You can use this user name and password to log on  
to the Fortinet support web site to:  
View your list of registered FortiGate units  
Register additional FortiGate units  
Add or change FortiCare Support Contract numbers for each FortiGate unit  
View and change registration information  
Download virus and attack definitions updates  
Download firmware upgrades  
Modify registration information after an RMA  
Soon you will also be able to:  
Access Fortinet user documentation  
Access the Fortinet knowledge base  
128  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Virus and attack definitions updates and registration  
Registering FortiGate units  
All registration information is stored in the Fortinet Customer Support database. This  
information is used to make sure that your registered FortiGate units can be kept up to  
date. All information is strictly confidential. Fortinet does not share this information  
with any third-party organizations for any reason.  
This section describes:  
FortiCare Service Contracts  
Owners of a new FortiGate unit are entitled to 90 days of technical support services.  
To continue receiving support services after the 90-day expiry date, you must  
purchase a FortiCare Support Contract from an authorized Fortinet reseller or  
distributor. Different levels of service are available so you can purchase the support  
that you need. For maximum network protection, Fortinet strongly recommends that  
all customers purchase a service contract that covers antivirus and attack definition  
updates. See your Fortinet reseller or distributor for details of packages and pricing.  
To activate the FortiCare Support Contract, you must register the FortiGate unit and  
add the FortiCare Support Contract number to the registration information. You can  
also register the FortiGate unit without purchasing a FortiCare Support Contract. In  
that case, when you purchase a FortiCare Support Contract you can update the  
registration information to add the support contract number.  
A single FortiCare Support Contract can cover multiple FortiGate units. You must  
enter the same service contract number for each of the FortiGate models covered by  
the service contract.  
FortiGate-800 Installation and Configuration Guide  
129  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Registering FortiGate units  
Virus and attack definitions updates and registration  
Registering the FortiGate unit  
Before registering a FortiGate unit, you require the following information:  
Your contact information including:  
First and last name  
Company name  
Email address (Your Fortinet support login user name and password will be  
sent to this email address.)  
Address  
Contact phone number  
A security question and an answer to the security question.  
This information is used for password recovery. The security question should be a  
simple question that only you know the answer to. The answer should not be easy  
to guess.  
The product model and serial number for each FortiGate unit that you want to  
register.  
The serial number is located on a label on the bottom of the FortiGate unit.  
You can view the Serial number from the web-based manager by going to  
System > Status.  
The serial number is also available from the CLI using the get system status  
command.  
FortiCare Support Contract numbers, if you purchased FortiCare Support  
Contracts for the FortiGate units that you want to register.  
To register one or more FortiGate units  
1
2
Go to System > Update > Support.  
Enter your contact information on the product registration form.  
Figure 27: Registering a FortiGate unit (contact information and security question)  
3
Provide a security question and an answer to the security question.  
130  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Virus and attack definitions updates and registration  
Updating registration information  
4
5
6
Select the model number of the Product Model to register.  
Enter the Serial Number of the FortiGate unit.  
If you have purchased a FortiCare Support Contract for this FortiGate unit, enter the  
support contract number.  
Figure 28: Registering a FortiGate unit (product information)  
7
Select Finish.  
If you have not entered a FortiCare Support Contract number (SCN) you can return to  
the previous page to enter the number. If you do not have a FortiCare Support  
Contract, you can select Continue to complete the registration.  
If you have entered a support contract number, a real-time validation is performed to  
verify that the SCN information matches the FortiGate unit. If the information does not  
match you can try entering it again.  
A web page is displayed that contains detailed information about the Fortinet technical  
support services available to you for the registered FortiGate unit.  
Your Fortinet support user name and password is sent to the email address provided  
with your contact information.  
Updating registration information  
You can use your Fortinet support user name and password to log on to the Fortinet  
Support web site at any time to view or update your Fortinet support information.  
This section describes:  
FortiGate-800 Installation and Configuration Guide  
131  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Updating registration information  
Virus and attack definitions updates and registration  
Recovering a lost Fortinet support password  
If you provided a security question and answer when you registered on the Fortinet  
support web site, you can use the following procedure to receive a replacement  
password. If you did not provide a security question and answer, contact Fortinet  
technical support.  
To recover a lost Fortinet support password  
Go to System > Update > Support.  
Select Support Login.  
1
2
3
4
5
Enter your Fortinet support user name.  
Select Forgot your password?  
Enter your email address and select Submit.  
The security question that you entered when you registered is displayed.  
6
Enter the answer to your security question and select Get Password.  
If you entered the correct answer to the security question, an email containing a new  
password is sent to your email address. You can use your current user name and this  
password to log into the Fortinet support web site.  
7
8
Select Support Login.  
When you receive your new password, enter your user name and new password to  
log into the Fortinet support web site.  
Viewing the list of registered FortiGate units  
To view the list of registered FortiGate units  
Go to System > Update > Support.  
Select Support Login.  
1
2
3
4
5
Enter your Fortinet support user name and password.  
Select Login.  
Select View Products.  
The list of FortiGate products that you have registered is displayed. For each  
FortiGate unit, the list includes the serial number and current support options for that  
unit.  
132  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Virus and attack definitions updates and registration  
Updating registration information  
Figure 29: Sample list of registered FortiGate units  
Registering a new FortiGate unit  
To register a new FortiGate unit  
1
2
3
4
5
6
7
8
Go to System > Update > Support.  
Select Support Login.  
Enter your Fortinet support user name and password.  
Select Login.  
Select Add Registration.  
Select the model number of the product model that you want to register.  
Enter the serial number of the FortiGate unit.  
If you have purchased a FortiCare Support Contract for this FortiGate unit, enter the  
support contract number.  
9
Select Finish.  
The list of FortiGate products that you have registered is displayed. The list now  
includes the new FortiGate unit.  
Adding or changing a FortiCare Support Contract number  
To add or change a FortiCare Support Contract number  
1
2
3
4
5
Go to System > Update > Support.  
Select Support Login.  
Enter your Fortinet support user name and password.  
Select Login.  
Select Add/Change Contract number.  
FortiGate-800 Installation and Configuration Guide  
133  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Updating registration information  
Virus and attack definitions updates and registration  
6
Select the Serial Number of the FortiGate unit for which to add or change a FortiCare  
Support Contract number.  
7
8
Add the new Support Contract number.  
Select Finish.  
The list of FortiGate products that you have registered is displayed. The list now  
includes the new support contract information.  
Changing your Fortinet support password  
To change your Fortinet support password  
1
2
3
4
5
6
7
8
Go to System > Update > Support.  
Select Support Login.  
Enter your Fortinet support user name and password.  
Select Login.  
Select My Profile.  
Select Change Password.  
Enter your current password.  
Enter and confirm a new password.  
An email is sent to your email address confirming that your password has been  
changed. Use your current user name and new password the next time you log into  
the Fortinet technical support web site.  
Changing your contact information or security question  
To change your contact information or security question  
1
2
3
4
5
6
7
8
9
Go to System > Update > Support.  
Select Support Login.  
Enter your Fortinet support user name and password.  
Select Login.  
Select My Profile.  
Select Edit Profile.  
Make the required changes to your contact information.  
Make the required changes to your security question and answer.  
Select Update Profile.  
Your changes are saved to the Fortinet technical support database. If you changed  
your contact information, the changes are displayed.  
134  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Virus and attack definitions updates and registration  
Updating registration information  
Downloading virus and attack definitions updates  
Use the following procedure to manually download virus and attack definitions  
updates. This procedure also describes how to install the attack definitions updates on  
your FortiGate unit.  
To download virus and attack definitions updates  
Go to System > Update > Support.  
Select Support Login.  
1
2
3
4
5
6
7
Enter your Fortinet support user name and password.  
Select Login.  
Select Download Virus/Attack Update.  
If required, select the FortiOS version.  
Select the virus and attack definitions to download.  
Figure 30: Downloading virus and attack definition updates  
For information about how to install the downloaded files, see “Manual virus definition  
FortiGate-800 Installation and Configuration Guide  
135  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Registering a FortiGate unit after an RMA  
Virus and attack definitions updates and registration  
Registering a FortiGate unit after an RMA  
The Return Material Authorization (RMA) process starts when a registered FortiGate  
unit does not work properly because of a hardware failure. If this happens while the  
FortiGate unit is protected by hardware coverage, you can return the FortiGate unit  
that is not functioning to your reseller or distributor.  
The RMA is recorded and you will receive a replacement unit. Fortinet adds the RMA  
information to the Fortinet support database. When you receive the replacement unit  
you can use the following procedure to update your product registration information.  
To register a FortiGate unit after an RMA  
Go to System > Update > Support.  
Select Support Login.  
1
2
3
4
5
6
Enter your Fortinet support user name and password to log in.  
Select Add Registration.  
Select the link to replace a unit with a new unit from an RMA.  
Select Finish.  
The list of FortiGate products that you have registered is displayed. The list now  
includes the replacement FortiGate unit. All support levels are transferred to the  
replacement unit.  
136  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
FortiGate-800 Installation and Configuration Guide Version 2.50  
Network configuration  
You can use the System Network page to change any of the following FortiGate  
network settings:  
Configuring zones  
In NAT/Route mode, you can use zones to group related interfaces and VLAN  
subinterfaces. Grouping interfaces and VLAN subinterfaces into zones simplifies  
policy creation. If you group interfaces an VLAN subinterfaces into a zone, you can  
configure policies for connections to and from this zone, rather than to and from each  
interface and VLAN subinterface.  
You can add zones, rename and edit zones, and delete zones from the zone list.  
A new zone does not appear in the policy grid until you add an interface to it (see  
“Adding an interface to a zone” on page 139) and add a firewall address for it (see  
This section describes:  
FortiGate-800 Installation and Configuration Guide  
137  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Configuring interfaces  
Network configuration  
Adding zones  
The new zone does not appear in the policy grid until you add an interface to it, see  
To add an interface to a zone” below, and add a firewall address for it (see “Adding  
To add a zone  
1
2
3
Go to System > Network > Zone.  
Select New.  
Type a name for the zone.  
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Other special characters and spaces are not allowed.  
4
Select the Block intra-zone traffic check box if you want to block traffic between  
interfaces in the same zone.  
5
Select OK.  
Deleting zones  
You must remove all interfaces and VLAN subinterfaces from a zone before you can  
delete the zone. You can only delete zones that have the Delete icon  
in the zone list.  
beside them  
To delete a zone  
1
Go to System > Network > Zone.  
2
3
Select Delete  
to remove a zone from the list.  
Select OK to delete the zone.  
Configuring interfaces  
Use the following procedures to configure FortiGate interfaces and VLAN  
subinterfaces. All of these procedures can be used for physical FortiGate interfaces  
and for VLAN subinterfaces.  
138  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Network configuration  
Configuring interfaces  
Viewing the interface list  
To view the interface list  
Go to System > Network > Interface.  
1
The interface list is displayed. The interface list shows the following status information  
for all the FortiGate interfaces and VLAN subinterfaces:  
The name of the interface  
The IP address of the interface  
The netmask of the interface  
The zone that the interface has been added to  
The administrative access configuration for the interface  
about administrative access options.  
The administrative status for the interface  
If the administrative status is a green arrow, the interface is up and can accept  
network traffic. If the administrative status is a red arrow, the interface is  
administratively down and cannot accept traffic. To change the administrative  
Changing the administrative status of an interface  
You can use the following procedures to start an interface that is administratively  
down and stop and interface that is administratively up.  
To start up an interface that is administratively down  
1
2
Go to System > Network > Interface.  
The interface list is displayed.  
Select Bring Up for the interface that you want to start.  
To stop an interface that is administratively up  
1
From the FortiGate CLI, enter the command:  
set system interface <intf_str> config status down  
You can only stop an interface that is administratively up from the FortiGate command  
line interface (CLI).  
Adding an interface to a zone  
If you have added zones to the FortiGate unit, you can use the following procedure to  
add an interface or VLAN subinterface to a zone.  
You must delete any firewall addresses added to an interface or VLAN subinterface  
before adding the interface or VLAN subinterface to a zone. For information about  
deleting addresses, see “Deleting addresses” on page 199.  
When you add an interface or VLAN subinterface to a zone, you cannot add firewall  
addresses to the interface or VLAN subinterface and the interface or VLAN  
subinterface does not appear on the policy grid.  
FortiGate-800 Installation and Configuration Guide  
139  
Download from Www.Somanuals.com. All Manuals Search And Download.  
             
Configuring interfaces  
Network configuration  
To add an interface to a zone  
1
2
3
Go to System > Network > Interface.  
Choose the interface or VLAN subinterface to add to a zone and select Modify  
From the Belong to Zone list, select the zone that you want to add the interface to.  
.
The belong to zone list only appears if you have added zones and if you have not  
added firewall addresses for the interface.  
4
5
Select OK to save the changes.  
Repeat these steps to add more interfaces or VLAN subinterfaces to zones.  
Configuring an interface with a manual IP address  
You can change the static IP address of any FortiGate interface.  
To change an interface with a manual IP address  
1
2
3
4
Go to System > Network > Interface.  
Choose an interface and select Modify  
Set Addressing Mode to Manual.  
.
Change the IP address and Netmask as required.  
The IP address of the interface must be on the same subnet as the network the  
interface is connecting to.  
Two interfaces cannot have the same IP address and cannot have IP addresses on  
the same subnet.  
5
Select OK to save your changes.  
If you changed the IP address of the interface to which you are connecting to manage  
the FortiGate unit, you must reconnect to the web-based manager using the new  
interface IP address.  
Configuring an interface for DHCP  
You can configure any FortiGate interface to use DHCP.  
If you configure the interface to use DHCP, the FortiGate unit automatically broadcasts  
a DHCP request. You can disable connect to server if you are configuring the  
FortiGate unit offline and you do not want the FortiGate unit to send the DHCP  
request.  
By default, the FortiGate unit also retrieves a default gateway IP address and DNS  
server IP addresses from the DHCP server. You can disable the option Retrieve  
default gateway and DNS from server if you do not want the DHCP server to configure  
these FortiGate settings.  
To configure an interface for DHCP  
1
2
3
Go to System > Network > Interface.  
Choose an interface and select Modify  
.
In the Addressing Mode section, select DHCP.  
140  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Network configuration  
Configuring interfaces  
4
Clear the Retrieve default gateway and DNS from server check box if you do not want  
the FortiGate unit to obtain a default gateway IP address and DNS server IP  
addresses from the DHCP server.  
By default, this option is enabled.  
5
6
7
Clear the Connect to Server check box if you do not want the FortiGate unit to connect  
to the DHCP server.  
By default, this option is enabled.  
Select Apply.  
The FortiGate unit attempts to contact the DHCP server from the interface to set the  
IP address, netmask, default gateway IP address, and DNS server IP addresses.  
Select Status to refresh the addressing mode status message.  
initializing  
connecting  
connected  
No activity  
The FortiGate unit is attempting to connect to the DHCP server.  
The FortiGate unit retrieves an IP address, netmask, and other settings from  
the DHCP server.  
failed  
The FortiGate unit was unable to retrieve an IP address and other  
information from the DHCP server.  
8
Select OK.  
Configuring an interface for PPPoE  
Use the following procedure to configure any FortiGate interface to use PPPoE.  
If you configure the interface to use PPPoE, the FortiGate unit automatically  
broadcasts a PPPoE request. You can disable connect to server if you are configuring  
the FortiGate unit offline and you do not want the FortiGate unit to send the PPPoE  
request.  
By default, the FortiGate unit also retrieves a default gateway IP address and DNS  
server IP addresses from the PPPoE server. You can disable the option Retrieve  
default gateway and DNS from server if you do not want the PPPoE server to  
configure these FortiGate settings.  
To configure an interface for PPPoE  
1
2
3
4
5
Go to System > Network > Interface.  
Choose an interface and select Modify  
.
In the Addressing Mode section, select PPPoE.  
Enter your PPPoE account User Name and Password.  
Clear the Retrieve default gateway and DNS from server check box if you do not want  
the FortiGate unit to obtain a default gateway IP address and DNS server IP  
addresses from the PPPoE server.  
By default, this option is enabled.  
6
Clear the Connect to Server check box if you do not want the FortiGate unit to connect  
to the PPPoE server.  
By default, this option is enabled.  
FortiGate-800 Installation and Configuration Guide  
141  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Configuring interfaces  
Network configuration  
7
8
Select Apply.  
The FortiGate unit attempts to contact the PPPoE server from the interface to set the  
IP address, netmask, default gateway IP address, and DNS server IP addresses.  
Select Status: to refresh the addressing mode status message. Possible messages:  
initializing  
connecting  
connected  
No activity  
The FortiGate unit is attempting to connect to the DHCP server.  
The FortiGate unit retrieves an IP address, netmask, and other settings from  
the PPPoE server.  
failed  
The FortiGate unit was unable to retrieve an IP address and other  
information from the PPPoE server.  
9
Select OK.  
Adding a secondary IP address to an interface  
You can use the CLI to add a secondary IP address to any FortiGate interface. The  
secondary IP address cannot be the same as the primary IP address but it can be on  
the same subnet.  
To add a secondary IP address from the CLI enter the command:  
set system interface <intf_str> config secip <second_ip>  
<netmask_ip>  
You can also configure management access and add a ping server to the secondary  
IP address.  
set system interface <intf_str> config secallowaccess ping  
https ssh snmp http telnet  
set system interface <intf_str> config secgwdetect enable  
Adding a ping server to an interface  
Add a ping server to an interface if you want the FortiGate unit to confirm connectivity  
with the next hop router on the network connected to the interface. Adding a ping  
server is required for routing failover. See “Adding destination-based routes to the  
To add a ping server to an interface  
1
2
3
Go to System > Network > Interface.  
Choose an interface and select Modify  
.
Set Ping Server to the IP address of the next hop router on the network connected to  
the interface.  
4
Select the Enable check box.  
The FortiGate unit uses dead gateway detection to ping the Ping Server IP address to  
make sure that the FortiGate unit can connect to this IP address. To configure dead  
5
Select OK to save the changes.  
142  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Network configuration  
Configuring interfaces  
Controlling administrative access to an interface  
For a FortiGate unit running in NAT/Route mode, you can control administrative  
access to an interface to control how administrators access the FortiGate unit and the  
FortiGate interfaces to which administrators can connect.  
Controlling administrative access for an interface connected to the Internet allows  
remote administration of the FortiGate unit from any location on the Internet. However,  
allowing remote administration from the Internet could compromise the security of  
your FortiGate unit. You should avoid allowing administrative access for an interface  
connected to the Internet unless this is required for your configuration. To improve the  
security of a FortiGate unit that allows remote administration from the Internet:  
Use secure administrative user passwords,  
Change these passwords regularly,  
Enable secure administrative access to this interface using only HTTPS or SSH,  
Do not change the system idle timeout from the default value of 5 minutes (see To  
To configure administrative access in Transparent mode, see “Configuring the  
To control administrative access to an interface  
1
2
3
Go to System > Network > Interface.  
Choose an interface and select Modify  
.
Select the Administrative Access methods for the interface.  
HTTPS  
PING  
To allow secure HTTPS connections to the web-based manager through this  
interface.  
If you want this interface to respond to pings. Use this setting to verify your  
installation and for testing.  
HTTP  
To allow HTTP connections to the web-based manager through this interface.  
HTTP connections are not secure and can be intercepted by a third party.  
SSH  
To allow SSH connections to the CLI through this interface.  
SNMP  
To allow a remote SNMP manager to request SNMP information by connecting to  
this interface. See “Configuring SNMP” on page 173.  
TELNET To allow Telnet connections to the CLI through this interface. Telnet connections  
are not secure and can be intercepted by a third party.  
4
Select OK to save the changes.  
FortiGate-800 Installation and Configuration Guide  
143  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Configuring interfaces  
Network configuration  
Changing the MTU size to improve network performance  
To improve network performance, you can change the maximum transmission unit  
(MTU) of the packets that the FortiGate unit transmits from any interface. Ideally, this  
MTU should be the same as the smallest MTU of all the networks between the  
FortiGate unit and the destination of the packets. If the packets that the FortiGate unit  
sends are larger, they are broken up or fragmented, which slows down transmission.  
Experiment by lowering the MTU to find an MTU size for best network performance.  
To change the MTU size of the packets leaving an interface  
1
2
3
4
Go to System > Network > Interface.  
Choose an interface and select Modify  
Select Override default MTU value (1500).  
Set the MTU size.  
.
Set the maximum packet size. For manual and DHCP addressing mode the MTU size  
can be from 576 to 1500 bytes. For PPPoE addressing mode the MTU size can be  
from 576 to 1492 bytes.  
Configuring traffic logging for connections to an interface  
To configure traffic logging for connections to an interface  
1
2
3
Go to System > Network > Interface.  
Choose an interface and select Modify  
.
Select the Log check box to record log messages whenever a firewall policy accepts a  
connection to this interface.  
4
Select OK to save the changes.  
Configuring the management interface in Transparent mode  
Configure the management interface in Transparent mode to set the management IP  
address of the FortiGate unit. Administrators connect to this IP address to administer  
the FortiGate unit. The FortiGate also uses this IP address to connect to the FDN for  
You can also configure the management interface to control how administrators  
connect to the FortiGate unit for administration and the FortiGate interfaces to which  
administrators can connect.  
Controlling administrative access to a FortiGate interface connected to the Internet  
allows remote administration of the FortiGate unit from any location on the Internet.  
However, allowing remote administration from the Internet could compromise the  
security of the FortiGate unit. You should avoid allowing administrative access for an  
interface connected to the Internet unless this is required for your configuration. To  
improve the security of a FortiGate unit that allows remote administration from the  
Internet:  
Use secure administrative user passwords,  
Change these passwords regularly,  
144  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
               
Network configuration  
VLAN overview  
Enable secure administrative access to this interface using only HTTPS or SSH,  
Do not change the system idle timeout from the default value of 5 minutes (see To  
To configure the management interface in Transparent mode  
Go to System > Network > Management.  
1
2
Change the Management IP and Netmask as required.  
This must be a valid address for the network that you want to manage the FortiGate  
unit from.  
3
4
Add a default gateway IP address if the FortiGate unit must connect to a default  
gateway to reach the management computer.  
Select the administrative access methods for each interface.  
HTTPS  
PING  
To allow secure HTTPS connections to the web-based manager through this  
interface.  
If you want this interface to respond to pings. Use this setting to verify your  
installation and for testing.  
HTTP  
To allow HTTP connections to the web-based manager through this interface.  
HTTP connections are not secure and can be intercepted by a third party.  
SSH  
To allow SSH connections to the CLI through this interface.  
SNMP  
To allow a remote SNMP manager to request SNMP information by connecting to  
this interface. See “Configuring SNMP” on page 173.  
TELNET To allow Telnet connections to the CLI through this interface. Telnet connections  
are not secure and can be intercepted by a third party.  
5
6
Select Log for each interface that you want to record log messages whenever a  
firewall policy accepts a connection to this interface.  
Select Apply to save the changes.  
VLAN overview  
FortiGate units support IEEE 802.1Q Virtual LAN (VLAN) technology. A VLAN is group  
of PCs, servers, and other network devices that communicate as if they were on the  
same LAN segment, even though they may not be. For example, the workstations and  
servers for an accounting department could be scattered throughout an office,  
connected to numerous network segments, but they can still belong to the same  
VLAN.  
A VLAN segregates devices logically instead of physically. Each VLAN is treated as a  
broadcast domain. Devices in VLAN 1 can connect with other devices in VLAN 1, but  
cannot connect with devices in other VLANs. The communication among devices on a  
VLAN is independent of the physical network.  
A VLAN segregates devices by adding 802.1Q VLAN tags to all of the packets sent  
and received by the devices in the VLAN. VLAN tags are 4-byte frame extensions that  
contain a VLAN identifier as well as other information.  
FortiGate-800 Installation and Configuration Guide  
145  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
VLANs in NAT/Route mode  
Network configuration  
In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3  
routers or firewalls add VLAN tags to packets. Packets passing between devices in  
the same VLAN can be handled by layer 2 switches. Packets passing between  
devices in different VLANs must be handled by a layer 3 device such as router,  
firewall, or layer 3 switch.  
Operating in NAT/Route mode, the FortiGate unit functions as a layer 3 device to  
control the flow of packets between VLANs. See “VLANs in NAT/Route mode” on  
page 146 for more information.  
Operating in Transparent mode, the FortiGate unit functions as a layer 2 device to  
control the flow of packets between segments in the same VLAN. See “Virtual  
VLANs in NAT/Route mode  
In NAT/Route mode, FortiGate units support VLANs for constructing VLAN trunks  
between an IEEE 802.1Q-compliant switch (or router) and the FortiGate unit. Normally  
the FortiGate unit internal interface connects to a VLAN trunk on an internal switch,  
and the external interface connects to an upstream Internet router untagged. The  
FortiGate unit can then apply different policies for traffic on each VLAN that connects  
to the internal interface.  
In this configuration, you add VLAN subinterfaces to the FortiGate internal interface  
that have VLAN IDs that match the VLAN IDs of packets in the VLAN trunk. The  
FortiGate unit directs packets with VLAN IDs, to subinterfaces with matching VLAN  
IDs.  
You can also define VLAN subinterfaces on all FortiGate interfaces. The FortiGate unit  
can add VLAN tags to packets leaving a VLAN subinterface or remove VLAN tags  
from incoming packets and add different VLAN tags to outgoing packets.  
Rules for VLAN IDs  
Two VLAN subinterfaces added to the same physical interface cannot have the same  
VLAN ID. However, you can add two or more VLAN subinterfaces with the same  
VLAN IDs to different physical interfaces. There is no internal connection or link  
between two VLAN subinterfaces with same VLAN ID. Their relationship is the same  
as the relationship between any two FortiGate network interfaces.  
Rules for VLAN IP addresses  
IP addresses of all FortiGate interfaces cannot overlap. That is, the IP addresses of all  
interfaces must be on different subnets. This rule applies to both physical interfaces  
and to VLAN subinterfaces.  
Note: You can enter the CLI command set system ip-overlap enableto allow IP  
address overlap. If you enter this command, multiple VLAN interfaces can have an IP address  
that is part of a subnet used by another interface. This command is recommended for advanced  
users only.  
146  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Network configuration  
Virtual domains in Transparent mode  
Adding VLAN subinterfaces  
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE  
802.1Q-compliant router. The VLAN ID can be any number between 1 and 4096.  
Each VLAN subinterface must also be configured with its own IP address and  
netmask.  
You add VLAN subinterfaces to the physical interface that receives VLAN-tagged  
packets.  
To add VLAN subinterfaces  
1
2
3
Go to System > Network > Interface.  
Select New VLAN to add a VLAN subinterface.  
Enter a Name to identify the VLAN subinterface.  
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Other special characters and spaces are not allowed.  
4
5
Select the interface that receives the VLAN packets intended for this VLAN  
subinterface.  
Enter the VLAN ID that matches the VLAN ID of the packets to be received by this  
VLAN subinterface.  
The VLAN ID can be any number between 1 and 4096 but must match the VLAN ID  
added by the IEEE 802.1Q-compliant router or switch.  
6
7
Configure the VLAN subinterface settings as you would for any FortiGate interface.  
You can add the VLAN subinterface to a zone, configure addressing, add a ping  
server, and configure administrative access to the VLAN subinterface. For more  
Select OK to save your changes.  
The FortiGate unit adds the new subinterface to the interface that you selected in  
step 4.  
Virtual domains in Transparent mode  
In Transparent mode, The FortiGate unit can apply firewall policies and services, such  
as virus scanning, to traffic on an IEEE 802.1 VLAN trunk. The FortiGate unit  
operating in Transparent mode can be inserted into the trunk without making changes  
to the network. In a typical configuration, the FortiGate internal interface accepts  
VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal  
VLANs. The FortiGate external interface forwards tagged packets through the trunk to  
an external VLAN switch or router. This external switch or router could be connected  
to the Internet. The FortiGate unit can be configured to apply different policies for  
traffic on each VLAN in the trunk.  
FortiGate-800 Installation and Configuration Guide  
147  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Virtual domains in Transparent mode  
Network configuration  
To support VLANs in Transparent mode, you add virtual domains to the FortiGate unit.  
A virtual domain contains at least 2 VLAN subinterfaces. For VLAN traffic to be able to  
pass between the FortiGate Internal and external interface you would add a VLAN  
subinterface to the internal interface and another VLAN subinterface to the external  
interface. If these VLAN subinterfaces have the same VLAN IDs, the FortiGate unit  
applies firewall policies to the traffic on this VLAN. If these VLAN subinterfaces have  
different VLAN IDs, or if you add more than two VLAN subinterfaces to the virtual  
domain, you can also use firewall policies to control connections between VLANs.  
When the FortiGate unit receives a VLAN tagged packet at an interface, the packet is  
directed to the VLAN subinterface with matching VLAN ID. The VLAN subinterface  
removes the VLAN tag and assigns a destination interface to the packet based on its  
destination MAC address. The firewall policies for this source and destination VLAN  
subinterface pair are applied to the packet. If the packet is accepted by the firewall,  
the FortiGate unit forwards the packet to the destination VLAN subinterface. The  
destination VLAN ID is added to the packet and it is sent to the VLAN trunk.  
When a packet enters a virtual domain on the FortiGate unit, it is confined to that  
virtual domain. In a given domain, you can only create firewall policies for connections  
between VLAN subinterfaces or zones in the virtual domain. The packet never  
crosses the virtual domain border.  
The FortiGate-800 supports 64 virtual domains.  
Figure 31: FortiGate unit with two virtual domains  
VLAN Switch or router  
FortiGate unit  
VLAN1  
Virtual Domain 1  
Internal  
External  
VLAN1  
content filtering  
antivirus  
NIDS  
VLAN1  
VLAN2  
VLAN3  
VLAN2  
VLAN3  
VLAN1  
VLAN1  
VLAN Switch  
or router  
Internet  
VLAN2  
VLAN3  
VLAN trunk  
Virtual Domain 2  
content filtering  
VLAN trunk  
VLAN2  
VLAN3  
VLAN2  
VLAN3  
antivirus  
NIDS  
148  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Network configuration  
Virtual domains in Transparent mode  
Virtual domain properties  
A virtual domain has the following exclusive properties:  
VLAN name,  
VLAN ID,  
VLAN interface assignment,  
VLAN zone assignment (optional),  
Firewall policy.  
Virtual domains share the following global properties with other processes on the  
FortiGate unit:  
System settings,  
Firewall policy objects (addresses, services, schedule, content profiles, and so on),  
User information,  
NIDS settings,  
Antivirus, Web filter, Mail filter settings,  
Log & report settings.  
In addition to the global properties, virtual domains share a common administrative  
model. Administrators have access to all of the virtual domains on the FortiGate unit.  
Only their administrative access level varies.  
Configuring a virtual domain  
Configure a virtual domain by adding the virtual domain to the FortiGate configuration.  
Then add matching pairs of VLAN subinterfaces to the virtual domain.  
Adding a virtual domain  
Use the following procedure to add a virtual domain to the FortiGate unit. You must  
add at least one virtual domain to support VLANs in Transparent mode. Add more  
virtual domains to simplify configuration if you are planning to add a large number of  
VLANs.  
To add a virtual domain  
1
2
3
4
Go to System > Virtual Domain.  
Select New to add a virtual domain.  
Type a Name for the virtual domain.  
Select OK to add the virtual domain.  
FortiGate-800 Installation and Configuration Guide  
149  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Virtual domains in Transparent mode  
Network configuration  
Adding VLAN subinterfaces to a virtual domain  
Use the following procedure to add VLAN subinterfaces to a virtual domain. You must  
add at least two VLAN subinterfaces to each virtual domain. In most configurations a  
virtual domain is used to send VLAN-tagged packets received at one FortiGate  
physical interface to another FortiGate physical interface (for example, from the  
internal interface to the external interface). For this to occur, you must add VLAN  
subinterfaces to the receiving and sending physical interfaces (for example, to the  
internal and external interfaces.  
To add VLAN subinterfaces to a virtual domain  
Go to System > Network > VLAN.  
1
2
3
4
5
Select the Virtual Domain to add the VLAN subinterface to.  
Select New to add a VLAN subinterface.  
Type a Name for the VLAN subinterface.  
Select the interface to associate the VLAN subinterface with.  
The VLAN subinterface must be added to the FortiGate interface that receives the  
VLAN-tagged packets.  
6
7
Enter a VLAN ID for the VLAN subinterface.  
The VLAN ID can be any number between 1 and 4095.  
Optionally, select a zone to add the VLAN subinterface to a zone.  
To add a zone to a virtual domain, see “Adding zones to virtual domains” on page 150.  
8
9
Select OK to add the VLAN subinterface.  
Repeat these steps to add more VLAN subinterfaces to the virtual domain.  
To configure management access and traffic logging for VLAN subinterfaces  
1
2
Go to System > Network > Management.  
Configure management access as required for the VLAN subinterfaces that you have  
added.  
You can select HTTPS, PING, SSH, SNMP, HTTP, or TELNET.  
3
Select Log to configure traffic logging for the VLAN subinterfaces that you have  
added.  
Adding zones to virtual domains  
Add zones to a virtual domain to group together related VLAN subinterfaces. Use  
zones to simplify firewall policy creation if you have many VLAN subinterfaces in a  
virtual domain. For more information about zones, see “Configuring zones” on  
page 137. Use the following procedure to add a zone to a virtual domain.  
150  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Network configuration  
Virtual domains in Transparent mode  
Figure 32: FortiGate unit containing a virtual domain with zones  
VLAN Switch or router  
FortiGate unit  
Virtual Domain  
VLAN1  
VLAN2  
VLAN3  
External  
VLAN1  
Internal  
VLAN1  
VLAN2  
VLAN3  
VLAN2  
VLAN3  
VLAN1  
VLAN1  
zone1  
VLAN Switch  
or router  
Internet  
VLAN trunk  
VLAN trunk  
zone2  
VLAN2  
VLAN3  
VLAN2  
VLAN3  
Multiple zones in a single virtual domain cannot be connected to a single VLAN trunk.  
This configuration is correct because each zone is connected to a different VLAN  
trunk (zone1 connected to the VLAN trunk on the internal interface and zone2  
connected to the VLAN trunk on the external interface). If you were to add another  
zone (for example, zone3 connected to the VLAN trunk on the internal interface) the  
FortiGate unit would not be able to successfully differentiate between traffic for zone1  
and zone3. This is the case because both zone 1 and zone3 traffic would be routed to  
the same MAC address.  
To add a zone to a virtual domain  
Go to System > Network > Zone.  
Select New to add a zone.  
1
2
3
4
5
Type a Name for the zone.  
Select the Virtual Domain to add the zone to.  
Optionally select Block intra-zone traffic to block traffic between VLAN subinterfaces  
in the same zone.  
6
Select OK to add the zone.  
To add VLAN subinterfaces to a zone  
1
2
Go to System > Network > VLAN.  
Set Virtual Domain to All or to the virtual domain containing the VLAN subinterfaces to  
add to a zone.  
3
Select List to list all of VLAN subinterfaces added to the FortiGate unit or to the  
selected virtual domain.  
4
5
6
For a VLAN subinterface to add to a zone, select Modify  
.
From the zone list, select the name of the zone to add the VLAN subinterface to.  
Select OK to save your changes.  
You can also use the procedure “Adding VLAN subinterfaces” on page 147 to add a  
VLAN subinterface to a zone if you are adding new VLAN subinterfaces to a virtual  
domain to which you have already added zones.  
FortiGate-800 Installation and Configuration Guide  
151  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Virtual domains in Transparent mode  
Network configuration  
Adding firewall policies for virtual domains  
Once the network configuration for the virtual domain is complete, you must create  
firewall policies for the virtual domain to allow packets to flow through the firewall  
between VLAN subinterfaces.  
Adding addresses for virtual domains  
Before you can create firewall policies for a virtual domain, you must add source and  
destination addresses for the VLAN subinterfaces and zones added to the virtual  
domain.  
1
2
3
4
5
6
7
Go to Firewall > Address.  
Select the VLAN subinterface or zone to which to add the address.  
Select New to add a new address.  
Enter an Address Name to identify the address.  
Enter the IP Address.  
Enter the NetMask.  
Select OK to add the address.  
Adding firewall policies for virtual domains  
Add Firewall policies to control connections and traffic between FortiGate VLAN  
subinterfaces and zones in a virtual domain.  
1
2
3
4
Go to Firewall > Policy.  
Select the Virtual Domain to which you want to add the policy.  
Select a source VLAN subinterface or zone.  
Select a destination VLAN subinterface or zone.  
VLAN subinterfaces or zones only appear in the source and destination lists if they  
have been added to the selected virtual domain and if you have added firewall  
addresses for them.  
The source and destination cannot be the same VLAN subinterface or zone.  
5
6
7
Select New to add a new policy.  
Configure the policy.  
Select OK to add the policy.  
152  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Network configuration  
Adding DNS server IP addresses  
Deleting virtual domains  
You must remove all VLAN subinterfaces and zones that have been added to the  
virtual domain before you can delete the virtual domain. To remove VLAN  
subinterfaces and zones you must remove all firewall policies and firewall addresses  
for the VLAN subinterfaces and zones. You can only delete virtual domains that have  
the Delete icon beside them in the zone list.  
Delete the virtual domain components in the following order:  
firewall policies  
source and destination addresses  
VLAN subinterfaces  
zones  
the virtual domain  
Adding DNS server IP addresses  
Several FortiGate functions, including sending email alerts and URL blocking, use  
DNS. Use the following procedure to add the IP addresses of the DNS servers that  
your FortiGate unit can connect to. DNS server IP addresses are usually supplied by  
your ISP.  
To add DNS server IP addresses  
1
2
3
Go to System > Network > DNS.  
Change the primary and secondary DNS server IP addresses as required.  
Select Apply to save the changes.  
Configuring routing  
This section describes how to configure FortiGate routing. You can configure routing  
to add static routes from the FortiGate unit to local routers. Using policy routing you  
can increase the flexibility of FortiGate routing to support more advanced routing  
functions.  
You can also use routing to create a multiple Internet connection configuration that  
supports redundancy and load sharing between the two Internet connections.  
This section describes:  
FortiGate-800 Installation and Configuration Guide  
153  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Configuring routing  
Network configuration  
Adding a default route  
You can add a default route for network traffic leaving the external interface.  
To add a default route  
1
2
3
4
5
Go to System > Network > Routing Table.  
Select New to add a new route.  
Set the Source IP and Netmask to 0.0.0.0.  
Set the Destination IP and Netmask to 0.0.0.0.  
Set Gateway 1 to the IP address of the routing gateway that routes traffic to the  
Internet.  
6
Select OK to save the default route.  
Note: Only one default route can be active at a time. If two default routes are added to the  
routing table, only the default route closest to the top of the routing table is active.  
Adding destination-based routes to the routing table  
You can add destination-based routes to the FortiGate routing table to control the  
destination of traffic exiting the FortiGate unit. You configure routes by adding  
destination IP addresses and netmasks and adding gateways for these destination  
addresses. The gateways are the next hop routers to which to route traffic that  
matches the destination addresses in the route.  
You can add one or two gateways to a route. If you add one gateway, the FortiGate  
unit routes the traffic to that gateway. You can add a second gateway to route traffic to  
the second gateway if the first gateway fails.  
To support routing failover, the IP address of each gateway must be added to the ping  
server of the interface connected to the same network as the gateway. For information  
about adding a ping server, see “Adding a ping server to an interface” on page 142.  
To add destination-based routes to the routing table  
Go to System > Network > Routing Table.  
Select New to add a new route.  
1
2
3
4
Type the Destination IP address and netmask for the route.  
Add the IP address of Gateway #1.  
Gateway #1 is the IP address of the primary destination for the route.  
Gateway #1 must be on the same subnet as a Fortigate interface.  
If you are adding a static route from the FortiGate unit to a single destination router,  
you need to specify only one gateway.  
5
Add the IP address of Gateway #2, if you want to route traffic to multiple gateways.  
154  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Network configuration  
Configuring routing  
6
7
8
Set Device #1 to the FortiGate interface or VLAN subinterface through which to route  
traffic to connect to Gateway #1.  
You can select the name of an interface, VLAN subinterface, or Auto (the default). If  
you select the name of an interface or VLAN subinterface the traffic is routed to that  
interface. If you select Auto the system selects the interface according to the following  
rules:  
If the Gateway #1 IP address is on the same subnet as a FortiGate interface or  
VLAN subinterface, the system sends the traffic to that interface.  
If the Gateway #1 IP address is not on the same subnet as a FortiGate interface or  
VLAN subinterface, the system routes the traffic to the external interface, using the  
default route.  
You can use Device #1 to send packets to an interface that is on a different subnet  
than the destination IP address of the packets without routing them using the default  
route.  
Set Device #2 to the FortiGate interface or VLAN subinterface through which to route  
traffic to connect to Gateway #2.  
You can select the name of an interface, VLAN subinterface, or Auto (the default). If  
you select the name of an interface or VLAN subinterface the traffic is routed to that  
interface. If you select Auto the system selects the interface according to the following  
rules:  
If the Gateway #2 IP address is on the same subnet as a FortiGate interface or  
VLAN subinterface, the system sends the traffic to that interface.  
If the Gateway #2 IP address is not on the same subnet as a FortiGate interface or  
VLAN subinterface, the system routes the traffic to the external interface, using the  
default route.  
You can use Device #2 to send packets to an interface that is on a different subnet  
than the destination IP address of the packets without routing them using the default  
route.  
Select OK to save the route.  
Note: Any two routes in the routing table must differ by something other than just the gateway to  
be simultaneously active. If two routes added to the routing table are identical except for their  
gateway IP addresses, only the route closer to the top of the routing table can be active.  
Note: Arrange routes in the routing table from more specific to more general. For information  
about arranging routes in the routing table, see “Configuring the routing table”.  
Adding routes in Transparent mode  
Use the following procedure to add routes when operating the FortiGate unit in  
Transparent mode.  
To add a route in Transparent mode  
Go to System > Network > Routing.  
Select New.  
1
2
3
4
Enter the Destination IP address and Netmask for the route.  
Enter the Gateway IP address for the route.  
FortiGate-800 Installation and Configuration Guide  
155  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Configuring routing  
Network configuration  
5
6
Select OK to save the new route.  
Repeat steps 1 to 5 to add more routes as required.  
Configuring the routing table  
The routing table shows the destination IP address and mask of each route that you  
add, as well as the gateways and devices added to the route. The routing table also  
displays the gateway connection status. A green check mark indicates that the  
FortiGate unit has used the ping server and dead gateway detection to determine that  
it can connect to the gateway. A red X means that a connection cannot be established.  
A blue question mark means that the connection status is unknown. For more  
The FortiGate unit assigns routes using a best match algorithm based on the  
destination address of the packet and the destination address of the route. To select a  
route for a packet, the FortiGate unit searches the routing table for a route that best  
matches the destination address of the packet. If a match is not found, the FortiGate  
unit routes the packet using the default route.  
To configure the routing table  
1
2
Go to System > Network > Routing Table.  
Choose the route that you want to move and select Move to  
the routing table.  
to change its order in  
3
4
Type a number in the Move to field to specify where in the routing table to move the  
route and select OK.  
Select Delete  
to delete a route from the routing table.  
Figure 33: Routing table  
Policy routing  
Policy routing extends the functions of destination routing. Using policy routing you  
can route traffic based on the following:  
Destination address  
Source address  
Protocol, service type, or port range  
Incoming or source interface  
156  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Network configuration  
Configuring DHCP services  
Using policy routing you can build a routing policy database (RPDB) that selects the  
appropriate route for traffic by applying a set of routing rules. To select a route for  
traffic, the FortiGate unit matches the traffic with the policy routes added to the RPDB  
starting at the top of the list. The first policy route that matches is used to set the route  
for the traffic. The route supplies the next hop gateway as well as the FortiGate  
interface to be used by the traffic.  
Packets are matched with policy routes before they are matched with destination  
routes. If a packet does not match a policy route, it is routed using destination routes.  
The gateway added to a policy route must also be added to a destination route. When  
the FortiGate unit matches packets with a route in the RPDB, the FortiGate unit looks  
in the destination routing table for the gateway that was added to the policy route. If a  
match is found, the FortiGate unit routes the packet using the matched destination  
route. If a match is not found, the FortiGate unit routes the packet using normal  
routing.  
To find a route with a matching gateway, the FortiGate unit starts at the top of the  
destination routing table and searches until it finds the first matching destination route.  
This matched route is used to route the packet.  
For policy routing examples, see “Policy routing examples” on page 55.  
Policy routing command syntax  
Configure policy routing using the following CLI command.  
set system route policy <route_int> src <source_ip>  
<source_mask> iifname <source-interface_name>  
dst <destination_ip> <destination_mask>  
oifname <destination-interface_name> protocol <protocol_int>  
port <low-port_int> <high-port_int> gw <gateway_ip>  
Complete policy routing command syntax is described in Volume 6: FortiGate CLI  
Reference Guide.  
Configuring DHCP services  
You can configure DHCP server or DHCP relay agent functionality on any FortiGate  
interface.  
A FortiGate interface can act as either a DHCP server or as a DHCP relay agent. An  
interface cannot provide both functions.  
Note: To configure DHCP server or DHCP relay functionality on an interface, the FortiGate unit  
must be in NAT/Route mode and the interface must have a static IP address.  
This section describes the following:  
FortiGate-800 Installation and Configuration Guide  
157  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Configuring DHCP services  
Network configuration  
Configuring a DHCP relay agent  
In a DHCP relay configuration, the FortiGate unit forwards DHCP requests from  
DHCP clients through the FortiGate unit to a DHCP server. The FortiGate unit also  
returns responses from the DHCP server to the DHCP clients. The DHCP server must  
have a route to the FortiGate unit that is configured as the DHCP relay so that the  
packets sent by the DHCP server to the DHCP client arrive at the FortiGate  
performing DHCP relay.  
To configure an interface as a DHCP relay agent  
Go to System > Network > DHCP.  
Select Service.  
1
2
3
4
5
6
Select the interface to be the DHCP relay agent.  
Select DHCP Relay Agent.  
Enter the DHCP Server IP address.  
Select Apply.  
Configuring a DHCP server  
As a DHCP server, the FortiGate unit dynamically assigns IP addresses to hosts  
located on connected subnets. You can configure a DHCP server for any FortiGate  
interface. You can also configure a DHCP server for more than one FortiGate  
interface. For each DHCP server configuration you can add multiple scopes (also  
called address scopes) so that the DHCP server can assign IP addresses to  
computers on multiple subnets.  
Use these procedures to configure an interface as a DHCP server:  
Adding a DHCP server to an interface  
To add a DHCP server to an interface  
Go to System > Network > DHCP.  
Select Service.  
1
2
3
4
5
Select an interface.  
Select DHCP Server.  
Select Apply.  
Adding scopes to a DHCP server  
If you have configured an interface as a DHCP server, the interface requires at least  
one scope (also called an address scope). The scope designates the starting IP and  
ending IP for the range of addresses that the FortiGate unit assigns to DHCP clients.  
158  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
               
Network configuration  
Configuring DHCP services  
You can add multiple scopes to an interface so that the DHCP server added to that  
interface can supply IP addresses to computers on multiple subnets.  
Add multiple scopes if the DHCP server receives DHCP requests from subnets that  
are not connected directly to the FortiGate unit. In this case, the DHCP requests are  
sent to the FortiGate unit through DHCP relay. DHCP relay packets contain DHCP  
relay IP, which is the IP address of the subnet from which the DHCP relay received the  
request.  
If the DHCP request received by the DHCP server is not forwarded by a DHCP relay,  
the DHCP server decides which scope to use based on the IP address of the interface  
that received the DHCP request; usually the scope with the same subnet as the  
interface.  
If the DHCP request received by the server is forwarded by a DHCP relay, the relay IP  
is used to select the scope.  
To add a scope to a DHCP server  
Go to System > Network > DHCP.  
Select Address Scope.  
1
2
3
Select an interface.  
You must configure the interface as a DHCP server before it can be selected.  
4
5
Select New to add an address scope.  
Configure the address scope.  
Scope Name  
IP Pool  
Enter the address scope name.  
Enter the starting IP and ending IP for the range of IP addresses that this  
DHCP server assigns to DHCP clients.  
Netmask  
Enter the netmask that the DHCP server assigns to the DHCP clients.  
Lease Duration Enter the interval, in days, hours and minutes, after which a DHCP client  
must ask the DHCP server for a new address.  
If you select Unlimited, DHCP leases never expire.  
Domain  
Optionally enter in the domain that the DHCP server assigns to the DHCP  
clients.  
Default Route  
Enter the default route to be assigned to DHCP clients. The default route  
must be on the same subnet as the IP pool.  
6
7
Select Advanced if you want to configure Advanced Options.  
DNS IP Enter the addresses of up to 3 DNS servers that the DHCP server assigns  
to the DHCP clients.  
WINS Server IP Add the IP addresses of one or two WINS servers to be assigned to DHCP  
clients.  
Exclusion Range Optionally enter up to 4 exclusion ranges of IP addresses within the IP pool  
that cannot be assigned to DHCP clients.  
Select OK.  
FortiGate-800 Installation and Configuration Guide  
159  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Configuring DHCP services  
Network configuration  
Adding a reserve IP to a DHCP server  
If you have configured an interface as a DHCP server, you can reserve an IP address  
for a particular device on the network according to the MAC address of the device.  
When you add the MAC address of a device and an IP address to the reserve IP list,  
the DHCP server always assigns this IP address to the device.  
To add a reserve IP you must first select the interface and scope to which you want to  
add the reserve IP.  
To add a reserve IP to a DHCP server  
Go to System > Network > DHCP.  
Select Reserve IP.  
1
2
3
Select an interface.  
You must configure the interface as a DHCP server before you can select it.  
4
Select a scope.  
You must configure an address scope for the interface before you can select it.  
5
6
Select New to add a reserved IP.  
Configure the reserved IP.  
IP  
Enter an IP address. The IP address must be within the IP pool added to the  
selected scope.  
MAC  
Enter the MAC address of the device.  
Name  
Optionally, specify a name for the IP and MAC address pair.  
Note: The reserved IP cannot be assigned to any other device. You can only add a given IP  
address or MAC address once.  
7
Select OK.  
Viewing a DHCP server dynamic IP list  
You can view the list of IP addresses that the DHCP server has assigned, their  
corresponding MAC addresses, and the expiry time and date for these addresses.  
To view a DHCP server dynamic IP list  
Go to System > Network > DHCP.  
Select Dynamic IP.  
1
2
3
Select the interface for which you want to view the list.  
160  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
FortiGate-800 Installation and Configuration Guide Version 2.50  
RIP configuration  
The FortiGate implementation of the Routing Information Protocol (RIP) supports both  
RIP version 1 as defined by RFC 1058, and RIP version 2 as defined by RFC 2453.  
RIP version 2 enables RIP messages to carry more information, and to support simple  
authentication and subnet masks.  
RIP is a distance-vector routing protocol intended for small, relatively homogeneous,  
networks. RIP uses hop count as its routing metric. Each network is usually counted  
as one hop. The network diameter is limited to 15 hops.  
This chapter describes how to configure FortiGate RIP:  
RIP settings  
To configure RIP on the FortiGate unit  
Go to System > RIP > Settings.  
Select Enable RIP.  
1
2
When you enable RIP, the Fortigate unit starts the RIP process. The FortiGate unit  
does not send or receive RIP packets until you enable RIP on at least one interface.  
For information about configuring RIP, see “Configuring RIP for FortiGate interfaces”  
3
4
Select Enable Advertise Default if you want RIP to always send the default route to  
neighbors whether or not the default route is in the static routing table.  
If you disable Advertise Default, RIP never sends the default route.  
Change the following RIP default settings, as required.  
RIP defaults are effective in most configurations. You should only have to change  
these settings to troubleshoot problems with the RIP configuration.  
FortiGate-800 Installation and Configuration Guide  
161  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
RIP settings  
RIP configuration  
Default Metric RIP uses the default metric to advertise routes learned from other routing  
protocols. Set Default Metric to a positive integer lower than 16 to advertise  
that metric for all routes learned from other routing protocols. The default  
setting for the Default Metric is 2.  
Input Queue  
Change the depth of the RIP input queue. The higher the number, the deeper  
the input queue. Change the input queue depth to prevent loss of information  
from the routing table when you have a FortiGate unit sending at high speed  
to a router that cannot receive at high speed. The range is 0 to 1024. The  
default input queue depth is 50. A queue size of 0 means there is no input  
queue.  
Output Delay  
Add a delay in milliseconds between packets in a multiple-packet RIP  
update. Add an output delay if you are configuring RIP on a FortiGate unit  
that could be sending packets to a router that cannot receive the packets at  
the rate the FortiGate unit is sending them. Output Delay can be from 8 to 50  
milliseconds. The default output delay is 0 milliseconds.  
5
Change the following RIP timer settings, as required.  
RIP timer defaults are effective in most configurations. You should only have to  
change these timers to troubleshoot network routing problems. All routers and access  
servers in the network should have the same RIP timer settings.  
Update  
Invalid  
The time interval in seconds between RIP updates. The default is 30  
seconds.  
The time interval in seconds after which a route is declared invalid. Invalid  
should be at least three times the value of Update.  
During the invalid interval, after the first update is missed and before the  
invalid timer expires, the route is marked inaccessible and advertised as  
unreachable; however, the route is still used for forwarding packets. The  
invalid interval allows for the loss of one or more update packets before RIP  
considers the route unusable. If RIP receives an update for a route, before  
the invalid timer expires, it resets the invalid timer to 0. The default for Invalid  
is 180 seconds.  
Holddown  
The time interval in seconds during which RIP ignores routing information for  
a route. Holddown should be at least three times the value Update.  
A route enters the holddown state when RIP receives an update packet  
indicating that a route is unreachable or when the invalid timer for the route  
expires. The holddown interval allows time for bad routing information to  
clear the network during network convergence. The route is marked  
inaccessible and advertised as unreachable and is no longer used for  
forwarding packets. The default for Holddown is 180 seconds.  
Flush  
The time in seconds that must elapse after the last update for a route before  
RIP removes the route from the routing table. Flush should be greater than  
the value of Invalid to allow the route to go into the holddown state. The  
default for Flush is 240 seconds.  
6
Select Apply to save the changes.  
162  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
RIP configuration  
Configuring RIP for FortiGate interfaces  
Figure 34: Configuring RIP settings  
Configuring RIP for FortiGate interfaces  
You can customize a RIP configuration for each FortiGate interface. This allows you to  
customize RIP for the network to which each interface is connected.  
To configure RIP for FortiGate interfaces  
1
Go to System > RIP > Interface.  
On this page you can view a summary of the RIP settings for each FortiGate interface.  
2
3
Select Modify  
for the interface for which to configure RIP settings.  
Configure any of the following RIP settings:  
RIP1 Send  
Enables sending RIP version 1 broadcasts from this interface to the network  
it is connected to. The routing broadcasts are UDP packets with a destination  
port of 520.  
RIP1 Receive  
RIP2 Send  
Enables listening on port 520 of an interface for RIP version 1 broadcasts.  
Enables sending RIP version 2 broadcasts from this interface to the network  
it is connected to. The routing broadcasts are UDP packets with a destination  
port of 520.  
RIP2 Receive  
Split-Horizon  
Enables listening on port 520 of an interface for RIP version 2 broadcasts.  
Prevents RIP from sending updates for a route back out the interface from  
which it received those routes. Split horizon is enabled by default. You should  
only disable split horizon if there is no possibility of creating a counting to  
infinity loop when network topology changes.  
Authentication Enables authentication for RIP version 2 packets sent and received by an  
interface. Because the original RIP standard does not support authentication,  
authentication is only available for RIP version 2.  
FortiGate-800 Installation and Configuration Guide  
163  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Configuring RIP for FortiGate interfaces  
RIP configuration  
Password  
Mode  
Enter the password to be used for RIP version 2 authentication. The  
password can be up to 16 characters long.  
Defines the authentication used for RIP version 2 packets sent and received  
by this interface. If you select Clear, the password is sent as plain text. If you  
select MD5, the password is used to generate an MD5 hash.  
MD5 only guarantees the authenticity of the update packet, not the  
confidentiality of the routing information in the packet.  
Metric  
Changes the metric for routes sent by this interface. All routes sent from this  
interface have this metric added to their current metric value. You can  
change the interface metric to give a higher priority to an interface. For  
example, if you have two interfaces that can be used to route packets to the  
same destination, and you set the metric of one interface higher than the  
other, the routes to the interface with the lower metric will seem to have a  
lower cost. More traffic will use routes to the interface with the lower metric.  
Metric can be from 1 to 16 with 16 equalling unreachable.  
4
Select OK to save the RIP configuration for the selected interface.  
Figure 35: Example RIP configuration for an internal interface  
164  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
RIP configuration  
Adding RIP filters  
Adding RIP filters  
Use the Filter page to create RIP filter lists and assign RIP filter lists to the neighbors  
filter, incoming route filter, or outgoing route filter. The neighbors filter allows or denies  
updates from other routers. The incoming filter accepts or rejects routes in an  
incoming RIP update packet. The outgoing filter allows or denies adding routes to  
outgoing RIP update packets.  
Each entry in a RIP filter list consists of a prefix (IP address and netmask), the action  
RIP should take for this prefix (allow or deny), and the interface to which to apply this  
RIP filter list entry. When RIP applies a filter while processing an update packet, it  
starts at the top of the filter list and works down through the list looking for a matching  
prefix. If RIP finds a matching prefix, it then checks that the interface in the filter list  
entry matches the interface that the packet is received or sent on. If both prefix and  
interface match, RIP takes the action specified. If no match is found, the default action  
is allow.  
For the neighbors filter, RIP attempts to match prefixes in the filter list against the  
source address in the update packet.  
For the incoming filter, RIP attempts to match prefixes in the filter list against  
prefixes in the routing table entries in the update packet.  
For the outgoing filter, RIP attempts to match prefixes in the filter list against  
prefixes in the RIP routing table.  
You can add up to four RIP filter lists to the FortiGate RIP configuration. You can then  
select one RIP filter list for each RIP filter type: neighbors, incoming routes, outgoing  
routes. If you do not select a RIP filter list for any of the RIP filter types, no filtering is  
applied.  
Note: To block all updates not specifically allowed in a filter list, create an entry at the bottom of  
the filter list with a prefix with 0.0.0.0 for the IP address, 0.0.0.0 for the netmask, and action set  
to deny. Because RIP uses the first match it finds in a top down search of the filter list, all the  
allowed entries are matched first, and all other entries for the specified interface are matched by  
the last entry and denied. Create a separate entry at the bottom of the filter list for each  
interface for which you want to deny all updates not specifically allowed.  
This section describes:  
Adding a RIP filter list  
Each entry in a RIP filter list consists of a prefix (IP address and netmask), the action  
RIP should take for this prefix (allow or deny), and the interface to which to apply this  
RIP filter list entry.  
To add a RIP filter list  
1
2
Go to System > RIP > Filter.  
Select New to add a RIP filter.  
FortiGate-800 Installation and Configuration Guide  
165  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Adding RIP filters  
RIP configuration  
3
4
For Filter Name, type a name for the RIP filter list.  
The name can be 15 characters long and can contain upper and lower case letters,  
numbers, and special characters. The name cannot contain spaces.  
Select the Blank Filter check box to create a RIP filter list with no entries, or enter the  
information for the first entry on the RIP filter list.  
5
6
7
8
Enter the IP address and Mask to create the prefix.  
For Action, select allow or deny.  
For Interface, enter the name of the interface to which to apply the entry.  
Select OK to save the RIP filter list.  
To add an entry to a RIP filter list  
1
2
3
4
5
6
7
Go to System > RIP > Filter.  
For the RIP filter list name, select Add Prefix to add an entry to the filter list.  
Enter the IP address and Mask to create the prefix.  
For Action, select allow or deny.  
For Interface, enter the name of the interface to which to apply the entry.  
Select OK to add the entry to the RIP filter list.  
Repeat steps 2 to 6 to add entries to the RIP filter list.  
Assigning a RIP filter list to the neighbors filter  
The neighbors filter allows or denies updates from other routers. You can assign a  
single RIP filter list to the neighbors filter.  
To assign a RIP filter list to the neighbors filter  
1
2
3
Go to System > RIP > Filter.  
Add RIP filter lists as required.  
For Neighbors Filter, select the name of the RIP filter list to assign to the neighbors  
filter.  
4
Select Apply.  
Assigning a RIP filter list to the incoming filter  
The incoming filter accepts or rejects routes in an incoming RIP update packet. You  
can assign a single RIP filter list to the incoming filter.  
To assign a RIP filter list to the incoming filter  
1
2
3
Go to System > RIP > Filter.  
Add RIP filter lists as required.  
For Incoming Routes Filter, select the name of the RIP filter list to assign to the  
incoming filter.  
4
Select Apply.  
166  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
RIP configuration  
Adding RIP filters  
Assigning a RIP filter list to the outgoing filter  
The outgoing filter allows or denies adding routes to outgoing RIP update packets.  
You can assign a single RIP filter list to the outgoing filter.  
To assign a RIP filter list to the outgoing filter  
Go to System > RIP > Filter.  
1
2
3
Add RIP filter lists as required.  
For Outgoing Routes Filter, select the name of the RIP filter list to assign to the  
outgoing filter.  
4
Select Apply.  
FortiGate-800 Installation and Configuration Guide  
167  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Adding RIP filters  
RIP configuration  
168  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
FortiGate-800 Installation and Configuration Guide Version 2.50  
System configuration  
Use the System Config page to make any of the following changes to the FortiGate  
system configuration:  
Setting system date and time  
For effective scheduling and logging, the FortiGate system time must be accurate.  
You can either manually set the FortiGate system time or you can configure the  
FortiGate unit to automatically keep its system time correct by synchronizing with a  
Network Time Protocol (NTP) server.  
To set the date and time  
1
2
3
4
Go to System > Config > Time.  
Select Refresh to display the current FortiGate system date and time.  
Select your Time Zone from the list.  
Select the Automatically adjust clock for daylight saving changes check box if you  
want the FortiGate system clock to be adjusted automatically when your time zone  
changes to daylight saving time.  
5
6
Select Set Time and set the FortiGate system date and time to the correct date and  
time, if required.  
Select Synchronize with NTP Server to configure the FortiGate unit to use NTP to  
automatically set the system time and date.  
For more information about NTP and to find the IP address of an NTP server that you  
can use, see http://www.ntp.org.  
7
8
Enter the IP address or domain name of the NTP server that the FortiGate unit can  
use to set its time and date.  
Specify how often the FortiGate unit should synchronize its time with the NTP server.  
A typical Syn Interval would be 1440 minutes for the FortiGate unit to synchronize its  
time once a day.  
FortiGate-800 Installation and Configuration Guide  
169  
Download from Www.Somanuals.com. All Manuals Search And Download.  
                 
Changing system options  
System configuration  
9
Select Apply.  
Figure 36: Example date and time setting  
Changing system options  
On the System Config Options page, you can:  
Set the system idle timeout.  
Set the authentication timeout.  
Select the language for the web-base manager.  
Modify the dead gateway detection settings.  
You can also restrict access to the control buttons and LCD by requiring a PIN  
(Personal Identification Number).  
To set the system idle timeout  
1
2
3
Go to System > Config > Options.  
For Idle Timeout, type a number in minutes.  
Select Apply.  
Idle Timeout controls the amount of inactive time that the web-based manager waits  
before requiring the administrator to log in again.  
The default idle time out is 5 minutes. The maximum idle time out is 480 minutes  
(8 hours).  
To set the Auth timeout  
1
2
Go to System > Config > Options.  
For Auth Timeout, type a number in minutes.  
170  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
System configuration  
Changing system options  
3
Select Apply.  
Auth Timeout controls the amount of inactive time that the firewall waits before  
requiring users to authenticate again. For more information, see “Users and  
The default Auth Timeout is 15 minutes. The maximum Auth Timeout is 480 minutes  
(8 hours).  
To select a language for the web-based manager  
1
2
3
Go to System > Config > Options.  
From the Languages list, select a language for the web-based manager to use.  
Select Apply.  
You can choose English, Simplified Chinese, Japanese, Korean, or Traditional  
Chinese.  
Note: When the web-based manager language is set to use Simplified Chinese, Japanese,  
Korean, or Traditional Chinese, you can change to English by selecting the English button on  
the upper right of the web-based manager.  
To set PIN protection for the LCD panel  
1
2
3
Go to System > Config > Options.  
In the LCD Panel section, select the PIN Protection check box.  
Type a 6-digit PIN.  
Administrators must enter the PIN to use the control buttons and LCD.  
4
Select Apply.  
Modifying the Dead Gateway Detection settings  
Modify dead gateway detection to control how the FortiGate unit confirms connectivity  
with a ping server added to an interface configuration. For information about adding a  
ping server to an interface, see “Adding a ping server to an interface” on page 142.  
To modify the dead gateway detection settings  
1
2
Go to System > Config > Options.  
For Detection Interval, type a number in seconds to specify how often the FortiGate  
unit tests the connection to the ping target.  
3
4
For Fail-over Detection, type a number of times that the connection test fails before  
the FortiGate unit assumes that the gateway is no longer functioning.  
Select Apply.  
FortiGate-800 Installation and Configuration Guide  
171  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Adding and editing administrator accounts  
System configuration  
Adding and editing administrator accounts  
When the FortiGate unit is initially installed, it is configured with a single administrator  
account with the user name admin. From this administrator account, you can add and  
edit administrator accounts. You can also control the access level of each of these  
administrator accounts and control the IP address from which the administrator can  
connect to the FortiGate unit.  
There are three administration account access levels:  
admin  
Has all permissions. Can view, add, edit, and delete administrator accounts.  
Can view and change the FortiGate configuration. The admin user is the only  
user who can go to the System Status page and manually update firmware,  
update the antivirus definitions, update the attack definitions, download or  
upload system settings, restore the FortiGate unit to factory defaults, restart  
the FortiGate unit, and shut down the FortiGate unit. There is only one admin  
user.  
Read & Write Can view and change the FortiGate configuration. Can view but cannot add,  
edit, or delete administrator accounts. Can change own administrator account  
password. Cannot make changes to system settings from the System Status  
page.  
Read Only  
Can view the FortiGate configuration.  
Adding new administrator accounts  
From the admin account, use the following procedure to add new administrator  
accounts and control their permission levels.  
To add an administrator account  
1
2
3
Go to System > Config > Admin.  
Select New to add an administrator account.  
Type a login name for the administrator account.  
The login name can contain numbers (0-9), uppercase and lowercase letters  
(A-Z, a-z), and the special characters - and _. Other special characters and spaces  
are not allowed.  
4
5
Type and confirm a password for the administrator account.  
For improved security, the password should be at least 6 characters long. The  
password can contain any characters except spaces.  
Optionally type a Trusted Host IP address and netmask for the location from which the  
administrator can log into the web-based manager.  
If you want the administrator to be able to access the FortiGate unit from any address,  
set the trusted host to 0.0.0.0 and the netmask to 0.0.0.0.  
To limit the administrator to only access the FortiGate unit from a specific network, set  
the trusted host to the address of the network and set the netmask to the netmask for  
the network. For example, to limit an administrator to accessing the FortiGate unit  
from your internal network, set the trusted host to the address of your internal network  
(for example, 192.168.1.0) and set the netmask to 255.255.255.0.  
6
7
Set the Permission level for the administrator.  
Select OK to add the administrator account.  
172  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
               
System configuration  
Configuring SNMP  
Editing administrator accounts  
The admin account user can change individual administrator account passwords,  
configure the IP addresses from which administrators can access the web-based  
manager, and change the administrator permission levels.  
Administrator account users with Read & Write access can change their own  
administrator passwords.  
To edit an administrator account  
1
2
3
4
Go to System > Config > Admin.  
To change an administrator account password, select Change Password  
Type the Old Password.  
.
Type and confirm a new password.  
For improved security, the password should be at least 6 characters long. The  
password can contain any characters except spaces. If you enter a password that is  
less than 6 characters long, the system displays a warning message but still accepts  
the password.  
5
6
7
Select OK.  
To edit the settings of an administrator account, select Edit  
.
Optionally type a Trusted Host IP address and netmask for the location from which the  
administrator can log into the web-based manager.  
If you want the administrator to be able to access the FortiGate unit from any address,  
set the trusted host to 0.0.0.0 and the netmask to 255.255.255.255.  
To limit the administrator to only be able to access the FortiGate unit from a specific  
network, set the trusted host to the address of the network and set the netmask to the  
netmask for the network. For example, to limit an administrator to accessing the  
FortiGate unit from your internal network, set the trusted host to the address of your  
internal network (for example, 192.168.1.0) and set the netmask to 255.255.255.0.  
8
9
Change the administrator’s permission level as required.  
Select OK.  
10  
To delete an administrator account, choose the account to delete and select  
Delete  
.
Configuring SNMP  
You can configure the FortiGate SNMP agent to report system information and send  
traps to SNMP managers. Using an SNMP manager, you can access SNMP traps and  
data from any FortiGate interface or VLAN subinterface configured for SNMP  
management access.  
The FortiGate SNMP implementation is read-only. SNMP v1 and v2c compliant SNMP  
managers have read-only access to FortiGate system information and can receive  
FortiGate traps. To monitor FortiGate system information and receive FortiGate traps  
you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard  
MIBs into your SNMP manager.  
FortiGate-800 Installation and Configuration Guide  
173  
Download from Www.Somanuals.com. All Manuals Search And Download.  
               
Configuring SNMP  
System configuration  
RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and most of  
RFC 1213 (MIB II) (for more information, see FortiGate MIBs).  
This section describes:  
Configuring the FortiGate unit for SNMP monitoring  
Before a remote SNMP manager can connect to the FortiGate agent, you must  
configure one or more FortiGate interfaces to accept SNMP connections. See  
Configuring FortiGate SNMP support  
Use the information in this section to configure the FortiGate unit so that an SNMP  
manager can connect to the FortiGate SNMP agent to receive management  
information and traps.  
Configuring SNMP access to an interface  
Before a remote SNMP manager can connect to the FortiGate agent, you must  
configure one or more FortiGate interface‘s to accept SNMP connections. The  
configuration steps to follow depend on whether the FortiGate unit is operating in  
NAT/Route mode or Transparent mode.  
To configure SNMP access to an interface in NAT/Route mode  
Go to System > Network > Interface.  
1
2
3
4
Choose the interface that the SNMP manager connects to and select Modify  
For Administrative Access select SNMP.  
.
Select OK.  
To configure SNMP access to an interface in Transparent mode  
Go to System > Network > Management.  
1
2
Choose the interface that the SNMP manager connects to and select SNMP.  
Select Apply.  
Configuring SNMP community settings  
You can configure a single SNMP community for each FortiGate device. An SNMP  
community consists of identifying information about the FortiGate unit, your SNMP get  
community and trap community strings, and the IP addresses of up to three SNMP  
managers that can receive traps sent by the FortiGate SNMP agent.  
174  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
System configuration  
Configuring SNMP  
To configure SNMP community settings  
Go to System > Config > SNMP v1/v2c.  
Select the Enable SNMP check box.  
Configure the following SNMP settings:  
1
2
3
System Name  
Automatically set to the FortiGate host name. To change the System  
System Location  
Describe the physical location of the FortiGate unit. The system location  
description can be up to 31 characters long and can contain spaces,  
numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the  
special characters - and _. The \ < > [ ] ` $ % & characters are not  
allowed.  
Contact Information Add the contact information for the person responsible for this FortiGate  
unit. The contact information can be up to 31 characters long and can  
contain spaces, numbers (0-9), uppercase and lowercase letters (A-Z,  
a-z), and the special characters - and _. The \ < > [ ] ` $ % & characters  
are not allowed.  
Get Community  
Also called read community, get community is a password to identify  
SNMP get requests sent to the FortiGate unit. When an SNMP manager  
sends a get request to the FortiGate unit, it must include the correct get  
community string.  
The default get community string is “public”. Change the default get  
community string to keep intruders from using get requests to retrieve  
information about your network configuration. The get community string  
must be used in your SNMP manager to enable it to access FortiGate  
SNMP information.  
The get community string can be up to 31 characters long and can  
contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Spaces and the \ < > [ ] ` $ % &  
characters are not allowed.  
Trap Community  
The trap community string functions like a password that is sent with  
SNMP traps.  
The default trap community string is “public”. Change the trap  
community string to the one accepted by your trap receivers.  
The trap community string can be up to 31 characters long and can  
contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Spaces and the \ < > [ ] ` $ % &  
characters are not allowed.  
Trap Receiver IP  
Addresses  
Type the IP addresses of up to three trap receivers on your network that  
are configured to receive traps from your FortiGate unit. Traps are only  
sent to the configured addresses.  
4
Select Apply.  
FortiGate-800 Installation and Configuration Guide  
175  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Configuring SNMP  
System configuration  
Figure 37: Sample SNMP configuration  
FortiGate MIBs  
The FortiGate SNMP agent supports FortiGate proprietary MIBs as well as standard  
RFC 1213 and RFC 2665 MIBs. The FortiGate MIBs are listed in Table 20. You can  
obtain these MIB files from Fortinet technical support. To be able to communicate with  
the SNMP agent, you must compile all of these MIBs into your SNMP manager.  
Your SNMP manager might already include standard and private MIBs in a compiled  
database that is ready to use. You must add the Fortinet proprietary MIBs to this  
database. If the standard MIBs used by the Fortinet SNMP agent are already  
compiled into your SNMP manager you do not have to compile them again.  
Table 20: FortiGate MIBs  
MIB file name or  
RFC  
Description  
fortinet-trap.mib  
The Fortinet trap MIB is a proprietary MIB that is required for your SNMP  
manager to receive traps from the FortiGate SNMP agent. For more  
information about FortiGate traps, see “FortiGate traps” on page 177.  
fortinet.mib  
The Fortinet MIB is a proprietary MIB that includes detailed FortiGate  
system configuration information. Add this MIB to your SNMP manager  
to monitor all FortiGate configuration settings.  
RFC-1213 (MIB II) The FortiGate SNMP agent supports MIB II groups with the following  
exceptions.  
No support for the EGP group from MIB II (RFC 1213, section 3.11 and  
6.10).  
Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do  
not accurately capture all FortiGate traffic activity. More accurate infor-  
mation can be obtained from the information reported by the Fortinet  
MIB.  
RFC-2665  
(Ethernet-like  
MIB)  
The FortiGate SNMP agent supports Ethernet-like MIB information with  
the following exception.  
No support for the dot3Tests and dot3Errors groups.  
176  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
System configuration  
Configuring SNMP  
FortiGate traps  
The FortiGate agent can send traps to up to three SNMP trap receivers on your  
network that are configured to receive traps from the FortiGate unit. For these SNMP  
managers to receive traps, you must load and compile the Fortinet trap MIB onto the  
SNMP manager.  
General FortiGate traps  
Table 21: General FortiGate traps  
Trap message  
Description  
Cold Start  
The FortiGate unit starts or restarts. An administrator enables the  
SNMP agent or changes FortiGate SNMP settings. This trap is sent  
when the agent starts during system startup.  
System Down  
Agent Down  
Agent Up  
The SNMP agent stops because the FortiGate unit shuts down.  
An administrator disables the SNMP agent.  
An administrator enables the SNMP agent. This trap is also sent  
when the agent starts during system startup.  
The <interface_name> The IP address of an interface of a FortiGate unit changes. The trap  
Interface IP is changed message includes the name of the interface, the new IP address of  
to <new_IP> (Serial  
No.:  
the interface, and the serial number of the FortiGate unit. This trap  
can be used to track interface IP address changes for interfaces  
<FortiGate_serial_no>) configured with dynamic IP addresses set using DHCP or PPPoE.  
System traps  
Table 22: FortiGate system traps  
Trap message  
Description  
interface  
<interface_name> is  
up.  
An interface changes from the up state to the running state, indicating  
that the interface has been connected to a network.  
When the interface is up it is administratively up but not connected to  
a network. When the interface is running it is administratively up and  
connected to a network.  
interface  
<interface_name> is  
down.  
An interface changes from the running state to the up state, indicating  
that the interface has been disconnected from a network.  
CPU usage high  
memory low  
disk low  
CPU usage exceeds 90%.  
Memory usage exceeds 90%.  
On a FortiGate unit with a hard drive, hard drive usage exceeds 90%.  
<FortiGate_serial_no> The configuration of an interface of a FortiGate unit changes. The trap  
<interface_name>  
HA switch  
message includes the name of the interface and the serial number of  
the FortiGate unit.  
The primary unit in an HA cluster fails and is replaced with a new pri-  
mary unit.  
FortiGate-800 Installation and Configuration Guide  
177  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Configuring SNMP  
System configuration  
VPN traps  
Table 23: FortiGate VPN traps  
Trap message  
Description  
VPN tunnel is up  
An IPSec VPN tunnel starts up and begins processing network traf-  
fic.  
VPN tunnel down  
An IPSec VPN tunnel shuts down.  
NIDS traps  
Table 24: FortiGate NIDS traps  
Trap message  
Description  
Flood attack happened.  
NIDS attack prevention detects and provides protection from a  
syn flood attack.  
Port scan attack hap-  
pened.  
NIDS attack prevention detects and provides protection from a  
port scan attack.  
Antivirus traps  
Table 25: FortiGate antivirus traps  
Trap message Description  
virus detected  
The FortiGate unit detects a virus and removes the infected file from an  
HTTP or FTP download or from an email message.  
Logging traps  
Table 26: FortiGate logging traps  
Trap message Description  
log full  
On a FortiGate unit with a hard drive, hard drive usage exceeds 90%. On a  
FortiGate unit without a hard drive, log to memory usage has exceeds 90%.  
178  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
System configuration  
Configuring SNMP  
Fortinet MIB fields  
The Fortinet MIB contains fields for configuration settings and current status  
information for all parts of the FortiGate product. This section lists the names of the  
high-level MIB fields and describes the configuration and status information available  
for each one. You can view more details about the information available from all  
Fortinet MIB fields by compiling the fortinet.mib file into your SNMP manager and  
browsing the Fortinet MIB fields.  
System configuration and status  
Table 27: System MIB fields  
MIB field  
Description  
fnSysStatus  
FortiGate system configuration including operation mode, firmware version,  
virus definition version, attack definition version, and serial number. Status  
monitor information including current CPU usage, CPU idle status, CPU  
interrupts, memory usage, system up time, the number of active communi-  
cation sessions, as well as descriptive information for each active communi-  
cation session.  
fnSysUpdate  
FortiGate system update configuration including connection status to the  
FDN, push update status, periodic update status, and current virus and  
attack definitions versions.  
fnSysNetwork FortiGate system network configuration including the interface, VLAN, rout-  
ing, DHCP, zone, and DNS configuration.  
fnSysConfig  
fnSysSnmp  
FortiGate system configuration including time, options, administrative users,  
and HA configuration.  
FortiGate SNMP configuration.  
Firewall configuration  
Table 28: Firewall MIB fields  
MIB field  
Description  
fnFirewallPolicy  
FortiGate firewall policy list including complete configuration  
information for each policy.  
fnFirewallAddress  
fnFirewallService  
fnFirewallSchedule  
fnFirewallVirtualIP  
fnFirewallIpPool  
FortiGate firewall address and address group list.  
FortiGate firewall service and service group list.  
FortiGate firewall schedule list.  
FortiGate firewall virtual IP list.  
FortiGate firewall IP pool list.  
fnFirewallIPMACBinding FortiGate firewall IP/MAC binding configuration.  
fnFirewallContProfiles FortiGate firewall content profile list.  
FortiGate-800 Installation and Configuration Guide  
179  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Configuring SNMP  
System configuration  
Users and authentication configuration  
Table 29: User and authentication MIB fields  
FnUserLocalTable  
FnUserRadiusSrvTable RADIUS server list.  
FnUserGrpTable User group list.  
Local user list.  
VPN configuration and status  
Table 30: VPN MIB fields  
fnVpnIpsec  
IPSec VPN configuration including the Phase 1 list, Phase 2 list, manual key  
list, and VPN concentrator list. Status and timeout for each VPN tunnel  
(Phase 2) and the dialup monitor list showing dialup tunnel status.  
fnVpnPPTP  
fnVpnL2TP  
fnVpnCert  
PPTP VPN configuration.  
L2TP VPN configuration.  
IPSec VPN with certificates configuration.  
NIDS configuration  
Table 31: NIDS MIB fields  
fnNidsDetection NIDS detection configuration.  
fnNidsPrevention NIDS prevention configuration.  
fnNidsResponse NIDS response configuration.  
Antivirus configuration  
Table 32: Antivirus MIB fields  
fnAvFileBlock  
Antivirus file blocking configuration.  
fnAvQuarantine Antivirus quarantine configuration.  
fnAVConfig  
Antivirus configuration including the current virus definition virus list.  
Web filter configuration  
Table 33: Web filter MIB fields  
fnWebFiltercfgMsgTable Web filter content block list and configuration.  
fnWebFilterUrlBlk  
fnWebFilterScripts  
fnWebFilterExemptUrl  
Web filter URL block list.  
Web filter script blocking configuration.  
Web filter exempt URL list.  
180  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
System configuration  
Replacement messages  
Logging and reporting configuration  
Table 34: Logging and reporting MIB fields  
fnLoglogSetting  
fnLoglog  
Log setting configuration.  
Log setting traffic filter configuration.  
Alert email configuration.  
fnLogAlertEmail  
Replacement messages  
Replacement messages are added to content passing through the firewall to replace:  
Files or other content removed from POP3 and IMAP email messages by the  
antivirus system,  
Files or other content removed from HTTP downloads by the antivirus system or  
web filtering,  
Files removed from FTP downloads by the antivirus system.  
You can edit the content of replacement messages.  
You can also edit the content added to alert email messages to control the information  
that appears in alert emails for virus incidents, NIDS events, critical system events,  
and disk full events.  
This section describes:  
Figure 38: Sample replacement message  
FortiGate-800 Installation and Configuration Guide  
181  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Replacement messages  
System configuration  
Customizing replacement messages  
Each of the replacement messages in the replacement message list is created by  
combining replacement message sections. You can use these sections as building  
blocks to create your own replacement messages.  
You can edit any of the replacement messages in the replacement message list and  
add and edit the replacement message sections as required.  
To customize a replacement message  
1
2
3
Go to System > Config > Replacement Messages.  
For the replacement message that you want to customize, select Modify  
.
In the Message setup dialog box, edit the content of the message.  
Table 35 lists the replacement message sections that can be added to replacement  
messages and describes the tags that can appear in each section. In addition to the  
allowed tags you can add text. For mail and HTTP messages you can also add HTML  
code.  
4
Select OK to save the changes.  
Table 35: Replacement message sections  
File blocking  
Section Start  
Allowed Tags  
Used for file blocking (all services).  
<**BLOCKED**>  
%%FILE%%  
The name of the file that was blocked.  
The URL of the blocked web page.  
%%URL%%  
Section End  
<**/BLOCKED**>  
Scanning  
Used for virus scanning (all services).  
<**INFECTED**>  
Section Start  
Allowed Tags  
%%FILE%%  
The name of the file that was infected.  
%%VIRUS%% The name of the virus infecting the file.  
%%URL%%  
The URL of the blocked web page or file.  
Section End  
Quarantine  
<**/INFECTED**>  
Used when quarantine is enabled (permitted for all scan services and block  
services for email only).  
Section Start  
Allowed Tag  
<**QUARANTINE**>  
%%QUARFILE The name of the file that was quarantined.  
NAME%%  
Section End  
<**/QUARANTINE**>  
182  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
System configuration  
Replacement messages  
Customizing alert emails  
Customize alert emails to control the content displayed in alert email messages sent  
to system administrators.  
To customize alert emails  
1
2
3
Go to System > Config > Replacement Messages.  
For the alert email message that you want to customize, select Modify  
.
In the Message setup dialog box, edit the text of the message.  
Table 36 lists the replacement message sections that can be added to alert email  
messages and describes the tags that can appear in each section. In addition to the  
allowed tags you can add text and HTML code.  
4
Select OK to save the changes.  
Table 36: Alert email message sections  
Used for NIDS event alert email messages  
<**NIDS_EVENT**>  
NIDS event  
Section Start  
Allowed Tags  
Section End  
%%NIDS_EVENT%% The NIDS attack message.  
<**/NIDS_EVENT**>  
Used for virus alert email messages  
<**VIRUS_ALERT**>  
Virus alert  
Section Start  
Allowed Tags  
%%VIRUS%%  
The name of the virus.  
%%PROTOCOL%%  
%%SOURCE_IP%%  
The service for which the virus was detected.  
The IP address from which the virus was received.  
For email this is the IP address of the email server  
that sent the email containing the virus. For HTTP  
this is the IP address of web page that sent the  
virus.  
%%DEST_IP%%  
The IP address of the computer that would have  
received the virus. For POP3 this is the IP address  
of the user’s computer that attempted to download  
the email containing the virus.  
%%EMAIL_FROM%% The email address of the sender of the message in  
which the virus was found.  
%%EMAIL_TO%%  
The email address of the intended receiver of the  
message in which the virus was found.  
Section End  
<**/VIRUS_ALERT**>  
Used for file block alert email messages  
<**BLOCK_ALERT**>  
Block alert  
Section Start  
Allowed Tags  
%%FILE%%  
The name of the file that was blocked.  
The service for which the file was blocked.  
%%PROTOCOL%%  
FortiGate-800 Installation and Configuration Guide  
183  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Replacement messages  
System configuration  
Table 36: Alert email message sections  
%%SOURCE_IP%%  
The IP address from which the block file was  
received. For email this is the IP address of the  
email server that sent the email containing the  
blocked file. For HTTP this is the IP address of  
web page that sent the blocked file.  
%%DEST_IP%%  
The IP address of the computer that would have  
received the blocked file. For email this is the IP  
address of the user’s computer that attempted to  
download the message from which the file ware  
removed.  
%%EMAIL_FROM%% The email address of the sender of the message  
from which the file was removed.  
%%EMAIL_TO%%  
The email address of the intended receiver of the  
message from which the file was removed.  
Section End  
<**/BLOCK_ALERT**>  
Used for critical firewall event alert emails.  
<**CRITICAL_EVENT**>  
Critical event  
Section Start  
Allowed Tags  
%%CRITICAL_EVENT The firewall critical event message  
%%  
Section End  
<**/CRITICAL_EVENT**>  
184  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
FortiGate-800 Installation and Configuration Guide Version 2.50  
Firewall configuration  
Firewall policies control all traffic passing through the FortiGate unit. Firewall policies  
are instructions that the FortiGate unit uses to decide what to do with a connection  
request. When the firewall receives a connection request in the form of a packet, it  
analyzes the packet to extract its source address, destination address, and service  
(port number).  
For the packet to be connected through the FortiGate unit, a firewall policy must be in  
place that matches the source address, destination address, and service of the  
packet. The policy directs the firewall action on the packet. The action can be to allow  
the connection, deny the connection, require authentication before the connection is  
allowed, or process the packet as an IPSec VPN packet. You can also add schedules  
to policies so that the firewall can process connections differently depending on the  
time of day or the day of the week, month, or year.  
Each policy can be individually configured to route connections or apply network  
address translation (NAT) to translate source and destination IP addresses and ports.  
You can add IP pools to use dynamic NAT when the firewall translates source  
addresses. You can use policies to configure port address translation (PAT) through  
the FortiGate.  
You can add content profiles to policies to apply antivirus protection, web filtering, and  
email filtering to web, file transfer, and email services. You can create content profiles  
that perform one or any combination of the following actions:  
Apply antivirus protection to HTTP, FTP, SMTP, IMAP, or POP3 services.  
Quarantine files that are infected or that might be infected by a virus.  
Apply web filtering to HTTP services.  
Apply email filtering to IMAP and POP3 services.  
You can also add logging to a firewall policy so that the FortiGate unit logs all  
connections that use this policy.  
FortiGate-800 Installation and Configuration Guide  
185  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Default firewall configuration  
Firewall configuration  
This chapter describes:  
Default firewall configuration  
By default, the users on your internal network can connect through the FortiGate unit  
to the Internet. The firewall blocks all other connections. The firewall is configured with  
a default policy that matches any connection request received from the internal  
network and instructs the firewall to forward the connection to the Internet.  
The default policy also applies virus scanning to all HTTP, FTP, SMTP, POP3, and  
IMAP traffic matched by the policy. The policy applies virus scanning because the  
Antivirus & Web Filter option is selected and the Content profile is set to Scan. For  
more information about content profiles, see “Content profiles” on page 218.  
Figure 39: Default firewall policy  
186  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Firewall configuration  
Default firewall configuration  
Interfaces  
Add policies to control connections between FortiGate interfaces and between the  
networks connected to these interfaces. By default, you can add policies for  
connections that include the internal, external, and DMZ interfaces.  
To add policies that include the port1 to port4 interfaces, you must use the following  
steps to add these interfaces to the firewall policy grid:  
1
2
3
If they are down, start the interfaces up.  
Add IP addresses to the interfaces.  
Add firewall addresses for these interfaces.  
VLAN subinterfaces  
You can also add VLAN subinterfaces to the FortiGate configuration to control  
connections between VLANs. For more information about VLANs, see “VLANs in  
To add policies that include VLAN subinterfaces, you must use the following steps to  
add the VLAN subinterfaces to the firewall policy grid:  
1
2
Add VLAN subinterfaces to the FortiGate configuration.  
Add firewall addresses for the VLAN subinterface.  
Zones  
You can add zones to the FortiGate configuration to group together related interfaces  
and VLAN subinterfaces to simplify firewall policy creation. For more information  
To add policies for zones, you must use the following steps to add the zones to the  
firewall policy grid:  
1
2
3
Add zones to the FortiGate configuration.  
Add interfaces and VLAN subinterfaces to the zone.  
Add firewall addresses for the zone.  
FortiGate-800 Installation and Configuration Guide  
187  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Default firewall configuration  
Firewall configuration  
Addresses  
To add policies between interfaces, VLAN subinterfaces, and zones, the firewall  
configuration must contain addresses for each interface, VLAN subinterface, or zone.  
By default the firewall configuration includes the addresses listed in Table 37.  
Table 37: Default addresses  
Interface Address  
Description  
Internal  
External  
DMZ  
Internal_All This address matches all addresses on the internal network.  
External_All This address matches all addresses on the external network.  
DMZ_All  
This address matches all addresses on the DMZ network.  
The firewall uses these addresses to match the source and destination addresses of  
packets received by the firewall. The default policy matches all connections from the  
internal network because it includes the Internal_All address. The default policy also  
matches all connections to the Internet because it includes the External_All address.  
You can add more addresses to each interface to improve the control you have over  
connections through the firewall. For more information about addresses, see  
You can also add firewall policies that perform network address translation (NAT). To  
use NAT to translate destination addresses, you must add virtual IPs. Virtual IPs map  
addresses on one network to a translated address on another network. For more  
information about Virtual IPs, see “Virtual IPs” on page 208.  
Services  
Policies can control connections based on the service or destination port number of  
packets. The default policy accepts connections using any service or destination port  
number. The firewall is configured with over 40 predefined services. You can add  
these services to a policy for more control over the services that can be used by  
connections through the firewall. You can also add user-defined services. For more  
information about services, see “Services” on page 200.  
Schedules  
Policies can control connections based on the time of day or day of the week when the  
firewall receives the connection. The default policy accepts connections at any time.  
The firewall is configured with one schedule that accepts connections at any time. You  
can add more schedules to control when policies are active. For more information  
about schedules, see “Schedules” on page 205.  
188  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Firewall configuration  
Adding firewall policies  
Content profiles  
Add content profiles to policies to apply antivirus protection, web filtering, and email  
filtering to web, file transfer, and email services. The FortiGate unit includes the  
following default content profiles:  
Strict—to apply maximum content protection to HTTP, FTP, IMAP, POP3, and  
SMTP content traffic.  
Scan—to apply antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content  
traffic.  
Web—to apply antivirus scanning and Web content blocking to HTTP content  
traffic.  
Unfiltered—to allow oversized files to pass through the FortiGate unit without  
scanned for viruses.  
The default policy includes the scan content profile.  
For more information about content profiles, see “Content profiles” on page 218.  
Adding firewall policies  
Add Firewall policies to control connections and traffic between FortiGate interfaces,  
zones, and VLAN subinterfaces.  
To add a firewall policy  
1
2
3
Go to Firewall > Policy.  
Select the policy list to which you want to add the policy.  
Select New to add a new policy.  
You can also select Insert Policy before  
policy above a specific policy.  
on a policy in the list to add the new  
4
Configure the policy:  
For information about configuring the policy, see “Firewall policy options” on page 190.  
5
6
Select OK to add the policy.  
Arrange policies in the policy list so that they have the results that you expect.  
For information about arranging policies in a policy list, see “Configuring policy lists”  
FortiGate-800 Installation and Configuration Guide  
189  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Adding firewall policies  
Firewall configuration  
Figure 40: Adding a NAT/Route policy  
Firewall policy options  
This section describes the options that you can add to firewall policies.  
Source  
Select an address or address group that matches the source address of the packet.  
Before you can add this address to a policy, you must add it to the source interface.  
For information about adding an address, see “Addresses” on page 197.  
190  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Firewall configuration  
Adding firewall policies  
Destination  
Select an address or address group that matches the destination address of the  
packet. Before you can add this address to a policy, you must add it to the destination  
interface, VLAN subinterface, or zone. For information about adding an address, see  
For NAT/Route mode policies where the address on the destination network is hidden  
from the source network using NAT, the destination can also be a virtual IP that maps  
the destination address of the packet to a hidden destination address. See “Virtual  
Schedule  
Select a schedule that controls when the policy is available to be matched with  
connections. See “Schedules” on page 205.  
Service  
Select a service that matches the service (port number) of the packet. You can select  
from a wide range of predefined services or add custom services and service groups.  
Action  
Select how you want the firewall to respond when the policy matches a connection  
attempt.  
ACCEPT  
DENY  
Accept the connection. If you select ACCEPT, you can also configure NAT  
and Authentication for the policy.  
Deny the connection. The only other policy option that you can configure is  
Log Traffic, to log the connections denied by this policy.  
ENCRYPT  
Make this policy an IPSec VPN policy. If you select ENCRYPT, you can  
select an AutoIKE Key or Manual Key VPN tunnel for the policy and  
configure other IPSec settings. You cannot add authentication to an  
ENCRYPT policy. ENCRYPT is not available in Transparent mode. See  
FortiGate-800 Installation and Configuration Guide  
191  
Download from Www.Somanuals.com. All Manuals Search And Download.  
             
Adding firewall policies  
Firewall configuration  
NAT  
Configure the policy for NAT. NAT translates the source address and the source port  
of packets accepted by the policy. If you select NAT, you can also select Dynamic IP  
Pool and Fixed Port. NAT is not available in Transparent mode.  
Dynamic IP  
Pool  
Select Dynamic IP Pool to translate the source address to an address  
randomly selected from an IP pool. The IP pool must be added to the  
destination interface or VLAN subinterface of the policy or to an interface or  
VLAN subinterface in the destination zone of the policy.  
You cannot select Dynamic IP Pool if the destination interface or VLAN  
subinterface is configured using DHCP or PPPoE.  
For information about adding IP pools, see “IP pools” on page 213.  
Fixed Port  
Select Fixed Port to prevent NAT from translating the source port. Some  
applications do not function correctly if the source port is changed. If you  
select Fixed Port, you must also select Dynamic IP Pool and add a dynamic  
IP pool address range to the destination interface of the policy. If you do not  
select Dynamic IP Pool, a policy with Fixed Port selected can only allow one  
connection at a time for this port or service.  
VPN Tunnel  
Select a VPN tunnel for an ENCRYPT policy. You can select an AutoIKE key or  
Manual Key tunnel. VPN Tunnel is not available in Transparent mode.  
Allow inbound Select Allow inbound so that users behind the remote VPN gateway can  
connect to the source address.  
Allow outbound Select Allow outbound so that users can connect to the destination address  
behind the remote VPN gateway.  
Inbound NAT  
Select Inbound NAT to translate the source address of incoming packets to  
the FortiGate internal IP address.  
Outbound NAT Select Outbound NAT to translate the source address of outgoing packets to  
the FortiGate external IP address.  
Traffic Shaping  
Traffic Shaping controls the bandwidth available to and sets the priority of the traffic  
processed by the policy. Traffic Shaping makes it possible to control which policies  
have the highest priority when large amounts of data are moving through the  
FortiGate device. For example, the policy for the corporate web server might be given  
higher priority than the policies for most employees’ computers. An employee who  
needs unusually high-speed Internet access could have a special outgoing policy set  
up with higher bandwidth.  
If you set both guaranteed bandwidth and maximum bandwidth to 0 the policy does  
not allow any traffic.  
Guaranteed  
Bandwidth  
You can use traffic shaping to guarantee the amount of bandwidth available  
through the firewall for a policy. Guarantee bandwidth (in Kbytes) to make  
sure that there is enough bandwidth available for a high-priority service.  
192  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
                   
Firewall configuration  
Adding firewall policies  
Maximum  
Bandwidth  
You can also use traffic shaping to limit the amount of bandwidth available  
through the firewall for a policy. Limit bandwidth to keep less important  
services from using bandwidth needed for more important services.  
Traffic Priority Select High, Medium, or Low. Select Traffic Priority so that the FortiGate unit  
manages the relative priorities of different types of traffic. For example, a  
policy for connecting to a secure web server needed to support e-commerce  
traffic should be assigned a high traffic priority. Less important services  
should be assigned a low priority. The firewall provides bandwidth to low-  
priority connections only when bandwidth is not needed for high-priority  
connections.  
Authentication  
Select Authentication and select a user group to require users to enter a user name  
and password before the firewall accepts the connection. Select the user group to  
control the users that can authenticate with this policy. For information about adding  
and configuring user groups, see “Configuring user groups” on page 229. You must  
add user groups before you can select Authentication.  
You can select Authentication for any service. Users can authenticate with the firewall  
using HTTP, Telnet, or FTP. For users to be able to authenticate you must add an  
HTTP, Telnet, or FTP policy that is configured for authentication. When users attempt  
to connect through the firewall using this policy they are prompted to enter a firewall  
username and password.  
If you want users to authenticate to use other services (for example POP3 or IMAP)  
you can create a service group that includes the services for which you want to  
require authentication, as well as HTTP, Telnet, and FTP. Then users could  
authenticate with the policy using HTTP, Telnet, or FTP before using the other service.  
In most cases you should make sure that users can use DNS through the firewall  
without authentication. If DNS is not available users cannot connect to a web, FTP, or  
Telnet server using a domain name.  
Anti-Virus & Web filter  
Enable antivirus protection and web filter content filtering for traffic controlled by this  
policy. You can select Anti-Virus & Web filter if Service is set to ANY, HTTP, SMTP,  
POP3, IMAP, or FTP or to a service group that includes the HTTP, SMTP, POP3,  
IMAP, or FTP services.  
Select a content profile to configure how antivirus protection and content filtering is  
applied to the policy. For information about selecting a content profile, see “Content  
FortiGate-800 Installation and Configuration Guide  
193  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Adding firewall policies  
Firewall configuration  
Figure 41: Adding a Transparent mode policy  
Log Traffic  
Select Log Traffic to write messages to the traffic log whenever the policy processes a  
connection. For information about logging, see “Logging and reporting” on page 309.  
Comments  
You can add a description or other information about the policy. The comment can be  
up to 63 characters long, including spaces.  
194  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Firewall configuration  
Configuring policy lists  
Configuring policy lists  
The firewall matches policies by searching for a match starting at the top of the policy  
list and moving down until it finds the first match. You must arrange policies in the  
policy list from more specific to more general.  
For example, the default policy is a very general policy because it matches all  
connection attempts. When you create exceptions to that policy, you must add them to  
the policy list above the default policy. No policy below the default policy will ever be  
matched.  
This section describes:  
Policy matching in detail  
When the FortiGate unit receives a connection attempt at an interface, it must select a  
policy list to search through for a policy that matches the connection attempt. The  
FortiGate unit chooses the policy list based on the source and destination addresses  
of the connection attempt.  
The FortiGate unit then starts at the top of the selected policy list and searches down  
the list for the first policy that matches the connection attempt source and destination  
addresses, service port, and time and date at which the connection attempt was  
received. The first policy that matches is applied to the connection attempt. If no policy  
matches, the connection is dropped.  
The default policy accepts all connection attempts from the internal network to the  
Internet. From the internal network, users can browse the web, use POP3 to get  
email, use FTP to download files through the firewall, and so on. If the default policy is  
at the top of the internal->external policy list, the firewall allows all connections from  
the internal network to the Internet because all connections match the default policy. If  
more specific policies are added to the list below the default policy, they are never  
matched.  
A policy that is an exception to the default policy, for example, a policy to block FTP  
connections, must be placed above the default policy in the internal->external policy  
list. In this example, all FTP connection attempts from the internal network would then  
match the FTP policy and be blocked. Connection attempts for all other kinds of  
services would not match with the FTP policy but they would match with the default  
policy. Therefore, the firewall would still accept all other connections from the internal  
network.  
Note: Policies that require authentication must be added to the policy list above matching  
policies that do not; otherwise, the policy that does not require authentication is selected first.  
FortiGate-800 Installation and Configuration Guide  
195  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Configuring policy lists  
Firewall configuration  
Changing the order of policies in a policy list  
To change the order of a policy in a policy list  
Go to Firewall > Policy.  
1
2
3
Select the policy list that you want to change the order of.  
Choose the policy that you want to move and select Move To  
in the policy list.  
to change its order  
4
Type a number in the Move to field to specify where in the policy list to move the policy  
and select OK.  
Enabling and disabling policies  
You can enable and disable policies in the policy list to control whether the policy is  
active or not. The FortiGate unit matches enabled policies but does not match  
disabled policies.  
Disabling policies  
Disable a policy to temporarily prevent the firewall from selecting the policy. Disabling  
a policy does not stop active communications sessions that have been allowed by the  
policy. For information about stopping active communication sessions, see “System  
To disable a policy  
1
2
3
Go to Firewall > Policy.  
Select the policy list that contains the policy that you want to disable.  
Clear the check box of the policy to disable it.  
Enabling policies  
Enable a policy that has been disabled so that the firewall can match connections with  
the policy.  
To enable a policy  
1
2
3
Go to Firewall > Policy.  
Select the policy list that contains the policy that you want to enable.  
Select the check box of the policy to enable it.  
196  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Firewall configuration  
Addresses  
Addresses  
All policies require source and destination addresses. To add addresses to a policy,  
you must first add addresses to the address list for the interfaces, zones, or VLAN  
subinterfaces of the policy.  
You can add, edit, and delete all firewall addresses as required. You can also organize  
related addresses into address groups to simplify policy creation.  
A firewall address consists of an IP address and a netmask. This information can  
represent:  
The address of a subnet (for example, for a class C subnet,  
IP address: 192.168.20.0 and Netmask: 255.255.255.0).  
A single IP address (for example, IP Address: 192.168.20.1 and  
Netmask: 255.255.255.255)  
All possible IP addresses (represented by IP Address: 0.0.0.0 and Netmask:  
0.0.0.0)  
Note: IP address: 0.0.0.0 and Netmask: 255.255.255.255 is not a valid firewall address.  
This section describes:  
Adding addresses  
To add an address  
1
2
3
4
Go to Firewall > Address.  
Select the interface, VLAN subinterface, or zone that you want to add the address to.  
Select New to add a new address.  
Enter an Address Name to identify the address.  
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Spaces and other special characters are not allowed.  
5
Enter the IP Address.  
The IP address can be:  
The IP address of a single computer (for example, 192.45.46.45).  
The IP address of a subnetwork (for example, 192.168.1.0 for a class C subnet).  
0.0.0.0 to represent all possible IP addresses  
FortiGate-800 Installation and Configuration Guide  
197  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Addresses  
Firewall configuration  
6
Enter the Netmask.  
The netmask corresponds to the type of address that you are adding. For example:  
The netmask for the IP address of a single computer should be 255.255.255.255.  
The netmask for a class A subnet should be 255.0.0.0.  
The netmask for a class B subnet should be 255.255.0.0.  
The netmask for a class C subnet should be 255.255.255.0.  
The netmask for all addresses should be 0.0.0.0  
Note: To add an address to represent any address on a network set the IP Address to 0.0.0.0  
and the Netmask to 0.0.0.0  
7
Select OK to add the address.  
Figure 42: Adding an internal address  
Editing addresses  
Edit an address to change its IP address and netmask. You cannot edit the address  
name. To change the address name, you must delete the address entry and then add  
the address again with a new name.  
To edit an address  
1
2
3
4
Go to Firewall > Address.  
Select the interface list containing the address that you want to edit.  
Choose an address to edit and select Edit Address  
.
Make the required changes and select OK to save the changes.  
198  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Firewall configuration  
Addresses  
Deleting addresses  
Deleting an address removes it from an address list. To delete an address that has  
been added to a policy, you must first remove the address from the policy.  
To delete an address  
1
2
Go to Firewall > Address.  
Select the interface list containing the address that you want to delete.  
You can delete any address that has a Delete Address icon  
.
3
4
Choose an address to delete and select Delete  
Select OK to delete the address.  
.
Organizing addresses into address groups  
You can organize related addresses into address groups to make it easier to add  
policies. For example, if you add three addresses and then add them to an address  
group, you only have to add one policy using the address group rather than a separate  
policy for each address.  
You can add address groups to any interface, VLAN subinterface, or zone. The  
address group can only contain addresses from that interface, VLAN subinterface, or  
zone. Address groups are available in interface, VLAN subinterface, or zone source or  
destination address lists.  
Address groups cannot have the same names as individual addresses. If an address  
group is included in a policy, it cannot be deleted unless it is first removed from the  
policy.  
To organize addresses into an address group  
1
2
Go to Firewall > Address > Group.  
Select the interface, VLAN subinterface, or zone that you want to add the address  
group to.  
3
Enter a Group Name to identify the address group.  
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Other special characters and spaces are not allowed.  
4
5
6
To add addresses to the address group, select an address from the Available  
Addresses list and select the right arrow to add it to the Members list.  
To remove addresses from the address group, select an address from the Members  
list and select the left arrow to remove it from the group.  
Select OK to add the address group.  
FortiGate-800 Installation and Configuration Guide  
199  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Services  
Firewall configuration  
Figure 43: Adding an internal address group  
Services  
Use services to determine the types of communication accepted or denied by the  
firewall. You can add any of the predefined services to a policy. You can also create  
custom services and add services to service groups.  
This section describes:  
Predefined services  
The FortiGate predefined firewall services are listed in Table 38. You can add these  
services to any policy.  
Table 38: FortiGate predefined services  
Service name  
Description  
Protocol  
Port  
ANY  
Match connections on any port. A connection all  
that uses any of the predefined services is  
allowed through the firewall.  
all  
200  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
             
Firewall configuration  
Services  
Table 38: FortiGate predefined services (Continued)  
Service name  
Description  
Protocol  
Port  
GRE  
Generic Routing Encapsulation. A protocol  
that allows an arbitrary network protocol to be  
transmitted over any other arbitrary network  
protocol, by encapsulating the packets of the  
protocol within GRE packets.  
47  
AH  
Authentication Header. AH provides source  
host authentication and data integrity, but not  
secrecy. This protocol is used for  
51  
50  
authentication by IPSec remote gateways set  
to aggressive mode.  
ESP  
Encapsulating Security Payload. This service  
is used by manual key and AutoIKE VPN  
tunnels for communicating encrypted data.  
AutoIKE key VPN tunnels use ESP after  
establishing the tunnel using IKE.  
AOL  
BGP  
AOL instant messenger protocol.  
tcp  
tcp  
5190-5194  
179  
Border Gateway Protocol routing protocol.  
BGP is an interior/exterior routing protocol.  
DHCP-Relay  
Dynamic Host Configuration Protocol (DHCP) udp  
allocates network addresses and delivers  
configuration parameters from DHCP servers  
to hosts.  
67  
DNS  
Domain name service for translating domain tcp  
53  
53  
79  
names into IP addresses.  
udp  
FINGER  
A network service that provides information  
about users.  
tcp  
FTP  
FTP service for transferring files.  
tcp  
tcp  
21  
70  
GOPHER  
Gopher communication service. Gopher  
organizes and displays Internet server  
contents as a hierarchically structured list of  
files.  
H323  
H.323 multimedia protocol. H.323 is a  
standard approved by the International  
Telecommunication Union (ITU) that defines  
how audiovisual conferencing data is  
transmitted across networks.  
tcp  
1720, 1503  
HTTP  
HTTPS  
IKE  
HTTP is the protocol used by the word wide tcp  
web for transferring data for web pages.  
80  
HTTP with secure socket layer (SSL) service tcp  
for secure communication with web servers.  
443  
500  
IKE is the protocol to obtain authenticated  
keying material for use with ISAKMP for  
IPSEC.  
udp  
IMAP  
Internet Message Access Protocol is a  
protocol used for retrieving email messages.  
tcp  
143  
Internet-Locator- Internet Locator Service includes LDAP, User tcp  
389  
Service  
Locator Service, and LDAP over TLS/SSL.  
IRC  
Internet Relay Chat allows people connected tcp  
to the Internet to join live discussions.  
6660-6669  
1701  
L2TP  
L2TP is a PPP-based tunnel protocol for  
remote access.  
tcp  
FortiGate-800 Installation and Configuration Guide  
201  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Services  
Firewall configuration  
Table 38: FortiGate predefined services (Continued)  
Service name  
Description  
Protocol  
Port  
LDAP  
Lightweight Directory Access Protocol is a set tcp  
of protocols used to access information  
directories.  
389  
NetMeeting  
NFS  
NetMeeting allows users to teleconference  
using the Internet as the transmission  
medium.  
tcp  
1720  
Network File System allows network users to tcp  
access shared files stored on computers of  
different types.  
111, 2049  
119  
NNTP  
Network News Transport Protocol is a  
protocol used to post, distribute, and retrieve  
USENET messages.  
tcp  
NTP  
Network time protocol for synchronizing a  
computer’s time with a time server.  
tcp  
123  
89  
OSPF  
Open Shortest Path First (OSPF) routing  
protocol. OSPF is a common link state  
routing protocol.  
PC-Anywhere  
PING  
PC-Anywhere is a remote control and file  
transfer protocol.  
udp  
5632  
8
ICMP echo request/reply for testing  
connections to other devices.  
icmp  
TIMESTAMP  
ICMP timestamp request messages.  
icmp  
icmp  
icmp  
tcp  
13  
INFO_REQUEST ICMP information request messages.  
INFO_ADDRESS ICMP address mask request messages.  
15  
17  
POP3  
Post office protocol email protocol for  
downloading email from a POP3 server.  
110  
PPTP  
Point-to-Point Tunneling Protocol is a  
protocol that allows corporations to extend  
their own corporate network through private  
tunnels over the public Internet.  
tcp  
1723  
QUAKE  
For connections used by the popular Quake udp  
multi-player computer game.  
26000,  
27000,  
27910,  
27960  
RAUDIO  
RLOGIN  
For streaming real audio multimedia traffic.  
udp  
tcp  
7070  
513  
Rlogin service for remotely logging into a  
server.  
RIP  
Routing Information Protocol is a common  
distance vector routing protocol.  
udp  
tcp  
520  
25  
SMTP  
SNMP  
For sending mail between email servers on  
the Internet.  
Simple Network Management Protocol is a  
set of protocols for managing complex  
networks  
tcp  
161-162  
161-162  
udp  
SSH  
SSH service for secure connections to  
computers for remote management.  
tcp  
22  
udp  
udp  
22  
SYSLOG  
TALK  
Syslog service for remote logging.  
514  
A protocol supporting conversations between udp  
two or more users.  
517-518  
202  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Firewall configuration  
Services  
Table 38: FortiGate predefined services (Continued)  
Service name  
TCP  
Description  
Protocol  
tcp  
Port  
All TCP ports.  
0-65535  
23  
TELNET  
Telnet service for connecting to a remote  
computer to run commands.  
tcp  
TFTP  
Trivial file transfer protocol, a simple file  
transfer protocol similar to FTP but with no  
security features.  
udp  
69  
UDP  
All UDP ports.  
udp  
0-65535  
540  
UUCP  
Unix to Unix copy utility, a simple file copying udp  
protocol.  
VDOLIVE  
WAIS  
For VDO Live streaming multimedia traffic.  
tcp  
tcp  
7000-7010  
210  
Wide Area Information Server. An Internet  
search protocol.  
WINFRAME  
For WinFrame communications between  
computers running Windows NT.  
tcp  
tcp  
1494  
X-WINDOWS  
For remote communications between an  
X-Window server and X-Window clients.  
6000-6063  
Adding custom TCP and UDP services  
Add a custom TCP or UDP service if you need to create a policy for a service that is  
not in the predefined service list.  
To add a custom TCP or UDP service  
Go to Firewall > Service > Custom.  
Select TCP/UDP from the Protocol list.  
Select New.  
1
2
3
4
Type a Name for the new custom TCP or UDP service. This name appears in the  
service list used when you add a policy.  
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Other special characters and spaces are not allowed.  
5
6
Select the Protocol (either TCP or UDP) used by the service.  
Specify a Source and Destination Port number range for the service by entering the  
low and high port numbers. If the service uses one port number, enter this number in  
both the low and high fields.  
7
8
If the service has more than one port range, select Add to specify additional protocols  
and port ranges.  
If there are too many port range rows, select Delete  
to remove each extra row.  
Select OK to add the custom service.  
You can now add this custom service to a policy.  
FortiGate-800 Installation and Configuration Guide  
203  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Services  
Firewall configuration  
Adding custom ICMP services  
Add a custom ICMP service if you need to create a policy for a service that is not in  
the predefined service list.  
To add a custom ICMP service  
Go to Firewall > Service > Custom.  
Select ICMP from the Protocol list.  
Select New.  
1
2
3
4
Type a Name for the new custom ICMP service. This name appears in the service list  
used when you add a policy.  
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Other special characters and spaces are not allowed.  
5
6
Specify the ICMP type and code for the service.  
Select OK to add the custom service.  
You can now add this custom service to a policy.  
Adding custom IP services  
Add a custom IP service if you need to create a policy for a service that is not in the  
predefined service list.  
To add a custom IP service  
Go to Firewall > Service > Custom.  
Select IP from the Protocol list.  
Select New.  
1
2
3
4
Type a Name for the new custom IP service. This name appears in the service list  
used when you add a policy.  
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Other special characters and spaces are not allowed.  
5
6
Specify the IP protocol number for the service.  
Select OK to add the custom service.  
You can now add this custom service to a policy.  
Grouping services  
To make it easier to add policies, you can create groups of services and then add one  
policy to provide or block access for all the services in the group. A service group can  
contain predefined services and custom services in any combination. You cannot add  
service groups to another service group.  
To group services  
1
2
Go to Firewall > Service > Group.  
Select New.  
204  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Firewall configuration  
Schedules  
3
Type a Group Name to identify the group.  
This name appears in the service list when you add a policy and cannot be the same  
as a predefined service name.  
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Other special characters and spaces are not allowed.  
4
5
6
To add services to the service group, select a service from the Available Services list  
and select the right arrow to copy it to the Members list.  
To remove services from the service group, select a service from the Members list and  
select the left arrow to remove it from the group.  
Select OK to add the service group.  
Figure 44: Adding a service group  
Schedules  
Use schedules to control when policies are active or inactive. You can create one-time  
schedules and recurring schedules.  
You can use one-time schedules to create policies that are effective once for the  
period of time specified in the schedule. Recurring schedules repeat weekly. You can  
use recurring schedules to create policies that are effective only at specified times of  
the day or on specified days of the week.  
This section describes:  
FortiGate-800 Installation and Configuration Guide  
205  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Schedules  
Firewall configuration  
Creating one-time schedules  
You can create a one-time schedule that activates or deactivates a policy for a  
specified period of time. For example, your firewall might be configured with the  
default policy that allows access to all services on the Internet at all times. You can  
add a one-time schedule to block access to the Internet during a holiday period.  
To create a one-time schedule  
Go to Firewall > Schedule > One-time.  
Select New.  
1
2
3
Type a Name for the schedule.  
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Other special characters and spaces are not allowed.  
4
5
6
Set the Start date and time for the schedule.  
Set Start and Stop times to 00 for the schedule to be active for the entire day.  
Set the Stop date and time for the schedule.  
One-time schedules use a 24-hour clock.  
Select OK to add the one-time schedule.  
Figure 45: Adding a one-time schedule  
206  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Firewall configuration  
Schedules  
Creating recurring schedules  
You can create a recurring schedule that activates or deactivates policies at specified  
times of the day or on specified days of the week. For example, you might want to  
prevent Internet use outside working hours by creating a recurring schedule.  
If you create a recurring schedule with a stop time that occurs before the start time,  
the schedule starts at the start time and finishes at the stop time on the next day. You  
can use this technique to create recurring schedules that run from one day to the next.  
You can also create a recurring schedule that runs for 24 hours by setting the start and  
stop times to the same time.  
To create a recurring schedule  
Go to Firewall > Schedule > Recurring.  
Select New to create a new schedule.  
Type a Name for the schedule.  
1
2
3
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Other special characters and spaces are not allowed.  
4
5
Select the days of the week that you want the schedule to be active on.  
Set the Start and Stop hours in between which you want the schedule to be active.  
Recurring schedules use a 24-hour clock.  
6
Select OK to save the recurring schedule.  
Figure 46: Adding a recurring schedule  
FortiGate-800 Installation and Configuration Guide  
207  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Virtual IPs  
Firewall configuration  
Adding schedules to policies  
After you create schedules, you can add them to policies to schedule when the  
policies are active. You can add the new schedules to policies when you create the  
policy, or you can edit existing policies and add a new schedule to them.  
To add a schedule to a policy  
1
2
3
4
5
6
Go to Firewall > Policy.  
Create a new policy or edit a policy to change its schedule.  
Configure the policy as required.  
Add a schedule by selecting it from the Schedule list.  
Select OK to save the policy.  
Arrange the policy in the policy list to have the effect that you expect.  
For example, to use a one-time schedule to deny access to a policy, add a policy that  
matches the policy to be denied in every way. Choose the one-time schedule that you  
added and set Action to DENY. Then place the policy containing the one-time  
schedule in the policy list above the policy to be denied.  
Virtual IPs  
Use virtual IPs to access IP addresses on a destination network that are hidden from  
the source network by NAT security policies. To allow connections between these  
networks, you must create a mapping between an address on the source network and  
the real address on the destination network. This mapping is called a virtual IP.  
For example, if the computer hosting your web server is located on your DMZ  
network, it could have a private IP address such as 10.10.10.3. To get packets from  
the Internet to the web server, you must have an external address for the web server  
on the Internet. You must then add a virtual IP to the firewall that maps the external IP  
address of the web server to the actual address of the web server on the DMZ  
network. To allow connections from the Internet to the web server, you must then add  
an external->DMZ firewall policy and set Destination to the virtual IP.  
You can create two types of virtual IPs:  
Static NAT  
Used to translate an address on a source network to a hidden address on a  
destination network. Static NAT translates the source address of return  
packets to the address on the source network.  
Port Forwarding Used to translate an address and a port number on a source network to a  
hidden address and, optionally, a different port number on a destination  
network. Using port forwarding you can also route packets with a specific  
port number and a destination address that matches the IP address of the  
interface that receives the packets. This technique is called port forwarding  
or port address translation (PAT). You can also use port forwarding to change  
the destination port of the forwarded packets.  
208  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Firewall configuration  
Virtual IPs  
This section describes:  
Adding static NAT virtual IPs  
To add a static NAT virtual IP  
1
2
3
Go to Firewall > Virtual IP.  
Select New to add a virtual IP.  
Type a Name for the virtual IP.  
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Other special characters and spaces are not allowed.  
4
Select the virtual IP External Interface from the list.  
The external interface is the interface connected to the source network that receives  
the packets to be forwarded to the destination network.  
You can select any firewall interface or a VLAN subinterface.  
You can set the virtual IP external interface to any FortiGate interface. Table 39  
contains example virtual IP external interface settings and describes the policies that  
you can add the resulting virtual IP to.  
Table 39: Virtual IP External Interface examples  
External Interface Description  
internal  
To map an internal address to an address on a network connected to  
another interface, VLAN subinterface, or zone. If you select internal, the  
static NAT virtual IP can be added to policies for connections from the  
internal interface or any zone containing the internal interface, to any  
other interface, VLAN subinterface, or zone.  
external  
To map an external address to an address on a network connected to  
another interface, VLAN subinterface, or zone. If you select external, the  
static NAT virtual IP can be added to policies for connections from the  
external interface or any zone containing the external interface, to any  
other interface, VLAN subinterface, or zone.  
5
6
In the Type section, select Static NAT.  
Enter the External IP Address that you want to map to an address on the destination  
network.  
For example, if the virtual IP provides access from the Internet to a web server on a  
destination network, the external IP address must be a static IP address obtained from  
your ISP for your web server. This address must be a unique address that is not used  
by another host and cannot be the same as the IP address of the external interface  
selected in step 4. However, this address must be routed to this interface. The virtual  
IP address and the external IP address can be on different subnets.  
If the IP address of the external interface selected in step 4 is set using PPPoE or  
DHCP, you can enter 0.0.0.0 for the external IP address. The FortiGate unit  
substitutes the IP address set for this external interface using PPPoE or DHCP.  
FortiGate-800 Installation and Configuration Guide  
209  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Virtual IPs  
Firewall configuration  
7
8
In Map to IP, type the real IP address on the destination network, for example, the IP  
address of a web server on an internal network.  
Note: The firewall translates the source address of outbound packets from the host with the  
Map to IP address to the virtual IP External IP Address, instead of the firewall external address.  
Select OK to save the virtual IP.  
You can now add the virtual IP to firewall policies.  
Figure 47: Adding a static NAT virtual IP  
Adding port forwarding virtual IPs  
To add port forwarding virtual IPs  
Go to Firewall > Virtual IP.  
1
2
3
Select New to add a virtual IP.  
Type a Name for the virtual IP.  
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Other special characters and spaces are not allowed.  
4
5
Select the virtual IP External Interface from the list.  
The external interface is the interface connected to the source network that receives  
the packets to be forwarded to the destination network.  
You can select any firewall interface or a VLAN subinterface.  
In the Type section, select Port Forwarding.  
210  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Firewall configuration  
Virtual IPs  
6
Enter the External IP Address that you want to map to an address on the destination  
zone.  
You can set the external IP address to the IP address of the external interface  
selected in step 4 or to any other address.  
If the IP address of the external interface selected in step 4 is set using PPPoE or  
DHCP, you can enter 0.0.0.0 for the External IP Address. The FortiGate unit  
substitutes the IP address set for this external interface using PPPoE or DHCP.  
For example, if the virtual IP provides access from the Internet to a server on your  
internal network, the external IP address must be a static IP address obtained from  
your ISP for this server. This address must be a unique address that is not used by  
another host. However, this address must be routed to the external interface selected  
in step 4. The virtual IP address and the external IP address can be on different  
subnets.  
7
Enter the External Service Port number that you want to configure port forwarding for.  
The external service port number must match the destination port of the packets to be  
forwarded. For example, if the virtual IP provides access from the Internet to a web  
server, the external service port number is 80 (the HTTP port).  
8
9
In Map to IP, enter the real IP address on the destination network.  
For example, the real IP address could be the IP address of a web server on an  
internal network.  
In Map to Port, enter the port number to be added to packets when they are  
forwarded.  
If you do not want to translate the port, enter the same number as the External Service  
Port.  
If you want to translate the port, enter the port number to which to translate the  
destination port of the packets when they are forwarded by the firewall.  
10  
11  
Select the protocol (TCP or UDP) that you want the forwarded packets to use.  
Select OK to save the port forwarding virtual IP.  
FortiGate-800 Installation and Configuration Guide  
211  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Virtual IPs  
Firewall configuration  
Figure 48: Adding a port forwarding virtual IP  
Adding policies with virtual IPs  
Use the following procedure to add a policy that uses a virtual IP to forward packets.  
To add a policy with a virtual IP  
Go to Firewall > Policy.  
1
2
Select the type of policy that you want to add.  
The source interface must match the interface selected in the External Interface  
list.  
The destination interface must match the interface connected to the network with  
the Map to IP address.  
3
Use the following information to configure the policy.  
Source  
Select the source address from which users can access the server.  
Destination  
Schedule  
Service  
Select the virtual IP.  
Select a schedule as required.  
Select the service that matches the Map to Service that you selected  
for the port-forwarding virtual IP.  
Action  
NAT  
Set action to ACCEPT to accept connections to the internal server.  
You can also select DENY to deny access.  
Select NAT if the firewall is protecting the private addresses on the  
destination network from the source network.  
212  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Firewall configuration  
IP pools  
Authentication  
Optionally select Authentication and select a user group to require  
users to authenticate with the firewall before accessing the server  
using port forwarding.  
Log Traffic  
Anti-Virus & Web filter  
Select these options to log port-forwarded traffic and apply antivirus  
and web filter protection to this traffic.  
4
Select OK to save the policy.  
IP pools  
An IP pool (also called a dynamic IP pool) is a range of IP addresses added to a  
firewall interface. If you add IP pools to an interface, you can select Dynamic IP Pool  
when you configure a policy with the destination set to this interface. You can add an  
IP pool if you want to add NAT mode policies that translate source addresses to  
addresses randomly selected from the IP pool rather than being limited to the IP  
address of the destination interface.  
If you add an IP pool to the internal interface, you can select Dynamic IP pool for  
policies with the internal interface as the destination. For example, you can add IP  
pools to External->Internal and DMZ->Internal policies.  
You can add multiple IP pools to any interface but only the first IP pool is used by the  
firewall.  
This section describes:  
Adding an IP pool  
To add an IP pool  
1
2
Go to Firewall > IP Pool.  
Select the interface to which to add the IP pool.  
You can select a firewall interface or a VLAN subinterface.  
3
4
Select New to add a new IP pool to the selected interface.  
Enter the Start IP and End IP addresses for the range of addresses in the IP pool.  
The start IP and end IP must define the start and end of an address range. The start  
IP must be lower than the end IP. The start IP and end IP must be on the same subnet  
as the IP address of the interface that you are adding the IP pool.  
5
Select OK to save the IP pool.  
FortiGate-800 Installation and Configuration Guide  
213  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
IP/MAC binding  
Firewall configuration  
Figure 49: Adding an IP Pool  
IP Pools for firewall policies that use fixed ports  
Some network configurations do not operate correctly if a NAT policy translates the  
source port of packets used by the connection. NAT translates source ports to keep  
track of connections for a particular service. You can select fixed port for NAT policies  
to prevent source port translation. However, selecting fixed port means that only one  
connection can be supported through the firewall for this service. To be able to support  
multiple connections, you can add an IP pool to the destination interface, and then  
select dynamic IP pool in the policy. The firewall randomly selects an IP address from  
the IP pool and assigns it to each connection. In this case the number of connections  
that the firewall can support is limited by the number of IP addresses in the IP pool.  
IP pools and dynamic NAT  
You can use IP pools for dynamic NAT. For example, your organization might have  
purchased a range of Internet addresses but you might have only one Internet  
connection on the external interface of your FortiGate unit.  
You can assign one of your organization’s Internet IP addresses to the external  
interface of the FortiGate unit. If the FortiGate unit is operating in NAT/Route mode, all  
connections from your network to the Internet appear to come from this IP address.  
If you want connections to originate from all your Internet IP addresses, you can add  
this address range to an IP pool for the external interface. Then you can select  
Dynamic IP Pool for all policies with the external interface as the destination. For each  
connection, the firewall dynamically selects an IP address from the IP pool to be the  
source address for the connection. As a result, connections to the Internet appear to  
be originating from any of the IP addresses in the IP pool.  
IP/MAC binding  
IP/MAC binding protects the FortiGate unit and your network from IP spoofing attacks.  
IP spoofing attacks try to use the IP address of a trusted computer to connect to, or  
through, the FortiGate unit from a different computer. The IP address of a computer is  
easy to change to a trusted address, but MAC addresses are added to ethernet cards  
at the factory and are not easy to change.  
214  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
             
Firewall configuration  
IP/MAC binding  
You can enter the static IP addresses and corresponding MAC addresses of trusted  
computers in the static IP/MAC table.  
If you have trusted computers with dynamic IP addresses that are set by the FortiGate  
DHCP server, the FortiGate unit adds these IP addresses and their corresponding  
MAC addresses to the dynamic IP/MAC table. For information about viewing the table,  
binding table is not available in Transparent mode.  
You can enable IP/MAC binding for packets in sessions connecting to the firewall or  
passing through the firewall.  
Note: If you enable IP/MAC binding and change the IP address of a computer with an IP or  
MAC address in the IP/MAC list, you must also change the entry in the IP/MAC list or the  
computer does not have access to or through the FortiGate unit. You must also add the IP/MAC  
address pair of any new computer that you add to your network or the new computer does not  
have access to or through the FortiGate unit.  
This section describes:  
Configuring IP/MAC binding for packets going through the firewall  
Use the following procedure to use IP/MAC binding to filter packets that a firewall  
policy would normally allow through the firewall.  
To configure IP/MAC binding for packets going through the firewall  
1
2
3
4
Go to Firewall > IP/MAC Binding > Setting.  
Select the Enable IP/MAC binding going through the firewall check box.  
Go to Firewall > IP/MAC Binding > Static IP/MAC.  
Select New to add IP/MAC binding pairs to the IP/MAC binding list.  
All packets that would normally be allowed through the firewall by a firewall policy are  
first compared with the entries in the IP/MAC binding list. If a match is found, then the  
firewall attempts to match the packet with a policy.  
FortiGate-800 Installation and Configuration Guide  
215  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
IP/MAC binding  
Firewall configuration  
For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the  
IP/MAC binding list:  
A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is  
allowed to go on to be matched with a firewall policy.  
A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately  
to prevent IP spoofing.  
A packet with a different IP address but with a MAC address of  
12:34:56:78:90:ab:cd is dropped immediately to prevent IP spoofing.  
A packet with both the IP address and MAC address not defined in the IP/MAC  
binding table:  
is allowed to go on to be matched with a firewall policy if IP/MAC binding is set  
to Allow traffic,  
is blocked if IP/MAC binding is set to Block traffic.  
Configuring IP/MAC binding for packets going to the firewall  
Use the following procedure to use IP/MAC binding to filter packets that would  
normally connect with the firewall (for example, when an administrator is connecting to  
the FortiGate unit for management).  
To configure IP/MAC binding for packets going to the firewall  
1
2
3
4
Go to Firewall > IP/MAC Binding > Setting.  
Select the Enable IP/MAC binding going to the firewall check box.  
Go to Firewall > IP/MAC Binding > Static IP/MAC.  
Select New to add IP/MAC binding pairs to the IP/MAC binding list.  
All packets that would normally connect to the firewall are first compared with the  
entries in the IP/MAC binding table.  
For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the  
IP/MAC binding list:  
A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is  
allowed to connect to the firewall.  
A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately  
to prevent IP spoofing.  
A packet with a different IP address but with a MAC address of  
12:34:56:78:90:ab:cd is dropped immediately to prevent IP spoofing.  
A packet with both the IP address and MAC address not defined in the IP/MAC  
binding table:  
is allowed to connect to the firewall if IP/MAC binding is set to Allow traffic,  
is blocked if IP/MAC binding is set to Block traffic.  
Adding IP/MAC addresses  
To add an IP/MAC address  
1
2
Go to Firewall > IP/MAC Binding > Static IP/MAC.  
Select New to add an IP address/MAC address pair.  
216  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Firewall configuration  
IP/MAC binding  
3
Enter the IP Address and the MAC Address.  
You can bind multiple IP addresses to the same MAC address. You cannot bind  
multiple MAC addresses to the same IP address.  
However, you can set the IP address to 0.0.0.0 for multiple MAC addresses. This  
means that all packets with these MAC addresses are matched with the IP/MAC  
binding list.  
Similarly, you can set the MAC address to 00:00:00:00:00:00 for multiple IP  
addresses. This means that all packets with these IP addresses are matched with the  
IP/MAC binding list.  
4
Type a Name for the new IP/MAC address pair.  
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Other special characters and spaces are not allowed.  
5
6
Select the Enable check box to enable IP/MAC binding for the IP/MAC pair.  
Select OK to save the IP/MAC binding pair.  
Viewing the dynamic IP/MAC list  
To view the dynamic IP/MAC list  
Go to Firewall > IP/MAC Binding > Dynamic IP/MAC.  
1
Enabling IP/MAC binding  
Caution: Make sure that you have added the IP/MAC Address pair of your management  
!
computer before enabling IP/MAC binding.  
To enable IP/MAC binding  
1
Go to Firewall > IP/MAC Binding > Setting.  
2
3
4
Select the Enable IP/MAC binding going through the firewall check box if you want to  
turn on IP/MAC binding for packets that could be matched by policies.  
Select the Enable IP/MAC binding going to the firewall check box if you want to turn  
on IP/MAC binding for packets connecting to the firewall.  
Configure how IP/MAC binding handles packets with IP and MAC addresses that are  
not defined in the IP/MAC list.  
Select Allow traffic to allow all packets with IP and MAC address pairs that are not  
added to the IP/MAC binding list.  
Select Block traffic to block packets with IP and MAC address pairs that are not added  
to the IP/MAC binding list.  
5
Select Apply to save the changes.  
FortiGate-800 Installation and Configuration Guide  
217  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Content profiles  
Firewall configuration  
Figure 50: IP/MAC settings  
Content profiles  
Use content profiles to apply different protection settings for content traffic that is  
controlled by firewall policies. You can use content profiles to:  
Configure antivirus protection for HTTP, FTP, POP3, SMTP, and IMAP policies  
Configure web filtering for HTTP policies  
Configure email filtering for IMAP and POP3 policies  
Configure oversized file and email blocking for HTTP, FTP, POP3, SMTP, and  
IMAP policies  
Pass fragmented email for POP3, SMTP, and IMAP policies  
Using content profiles, you can build protection configurations that can be applied to  
different types of firewall policies. This allows you to customize types and levels of  
protection for different firewall policies.  
For example, while traffic between internal and external addresses might need strict  
protection, traffic between trusted internal addresses might need moderate protection.  
You can configure policies for different traffic services to use the same or different  
content profiles.  
Content profiles can be added to NAT/Route mode and Transparent mode policies.  
218  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Firewall configuration  
Content profiles  
Default content profiles  
The FortiGate unit has the following four default content profiles that are displayed on  
the Firewall Content Profile page. You can use the default content profiles or create  
your own.  
Strict  
To apply maximum content protection to HTTP, FTP, IMAP, POP3, and  
SMTP content traffic. You would not use the strict content profile under  
normal circumstances but it is available if you have extreme problems with  
viruses and require maximum content screening protection.  
Scan  
To apply antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content  
traffic. Quarantine is also selected for all content services. On FortiGate  
models with a hard disk, if antivirus scanning finds a virus in a file, the file is  
quarantined on the FortiGate hard disk. If required, system administrators  
can recover quarantined files.  
Web  
To apply antivirus scanning and web content blocking to HTTP content  
traffic. You can add this content profile to firewall policies that control HTTP  
traffic.  
Unfiltered  
Use if you do not want to apply content protection to content traffic. You can  
add this content profile to firewall policies for connections between highly  
trusted or highly secure networks where content does not need to be  
protected.  
Adding content profiles  
If the default content profiles do not provide the protection that you require, you can  
create custom content profiles.  
To add a content profile  
1
2
3
4
Go to Firewall > Content Profile.  
Select New.  
Type a Profile Name.  
Enable the antivirus protection options that you want.  
Anti Virus Scan  
File Block  
Scan web, FTP, and email traffic for viruses and worms. See “Antivirus  
Delete files with blocked file patterns even if they do not contain  
viruses. Enable file blocking when a virus has been found that is so  
new that virus scanning does not detect it. See “File blocking” on  
Quarantine  
Quarantine blocked and infected files according to the quarantine  
configuration.  
Note: If both Anti Virus Scan and File Block are enabled, the FortiGate unit blocks files that  
match enabled file patterns before they are scanned for viruses.  
5
Enable the web filtering options that you want.  
Web URL Block  
Block unwanted web pages and web sites. This option adds  
FortiGate Web URL blocking (see “Configuring FortiGate Web URL  
FortiGate-800 Installation and Configuration Guide  
219  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Content profiles  
Firewall configuration  
Web Content Block  
Block web pages that contain unwanted words or phrases. See  
Web Script Filter  
Web Exempt List  
Remove scripts from web pages. See “Script filtering” on page 299.  
Exempt URLs from web filtering and virus scanning. See “Exempt  
6
Enable the email filter protection options that you want.  
Email Block List  
Add a subject tag to email from unwanted addresses. See “Email  
Email Exempt List  
Exempt sender address patterns from email filtering. See “Email  
Email Content Block Add a subject tag to email that contains unwanted words or phrases.  
7
8
Enable the fragmented email and oversized file and email options that you want.  
Oversized File/Email Block or pass files and email that exceed thresholds configured as a  
percent of system memory. See “Blocking oversized files and emails”  
Pass Fragmented  
Email  
Allow email messages that have been fragmented to bypass antivirus  
Select OK.  
Figure 51: Example content profile  
220  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Firewall configuration  
Content profiles  
Adding content profiles to policies  
You can add content profiles to policies with action set to allow or encrypt and with  
service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes  
these services.  
To add a content profile to a policy  
1
2
Go to Firewall > Policy.  
Select a policy list that contains policies that you want to add a content profile to.  
For example, to enable network protection for files downloaded by internal network  
users from the web, select an internal to external policy list.  
3
4
5
6
7
8
Select New to add a new policy, or choose a policy and select Edit  
Select the Anti-Virus & Web filter check box.  
Select a content profile from the list.  
.
Configure the remaining policy settings, if required.  
Select OK.  
Repeat this procedure for any policies that you want to enable network protection for.  
FortiGate-800 Installation and Configuration Guide  
221  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Content profiles  
Firewall configuration  
222  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
FortiGate-800 Installation and Configuration Guide Version 2.50  
Users and authentication  
FortiGate units support user authentication to the FortiGate user database, a RADIUS  
server, and an LDAP server. You can add user names to the FortiGate user database  
and then add a password to allow the user to authenticate using the internal database.  
You can also add the names of RADIUS and LDAP servers. You can select RADIUS  
to allow the user to authenticate using the selected RADIUS server or LDAP to allow  
the user to authenticate using the selected LDAP server. You can disable a user name  
so that the user cannot authenticate.  
To enable authentication, you must add user names to one or more user groups. You  
can also add RADIUS servers and LDAP servers to user groups. You can then select  
a user group when you require authentication.  
You can select user groups to require authentication for:  
any firewall policy with Action set to ACCEPT  
IPSec dialup user phase 1 configurations  
XAuth functionality for phase 1 IPSec VPN configurations  
PPTP  
L2TP  
When a user enters a user name and password, the FortiGate unit searches the  
internal user database for a matching user name. If Disable is selected for that user  
name, the user cannot authenticate and the connection is dropped. If Password is  
selected for that user and the password matches, the connection is allowed. If the  
password does not match, the connection is dropped.  
If RADIUS is selected and RADIUS support is configured and the user name and  
password match a user name and password on the RADIUS server, the connection is  
allowed. If the user name and password do not match a user name and password on  
the RADIUS server, the connection is dropped.  
If LDAP is selected and LDAP support is configured and the user name and password  
match a user name and password on the LDAP server, the connection is allowed. If  
the user name and password do not match a user name and password on the LDAP  
server, the connection is dropped.  
If the user group contains user names, RADIUS servers, and LDAP servers, the  
FortiGate unit checks them in the order in which they have been added to the user  
group.  
FortiGate-800 Installation and Configuration Guide  
223  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Setting authentication timeout  
Users and authentication  
This chapter describes:  
Setting authentication timeout  
Authentication timeout controls how long authenticated firewall connections can  
remain idle before users must authenticate again to get access through the firewall.  
To set authentication timeout  
1
2
Go to System > Config > Options.  
In Auth Timeout, type a number, in minutes.  
The default authentication timeout is 15 minutes.  
Adding user names and configuring authentication  
Use the following procedures to add user names and configure authentication.  
This section describes:  
Adding user names and configuring authentication  
To add a user name and configure authentication  
1
2
3
Go to User > Local.  
Select New to add a new user name.  
Type the User Name.  
The user name can contain numbers (0-9), uppercase and lowercase letters (A-Z,  
a-z), and the special characters - and _. Other special characters and spaces are not  
allowed.  
4
Select one of the following authentication configurations:  
Disable  
Prevent this user from authenticating.  
Password  
Enter the password that this user must use to authenticate. The password  
should be at least six characters long. The password can contain numbers  
(0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters  
- and _. Other special characters and spaces are not allowed.  
224  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Users and authentication  
Adding user names and configuring authentication  
LDAP  
Require the user to authenticate to an LDAP server. Select the name of the  
LDAP server to which the user must authenticate. You can only select an  
LDAP server that has been added to the FortiGate LDAP configuration. See  
Radius  
Require the user to authenticate to a RADIUS server. Select the name of the  
RADIUS server to which the user must authenticate. You can only select a  
RADIUS server that has been added to the FortiGate RADIUS configuration.  
5
6
Select the Try other servers if connect to selected server fails check box if you have  
selected Radius and you want the FortiGate unit to try to connect to other RADIUS  
servers added to the FortiGate RADIUS configuration.  
Select OK.  
Figure 52: Adding a user name  
Deleting user names from the internal database  
You cannot delete user names that have been added to user groups. Remove user  
names from user groups before deleting them.  
To delete a user name from the internal database  
1
2
3
Go to User > Local.  
Select Delete User  
Select OK.  
for the user name that you want to delete.  
Note: Deleting the user name deletes the authentication configured for the user.  
FortiGate-800 Installation and Configuration Guide  
225  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Configuring RADIUS support  
Users and authentication  
Configuring RADIUS support  
If you have configured RADIUS support and a user is required to authenticate using a  
RADIUS server, the FortiGate unit contacts the RADIUS server for authentication.  
This section describes:  
Adding RADIUS servers  
To add a RADIUS server  
1
2
3
Go to User > RADIUS.  
Select New to add a new RADIUS server.  
Type the Name of the RADIUS server.  
You can type any name. The name can contain numbers (0-9), uppercase and  
lowercase letters (A-Z, a-z), and the special characters - and _. Other special  
characters and spaces are not allowed.  
4
5
6
Enter the Server Name or IP address of the RADIUS server.  
Enter the RADIUS server secret.  
Select OK.  
Figure 53: Example RADIUS configuration  
Deleting RADIUS servers  
You cannot delete a RADIUS server that has been added to a user group.  
To delete a RADIUS server  
1
2
3
Go to User > RADIUS.  
Select Delete  
Select OK.  
beside the RADIUS server name that you want to delete.  
226  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Users and authentication  
Configuring LDAP support  
Configuring LDAP support  
If you have configured LDAP support and a user is required to authenticate using an  
LDAP server, the FortiGate unit contacts the LDAP server for authentication. To  
authenticate with the FortiGate unit, the user enters a user name and password. The  
FortiGate unit sends this user name and password to the LDAP server. If the LDAP  
server can authenticate the user, the user is successfully authenticated with the  
FortiGate unit. If the LDAP server cannot authenticate the user, the connection is  
refused by the FortiGate unit.  
The FortiGate unit supports LDAP protocol functionality defined in RFC2251 for  
looking up and validating user names and passwords. ForitGate LDAP supports all  
LDAP servers compliant with LDAP v3.  
FortiGate LDAP support does not extend to proprietary functionality, such as  
notification of password expiration, that is available from some LDAP servers.  
FortiGate LDAP support does not supply information to the user about why  
authentication failed.  
LDAP user authentication is supported for PPTP, L2TP, IPSec VPN, and firewall  
authentication. With PPTP, L2TP, and IPSec VPN, PAP (packet authentication  
protocol) is supported and CHAP (Challenge-Handshake Authentication Protocol) is  
not.  
This section describes:  
Adding LDAP servers  
To add an LDAP server  
1
2
3
Go to User > LDAP.  
Select New to add a new LDAP server.  
Type the Name of the LDAP server.  
You can type any name. The name can contain numbers (0-9), uppercase and  
lowercase letters (A-Z, a-z), and the special characters - and _. Other special  
characters and spaces are not allowed.  
4
5
Enter the Server Name or IP address of the LDAP server.  
Enter the Server Port used to communicate with the LDAP server.  
By default LDAP uses port 389.  
6
Enter the common name identifier for the LDAP server.  
The common name identifier for most LDAP servers is cn. However some servers use  
other common name identifiers such as uid.  
FortiGate-800 Installation and Configuration Guide  
227  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Configuring LDAP support  
Users and authentication  
7
Enter the distinguished name used to look up entries on the LDAP server.  
Enter the base distinguished name for the server using the correct X.500 or LDAP  
format. The FortiGate unit passes this distinguished name unchanged to the server.  
For example, you could use the following base distinguished name:  
ou=marketing,dc=fortinet,dc=com  
where ou is organization unit and dc is domain component  
You can also specify multiple instances of the same field in the distinguished name,  
for example, to specify multiple organization units:  
ou=accounts,ou=marketing,dc=fortinet,dc=com  
8
Select OK.  
Figure 54: Example LDAP configuration  
Deleting LDAP servers  
You cannot delete an LDAP server that has been added to a user group.  
To delete an LDAP server  
1
2
3
Go to User > LDAP.  
Select Delete  
Select OK.  
beside the LDAP server name that you want to delete.  
228  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Users and authentication  
Configuring user groups  
Configuring user groups  
To enable authentication, you must add user names, RADIUS servers, and LDAP  
servers to one or more user groups. You can then select a user group when you  
require authentication. You can select a user group to configure authentication for:  
Policies that require authentication. Only users in the selected user group or users  
that can authenticate with the RADIUS servers added to the user group can  
authenticate with these policies.  
IPSec VPN Phase 1 configurations for dialup users. Only users in the selected  
user group can authenticate to use the VPN tunnel.  
XAuth for IPSec VPN Phase 1 configurations. Only users in the selected user  
group can be authenticated using XAuth.  
The FortiGate PPTP configuration. Only users in the selected user group can use  
PPTP.  
The FortiGate L2TP configuration. Only users in the selected user group can use  
L2TP.  
When you add user names, RADIUS servers, and LDAP servers to a user group, the  
order in which they are added determines the order in which the FortiGate unit checks  
for authentication. If user names are first, then the FortiGate unit checks for a match  
with these local users. If a match is not found, the FortiGate unit checks the RADIUS  
or LDAP server. If a RADIUS or LDAP server is added first, the FortiGate unit checks  
the server and then the local users.  
If the user group contains users, RADIUS servers, and LDAP servers, the FortiGate  
unit checks them in the order in which they have been added to the user group.  
This section describes:  
Adding user groups  
Use the following procedure to add user groups to the FortiGate configuration. You  
can add user names, RADIUS servers, and LDAP servers to user groups.  
To add a user group  
1
2
Go to User > User Group.  
Select New to add a new user group.  
FortiGate-800 Installation and Configuration Guide  
229  
Download from Www.Somanuals.com. All Manuals Search And Download.  
             
Configuring user groups  
Users and authentication  
Figure 55: Adding a user group  
3
Enter a Group Name to identify the user group.  
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Other special characters and spaces are not allowed.  
4
5
6
7
To add users to the user group, select a user from the Available Users list and select  
the right arrow to add the name to the Members list.  
To add a RADIUS server to the user group, select a RADIUS server from the Available  
Users list and select the right arrow to add the RADIUS server to the Members list.  
To add an LDAP server to the user group, select an LDAP server from the Available  
Users list and select the right arrow to add the LDAP server to the Members list.  
To remove users, RADIUS servers, or LDAP servers from the user group, select a  
user, RADIUS server, or LDAP server from the Members list and select the left arrow  
to remove the name, RADIUS server, or LDAP server from the group.  
8
Select OK.  
Deleting user groups  
You cannot delete user groups that have been selected in a policy, a dialup user  
phase 1 configuration, or a PPTP or L2TP configuration.  
To delete a user group  
1
2
3
Go to User > User Group  
Select Delete  
Select OK.  
beside the user group that you want to delete.  
230  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
FortiGate-800 Installation and Configuration Guide Version 2.50  
IPSec VPN  
A Virtual Private Network (VPN) is an extension of a private network that  
encompasses links across shared or public networks such as the Internet. For  
example, a company that has two offices in different cities, each with its own private  
network, can use a VPN to create a secure tunnel between the offices. Similarly, a  
teleworker can use a VPN client for remote access to a private office network. In both  
cases, the secure connection appears to the user as a private network  
communication, even though the communication is over a public network.  
Secure VPN connections are enabled by a combination of tunneling, data encryption,  
and authentication. Tunneling encapsulates data so that it can be transferred over the  
public network. Instead of being sent in its original format, the data frames are  
encapsulated within an additional header and then routed between tunnel endpoints.  
Upon arrival at the destination endpoint, the data is decapsulated and forwarded to its  
destination within the private network.  
Encryption changes a data stream from clear text (something that a human or a  
program can interpret) to cipher text (something that cannot be interpreted). The  
information is encrypted and decrypted using mathematical algorithms known as  
keys.  
Authentication provides a means to verify the origin of a packet and the integrity of its  
contents. Authentication is done using checksums calculated with keyed hash  
function algorithms.  
This chapter provides an overview about how to configure FortiGate IPSec VPN. For  
a complete description of FortiGate VPN, see the FortiGate VPN Guide.  
FortiGate-800 Installation and Configuration Guide  
231  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Key management  
IPSec VPN  
Key management  
There are three basic elements in any encryption system:  
an algorithm that changes information into code,  
a cryptographic key that serves as a secret starting point for the algorithm,  
a management system to control the key.  
IPSec provides two ways to handle key exchange and management:  
Manual Keys  
When using manual keys, matching security settings must be entered at both ends of  
the tunnel. These settings, which include both the encryption and authentication keys,  
must be kept secret so that unauthorized parties cannot decrypt the data, even if they  
know which encryption algorithm is being used.  
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates  
For using multiple tunnels, an automated system of key management is required.  
IPSec supports the automated generation and negotiation of keys using the Internet  
Key Exchange protocol. This method of key management is referred to as AutoIKE.  
Fortinet supports AutoIKE with pre-shared keys and AutoIKE with certificates.  
AutoIKE with pre-shared keys  
If both peers in a session are configured with the same pre-shared key, they can use it  
to authenticate themselves to each other. The peers do not send the key to each  
other. Instead, as part of the security negotiation process, they use it in combination  
with a Diffie-Hellman group to create a session key. The session key is used for  
encryption and authentication and is automatically regenerated by IKE during the  
communication session.  
Pre-shared keys are similar to manual keys in that they require the network  
administrator to distribute and manage matching information at the VPN peer sites.  
Whenever a pre-shared key changes, the administrator must update both sites.  
AutoIKE with certificates  
This method of key management involves a trusted third party, the certificate authority  
(CA). Each peer in a VPN is first required to generate a set of keys, known as a  
public/private key pair. The CA signs the public key for each peer, creating a signed  
digital certificate. The peer then contacts the CA to retrieve their own certificates, plus  
that of the CA. After the certificates are uploaded to the FortiGate units and  
appropriate IPSec tunnels and policies are configured, the peers are ready to  
communicate. As they do, IKE manages the exchange of certificates, sending signed  
digital certificates from one peer to another. The signed digital certificates are  
validated by the presence of the CA certificate at each end. With authentication  
complete, the IPSec tunnel is then established.  
232  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
             
IPSec VPN  
Manual key IPSec VPNs  
In some respects, certificates are simpler to manage than manual keys or pre-shared  
keys. For this reason, certificates are best suited to large network deployments.  
Manual key IPSec VPNs  
When using manual keys, complementary security parameters must be entered at  
both ends of the tunnel. In addition to encryption and authentication algorithms and  
keys, the security parameter index (SPI) is required. The SPI is an arbitrary value that  
defines the structure of the communication between the peers. With other methods,  
the SPI is generated automatically but with the manual key configuration it must be  
entered as part of the VPN setup.  
The encryption and authentication keys must match on the local and remote peers,  
that is, the SPI values must be mirror images of each other. After you enter these  
values, the VPN tunnel can start without a need for the authentication and encryption  
algorithms to be negotiated. Provided you entered correct, complementary values, the  
tunnels are established between the peers. This means that the tunnel already exists  
between the peers. As a result, when traffic matches a policy requiring the tunnel, it  
can be authenticated and encrypted immediately.  
General configuration steps for a manual key VPN  
A manual key VPN configuration consists of a manual key VPN tunnel, the source and  
destination addresses for both ends of the tunnel, and an encrypt policy to control  
access to the VPN tunnel.  
To create a manual key VPN configuration  
1
2
Add a manual key VPN tunnel. See “Adding a manual key VPN tunnel” on page 233.  
Configure an encrypt policy that includes the tunnel, source address, and destination  
address for both ends of the tunnel. See “Configuring encrypt policies” on page 245.  
Adding a manual key VPN tunnel  
Configure a manual key tunnel to create an IPSec VPN tunnel between the FortiGate  
unit and a remote IPSec VPN client or gateway that is also using manual key.  
To add a manual key VPN tunnel  
1
2
3
Go to VPN > IPSec > Manual Key.  
Select New to add a new manual key VPN tunnel.  
Type a VPN Tunnel Name.  
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Other special characters and spaces are not allowed.  
4
Enter the Local SPI.  
The Local Security Parameter Index is a hexadecimal number of up to eight digits  
(digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be added  
to the Remote SPI at the opposite end of the tunnel.  
FortiGate-800 Installation and Configuration Guide  
233  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Manual key IPSec VPNs  
IPSec VPN  
5
6
Enter the Remote SPI.  
The Remote Security Parameter Index is a hexadecimal number of up to eight digits  
(digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be added  
to the Local SPI at the opposite end of the tunnel.  
Enter the Remote Gateway.  
This is the external IP address of the FortiGate unit or other IPSec gateway at the  
opposite end of the tunnel.  
7
8
Select an Encryption Algorithm from the list.  
Use the same algorithm at both ends of the tunnel.  
Enter the Encryption Key.  
Each two-character combination entered in hexadecimal format represents one byte.  
Depending on the encryption algorithm that you select, you might be required to enter  
the key in multiple segments. Use the same encryption key at both ends of the tunnel.  
DES  
Enter a 16-character (8 byte) hexadecimal number (0-9, A-F).  
3DES  
Enter a 48-character (24 byte) hexadecimal number (0-9, A-F). Separate the  
number into three segments of 16 characters.  
AES128  
AES192  
AES256  
Enter a 32-character (16 byte) hexadecimal number (0-9, A-F). Separate the  
number into two segments of 16 characters.  
Enter a 48-character (24 byte) hexadecimal number (0-9, A-F). Separate the  
number into three segments of 16 characters.  
Enter a 64-character (32 byte) hexadecimal number (0-9, A-F). Separate the  
number into four segments of 16 characters.  
9
Select an Authentication Algorithm from the list.  
Use the same algorithm at both ends of the tunnel.  
10  
Enter the Authentication Key.  
Each two-character combination entered in hexadecimal format represents one byte.  
Use the same authentication key at both ends of the tunnel.  
MD5  
Enter a 32-character (16 byte) hexadecimal number (0-9, A-F). Separate the  
number into two segments of 16 characters.  
SHA1  
Enter a 40-character (20 byte) hexadecimal number (0-9, A-F). Separate the  
number into two segments—the first of 16 characters; the second of 24  
characters.  
11  
12  
Select a concentrator if you want the tunnel to be part of a hub and spoke VPN  
Select OK to save the manual key VPN tunnel.  
234  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
IPSec VPN  
AutoIKE IPSec VPNs  
AutoIKE IPSec VPNs  
FortiGate units support two methods of Automatic Internet Key Exchange (AutoIKE)  
for establishing IPSec VPN tunnels: AutoIKE with pre-shared keys and AutoIKE with  
digital certificates.  
General configuration steps for an AutoIKE VPN  
An AutoIKE VPN configuration consists of phase 1 and phase 2 configuration  
parameters, the source and destination addresses for both ends of the tunnel, and an  
encrypt policy to control access to the VPN tunnel.  
To create an AutoIKE VPN configuration  
Note: Prior to configuring an AutoIKE VPN that uses digital certificates, you must add the CA  
and local certificates to the FortiGate unit. For information about digital certificates, see  
1
2
3
Configure an encrypt policy that includes the tunnel, source address, and destination  
address for both ends of the tunnel. See “Configuring encrypt policies” on page 245.  
Adding a phase 1 configuration for an AutoIKE VPN  
When you add a phase 1 configuration, you define the terms by which the FortiGate  
unit and a remote VPN peer (gateway or client) authenticate themselves to each other  
prior to establishing an IPSec VPN tunnel.  
The phase 1 configuration is related to the phase 2 configuration. In phase 1 the VPN  
peers are authenticated; in phase 2 the tunnel is established. You have the option to  
use the same phase 1 parameters to establish multiple tunnels. In other words, the  
same remote VPN peer (gateway or client) can have multiple tunnels to the local VPN  
peer (the FortiGate unit).  
When the FortiGate unit receives an IPSec VPN connection request, it authenticates  
the VPN peers according to the phase 1 parameters. Then, depending on the source  
and destination addresses of the request, it starts an IPSec VPN tunnel and applies  
an encrypt policy.  
To add a phase 1 configuration  
1
2
Go to VPN > IPSEC > Phase 1.  
Select New to add a new phase 1 configuration.  
FortiGate-800 Installation and Configuration Guide  
235  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
AutoIKE IPSec VPNs  
IPSec VPN  
3
4
Type a Gateway Name for the remote VPN peer.  
The remote VPN peer can be either a gateway to another network or an individual  
client on the Internet.  
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Other special characters and spaces are not allowed.  
Select a Remote Gateway address type.  
If the remote VPN peer has a static IP address, select Static IP Address.  
If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE),  
or if the remote VPN peer has a static IP address that is not required in the peer  
identification process, select Dialup User.  
Depending on the Remote Gateway address type you selected, other fields become  
available.  
Remote Gateway: Static IP Address  
IP Address  
If you select Static IP Address, the IP Address field appears. Enter the IP  
address of the remote IPSec VPN gateway or client that can connect to the  
FortiGate unit. This is a mandatory entry.  
Remote Gateway: Dialup User  
Peer Options  
If you select Dialup User, the Peer Options become available under  
Advanced Options. Use the Peer Options to authenticate remote VPN  
peers with peer IDs during phase 1 negotiations.  
5
6
Select Aggressive or Main (ID Protection) mode.  
When using aggressive mode, the VPN peers exchange identifying information in the  
clear. When using main mode, identifying information is hidden.  
The VPN peers must use the same mode.  
Configure the P1 Proposal.  
Select up to three encryption and authentication algorithm combinations to propose  
for phase 1.  
The VPN peers must use the same P1 proposal settings.  
7
8
Select the DH Group(s).  
Select one or more Diffie-Hellman groups to propose for phase 1.  
As a general rule, the VPN peers should use the same DH Group settings.  
Enter the Keylife.  
The keylife is the amount of time in seconds before the phase 1 encryption key  
expires. When the key expires, a new key is generated without interrupting service.  
P1 proposal keylife can be from 120 to 172,800 seconds.  
9
For Authentication Method, select Preshared Key or RSA Signature.  
Preshared Key: Enter a key that is shared by the VPN peers. The key must contain  
at least 6 printable characters and should only be known by network  
administrators. For optimum protection against currently known attacks, make sure  
the key consists of a minimum of 16 randomly chosen alphanumeric characters.  
RSA Signature: Select a local certificate that has been digitally signed by the  
certificate authority (CA). To add a local certificate to the FortiGate unit, see  
236  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
IPSec VPN  
AutoIKE IPSec VPNs  
10  
Configure the Local ID the that the FortiGate unit sends to the remote VPN peer.  
Preshared key: If the FortiGate unit is functioning as a client and uses its ID to  
authenticate itself to the remote VPN peer, enter an ID. If no ID is specified, the  
FortiGate unit transmits its IP address.  
RSA Signature: No entry is required because the Local ID field contains the  
Distinguished Name (DN) of the certificate associated with this phase 1  
configuration. The DN identifies the owner of the certificate and includes, as a  
minimum, a Common Name (CN). The DN is transmitted in place of an ID or IP  
address.  
Configuring advanced options  
To configure phase 1 advanced options  
1
2
Select Advanced Options.  
Select a Peer Option if you want to authenticate remote VPN peers by the ID that they  
transmit during phase 1.  
Accept any peer ID  
Accept this peer ID  
Select to accept any peer ID (and therefore not authenticate  
remote VPN peers by peer ID).  
Select to authenticate a specific VPN peer or a group of VPN  
peers with a shared user name (ID) and password (pre-  
shared key). Also add the peer ID.  
Accept peer ID in dialup group Select to authenticate each remote VPN peer with a unique  
user name (ID) and password (pre-shared key). Also select  
a dialup group (user group).  
Configure the user group prior to configuring this peer  
option.  
3
Optionally, configure XAuth.  
XAuth (IKE eXtended Authentication) authenticates VPN peers at the user level. If the  
the FortiGate unit (the local VPN peer) is configured as an XAuth server, it  
authenticates remote VPN peers by referring to a user group. The users contained in  
the user group can be configured locally on the FortiGate unit or on remotely located  
LDAP or RADIUS servers. If the FortiGate unit is configured as an XAuth client, it  
provides a user name and password when it is challenged.  
XAuth: Enable as a Client  
Name  
Enter the user name the local VPN peer uses to authenticate itself to the  
remote VPN peer.  
Password  
Enter the password the local VPN peer uses to authenticate itself to the  
remote VPN peer.  
FortiGate-800 Installation and Configuration Guide  
237  
Download from Www.Somanuals.com. All Manuals Search And Download.  
AutoIKE IPSec VPNs  
IPSec VPN  
XAuth: Enable as a Server  
Encryption  
method  
Select the encryption method used between the XAuth client, the FortiGate  
unit and the authentication server.  
PAP— Password Authentication Protocol.  
CHAP—Challenge-Handshake Authentication Protocol.  
MIXED—Select MIXED to use PAP between the XAuth client and the  
FortiGate unit, and CHAP between the FortiGate unit and the  
authentication server.  
Use CHAP whenever possible. Use PAP if the authentication server does  
not support CHAP. (Use PAP with all implementations of LDAP and some  
implementations of Microsoft RADIUS). Use MIXED if the authentication  
server supports CHAP but the XAuth client does not. (Use MIXED with the  
Fortinet Remote VPN Client.).  
Usergroup  
Select a group of users to be authenticated by XAuth. The individual users  
within the group can be authenticated locally or by one or more LDAP or  
RADIUS servers.  
The user group must be added to the FortiGate configuration before it can  
be selected here.  
4
Optionally, configure NAT Traversal.  
Enable  
Select Enable if you expect the IPSec VPN traffic to go through a gateway  
that performs NAT. If no NAT device is detected, enabling NAT traversal  
has no effect. Both ends of the VPN (both VPN peers) must have the same  
NAT traversal setting.  
Keepalive  
Frequency  
If you enable NAT-traversal, you can change the number of seconds in the  
Keepalive Frequency field. This number specifies, in seconds, how  
frequently empty UDP packets are sent through the NAT device to ensure  
that the NAT mapping does not change until P1 and P2 keylife expires. The  
keepalive frequency can be from 0 to 900 seconds.  
5
Optionally, configure Dead Peer Detection.  
Use these settings to monitor the status of the connection between VPN peers. DPD  
allows dead connections to be cleaned up and new VPN tunnels established. DPD is  
not supported by all vendors.  
Enable  
Select Enable to enable DPD between the local and remote peers.  
Short Idle  
Set the time, in seconds, that a link must remain unused before the local  
VPN peer considers it to be idle. After this period of time expires, whenever  
the local peer sends traffic to the remote VPN peer it also sends a DPD  
probe to determine the status of the link. To control the length of time that  
the FortiGate unit takes to detect a dead peer with DPD probes, configure  
the Retry Count and the Retry Interval.  
Retry Count  
Set the number of times that the local VPN peer retries the DPD probe  
before it considers the channel to be dead and tears down the security  
association (SA). To avoid false negatives because of congestion or other  
transient failures, set the retry count to a sufficiently high value for your  
network.  
Retry Interval  
Long Idle  
Set the time, in seconds, that the local VPN peer unit waits between  
retrying DPD probes.  
Set the time, in seconds, that a link must remain unused before the local  
VPN peer pro-actively probes its state. After this period of time expires, the  
local peer sends a DPD probe to determine the status of the link even if  
there is no traffic between the local peer and the remote peer.  
6
Select OK to save the phase 1 parameters.  
238  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
IPSec VPN  
AutoIKE IPSec VPNs  
Figure 56: Adding a phase 1 configuration (Standard options)  
Figure 57: Adding a phase 1 configuration (Advanced options)  
FortiGate-800 Installation and Configuration Guide  
239  
Download from Www.Somanuals.com. All Manuals Search And Download.  
AutoIKE IPSec VPNs  
IPSec VPN  
Adding a phase 2 configuration for an AutoIKE VPN  
Add a phase 2 configuration to specify the parameters used to create and maintain a  
VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer  
(the VPN gateway or client).  
Note: Adding a Phase 2 configuration is the same for pre-shared key and certification VPNs.  
To add a phase 2 configuration  
Go to VPN > IPSEC > Phase 2.  
Select New to add a new phase 2 configuration.  
Enter a Tunnel Name.  
1
2
3
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Other special characters and spaces are not allowed.  
4
Select a Remote Gateway to associate with the VPN tunnel.  
A remote gateway can be either a gateway to another network or an individual client  
on the Internet. Remote gateways are added as part of the phase 1 configuration. For  
Choose either a single DIALUP remote gateway, or up to three STATIC remote  
gateways. Multiple STATIC remote gateways are necessary if you are configuring  
IPSec redundancy. For information about IPSec redundancy, see “Redundant IPSec  
5
6
Configure the P2 Proposal.  
Select up to three encryption and authentication algorithm combinations to propose  
for phase 2.  
The VPN peers must use the same P2 proposal settings.  
Optionally, enable Replay Detection.  
Replay detection protects the VPN tunnel from replay attacks.  
Note: Do not select replay detection if you have also selected Null Authentication for the P2  
Proposal.  
7
Optionally, enable Perfect Forward Secrecy (PFS).  
PFS improves security by forcing a new Diffie-Hellman exchange whenever keylife  
expires.  
8
9
Select the DH Group(s).  
The VPN peers must use the same DH Group settings.  
Enter the Keylife.  
The keylife causes the phase 2 key to expire after a specified time, after a specified  
number of Kbytes of data have been processed by the VPN tunnel, or both. If you  
select both, the key does not expire until both the time has passed and the number of  
Kbytes have been processed.  
When the key expires, a new key is generated without interrupting service. P2  
proposal keylife can be from 120 to 172800 seconds or from 5120 to 99999 Kbytes.  
240  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
IPSec VPN  
AutoIKE IPSec VPNs  
10  
11  
Enable Autokey Keep Alive if you want to keep the VPN tunnel running even if no data  
is being processed.  
Select a concentrator if you want the tunnel to be part of a hub and spoke VPN  
configuration.  
If you use the procedure, “Adding a VPN concentrator” on page 251 to add the tunnel  
to a concentrator, the next time you open the tunnel, the Concentrator field displays  
the name of the concentrator to which you added the tunnel.  
12  
Select a Quick Mode Identity.  
Use selectors from policy  
Select this option for policy-based VPNs. A policy-based  
VPN uses an encrypt policy to select which VPN tunnel to  
use for the connection. In this configuration, the VPN tunnel  
is referenced directly from the encrypt policy.  
You must select this option if both VPN peers are FortiGate  
units.  
Use wildcard selectors  
Select this option for routing-based VPNs. A routing-based  
VPN uses routing information to select which VPN tunnel to  
use for the connection. In this configuration, the tunnel is  
referenced indirectly by a route that points to a tunnel  
interface.  
You must select this option if the remote VPN peer is a non-  
FortiGate unit that has been configured to operate in tunnel  
interface mode.  
13  
Select OK to save the AutoIKE key VPN tunnel.  
Figure 58: Adding a phase 2 configuration  
FortiGate-800 Installation and Configuration Guide  
241  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Managing digital certificates  
IPSec VPN  
Managing digital certificates  
Use digital certificates to make sure that both participants in an IPSec communication  
session are trustworthy, prior to setting up an encrypted VPN tunnel between the  
participants.  
Fortinet uses a manual procedure to obtain certificates. This involves copying and  
pasting text files from your local computer to the certificate authority, and from the  
certificate authority to your local computer.  
Note: Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are  
an advanced feature provided for the convenience of system administrators. This manual  
assumes the user has prior knowledge of how to configure digital certificates for their  
implementation.  
Obtaining a signed local certificate  
The signed local certificate provides the FortiGate unit with a means to authenticate  
itself to other devices.  
Note: The VPN peers must use digital certificates that adhere to the X.509 standard.  
Generating the certificate request  
With this procedure, you generate a private and public key pair. The public key is the  
base component of the certificate request.  
To generate the certificate request  
Go to VPN > Certificates > Local Certificates.  
Select Generate.  
1
2
3
Type a Certificate Name.  
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Other special characters and spaces are not allowed.  
4
Configure the Subject Information that identifies the object being certified.  
Preferably use an IP address or domain name. If this is impossible (such as with a  
dialup client), use an email address.  
Host IP  
For Host IP, enter the IP address of the FortiGate unit being certified.  
Domain Name  
For Domain name, enter the fully qualified domain name of the FortiGate  
unit being certified. Do not include the protocol specification (http://) or  
any port number or path names.  
E-Mail  
For E-mail, enter the email address of the owner of the FortiGate unit  
being certified. Typically, e-mail addresses are entered only for clients, not  
gateways.  
5
Configure the Optional Information to further identify the object being certified.  
242  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
IPSec VPN  
Managing digital certificates  
Organization Unit Enter a name that identifies the department or unit within the organization  
that is requesting the certificate for the FortiGate unit (such as  
Manufacturing or MF).  
Organization  
Enter the legal name of the organization that is requesting the certificate  
for the FortiGate unit (such as Fortinet).  
Locality  
Enter the name of the city or town where the FortiGate unit is located  
(such as Vancouver).  
State/Province  
Enter the name of the state or province where the FortiGate unit is located  
(such as California or CA).  
Country  
e-mail  
Select the country where the FortiGate unit is located.  
Enter a contact email address for the FortiGate unit. Typically, email  
addresses are entered only for clients, not gateways.  
6
7
Configure the key.  
Key Type  
Key Size  
Select RSA as the key encryption type. No other key type is supported.  
Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate  
but more secure. Not all IPSec VPN products support all three key sizes.  
Select OK to generate the private and public key pair and the certificate request.  
The private/public key pair are generated and the certificate request is displayed on  
the Local Certificates list with a status of Pending.  
Figure 59: Adding a Local Certificate  
FortiGate-800 Installation and Configuration Guide  
243  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Managing digital certificates  
IPSec VPN  
Downloading the certificate request  
Use the following procedure to download a certificate request from the FortiGate unit  
to the management computer.  
To download the certificate request  
1
2
3
4
Go to VPN > Certificates > Local Certificates.  
Select Download  
Select Save.  
to download the local certificate to the management computer.  
Name the file and save it in a directory on the management computer.  
After downloading the certificate request, you can submit it tor your CA so that your  
CA can sign the certificate.  
Importing the signed local certificate  
With this procedure, you import the signed local certificate from the management  
computer to the FortiGate unit.  
To import the signed local certificate  
Go to VPN > Certificates > Local Certificates.  
Select Import.  
1
2
3
Enter the path or browse to locate the signed local certificate on the management  
computer.  
4
Select OK.  
The signed local certificate is displayed on the Local Certificates list with a status of  
OK.  
Backing up and restoring the local certificate and private key  
When you back up a FortiGate configuration that includes IPSec VPN tunnels using  
certificates, you must also back up the local certificate and private key in a password-  
protected PKCS12 file. Before restoring the configuration, you must import the  
PKCS12 file and set the local certificate name to the same that was in the original  
configuration.  
Public Key Cryptography Standard 12 (PKCS12) describes the syntax for securely  
exchanging personal information.  
Note: Use the execute vpn certificates keyCLI command to back up and restore the  
local certificate and private key. For more information, see the FortiGate CLI Reference Guide.  
244  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
IPSec VPN  
Configuring encrypt policies  
Obtaining CA certificates  
For the VPN peers to authenticate themselves to each other, they must both obtain a  
CA certificate from the same certificate authority. The CA certificate provides the VPN  
peers with a means to validate the digital certificates that they receive from other  
devices.  
The FortiGate unit obtains the CA certificate to validate the digital certificate that it  
receives from the remote VPN peer. The remote VPN peer obtains the CA certificate  
to validate the digital certificate that it receives from the FortiGate unit.  
Note: The CA certificate must adhere to the X.509 standard.  
Importing CA certificates  
Import the CA certificate from the management computer to the FortiGate unit.  
To import the CA certificate  
1
2
3
4
Go to VPN > Certificates > CA Certificates.  
Select Import.  
Enter the path or browse to locate the CA certificate on the management computer.  
Select OK.  
The CA is displayed on the CA Certificates list.  
The system assigns a unique name to each CA certificate. The names are numbered  
consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).  
Configuring encrypt policies  
A VPN connects the local, internal network to a remote, external network. The  
principal role of the encrypt policy is to define (and limit) which addresses on these  
networks can use the VPN.  
A VPN requires only one encrypt policy to control both inbound and outbound  
connections. Depending on how you configure it, the policy controls whether users on  
your internal network can establish a tunnel to the remote network (the outbound  
connection), and whether users on the remote network can establish a tunnel to your  
internal network (the inbound connection). This flexibility allows one encrypt policy to  
do the same function as two regular firewall policies.  
Although the encrypt policy controls both incoming and outgoing connections, it must  
always be configured as an outgoing policy. An outgoing policy has a source address  
on an internal network and a destination address on an external network. The source  
address identifies the addresses on the internal network that are part of the VPN. The  
destination address identifies the addresses on the remote network that are part of the  
VPN.  
FortiGate-800 Installation and Configuration Guide  
245  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Configuring encrypt policies  
IPSec VPN  
Note: The destination address can be a VPN client address on the Internet or the address of a  
network behind a remote VPN gateway.  
In addition to defining membership in the VPN by address, you can configure the  
encrypt policy for services such as DNS, FTP, and POP3, and to allow connections  
according to a predefined schedule (by the time of the day or the day of the week,  
month, or year). You can also configure the encrypt policy for:  
Inbound NAT to translate the source of incoming packets.  
Outbound NAT to translate the source address of outgoing packets.  
Traffic shaping to control the bandwidth available to the VPN and the priority of the  
VPN.  
Content profiles to apply antivirus protection, web filtering, and email filtering to  
web, file transfer, and email services in the VPN.  
Logging so that the FortiGate unit logs all connections that use the VPN.  
The policy must also include the VPN tunnel that you created to communicate with the  
remote FortiGate VPN gateway. When users on your internal network attempt to  
connect to the network behind the remote VPN gateway, the encrypt policy intercepts  
the connection attempt and starts the VPN tunnel added to the policy. The tunnel uses  
the remote gateway added to its configuration to connect to the remote VPN gateway.  
When the remote VPN gateway receives the connection attempt, it checks its own  
policy, gateway, and tunnel configuration. If the configuration is allowed, an IPSec  
VPN tunnel is negotiated between the two VPN peers.  
Adding a source address  
The source address is located within the internal network of the local VPN peer. It can  
be a single computer address or the address of a network.  
To add a source address  
Go to Firewall > Address.  
Select an internal interface.  
Select New to add an address.  
1
2
3
4
Enter the Address Name, IP Address, and NetMask for a single computer or for an  
entire subnetwork on an internal interface of the local VPN peer.  
5
Select OK to save the source address.  
246  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
IPSec VPN  
Configuring encrypt policies  
Adding a destination address  
The destination address can be a VPN client address on the Internet or the address of  
a network behind a remote VPN gateway.  
To add a destination address  
Go to Firewall > Address.  
Select an external interface.  
Select New to add an address.  
1
2
3
4
Enter the Address Name, IP Address, and NetMask for a single computer or for an  
entire subnetwork on an internal interface of the remote VPN peer.  
5
Select OK to save the destination address.  
Adding an encrypt policy  
To add an encrypt policy  
1
2
3
4
5
6
Go to Firewall > Policy.  
Select the policy list that you want to add the policy to (usually, Internal->External).  
Select New to add a new policy.  
Set Source to the source address.  
Set Destination to the destination address.  
Set Service to control the services allowed over the VPN connection.  
You can select ANY to allow all supported services over the VPN connection or select  
a specific service or service group to limit the services allowed over the VPN  
connection.  
7
8
Set Action to ENCRYPT.  
Configure the ENCRYPT parameters.  
FortiGate-800 Installation and Configuration Guide  
247  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Configuring encrypt policies  
IPSec VPN  
VPN Tunnel  
Select an Auto Key tunnel for this encrypt policy.  
Allow inbound Select Allow inbound to enable inbound users to connect to the source  
address.  
Allow outbound Select Allow outbound to enable outbound users to connect to the  
destination address.  
Inbound NAT  
The FortiGate unit translates the source address of incoming packets to the  
IP address of the FortiGate interface connected to the source address  
network. Typically, this is an internal interface of the FortiGate unit.  
Inbound NAT makes it impossible for local hosts to see the IP addresses of  
remote hosts (hosts located on the network behind the remote VPN  
gateway).  
Outbound NAT The FortiGate unit translates the source address of outgoing packets to the  
IP address of the FortiGate interface connected to the destination address  
network. Typically, this is an external interface of the FortiGate unit.  
Outbound NAT makes it impossible for remote hosts to see the IP  
addresses of local hosts (hosts located on the network behind the local VPN  
gateway).  
If Outbound NAT is implemented, it is subject to these limitations:  
Configure Outbound NAT only at one end of the tunnel.  
The end that does not implement Outbound NAT requires an internal to  
external policy that specifies the remote external interface as the  
Destination (usually a public IP address).  
The tunnel, and the traffic within the tunnel, can only be initiated at the end  
that implements Outbound NAT.  
For information about configuring the remaining policy settings, see “Adding firewall  
9
Select OK to save the encrypt policy.  
To make sure that the encrypt policy is matched for VPN connections, arrange the  
encrypt policy above other policies with similar source and destination addresses and  
services in the policy list.  
248  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
IPSec VPN  
IPSec VPN concentrators  
Figure 60: Adding an encrypt policy  
IPSec VPN concentrators  
In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer called a  
hub. The peers that connect to the hub are known as spokes. The hub functions as a  
concentrator on the network, managing the VPN connections between the spokes.  
The advantage of a hub-and-spoke network is that the spokes are simpler to configure  
because they require fewer policy rules. Also, a hub-and-spoke network provides  
some processing efficiencies, particularly on the spokes. The disadvantage of a hub-  
and-spoke network is its reliance on a single peer to handle management of all VPNs.  
If this peer fails, encrypted communication in the network is impossible.  
A hub-and-spoke VPN network requires a special configuration. Setup varies  
depending on the role of the VPN peer.  
If the VPN peer is a FortiGate unit functioning as the hub, or concentrator, it requires a  
VPN configuration connecting it to each spoke (AutoIKE phase 1 and 2 settings or  
manual key settings, plus encrypt policies). It also requires a concentrator  
configuration that groups the hub-and-spoke tunnels together. The concentrator  
configuration defines the FortiGate unit as the hub in a hub-and-spoke network.  
FortiGate-800 Installation and Configuration Guide  
249  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
IPSec VPN concentrators  
IPSec VPN  
If the VPN peer is one of the spokes, it requires a tunnel connecting it to the hub (but  
not to the other spokes). It also requires policies that control its encrypted connections  
to the other spokes and its non-encrypted connections to other networks, such as the  
Internet.  
VPN concentrator (hub) general configuration steps  
A central FortiGate that is functioning as a hub requires the following configuration:  
A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration)  
for each spoke.  
Destination addresses for each spoke.  
A concentrator configuration.  
An encrypt policy for each spoke.  
To create a VPN concentrator configuration  
1
Configure one of the following tunnels for each spoke:  
A manual key tunnel consists of a name for the tunnel, the IP address of the spoke  
(client or gateway) at the opposite end of the tunnel, and the encryption and  
authentication algorithms to use for the tunnel.  
An AutoIKE tunnel consists of phase 1 and phase 2 parameters. The phase 1  
parameters include the name of the spoke (client or gateway), designation of how  
the spoke receives its IP address (static or dialup), encryption and authentication  
algorithms, and the authentication method (either pre-shared keys or PKI  
certificates). The phase 2 parameters include the name of the tunnel, selection of  
the spoke (client or gateway) configured in phase 1, encryption and authentication  
algorithms, and a number of security parameters.  
2
3
Add a destination address for each spoke. The destination address is the address of  
the spoke (either a client on the Internet or a network located behind a gateway).  
Add the concentrator configuration. This step groups the tunnels together on the  
FortiGate unit. The tunnels link the hub to the spokes. The tunnels are added as part  
of the AutoIKE phase 2 configuration or the manual key configuration.  
Note: Add the concentrator configuration to the central FortiGate unit (the hub) after adding the  
tunnels for all spokes.  
4
Add an encrypt policy for each spoke. Encrypt policies control the direction of traffic  
through the hub and allow inbound and outbound VPN connections between the hub  
and the spokes. The encrypt policy for each spoke must include the tunnel name of  
the spoke. The source address must be Internal_All. Use the following configuration  
for the encrypt policies:  
250  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
IPSec VPN  
IPSec VPN concentrators  
Source  
Internal_All  
Destination  
Action  
The VPN spoke address.  
ENCRYPT  
VPN Tunnel  
The VPN spoke tunnel name.  
Allow inbound Select allow inbound.  
Allow outbound Select allow outbound  
Inbound NAT  
Select inbound NAT if required.  
Outbound NAT Select outbound NAT if required.  
Arrange the policies in the following order:  
5
encrypt policies  
default non-encrypt policy (Internal_All -> External_All)  
Adding a VPN concentrator  
To add a VPN concentrator configuration  
1
2
3
4
Go to VPN > IPSec > Concentrator.  
Select New to add a VPN concentrator.  
Enter the name of the new concentrator in the Concentrator Name field.  
To add tunnels to the VPN concentrator, select a VPN tunnel from the Available  
Tunnels list and select the right arrow.  
5
6
To remove tunnels from the VPN concentrator, select the tunnel in the Members list  
and select the left arrow.  
Select OK to add the VPN concentrator.  
Figure 61: Adding a VPN concentrator  
FortiGate-800 Installation and Configuration Guide  
251  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
IPSec VPN concentrators  
IPSec VPN  
VPN spoke general configuration steps  
A remote VPN peer that functions as a spoke requires the following configuration:  
A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration)  
for the hub.  
The source address of the local VPN spoke.  
The destination address of each remote VPN spoke.  
A separate outbound encrypt policy for each remote VPN spoke. These policies  
allow the local VPN spoke to initiate encrypted connections.  
A single inbound encrypt policy. This policy allows the local VPN spoke to accept  
encrypted connections.  
To create a VPN spoke configuration  
1
Configure a tunnel between the spoke and the hub.  
Choose between a manual key tunnel or an AutoIKE tunnel.  
To add a manual key tunnel, see “Manual key IPSec VPNs” on page 233.  
To add an AutoIKE tunnel, see “AutoIKE IPSec VPNs” on page 235.  
2
3
Add the source address. One source address is required for the local VPN spoke.  
Add a destination address for each remote VPN spoke. The destination address is the  
address of the spoke (either a client on the Internet or a network located behind a  
gateway).  
4
Add a separate outbound encrypt policy for each remote VPN spoke. These policies  
control the encrypted connections initiated by the local VPN spoke.  
The encrypt policy must include the appropriate source and destination addresses  
and the tunnel added in step 1. Use the following configuration:  
Source  
The local VPN spoke address.  
The remote VPN spoke address.  
ENCRYPT  
Destination  
Action  
VPN Tunnel  
The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt  
policies.)  
Allow inbound Do not enable.  
Allow outbound Select allow outbound  
Inbound NAT  
Select inbound NAT if required.  
Outbound NAT Select outbound NAT if required.  
5
Add an inbound encrypt policy. This policy controls the encrypted connections initiated  
by the remote VPN spokes.  
The encrypt policy for the hub must include the appropriate source and destination  
addresses and the tunnel added in step 1. Use the following configuration:  
Source  
The local VPN spoke address.  
External_All  
Destination  
252  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
IPSec VPN  
Redundant IPSec VPNs  
Action  
ENCRYPT  
VPN Tunnel  
The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt  
policies.)  
Allow inbound Select allow inbound.  
Allow outbound Do not enable.  
Inbound NAT  
Select inbound NAT if required.  
Outbound NAT Select outbound NAT if required.  
Arrange the policies in the following order:  
6
outbound encrypt policies  
inbound encrypt policy  
default non-encrypt policy (Internal_All -> External_All)  
Note: The default non-encrypt policy is required to allow the VPN spoke to access other  
networks, such as the Internet.  
Redundant IPSec VPNs  
To ensure the continuous availability of an IPSec VPN tunnel, you can configure  
multiple connections between the local FortiGate unit and the remote VPN peer  
(remote gateway). With a redundant configuration, if one connection fails the  
FortiGate unit establishes a tunnel using the other connection.  
The configuration depends on the number of connections that each VPN peer has to  
the Internet. For example, if the local VPN peer has two connections to the Internet,  
then it can provide two redundant connections to the remote VPN peer.  
A single VPN peer can be configured with up to three redundant connections.  
The VPN peers are not required to have a matching number of Internet connections.  
For example, between two VPN peers, one peer can have multiple Internet  
connections while the other has only one Internet connection. In the case of an  
asymmetrical configuration, the level of redundancy varies from one end of the VPN to  
the other.  
Note: IPSec Redundancy is only available to VPN peers that have static IP addresses and that  
authenticate themselves to each other with pre-shared keys or digital certificates. It is not  
available to VPN peers that have dynamically assigned IP addresses (dialup users). Nor is it  
available to VPN peers that use manual keys.  
FortiGate-800 Installation and Configuration Guide  
253  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Redundant IPSec VPNs  
IPSec VPN  
Configuring redundant IPSec VPNs  
Prior to configuring the VPN, make sure that both FortiGate units have multiple  
connections to the Internet. For each unit, first add multiple (two or more) external  
interfaces. Then assign each interface to an external zone. Finally, add a route to the  
Internet through each interface.  
Configure the two FortiGate units with symmetrical settings for their connections to the  
Internet. For example, if the remote FortiGate unit has two external interfaces grouped  
in one zone, then the local FortiGate unit should have two external interfaces grouped  
in one zone. Similarly, if the remote FortiGate has two external interfaces in separate  
zones, then the local FortiGate unit should have two external interfaces in separate  
zones.  
The configuration is simpler if all external interfaces are grouped in one zone, rather  
than multiple zones. However, this might not always be possible because of security  
considerations or other reasons.  
After you define the Internet connections for both FortiGate units, you can configure  
the VPN tunnel.  
To configure a redundant IPSec VPN  
1
2
Add the phase 1 parameters for up to three VPN connections.  
Enter identical values for each VPN connection, with the exception of the Gateway  
Name and IP Address. Make sure that the remote VPN peer (Remote Gateway) has a  
static IP address.  
Add the phase 2 parameters (VPN tunnel) for up to three VPN connections.  
If the Internet connections are in the same zone, add one VPN tunnel and add the  
remote gateways to it. You can add up to three remote gateways.  
If the Internet connections are in separate zones or assigned to unique interfaces,  
add a VPN tunnel for each remote gateway entered.  
3
4
Add the source and destination addresses.  
Add encrypt policies for up to three VPN connections.  
If the VPN connections are in the same zone, add one outgoing encrypt policy; for  
example an Internal->External policy. Add the AutoIKE key tunnel to this policy.  
If the VPN connections are in different zones, add a separate outgoing encrypt  
policy for each connection. The source and destination of both policies must be the  
same. Add a different AutoIKE key tunnel to each policy.  
254  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
IPSec VPN  
Monitoring and Troubleshooting VPNs  
Monitoring and Troubleshooting VPNs  
Viewing VPN tunnel status  
You can use the IPSec VPN tunnel list to view the status of all IPSec AutoIKE key  
VPN tunnels. For each tunnel, the list shows the status and the tunnel time out.  
To view VPN tunnel status  
1
2
Go to VPN > IPSEC > Phase 2.  
View the status and timeout for each VPN tunnel.  
Status  
The status of each tunnel. If Status is Up, the tunnel is active. If Status is  
Down, the tunnel is not active. If Status is Connecting, the tunnel is  
attempting to start a VPN connection with a remote VPN gateway or client.  
The time before the next key exchange. The time is calculated by  
subtracting the time elapsed since the last key exchange from the keylife.  
Timeout  
Figure 62: AutoIKE key tunnel status  
Viewing dialup VPN connection status  
You can use the dialup monitor to view the status of dialup VPNs. The dialup monitor  
lists the remote gateways and the active VPN tunnels for each gateway. The monitor  
also lists the tunnel lifetime, timeout, proxy ID source, and proxy ID destination for  
each tunnel.  
To view dialup connection status  
1
2
Go to VPN > IPSec > Dialup Monitor.  
View the dialup connection status information for the FortiGate unit:  
Remote gateway The IP address of the remote dialup remote gateway on the FortiGate unit.  
Lifetime  
The amount of time that the dialup VPN connection has been active.  
FortiGate-800 Installation and Configuration Guide  
255  
Download from Www.Somanuals.com. All Manuals Search And Download.  
               
Monitoring and Troubleshooting VPNs  
IPSec VPN  
Timeout  
The time before the next key exchange. The time is calculated by  
subtracting the time elapsed since the last key exchange from the keylife.  
Proxy ID Source The actual IP address or subnet address of the remote peer.  
Proxy ID  
The actual IP address or subnet address of the local peer.  
Destination  
Figure 63: Dialup Monitor  
Testing a VPN  
To confirm that a VPN between two networks has been configured correctly, use the  
ping command from one internal network to connect to a computer on the other  
internal network. The IPSec VPN tunnel starts automatically when the first data packet  
destined for the VPN is intercepted by the FortiGate unit.  
To confirm that a VPN between a network and one or more clients has been  
configured correctly, start a VPN client and use the ping command to connect to a  
computer on the internal network. The VPN tunnel initializes automatically when the  
client makes a connection attempt. You can start the tunnel and test it at the same  
time by pinging from the client to an address on the internal network.  
256  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
FortiGate-800 Installation and Configuration Guide Version 2.50  
PPTP and L2TP VPN  
You can use PPTP and L2TP to create a virtual private network (VPN) between a  
remote client computer that is running Windows and your internal network. Because  
PPTP and L2TP are supported by Windows you do not require third-party software on  
the client computer. Provided your ISP supports PPTP and L2TP connections, you  
can create a secure connection by making some configuration changes to the client  
computer and the FortiGate unit.  
This chapter provides an overview of how to configure FortiGate PPTP and L2TP  
VPN. For a complete description of FortiGate PPTP and L2TP, see the FortiGate VPN  
Guide.  
This chapter describes:  
Configuring PPTP  
Point-to-Point protocol (PPTP) packages data within PPP packets and then  
encapsulates the PPP packets within IP packets for transmission through a VPN  
tunnel.  
Note: PPTP VPNs are supported only in NAT/Route mode.  
This section describes:  
FortiGate-800 Installation and Configuration Guide  
257  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Configuring PPTP  
PPTP and L2TP VPN  
Configuring the FortiGate unit as a PPTP gateway  
Use the following procedures to configure the FortiGate unit as a PPTP gateway:  
To add users and user groups  
Add a user for each PPTP client.  
Go to User > Local.  
1
2
Add and configure PPTP users.  
For information about adding and configuring users, see “Adding user names and  
3
4
Go to User > User Group.  
Add and configure PPTP user groups.  
For information about adding and configuring user groups, see “Configuring user  
To enable PPTP and specify an address range  
Go to VPN > PPTP > PPTP Range.  
1
2
3
4
5
Select Enable PPTP.  
Enter the Starting IP and the Ending IP for the PPTP address range.  
Select the User Group that you added in To add users and user groups” on page 258.  
Select Apply to enable PPTP through the FortiGate unit.  
Figure 64: Example PPTP Range configuration  
To add a source address  
Add a source address for every address in the PPTP address range.  
Go to Firewall > Address.  
1
2
Select the interface to which PPTP clients connect.  
This can be an interface, VLAN subinterface, or zone.  
258  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
PPTP and L2TP VPN  
Configuring PPTP  
3
4
Select New to add an address.  
Enter the Address Name, IP Address, and NetMask for an address in the PPTP  
address range.  
5
6
Select OK to save the source address.  
Repeat for all addresses in the PPTP address range.  
Note: If the PPTP address range is comprised of an entire subnet, add an address for this  
subnet. Do not add an address group.  
To add a source address group  
Organize the source addresses into an address group.  
Go to Firewall > Address > Group.  
1
2
Add a new address group to the interface to which PPTP clients connect.  
This can be an interface, VLAN subinterface, or zone.  
3
Enter a Group Name to identify the address group.  
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Other special characters and spaces are not allowed.  
4
5
6
To add addresses to the address group, select an address from the Available  
Addresses list and select the right arrow to add it to the Members list.  
To remove addresses from the address group, select an address from the Members  
list and select the left arrow to remove it from the group.  
Select OK to add the address group.  
To add a destination address  
Add an address to which PPTP users can connect.  
Go to Firewall > Address.  
1
2
3
4
Select the internal interface or the DMZ interface.  
Select New to add an address.  
Enter the Address Name, IP Address, and NetMask for a single computer or for an  
entire subnetwork on an internal interface of the local VPN peer.  
5
Select OK to save the destination address.  
To add a firewall policy  
Add a policy which specifies the source and destination addresses and sets the  
service for the policy to the traffic type inside the PPTP VPN tunnel.  
1
2
3
4
5
Go to Firewall > Policy.  
Select the policy list that you want to add the policy to (usually, External->Internal).  
Select New to add a new policy.  
Set Source to the group that matches the PPTP address range.  
Set Destination to the address to which PPTP users can connect.  
FortiGate-800 Installation and Configuration Guide  
259  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Configuring PPTP  
PPTP and L2TP VPN  
6
Set Service to match the traffic type inside the PPTP VPN tunnel.  
For example, if PPTP users can access a web server, select HTTP.  
7
8
Set Action to ACCEPT.  
Select NAT if address translation is required.  
You can also configure traffic shaping, logging, and antivirus and web filter settings for  
PPTP policies.  
9
Select OK to save the firewall policy.  
Configuring a Windows 98 client for PPTP  
Use the following procedure to configure a client computer running Windows 98 so  
that it can connect to a FortiGate PPTP VPN. To configure the Windows 98 client, you  
must install and configure Windows dialup networking and virtual private networking  
support.  
To install PPTP support  
1
2
3
4
5
6
7
8
9
Go to Start > Settings > Control Panel > Network.  
Select Add.  
Select Adapter.  
Select Add.  
Select Microsoft as the manufacturer.  
Select Microsoft Virtual Private Networking Adapter.  
Select OK twice.  
Insert diskettes or CDs as required.  
Restart the computer.  
To configure a PPTP dialup connection  
1
2
3
4
5
Go to My Computer > Dial-Up Networking > Configuration.  
Double-click Make New Connection.  
Name the connection and select Next.  
Enter the IP address or host name of the FortiGate unit to connect to and select Next.  
Select Finish.  
An icon for the new connection appears in the Dial-Up Networking folder.  
6
7
Right-click the new icon and select Properties.  
Go to Server Types.  
8
Uncheck IPX/SPX Compatible.  
Select TCP/IP Settings.  
9
10  
11  
12  
Uncheck Use IP header compression.  
Uncheck Use default gateway on remote network.  
Select OK twice.  
260  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
PPTP and L2TP VPN  
Configuring PPTP  
To connect to the PPTP VPN  
1
2
3
Start the dialup connection that you configured in the previous procedure.  
Enter your PPTP VPN User Name and Password.  
Select Connect.  
Configuring a Windows 2000 client for PPTP  
Use the following procedure to configure a client computer running Windows 2000 so  
that it can connect to a FortiGate PPTP VPN.  
To configure a PPTP dialup connection  
1
2
Go to Start > Settings > Network and Dial-up Connections.  
Double-click Make New Connection to start the Network Connection Wizard and  
select Next.  
3
4
For Network Connection Type, select Connect to a private network through the  
Internet and select Next.  
For Destination Address, enter the IP address or host name of the FortiGate unit to  
connect to and select Next.  
5
6
Set Connection Availability to Only for myself and select Next.  
Select Finish.  
7
In the Connect window, select Properties.  
Select the Security tab.  
8
9
Uncheck Require data encryption.  
Select OK.  
10  
To connect to the PPTP VPN  
1
2
3
4
Start the dialup connection that you configured in the previous procedure.  
Enter your PPTP VPN User Name and Password.  
Select Connect.  
In the connect window, enter the User Name and Password that you use to connect to  
your dialup network connection.  
This user name and password is not the same as your VPN user name and password.  
Configuring a Windows XP client for PPTP  
Use the following procedure to configure a client computer running Windows XP so  
that it can connect to a FortiGate PPTP VPN.  
To configure a PPTP dialup connection  
1
2
3
4
Go to Start > Settings > Control Panel.  
Select Network and Internet Connections.  
Select Create a Connection to the network of your workplace and select Next.  
Select Virtual Private Network Connection and select Next.  
FortiGate-800 Installation and Configuration Guide  
261  
Download from Www.Somanuals.com. All Manuals Search And Download.  
                   
Configuring PPTP  
PPTP and L2TP VPN  
5
6
Name the connection and select Next.  
If the Public Network dialog box appears, choose the appropriate initial connection  
and select Next.  
7
8
In the VPN Server Selection dialog, enter the IP address or host name of the  
FortiGate unit to connect to and select Next.  
Select Finish.  
To configure the VPN connection  
1
2
3
4
Right-click the Connection icon that you created in the previous procedure.  
Select Properties > Security.  
Select Typical to configure typical settings.  
Select Require data encryption.  
Note: If a RADIUS server is used for authentication do not select Require data encryption.  
PPTP encryption is not supported for RADIUS server authentication.  
5
6
Select Advanced to configure advanced settings.  
Select Settings.  
7
Select Challenge Handshake Authentication Protocol (CHAP).  
Make sure that none of the other settings are selected.  
Select the Networking tab.  
8
9
10  
Make sure that the following options are selected:  
TCP/IP  
QoS Packet Scheduler  
11  
12  
Make sure that the following options are not selected:  
File and Printer Sharing for Microsoft Networks  
Client for Microsoft Networks  
Select OK.  
To connect to the PPTP VPN  
1
2
3
4
5
Connect to your ISP.  
Start the VPN connection that you configured in the previous procedure.  
Enter your PPTP VPN User Name and Password.  
Select Connect.  
In the connect window, enter the User Name and Password that you use for your  
dialup network connection.  
This user name and password is not the same as your VPN user name and password.  
262  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
PPTP and L2TP VPN  
Configuring L2TP  
Configuring L2TP  
Some implementations of L2TP support elements of IPSec. These elements must be  
disabled when L2TP is used with a FortiGate unit.  
Note: L2TP VPNs are only supported in NAT/Route mode.  
This section describes:  
Configuring the FortiGate unit as an L2TP gateway  
Use the following procedures to configure the FortiGate unit as an L2TP gateway:  
To add users and user groups  
Add a user for each L2TP client.  
Go to User > Local.  
1
2
Add and configure L2TP users.  
3
4
Go to User > User Group.  
Add and configure L2TP user groups.  
To enable L2TP and specify an address range  
Go to VPN > L2TP > L2TP Range.  
1
2
3
4
5
Select Enable L2TP.  
Enter the Starting IP and the Ending IP for the L2TP address range.  
Select the User Group that you added in To add users and user groups” on page 263.  
Select Apply to enable L2TP through the FortiGate unit.  
FortiGate-800 Installation and Configuration Guide  
263  
Download from Www.Somanuals.com. All Manuals Search And Download.  
             
Configuring L2TP  
PPTP and L2TP VPN  
Figure 65: Sample L2TP address range configuration  
To add source addresses  
Add a source address for every address in the L2TP address range.  
1
2
Go to Firewall > Address.  
Select the interface to which L2TP clients connect.  
This can be an interface, VLAN subinterface, or zone.  
3
1
Select New to add an address.  
Enter the Address Name, IP Address, and NetMask for an address in the L2TP  
address range.  
2
3
Select OK to save the source address.  
Repeat for all addresses in the L2TP address range.  
Note: If the L2TP address range is comprised of an entire subnet, add an address for this  
subnet. Do not add an address group.  
To add a source address group  
Organize the source addresses into an address group.  
Go to Firewall > Address > Group.  
1
2
Add a new address group to the interface to which L2TP clients connect.  
This can be an interface, VLAN subinterface, or zone.  
3
Enter a Group Name to identify the address group.  
The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and  
the special characters - and _. Other special characters and spaces are not allowed.  
4
5
To add addresses to the address group, select an address from the Available  
Addresses list and select the right arrow to add it to the Members list.  
To remove addresses from the address group, select an address from the Members  
list and select the left arrow to remove it from the group.  
264  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
PPTP and L2TP VPN  
Configuring L2TP  
6
Select OK to add the address group.  
To add a destination address  
Add an address to which L2TP users can connect.  
Go to Firewall > Address.  
1
2
3
4
Select the internal interface or the DMZ interface.  
Select New to add an address.  
Enter the Address Name, IP Address, and NetMask for a single computer or for an  
entire subnetwork on an internal interface of the local VPN peer.  
5
Select OK to save the source address.  
To add a firewall policy  
Add a policy that specifies the source and destination addresses and sets the service  
for the policy to the traffic type inside the L2TP VPN tunnel.  
1
2
3
4
5
6
Go to Firewall > Policy.  
Select the policy list that you want to add the policy to (usually, External->Internal).  
Select New to add a policy.  
Set Source to the group that matches the L2TP address range.  
Set Destination to the address to which L2TP users can connect.  
Set Service to match the traffic type inside the L2TP VPN tunnel.  
For example, if L2TP users can access a web server, select HTTP.  
7
8
Set Action to ACCEPT.  
Select NAT if address translation is required.  
You can also configure traffic shaping, logging, and antivirus and web filter settings for  
L2TP policies.  
9
Select OK to save the firewall policy.  
Configuring a Windows 2000 client for L2TP  
Use the following procedure to configure a client computer running Windows 2000 so  
that it can connect to a FortiGate L2TP VPN.  
To configure an L2TP dialup connection  
1
2
Go to Start > Settings > Network and Dial-up Connections.  
Double-click Make New Connection to start the Network Connection Wizard and  
select Next.  
3
4
For Network Connection Type, select Connect to a private network through the  
Internet and select Next.  
For Destination Address, enter the address of the FortiGate unit to connect to and  
select Next.  
5
6
Set Connection Availability to Only for myself and select Next.  
Select Finish.  
FortiGate-800 Installation and Configuration Guide  
265  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Configuring L2TP  
PPTP and L2TP VPN  
7
8
9
In the Connect window, select Properties.  
Select the Security tab.  
Make sure that Require data encryption is selected.  
Note: If a RADIUS server is used for authentication do not select Require data encryption.  
L2TP encryption is not supported for RADIUS server authentication.  
10  
11  
12  
Select the Networking tab.  
Set VPN server type to Layer-2 Tunneling Protocol (L2TP).  
Save the changes and continue with the following procedure.  
To disable IPSec  
1
2
3
4
5
6
Select the Networking tab.  
Select Internet Protocol (TCP/IP) properties.  
Double-click the Advanced tab.  
Go to the Options tab and select IP security properties.  
Make sure that Do not use IPSEC is selected.  
Select OK and close the connection properties window.  
Note: The default Windows 2000 L2TP traffic policy does not allow L2TP traffic without IPSec  
encryption. You can disable default behavior by editing the Windows 2000 Registry as  
described in the following steps. See the Microsoft documentation for editing the Windows  
Registry.  
7
8
Use the registry editor (regedit) to locate the following key in the registry:  
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\  
Parameters  
Add the following registry value to this key:  
Value Name: ProhibitIpSec  
Data Type: REG_DWORD  
Value: 1  
9
Save the changes and restart the computer for the changes to take effect.  
You must add the ProhibitIpSecregistry value to each Windows 2000-based  
endpoint computer of an L2TP or IPSec connection to prevent the automatic filter for  
L2TP and IPSec traffic from being created. When the ProhibitIpSecregistry value  
is set to 1, your Windows 2000-based computer does not create the automatic filter  
that uses CA authentication. Instead, it checks for a local or active directory IPSec  
policy.  
To connect to the L2TP VPN  
1
2
3
Start the dialup connection that you configured in the previous procedure.  
Enter your L2TP VPN User Name and Password.  
Select Connect.  
266  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
PPTP and L2TP VPN  
Configuring L2TP  
4
In the connect window, enter the User Name and Password that you use to connect to  
your dialup network connection.  
This user name and password is not the same as your VPN user name and password.  
Configuring a Windows XP client for L2TP  
Use the following procedure to configure a client computer running Windows XP so  
that it can connect to a FortiGate L2TP VPN.  
To configure an L2TP VPN dialup connection  
Go to Start > Settings.  
1
2
3
4
5
6
Select Network and Internet Connections.  
Select Create a connection to the network of your workplace and select Next.  
Select Virtual Private Network Connection and select Next.  
Name the connection and select Next.  
If the Public Network dialog box appears, choose the appropriate initial connection  
and select Next.  
7
8
In the VPN Server Selection dialog, enter the IP address or host name of the  
FortiGate unit to connect to and select Next.  
Select Finish.  
To configure the VPN connection  
Right-click the icon that you created.  
Select Properties > Security.  
1
2
3
4
Select Typical to configure typical settings.  
Select Require data encryption.  
Note: If a RADIUS server is used for authentication do not select Require data encryption.  
L2TP encryption is not supported for RADIUS server authentication.  
5
6
Select Advanced to configure advanced settings.  
Select Settings.  
7
Select Challenge Handshake Authentication Protocol (CHAP).  
Make sure that none of the other settings are selected.  
Select the Networking tab.  
8
9
10  
Make sure that the following options are selected:  
TCP/IP  
QoS Packet Scheduler  
11  
Make sure that the following options are not selected:  
File and Printer Sharing for Microsoft Networks  
Client for Microsoft Networks  
FortiGate-800 Installation and Configuration Guide  
267  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Configuring L2TP  
PPTP and L2TP VPN  
To disable IPSec  
1
2
3
4
5
6
Select the Networking tab.  
Select Internet Protocol (TCP/IP) properties.  
Double-click the Advanced tab.  
Go to the Options tab and select IP security properties.  
Make sure that Do not use IPSEC is selected.  
Select OK and close the connection properties window.  
Note: The default Windows XP L2TP traffic policy does not allow L2TP traffic without IPSec  
encryption. You can disable default behavior by editing the Windows XP Registry as described  
in the following steps. See the Microsoft documentation for editing the Windows Registry.  
7
8
Use the registry editor (regedit) to locate the following key in the registry:  
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\  
Parameters  
Add the following registry value to this key:  
Value Name: ProhibitIpSec  
Data Type: REG_DWORD  
Value: 1  
9
Save the changes and restart the computer for the changes to take effect.  
You must add the ProhibitIpSecregistry value to each Windows XP-based  
endpoint computer of an L2TP or IPSec connection to prevent the automatic filter for  
L2TP and IPSec traffic from being created. When the ProhibitIpSecregistry value  
is set to 1, your Windows XP-based computer does not create the automatic filter that  
uses CA authentication. Instead, it checks for a local or active directory IPSec policy.  
To connect to the L2TP VPN  
1
2
3
4
5
Connect to your ISP.  
Start the VPN connection that you configured in the previous procedure.  
Enter your L2TP VPN User Name and Password.  
Select Connect.  
In the connect window, enter the User Name and Password that you use to connect to  
your dialup network connection.  
This user name and password is not the same as your VPN user name and password.  
268  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
FortiGate-800 Installation and Configuration Guide Version 2.50  
Network Intrusion Detection System  
(NIDS)  
The FortiGate NIDS is a real-time network intrusion detection sensor that uses attack  
signature definitions to both detect and prevent a wide variety of suspicious network  
traffic and direct network-based attacks. Also, whenever an attack occurs, the  
FortiGate NIDS can record the event in a log and send an alert email to the system  
administrator.  
This chapter describes:  
Detecting attacks  
The NIDS Detection module detects a wide variety of suspicious network traffic and  
network-based attacks. Use the following procedures to configure the general NIDS  
settings and the NIDS Detection module Signature List.  
For the general NIDS settings, you must select which interfaces you want to be  
monitored for network-based attacks. You also need to decide whether to enable  
checksum verification. Checksum verification tests the integrity of packets received at  
the monitored interfaces.  
This section describes:  
FortiGate-800 Installation and Configuration Guide  
269  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Detecting attacks  
Network Intrusion Detection System (NIDS)  
Selecting the interfaces to monitor  
To select the interfaces to monitor for attacks  
Go to NIDS > Detection > General.  
1
2
Select the interfaces to monitor for network attacks.  
You can select up to a total of 4 interfaces and VLAN subinterfaces.  
3
Select Apply.  
Disabling monitoring interfaces  
To disable monitoring interfaces for attacks  
1
2
3
Go to NIDS > Detection > General.  
Clear the check box for all the interfaces that you do not want monitored.  
Select Apply.  
Configuring checksum verification  
Checksum verification tests the files that pass through the FortiGate unit to make sure  
that they have not been changed in transit. The NIDS can run checksum verification  
on IP, TCP, UDP, and ICMP traffic. For maximum detection, you can turn on checksum  
verification for all types of traffic. However, if the FortiGate unit does not need to run  
checksum verification, you can turn it off for some or all types of traffic to improve  
system performance. For example, you might not need to run checksum verification if  
the FortiGate unit is installed behind a router that also does checksum verification.  
To configure checksum verification  
Go to NIDS > Detection > General.  
1
2
3
Select the type of traffic that you want to run Checksum Verifications on.  
Select Apply.  
Figure 66: Example NIDS detection configuration  
270  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
                   
Network Intrusion Detection System (NIDS)  
Detecting attacks  
Viewing the signature list  
You can display the current list of NIDS signature groups and the members of a  
signature group.  
To view the signature list  
1
2
Go to NIDS > Detection > Signature List.  
View the names and action status of the signature groups in the list.  
The NIDS detects attacks listed in all the signature groups that have check marks in  
the Enable column.  
Note: The user-defined signature group is the last item in the signature list. See “Adding user-  
3
Select View Details  
.to display the members of a signature group.  
The Signature Group Members list displays the attack ID, Rule Name, and Revision  
number for each group member.  
Viewing attack descriptions  
Fortinet provides online information for all NIDS attacks. You can view the  
FortiResponse Attack Analysis web page for an attack listed on the signature list.  
To view attack descriptions  
1
2
3
4
Go to NIDS > Detection > Signature List.  
Select View Details  
.to display the members of a signature group.  
Select a signature and copy its attack ID.  
Open a web browser and enter the following URL:  
http://www.fortinet.com/ids/ID<attack-ID>  
Make sure that you include the attack ID.  
For example, to view the Fortinet Attack Analysis web page for the ssh CRC32  
overflow /bin/shattack (ID 101646338), use the following URL:  
Note: Each attack log message includes a URL that links directly to the FortiResponse Attack  
Analysis web page for that attack. This URL is available in the Attack Log messages and Alert  
email messages. For information about log message content and formats, and about log  
locations, see the FortiGate Logging and Message Reference Guide. For information about  
logging attack messages, see “Logging attacks” on page 276.  
FortiGate-800 Installation and Configuration Guide  
271  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Detecting attacks  
Network Intrusion Detection System (NIDS)  
Figure 67: Example signature group members list  
Disabling NIDS attack signatures  
By default, all NIDS attack signatures are enabled. You can use the NIDS signature  
list to disable detection of some attacks. Disabling unnecessary NIDS attack  
signatures can improve system performance and reduce the number of IDS log  
messages and alert emails that the NIDS generates. For example, the NIDS detects a  
large number of web server attacks. If you do not provide access to a web server  
behind your firewall, you might want to disable all web server attack signatures.  
Note: To save your NIDS attack signature settings, Fortinet recommends that you back up your  
FortiGate configuration before you update the firmware and restore the saved configuration  
after the update.  
To disable NIDS attack signatures  
1
2
Go to NIDS > Detection > Signature List.  
Scroll through the signature list to find the signature group that you want to disable.  
Attack ID numbers and rule names in attack log messages and alert email match  
those in the signature group members list. You can scroll through a signature group  
members list to locate specific attack signatures by ID number and name.  
3
4
5
Clear the Enable check box.  
Select OK.  
Repeat steps 2 to 4 for each NIDS attack signature group that you want to disable.  
Select Check All  
to enable all NIDS attack signature groups in the signature list.  
to disable all NIDS attack signature groups in the signature  
Select Uncheck All  
list.  
Adding user-defined signatures  
You can create a user-defined signature list in a text file and upload it from the  
management computer to the FortiGate unit.  
Note: You cannot upload individual signatures. You must include, in a single text file, all the  
user-defined signatures that you want to upload. The file can contain one or more signatures.  
For information about how to write user-defined signatures, see the FortiGate NIDS  
Guide.  
272  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
             
Network Intrusion Detection System (NIDS)  
Detecting attacks  
To add user-defined signatures  
Go to NIDS > Detection > User Defined Signature List.  
Select Upload  
1
2
.
Caution: Uploading the user-defined signature list overwrites the existing file.  
!
3
Type the path and filename of the text file for the user-defined signature list or select  
Browse and locate the file.  
4
5
Select OK to upload the text file for the user-defined signature list.  
Select Return to display the uploaded user-defined signature list.  
Figure 68: Example user-defined signature list  
Downloading the user-defined signature list  
You can back up the user-defined signature list by downloading it to a text file on the  
management computer.  
Note: You cannot download individual signatures. You must download the entire user-defined  
signature list.  
To download the user-defined signature list  
Go to NIDS > Detection > User Defined Signature List.  
Select Download.  
1
2
The FortiGate unit downloads the user-defined signature list to a text file on the  
management computer. You can specify a location to which to download the text file  
as well as a name for the text file.  
FortiGate-800 Installation and Configuration Guide  
273  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Preventing attacks  
Network Intrusion Detection System (NIDS)  
Preventing attacks  
NIDS attack prevention protects the FortiGate unit and the networks connected to it  
from common TCP, ICMP, UDP, and IP attacks. You can enable NIDS attack  
prevention to prevent a set of default attacks with default threshold values. You can  
also enable or disable and set the threshold values for individual attack prevention  
signatures.  
Note: After the FortiGate unit reboots, NIDS attack prevention and synflood prevention are  
always disabled.  
Enabling NIDS attack prevention  
To enable NIDS attack prevention  
Go to NIDS > Prevention.  
Select the Enable Prevention check box, in the top left corner.  
1
2
Enabling NIDS attack prevention signatures  
The NIDS Prevention module contains signatures that are designed to protect your  
network against attacks. Some signatures are enabled by default, others must be  
enabled. For a complete list of NIDS Prevention signatures and descriptions, see the  
FortiGate NIDS Guide.  
To enable attack prevention signatures  
1
2
3
Go to NIDS > Prevention.  
Select the Enable check box beside each signature that you want to enable.  
Select Check All  
list.  
to enable all signatures in the NIDS attack prevention signature  
4
5
Select Uncheck All  
signature list.  
to disable all signatures in the NIDS attack prevention  
Select Reset to Default Values  
to enable only the default NIDS attack prevention  
signatures and return to the default threshold values.  
274  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Network Intrusion Detection System (NIDS)  
Preventing attacks  
Setting signature threshold values  
You can change the default threshold values for the NIDS Prevention signatures listed  
in Table 40. The threshold depends on the type of attack. For flooding attacks, the  
threshold is the maximum number of packets received per second. For overflow  
attacks, the threshold is the buffer size for the command. For large ICMP attacks, the  
threshold is the ICMP packet size limit to pass through.  
For example, setting the icmpflood signature threshold to 500 allows 500 echo  
requests from a source address, to which the system sends echo replies. The  
FortiGate unit drops any requests over the threshold of 500.  
If you enter a threshold value of 0 or a number out of the allowable range, the  
FortiGate unit uses the default value.  
Table 40: NIDS Prevention signatures with threshold values  
Signature  
Threshold value units  
Default  
Minimum Maximum  
abbreviation  
threshold threshold threshold  
value  
value  
value  
synflood  
Threshold: Maximum number of SYN  
segments received per second.  
2048  
1
1000000  
Queue Size: Maximum proxied  
connections.  
4096  
15  
100  
1
1000000  
3600  
Timeout: Number of seconds for the  
SYN cookie to keep a proxied  
connection alive.  
portscan  
srcsession  
ftpovfl  
Maximum number of SYN segments  
received per second  
512  
1
1000000  
1000000  
1408  
Total number of TCP sessions initiated 2048  
from the same source  
1
Maximum buffer size for an FTP  
command (bytes)  
256  
512  
512  
2048  
32  
32  
32  
1
smtpovfl  
pop3ovfl  
udpflood  
Maximum buffer size for an SMTP  
command (bytes)  
1408  
Maximum buffer size for a POP3  
command (bytes)  
1408  
Maximum number of UDP packets  
received from the same source or sent  
to the same destination per second  
1000000  
udpsrcsession  
icmpflood  
Total number of UDP sessions initiated 2048  
from the same source  
1
1
1000000  
1000000  
Maximum number of ICMP packets  
received from the same source or sent  
to the same destination per second  
256  
icmpsrcsession Total number of ICMP sessions  
initiated from the same source  
128  
128  
1
1
1000000  
1000000  
icmpsweep  
Maximum number of ICMP packets  
received from the same source per  
second  
icmplarge  
Maximum ICMP packet size (bytes)  
32000  
64  
64000  
FortiGate-800 Installation and Configuration Guide  
275  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Logging attacks  
Network Intrusion Detection System (NIDS)  
To set Prevention signature threshold values  
1
2
Go to NIDS > Prevention.  
Select Modify  
beside the signature for which you want to set the Threshold value.  
Signatures that do not have threshold values do not have Modify  
icons.  
3
4
5
Type the Threshold value.  
Select the Enable check box.  
Select OK.  
Logging attacks  
Whenever the NIDS detects or prevents an attack, it generates an attack message.  
You can configure the system to add the message to the attack log.  
Logging attack messages to the attack log  
To log attack messages to the attack log  
1
2
3
4
5
Go to Log&Report > Log Setting.  
Select Config Policy for the log locations you have set.  
Select Attack Log.  
Select Attack Detection and Attack Prevention.  
Select OK.  
Note: For information about log message content and formats, and about log locations, see the  
FortiGate Logging and Message Reference Guide.  
Reducing the number of NIDS attack log and email messages  
Intrusion attempts might generate an excessive number of attack messages. Based  
on the frequency that messages are generated, the FortiGate unit automatically  
deletes duplicates. If you still receive an excessive number of unnecessary  
messages, you can manually disable message generation for unneeded signature  
groups.  
Automatic message reduction  
The attack log and alert email messages that the NIDS produces include the ID  
number and name of the attack that generated the message. The attack ID number  
and name in the message are identical to the ID number and rule name that appear  
on the NIDS Signature Group Members list.  
276  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Network Intrusion Detection System (NIDS)  
Logging attacks  
The FortiGate unit uses an alert email queue in which each new message is  
compared with the previous messages. If the new message is not a duplicate, the  
FortiGate unit sends it immediately and puts a copy in the queue. If the new message  
is a duplicate, the FortiGate unit deletes it and increases an internal counter for the  
number of message copies in the queue.  
The FortiGate unit holds duplicate alert email messages for 60 seconds. If a duplicate  
message has been in the queue for more than 60 seconds, the FortiGate unit deletes  
the message and increases the copy number. If the copy number is greater than 1, the  
FortiGate unit sends a summary email that includes “Repeated x times” in the subject  
header, the statement “The following email has been repeated x times in the last y  
seconds”, and the original message.  
Manual message reduction  
If you want to reduce the number of alerts that the NIDS generates, you can review  
the content of attack log messages and alert email. If a large number of the alerts are  
nuisance alerts (for example, web attacks when you are not running a web server),  
you can disable the signature group for that attack type. Use the ID number in the  
attack log or alert email to locate the attack in the signature group list. See “Disabling  
FortiGate-800 Installation and Configuration Guide  
277  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Logging attacks  
Network Intrusion Detection System (NIDS)  
278  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
FortiGate-800 Installation and Configuration Guide Version 2.50  
Antivirus protection  
You can enable antivirus protection in firewall policies. You can select a content profile  
that controls how the antivirus protection behaves. Content profiles control the type of  
traffic protected (HTTP, FTP, IMAP, POP3, SMTP), the type of antivirus protection and  
the treatment of fragmented email and oversized files or email.  
This chapter describes:  
General configuration steps  
Configuring antivirus protection involves the following general steps.  
1
2
Select antivirus protection options in a new or existing content profile. See “Adding  
Select the Anti-Virus & Web filter option in firewall policies that allow web (HTTP),  
FTP, and email (IMAP, POP3, and SMTP) connections through the FortiGate unit.  
Select a content profile that provides the antivirus protection options that you want to  
3
Configure antivirus protection settings to control how the FortiGate unit applies  
antivirus protection to the web, FTP, and email traffic allowed by policies. See:  
4
5
Configure file quarantine settings to control the quarantining of infected or blocked  
files by traffic type, age, and file size. See “Configuring quarantine options” on  
Configure the messages that users receive when the FortiGate unit blocks or deletes  
an infected file. See “Replacement messages” on page 181.  
FortiGate-800 Installation and Configuration Guide  
279  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Antivirus scanning  
Antivirus protection  
6
Configure the FortiGate unit to send an alert email when it blocks or deletes an  
infected file. See “Configuring alert email” in the Logging and Message Reference  
Guide.  
Note: For information about receiving virus log messages, see “Configuring logging”, and for  
information about log message content and format, see “Virus log messages” in the Logging  
Configuration and Reference Guide  
Antivirus scanning  
Virus scanning intercepts most files (including files compressed with up to 12 layers of  
compression using zip, rar, gzip, tar, upx, and OLE) in the content streams for which  
you enable antivirus protection. Each file is tested to determine the file type and the  
most effective method of scanning the file for viruses. For example, binary files are  
scanned using binary virus scanning and Microsoft Office files containing macros are  
scanned for macro viruses.  
FortiGate virus scanning does not scan the following file types:  
cdimage  
floppy image  
.ace  
.bzip2  
.Tar+Gzip+Bzip2  
If a file is found to contain a virus, the FortiGate unit removes the file from the content  
stream and replaces it with a replacement message.  
If your FortiGate unit includes a hard disk and if quarantine is enabled for infected files  
for the matching traffic protocol, the FortiGate unit adds the file to the quarantine list.  
To scan FortiGate firewall traffic for viruses  
1
Select antivirus scanning in a content profile.  
For information about content profiles, see “Adding content profiles” on page 219.  
2
3
Optionally select Quarantine in this content profile.  
Add this content profile to firewall policies to apply virus scanning to the traffic  
controlled by the firewall policy.  
4
Configure file quarantine settings to control the quarantining of infected files.  
For information about configuring quarantine options, see “Configuring quarantine  
280  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Antivirus protection  
File blocking  
Figure 69: Example content profile for virus scanning  
File blocking  
Enable file blocking to remove all files that are a potential threat and to provide the  
best protection from active computer virus attacks. Blocking files is the only protection  
from a virus that is so new that antivirus scanning cannot detect it. You would not  
normally operate the FortiGate unit with blocking enabled. However, it is available for  
extremely high-risk situations in which there is no other way to prevent viruses from  
entering your network.  
On a FortiGate unit with a hard disk, if quarantining is enabled for blocked files for the  
matching traffic protocol, the FortiGate unit adds the file to the quarantine list.  
File blocking deletes all files that match a list of enabled file patterns. The FortiGate  
unit replaces the file with an alert message that is forwarded to the user. The  
FortiGate unit also writes a message to the virus log and sends an alert email if it is  
configured to do so.  
Note: If both blocking and scanning are enabled, the FortiGate unit blocks files that match  
enabled file patterns and does not scan these files for viruses.  
FortiGate-800 Installation and Configuration Guide  
281  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
File blocking  
Antivirus protection  
By default, when blocking is enabled, the FortiGate unit blocks the following file  
patterns:  
executable files (*.bat, *.com, and *.exe)  
compressed or archive files (*.gz, *.rar, *.tar, *.tgz, and *.zip)  
dynamic link libraries (*.dll)  
HTML application (*.hta)  
Microsoft Office files (*.doc, *.ppt, *.xl?)  
Microsoft Works files (*.wps)  
Visual Basic files (*.vb?)  
screen saver files (*.scr)  
Blocking files in firewall traffic  
Use content profiles to apply file blocking to HTTP, FTP, POP3, IMAP, and SMTP  
traffic controlled by firewall policies.  
To block files in firewall traffic  
1
2
Select file blocking in a content profile.  
Add this content profile to firewall policies to apply content blocking to the traffic  
controlled by the firewall policy.  
Adding file patterns to block  
To add file patterns to block  
1
2
3
Go to Anti-Virus > File Block.  
Select New.  
Type the new pattern in the File Pattern field.  
You can use an asterisk (*) to represent any characters and a question mark (?) to  
represent any single character. For example, *.dot blocks Microsoft Word template  
files and *.do? blocks both Microsoft Word template files and document files.  
4
5
Select the check box beside the traffic protocols for which you want to enable blocking  
of this file pattern.  
Select OK.  
282  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Antivirus protection  
Quarantine  
Quarantine  
FortiGate units with a hard disk can quarantine blocked or infected files. The  
quarantined files are removed from the content stream and stored on the FortiGate  
hard disk. Users receive a message that the removed files have been quarantined.  
On the FortiGate, the names of quarantined files are displayed on the quarantine list.  
The list displays status, duplication, and age information for each quarantined file. You  
can sort and filter this list based on these criteria. From the list you can also delete or  
download files.  
Quarantining infected files  
Use content profiles to quarantine infected files found in HTTP, FTP, POP3, IMAP, and  
SMTP traffic controlled by firewall policies.  
To quarantine infected files  
1
2
3
Go to Anti-Virus > Quarantine > Quarantine Config.  
Select the Content protocols for which you want quarantine infected files.  
Select antivirus scanning in a content profile.  
4
5
Select Quarantine to save to the quarantine any files that are found to be infected with  
a virus.  
Add this content profile to firewall policies to quarantine infected files found in the  
traffic controlled by the firewall policy.  
Quarantining blocked files  
Use content profiles to quarantine blocked files found in POP3, IMAP, and SMTP  
traffic controlled by firewall policies.  
To quarantine blocked files  
1
2
3
Go to Anti-Virus > Quarantine > Quarantine Config.  
Select the Content protocols for which to quarantine blocked files.  
To quarantine blocked files, select file block in a content profile.  
4
Select Quarantine to save to the quarantine any files that are blocked.  
FortiGate-800 Installation and Configuration Guide  
283  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Quarantine  
Antivirus protection  
5
Add this content profile to firewall policies.  
Viewing the quarantine list  
To view the quarantine list  
1
Go to Anti-Virus > Quarantine.  
The quarantine list displays the following information:  
File Name  
The processed filename of the file that was quarantined. The processed  
filename has all white space removed. As a file is quarantined, it is 32-bit  
checksummed and stored on the FortiGate hard disk with the following  
naming convention: <32bit CRC>.<processed filename>  
For example, a file named Over Size.exe is stored as  
3fc155d2.oversize.exe.  
Date Quarantined The date and time that the file was quarantined, in the format dd/mm/yyyy  
hh:mm. This value indicates the time that the first file was quarantined if the  
duplicate count increases.  
Service  
The service from which the file was quarantined (HTTP, FTP, IMAP, POP3,  
SMTP).  
Status  
Indicates if the file is infected by a virus, caught by heuristics, blocked by a  
block pattern, or oversized.  
Status  
Description  
Specific information related to the status, for example, “File is infected with  
“W32/Klez.h”” or “File was stopped by file block pattern.”  
DC  
Duplicate count. A count of how many duplicate files were discovered  
during quarantine. A rapidly increasing number can indicate a virus  
outbreak.  
TTL  
Time to live in the format hh:mm. When the TTL elapses, the FortiGate unit  
labels the file as EXP under the TTL heading. In the case of duplicate files,  
each duplicate found refreshes the TTL.  
Actions  
You can delete or download the file. When you download a file, it is  
downloaded in its original format.  
Note: In the case of duplicate files, all fields relate to the originally quarantined file except TTL,  
which is refreshed with every new instance of a specific file. Duplicate files (based on  
checksum) are never stored, but an internal counter for each file records the number of  
duplicates.  
Sorting the quarantine list  
You can sort the quarantine list according to status (infected or blocked), service  
(IMAP, POP3, SMTP, FTP, or HTTP), date quarantined, time to live (TTL), duplicate  
count, or alphabetically by filename,.  
To sort the Quarantine list  
Go to Anti-Virus > Quarantine.  
Select a column heading in the Sort by list.  
Select Apply.  
1
2
3
284  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Antivirus protection  
Quarantine  
Filtering the quarantine list  
You can filter the quarantine list to:  
Display only blocked files  
Display only infected files  
Display blocked and infected files found only in IMAP, POP3, SMTP, FTP, or HTTP  
traffic  
To filter the Quarantine list to display blocked or infected files  
Go to Anti-Virus > Quarantine.  
For FiIlter, select Status.  
1
2
3
4
Select either infected or blocked.  
Select Apply.  
To filter the Quarantine list to display blocked or infected files for a service  
Go to Anti-Virus > Quarantine.  
1
2
3
4
For FiIlter, select Service.  
Select IMAP, POP3, SMTP, FTP, or HTTP.  
Select Apply.  
Deleting files from the quarantine list  
To delete a file from the quarantine list  
Go to Anti-Virus > Quarantine.  
Select Delete to remove a quarantined file from the list.  
1
2
Downloading quarantined files  
To download quarantined files  
Go to Anti-Virus > Quarantine.  
Select Download to download a quarantined file in its original format.  
1
2
Configuring quarantine options  
You can specify whether the FortiGate unit quarantines infected files, blocked files, or  
both in web, FTP, and email traffic. You can also set the file age limit, the maximum file  
size, and the method for handling additional files when the FortiGate hard disk is  
running out of disk space.  
To configure quarantine options  
1
2
Go to Anti-Virus > Quarantine > Quarantine Config.  
For each traffic protocol, select the applicable Quarantine Infected Files and  
Quarantine Blocked Files check boxes.  
The FortiGate unit quarantines infected and blocked files for the selected traffic.  
FortiGate-800 Installation and Configuration Guide  
285  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Blocking oversized files and emails  
Antivirus protection  
Note: The Quarantine Blocked Files option is not available for HTTP or FTP because a  
filename is blocked at request time and the file is not downloaded to the FortiGate unit.  
3
4
Type the Age Limit (TTL) in hours to specify how long files are left in quarantine.  
The maximum number of hours is 480. The FortiGate unit automatically deletes a file  
when the TTL reaches 00:00.  
Type the maximum file size in MB to quarantine. The FortiGate unit keeps the existing  
quarantined files that are larger than the file size limit. The FortiGate unit does not  
quarantine new files that are larger than the file size limit. The file size range is 1-499  
MBytes.  
Enter 0 for unlimited file size.  
5
6
Select a Low Disk Space option to specify the method for handling additional files  
when the FortiGate hard disk is running out of disk space.  
You can select overwrite oldest file or drop new quarantine files.  
Select Apply.  
Blocking oversized files and emails  
You can configure the FortiGate unit to buffer 1 to 15 percent of available memory to  
store oversized files and email. The FortiGate unit then blocks a file or email that  
exceeds this limit instead of bypassing antivirus scanning and sending the file or email  
directly to the server or receiver. The FortiGate unit sends a replacement message for  
an oversized file or email attachment to the HTTP or email proxy client.  
Configuring limits for oversized files and email  
To configure limits for oversized files and email  
Go to Anti-Virus > Config > Config.  
Type the size limit, in MB.  
1
2
3
Select Apply.  
286  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Antivirus protection  
Exempting fragmented email from blocking  
Exempting fragmented email from blocking  
A fragmented email is a large email message that has been split into smaller  
messages that are sent individually and recombined when they are received. By  
default, when antivirus protection is enabled, the FortiGate unit blocks fragmented  
emails and replaces them with an email block message that is forwarded to the  
receiver. It is recommended that you disable the fragmenting of email messages in the  
client email software.  
To exempt fragmented emails from automatic antivirus blocking  
Caution: The FortiGate unit cannot scan fragmented emails for viruses or use file pattern  
!
blocking to remove files from these email messages.  
1
Enable Pass Fragmented Emails for IMAP, POP3, and SMTP traffic in a content  
profile.  
2
3
Select Anti-Virus & Web filter in a firewall policy. For example, to pass fragmented  
emails that internal users send to the external network, select an internal to external  
policy.  
Select a content profile that has Pass Fragmented Emails enabled for the traffic that  
you want the FortiGate unit to scan.  
Viewing the virus list  
You can view the names of the viruses and worms in the current virus definition list.  
To view the virus list  
1
2
Go to Anti-Virus > Config > Virus List.  
Scroll through the virus and worm list to view the names of all viruses and worms in  
the list.  
FortiGate-800 Installation and Configuration Guide  
287  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Viewing the virus list  
Antivirus protection  
288  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
FortiGate-800 Installation and Configuration Guide Version 2.50  
Web filtering  
When you enable Anti-Virus & Web filter in a firewall policy, you select a content  
profile that controls how web filtering behaves for HTTP traffic. Content profiles control  
the following types of content filtering:  
blocking unwanted URLs,  
blocking unwanted content,  
removing scripts from web pages,  
exempting URLs from blocking.  
You can also use the Cerberian URL filtering to block unwanted URLs. For more  
This chapter describes:  
General configuration steps  
Configuring web filtering involves the following general steps:  
1
2
Select web filtering options in a new or existing content profile. See “Adding content  
Select the Anti-Virus & Web filter option in firewall policies that allow HTTP  
connections through the FortiGate unit.  
Select a content profile that provides the web filtering options that you want to  
FortiGate-800 Installation and Configuration Guide  
289  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Content blocking  
Web filtering  
3
Configure web filtering settings to control how the FortiGate unit applies web filtering  
to the HTTP traffic allowed by policies. See:  
4
5
6
Configure the messages that users receive when the FortiGate unit blocks unwanted  
content or unwanted URLs. See “Replacement messages” on page 181.  
Configure the FortiGate unit to record log messages when it blocks unwanted content  
or unwanted URLs. See “Recording logs” on page 309.  
Configure the FortiGate unit to send an alert email when it blocks unwanted content or  
Content blocking  
When the FortiGate unit blocks a web page, the user who requested the blocked page  
receives a block message and the FortiGate unit writes a message to the web filtering  
log.  
You can add banned words to the list in many languages using Western, Simplified  
Chinese, Traditional Chinese, Japanese, or Korean character sets.  
Adding words and phrases to the Banned Word list  
1
2
3
Go to Web Filter > Content Block.  
Select New to add a word or phrase to the Banned Word list.  
Choose a language or character set for the banned word or phrase.  
You can choose Western, Chinese Simplified, Chinese Traditional, Japanese, or  
Korean.  
Your computer and web browser must be configured to enter characters in the  
character set that you choose.  
290  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Web filtering  
Content blocking  
4
Type a banned word or phrase.  
If you type a single word (for example, banned), the FortiGate unit blocks all web  
pages that contain that word.  
If you type a phrase (for example, banned phrase), the FortiGate unit blocks web  
pages that contain both words. When this phrase appears on the banned word list, the  
FortiGate unit inserts plus signs (+) in place of spaces (for example,  
banned+phrase).  
If you type a phrase in quotes (for example, “banned word”), the FortiGate unit  
blocks all web pages in which the words are found together as a phrase.  
Content filtering is not case-sensitive. You cannot include special characters in  
banned words.  
5
6
To enable the banned word, ensure that the Enable checkbox is selected.  
Select OK.  
The word or phrase is added to the Banned Word list.  
You can enable all the words on the banned word list by selecting Check All  
You can disable all the words on the banned word list by selecting Uncheck All  
.
.
Note: Banned Word must be selected in the content profile for web pages containing banned  
words to be blocked.  
Figure 70: Example banned word list  
Clearing the Banned Word list  
1
2
Go to Web Filter > Content Block.  
Select Clear List  
list.  
to remove all banned words and phrases from the banned word  
FortiGate-800 Installation and Configuration Guide  
291  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Content blocking  
Web filtering  
Backing up the Banned Word list  
You can back up the banned word list by downloading it to a text file on the  
management computer.  
To back up the banned word list  
Go to Web Filter > Content Block.  
Select Backup Banned Word List  
1
2
.
The FortiGate unit downloads the list to a text file on the management computer. You  
can specify a location to which to download the text file as well as a name for the text  
file.  
Restoring the Banned Word list  
You can create a Banned Word list in a text editor and then upload the text file to the  
FortiGate unit. Add one banned word or phrase to each line of the text file. The word  
or phrase should be followed by two parameters separated by spaces. The first  
parameter specifies the status of the entry. The second parameter specifies the  
language of the entry.  
Table 41: Banned Word list configuration parameters  
Parameter Setting  
Description  
Disabled  
Status  
0
1
0
1
2
3
4
Enabled  
Language  
ASCII  
Simplfied Chinese  
Traditional Chinese  
Japanese  
Korean  
Figure 71: Example Banned Word List text file  
banned 1 0  
banned+phrase+1 1 3  
"banned+phrase+2" 1 1  
Note: All changes made to the banned word list using the web-based manager are lost when  
you upload a new list. However, you can download your current banned word list, add more  
items to it using a text editor, and then upload the edited list to the FortiGate unit.  
To restore the banned word list  
1
2
3
Go to Web Filter > Content Block.  
Select Restore Banned Word List  
.
Type the path and filename of the banned word list text file, or select Browse and  
locate the file.  
4
Select OK to upload the file to the FortiGate unit.  
292  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Web filtering  
URL blocking  
5
6
Select Return to display the updated Banned Word List.  
You can continue to maintain the Banned Word List by making changes to the text file  
and uploading it again as necessary.  
.
Note: Banned Word must be selected in the content profile for web pages containing banned  
words to be blocked.  
URL blocking  
You can block the unwanted web URLs using FortiGate Web URL blocking, FortiGate  
Web pattern blocking, and Cerberian web filtering.  
Configuring FortiGate Web URL blocking  
You can configure FortiGate Web URL blocking to block all pages on a website by  
adding the top-level URL or IP address. You can also block individual pages on a  
website by including the full path and filename of the web page to block.  
Adding URLs to the Web URL block list  
Go to Web Filter > Web URL Block.  
1
2
3
Select New to add a URL to the Web URL block list.  
Type the URL the you want to block.  
Type a top-level URL or IP address to block access to all pages on a website. For  
example, www.badsite.comor 122.133.144.155blocks access to all pages at  
this website.  
Type a top-level URL followed by the path and filename to block access to a single  
page on a website. For example, www.badsite.com/news.htmlor  
122.133.144.155/news.htmlblocks the news page on this website.  
To block all pages with a URL that ends with badsite.com, add badsite.comto  
the block list. For example, adding badsite.comblocks access to  
www.badsite.com, mail.badsite.com, www.finance.badsite.com, and so  
on.  
Note: Do not include http://in the URL that you want to block.  
FortiGate-800 Installation and Configuration Guide  
293  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
URL blocking  
Web filtering  
Note: Do not use regular expressions in the Web URL block list. You can use regular  
expressions in the Web Pattern Block list to create URL patterns to block. See “Configuring  
Note: You can type a top-level domain suffix (for example, “com” without the leading period) to  
block access to all URLs with this suffix.  
Note: URL blocking does not block access to other services that users can access with a web  
browser. For example, URL blocking does not block access to ftp://ftp.badsite.com.  
Instead, you can use firewall policies to deny FTP connections.  
4
5
Ensure that the Enable checkbox has been selected and then select OK.  
Select OK to add the URL to the Web URL block list.  
You can enter multiple URLs and then select Check All  
Web URL block list.  
to enable all items in the  
You can disable all of the URLs on the list by selecting Uncheck All  
Each page of the Web URL block list displays 100 URLs.  
.
6
Use Page Up  
and Page Down  
to navigate through the Web URL block list.  
Note: You must select the Web URL Block option in the content profile to enable the URL  
blocking.  
Figure 72: Example URL block list  
Clearing the Web URL block list  
1
2
Go to Web Filter > Web URL Block.  
Select Clear URL Block List  
block list.  
to remove all URLs and patterns from the Web URL  
294  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Web filtering  
URL blocking  
Downloading the Web URL block list  
You can back up the Web URL block list by downloading it to a text file on the  
management computer.  
To download a Web URL block list  
1
2
Go to Web Filter > Web URL Block.  
Select Download URL Block List  
.
The FortiGate unit downloads the list to a text file on the management computer. You  
can specify a location to which to download the text file as well as a name for the text  
file.  
Uploading a URL block list  
You can create a URL block list in a text editor and then upload the text file to the  
FortiGate unit. Add one URL or pattern to each line of the text file. You can follow the  
item with a space and then a 1 to enable or a zero (0) to disable the URL. If you do not  
add this information to the text file, the FortiGate unit automatically enables all URLs  
and patterns that are followed by a 1 or no number when you upload the text file.  
Figure 73: Example URL block list text file  
www.badsite.com/index 1  
www.badsite.com/products 1  
182.63.44.67/index 1  
You can either create the URL block list or add a URL list created by a third-party URL  
block or blacklist service. For example, you can download the squidGuard blacklists  
available at http://www.squidguard.org/blacklist/ as a starting point for creating a URL  
block list. Three times per week, the squidGuard robot searches the web for new  
URLs to add to the blacklists. You can upload the squidGuard blacklists to the  
FortiGate unit as a text file, with only minimal editing to remove comments at the top of  
each list and to combine the lists that you want into a single file.  
Note: All changes made to the URL block list using the web-based manager are lost when you  
upload a new list. However, you can download your current URL block list, add more items to it  
using a text editor, and then upload the edited list to the FortiGate unit.  
To upload a URL block list  
1
2
3
4
In a text editor, create the list of URLs and patterns that you want to block.  
Using the web-based manager, go to Web Filter > Web URL Block.  
Select Upload URL Block List  
.
Type the path and filename of the URL block list text file, or select Browse and locate  
the file.  
5
6
Select OK to upload the file to the FortiGate unit.  
Select Return to display the updated Web URL block list.  
Each page of the Web URL block list displays 100 URLs.  
7
Use Page Down  
and Page Up  
to navigate through the Web URL block list.  
FortiGate-800 Installation and Configuration Guide  
295  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Configuring Cerberian URL filtering  
Web filtering  
8
You can continue to maintain the Web URL block list by making changes to the text  
file and uploading it again.  
Configuring FortiGate Web pattern blocking  
You can configure FortiGate web pattern blocking to block web pages that match a  
URL pattern. Create URL patterns using regular expressions (for example,  
badsite.*matches badsite.com, badsite.org, badsite.netand so on).  
FortiGate web pattern blocking supports standard regular expressions. You can add  
up to 20 patterns to the web pattern block list.  
To add patterns to the Web pattern block list  
1
2
3
Go to Web Filter > URL Block > Web Pattern Block.  
Select New to add an item to the Web pattern block list.  
Type the web pattern that you want to block.  
You can use standard regular expressions for web patterns.  
Note: URL blocking does not block access to other services that users can access with a web  
browser. For example, URL blocking does not block access to ftp://ftp.badsite.com.  
Instead, you can use firewall policies to deny FTP connections.  
4
5
Select Enable to block the pattern.  
Select OK to add the pattern to the Web pattern block list.  
Note: You must select the Web URL Block option in the content profile to enable the URL  
blocking.  
Configuring Cerberian URL filtering  
The FortiGate unit supports Cerberian URL filtering. For information about Cerberian  
URL filtering, see www.cerberian.com.  
Note: If you are operating FortiGate units in active-passive HA mode, each FortiGate unit in the  
cluster must have its own Cerberian license. Cerberian web filtering is not supported for  
active-active HA. For information about HA, see “High availability” on page 73.  
If you have purchased the Cerberian web filtering functionality with your FortiGate  
unit, use the following configuration procedures to configure FortiGate support for  
Cerberian web filtering.  
296  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Web filtering  
Configuring Cerberian URL filtering  
Installing a Cerberian license key  
Before you can use the Cerberian web filter, you must install a license key. The  
license key determines the number of end users allowed to use Cerberian web  
filtering through the FortiGate unit.  
To install a Cerberian licence key  
Go to Web Filter > URL Block.  
Select Cerberian URL Filtering.  
Enter the license number.  
Select Apply.  
1
2
3
4
Adding a Cerberian user  
The Cerberian web policies can be applied only to user groups. You can add users on  
the FortiGate unit and then add the users to user groups on the Cerberian  
administration web site.  
When the end user tries to access a URL, the FortiGate unit checks whether the  
user’s IP address is in the IP address list on the FortiGate unit. If the user’s IP address  
is in the list, the request is sent to the Cerberian server. Otherwise, an error message  
is sent to the user saying that the user does not have authorized access to the  
Cerberian web filter.  
To add a Cerberian user  
1
2
3
4
Go to Web Filter > URL Block.  
Select Cerberian URL Filtering.  
Select New.  
Enter the IP address and netmask of the user computers.  
You can enter the IP address of a single user. For example, 192.168.100.19  
255.255.255.255. You can also enter a subnet of a group of users. For example,  
192.168.100.0 255.255.255.0.  
5
6
Enter an alias for the user.  
The alias is used as the user name when you add the user to a user group on the  
Cerberian server. If you do not enter an alias, the user’s IP is used and added to the  
default group on the Cerberian server.  
Select OK.  
Configuring Cerberian web filter  
After you add the Cerberian web filter users on the FortiGate unit, you can add these  
users to the user groups on the Cerberian web filter server. Then you can create  
policies and apply these policies to the user groups.  
About the default group and policy  
There is a default user group, which is associated with a default policy, that exists on  
the Cerberian web filter server.  
FortiGate-800 Installation and Configuration Guide  
297  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Configuring Cerberian URL filtering  
Web filtering  
You can add users to the default group and apply any policies to the group.  
Use the default group to add:  
All the users who are not assigned alias names on the FortiGate unit.  
All the users who are not assigned to other user groups.  
The Cerberian web filter groups URLs into 53 categories. The default policy blocks the  
URLs of 12 categories. You can modify the default policy and apply it to any user  
groups.  
To configure Cerberian web filtering  
1
Add the user name, which is the alias you added on the FortiGate unit, to a user group  
on the Cerberian server.  
Web policies can be applied only to user groups. If you did not enter an alias for a  
user’s IP address on the FortiGate unit, the user’s IP address is automatically added  
to the default Cerberian group.  
2
3
Create policies by selecting the web categories that you want to block.  
Apply the policy to a user group that contains the user.  
For detailed procedures, see the online help on the Cerberian Web Filter web page.  
Enabling Cerberian URL filtering  
After you add the Cerberian users and groups and configure the Cerberian web filter,  
you can enable Cerberian URL filtering.  
To enable cerberian URL filtering  
1
2
3
4
5
6
7
8
9
Go to Web Filter > URL Block > Cerberian URL Filtering.  
Select the Cerberian URL Filtering option.  
Go to Firewall > Content Profile.  
Create a new or select an existing content profile and enable Web URL Block.  
Go to Firewall > Policy.  
Create a new or select an existing policy.  
Select Anti-Virus & Web filter.  
Select the content profile from the Content Profile list.  
Select OK.  
298  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Web filtering  
Script filtering  
Script filtering  
You can configure the FortiGate unit to remove Java applets, cookies, and ActiveX  
scripts from the HTML web pages.  
Note: Blocking any of these items might prevent some web pages from working properly.  
Enabling script filtering  
1
2
3
4
Go to Firewall > Content Profile.  
Select the content profile for which you want to enable script filtering.  
Select Script Filter.  
Select OK.  
Selecting script filter options  
1
2
Go to Web Filter > Script Filter.  
Select the script filter options that you want to enable.  
You can block Java applets, cookies, and ActiveX.  
3
Select Apply.  
Figure 74: Example script filter settings to block Java applets and ActiveX  
FortiGate-800 Installation and Configuration Guide  
299  
Download from Www.Somanuals.com. All Manuals Search And Download.  
                     
Exempt URL list  
Web filtering  
Exempt URL list  
Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be  
blocked by content or URL blocking. For example, if content blocking is set to block  
pornography-related words and a reputable website runs a story on pornography, web  
pages from the reputable website are blocked. Adding the address of the reputable  
website to the exempt URL list allows the content of the website to bypass content  
blocking.  
Note: Content downloaded from exempt web pages is not blocked or scanned by antivirus  
protection.  
Adding URLs to the URL Exempt list  
1
2
3
Go to Web Filter > URLExempt.  
Select New to add an item to the URL Exempt list.  
Type the URL to exempt.  
Type a complete URL, including path and filename, to exempt access to a page on a  
website. For example, www.goodsite.com/index.htmlexempts access to the  
main page of this example website. You can also add IP addresses; for example,  
122.63.44.67/index.htmlexempts access to the main web page at this  
address. Do not include http://in the URL to exempt.  
Exempting a top-level URL, such as www.goodsite.com,exempts all requested  
subpages (for example, www.goodsite.com/badpage) from all content and URL  
filtering rules.  
Note: Exempting a top-level URL does not exempt pages such as mail.goodsite.comfrom  
all content and URL filtering rules unless goodsite.com(without the www) is added to the  
exempt URL list.  
4
5
Ensure that the Enable checkbox has been selected.  
Select OK to add the URL to the exempt URL list.  
You can enter multiple URLs and then select Check All  
exempt URL list.  
to activate all items in the  
You can disable all the URLs in the list by selecting Uncheck All  
Each page of the exempt URL list displays 100 URLs.  
.
6
Use Page Down  
and Page Up  
to navigate the exempt URL list.  
300  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Web filtering  
Exempt URL list  
Figure 75: Example URL Exempt list  
Downloading the URL Exempt List  
You can back up the URL Exempt List by downloading it to a text file on the  
management computer.  
1
2
Go to Web Filter > URL Exempt.  
Select Download URL Exempt List  
.
The FortiGate unit downloads the list to a text file on the management computer. You  
can specify a location to which to download the text file as well as a name for the text  
file.  
Uploading a URL Exempt List  
You can create a URL Exempt list in a text editor and then upload the text file to the  
FortiGate unit. Add one URL or pattern to each line of the text file. The word or phrase  
should be followed by a parameter specifying the status of the entry. If you do not add  
this information to the text file, the FortiGate unit automatically enables all URLs and  
patterns that are followed with a 1 or no number when you upload the text file.  
Table 42: URL Exempt list configuration parameters  
Parameter Setting  
Description  
Disabled  
Status  
0
1
Enabled  
Figure 76: Example URL Emempt list text file  
www.goodsite.com 1  
www.goodsite.com/index 1  
127.33.44.55 1  
.
Note: All changes made to the URL block list using the web-based manager are lost when you  
upload a new list. However, you can download your current URL block list, add more items to it  
using a text editor, and then upload the edited list to the FortiGate unit.  
1
2
In a text editor, create the list of URLs to exempt.  
Using the web-based manager, go to Web Filter > URL Exempt.  
FortiGate-800 Installation and Configuration Guide  
301  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Exempt URL list  
Web filtering  
3
4
Select Upload URL Exempt List  
.
Type the path and filename of your URL Exempt List text file, or select Browse and  
locate the file.  
5
6
7
Select OK to upload the file to the FortiGate unit.  
Select Return to display the updated URL Exempt List.  
You can continue to maintain the URL Exempt List by making changes to the text file  
and uploading it again as necessary.  
302  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
FortiGate-800 Installation and Configuration Guide Version 2.50  
Email filter  
Email filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter  
in a firewall policy, you select a content profile that controls how email filtering  
behaves for email (IMAP and POP3) traffic. Content profiles control the following  
types of protection to identify unwanted email:  
filtering unwanted sender address patterns,  
filtering unwanted content,  
exempting sender address patterns from blocking.  
This chapter describes:  
General configuration steps  
Configuring email filtering involves the following general steps:  
1
2
Select email filter options in a new or existing content profile. See “Adding content  
Select the Anti-Virus & Web filter option in firewall policies that allow IMAP and POP3  
connections through the FortiGate unit. Select a content profile that provides the email  
filtering options that you want to apply to a policy. See “Adding content profiles to  
3
Add a subject tag to the unwanted email so that receivers can use their mail client  
software to filter messages based on the tag. See “Adding a subject tag” on page 308.  
Note: For information about receiving email filter log messages, see “Configuring logging” in the  
Logging Configuration and Reference Guide. For information about email filter log message  
categories and formats, see “Log messages” in the FortiGate Logging Configuration and  
Reference Guide.  
FortiGate-800 Installation and Configuration Guide  
303  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Email banned word list  
Email filter  
Email banned word list  
When the FortiGate unit detects an email that contains a word or phrase in the banned  
word list, the FortiGate unit adds a tag to the subject line of the email and writes a  
message to the event log. Receivers can then use their mail client software to filter  
messages based on the subject tag.  
You can add banned words to the list in many languages using Western, Simplified  
Chinese, Traditional Chinese, Japanese, or Korean character sets.  
Adding words and phrases to the email banned word list  
To add a word or phrase to the banned word list  
1
2
3
Go to Email Filter > Content Block.  
Select New.  
Type a banned word or phrase.  
If you type a single word (for example, banned), the FortiGate unit tags all IMAP  
and POP3 email that contains that word.  
If you type a phrase (for example, banned phrase), the FortiGate unit tags email  
that contains both words. When this phrase appears on the banned word list, the  
FortiGate unit inserts plus signs (+) in place of spaces (for example,  
banned+phrase).  
If you type a phrase in quotes (for example, “banned word”), the FortiGate unit  
tags all email in which the words are found together as a phrase.  
Content filtering is not case-sensitive. You cannot include special characters in  
banned words.  
1
2
Select the Language for the banned word or phrase.  
You can choose Western, Chinese Simplified, Chinese Traditional, Japanese, or  
Korean.  
Your computer and web browser must be configured to enter characters in the  
language that you select.  
Select OK.  
The word or phrase is added to the banned word list.  
Note: Email Content Block must be selected in the content profile for IMAP or POP3 email  
containing banned words to be tagged.  
304  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Email filter  
Email banned word list  
Downloading the email banned word list  
You can back up the banned word list by downloading it to a text file on the  
management computer:  
To download the banned word list  
Go to Email Filter > Content Block.  
Select Download.  
1
2
The FortiGate unit downloads the banned word list to a text file on the management  
computer. You can specify a location to which to download the text file as well as a  
name for the text file.  
Uploading the email banned word list  
You can create or edit a banned word list in a text file and upload it from your  
management computer to the FortiGate unit.  
Each banned word or phrase must appear on a separate line in the text file. Use  
ASCII, Western, Chinese Simplified, Chinese Traditional, Japanese, or Korean  
characters. Your computer and web browser must be configured to enter characters in  
the character set that you use.  
All words are enabled by default. Optionally, you can enter a space and a 1 after the  
word to enable it, and another space and a number to indicate the language.  
0
1
2
3
4
Western  
Chinese Simplified  
Chinese Traditional  
Japanese  
Korean  
If you do not add this information to all items in the text file, the FortiGate unit  
automatically enables all banned words and phrases that are followed with a 1 or no  
number in the Western language when you upload the text file.  
Figure 77: Example Western email banned word list text file  
banned 1 0  
banned+phrase+1 1 0  
“banned phrase 2” 1 0  
To upload the banned word list  
Go to Email Filter > Content Block.  
Select Upload.  
1
2
3
Type the path and filename of the banned word list text file or select Browse and  
locate the file.  
4
Select OK to upload the banned word list text file.  
Select Return to display the banned word list.  
FortiGate-800 Installation and Configuration Guide  
305  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Email block list  
Email filter  
Email block list  
You can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent  
from unwanted email addresses. When the FortiGate unit detects an email sent from  
an unwanted address pattern, the FortiGate unit adds a tag to the subject line of the  
email and writes a message to the email filter log. Receivers can then use their mail  
client software to filter messages based on the subject tag.  
You can tag email from a specific sender address or from all address subdomains by  
adding the top-level domain name. Alternatively, you can tag email sent from  
individual subdomains by including the subdomain to block.  
Adding address patterns to the email block list  
To add an address pattern to the email block list  
1
2
3
Go to Email Filter > Block List.  
Select New.  
Type a Block Pattern.  
To tag email from a specific email address, type the email address. For example,  
To tag email from a specific domain, type the domain name. For example,  
abccompany.com.  
To tag email from a specific subdomain, type the subdomain name. For example,  
mail.abccompany.com.  
To tag email from an entire organization category, type the top-level domain name.  
For example, type comto tag email sent from all organizations that use .com as the  
top-level domain.  
The pattern can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z),  
and the special characters - (hyphen),_ (underscore), and @. Spaces and other  
special characters are not allowed.  
4
Select OK to add the address pattern to the Email Block list.  
Downloading the email block list  
You can back up the email block list by downloading it to a text file on the  
management computer.  
To download the email block list  
Go to Email Filter > Block List.  
Select Download.  
1
2
The FortiGate unit downloads the list to a text file on the management computer. You  
can specify a location to which to download the text file as well as a name for the text  
file.  
306  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Email filter  
Email exempt list  
Uploading an email block list  
You can create a email block list in a text editor and then upload the text file to the  
FortiGate unit. Add one pattern to each line of the text file. You can follow the pattern  
with a space and then a 1 to enable or a zero (0) to disable the pattern. If you do not  
add this information to the text file, the FortiGate unit automatically enables all  
patterns that are followed with a 1 or no number when you upload the text file.  
Figure 78: Example email block list text file  
mail.badsite.com 1  
suredeal.org 1  
You can either create the email block list yourself, or add a block list created by a  
third-party email blacklist service. For example, you can subscribe to the Realtime  
Blackhole List service available at http://mail-abuse.org/rbl/ as a starting point for  
creating your own email block list. You can upload blacklists to the FortiGate unit as  
text files, with only minimal editing to remove comments at the top of each list and to  
combine the lists that you want into a single file.  
Note: All changes made to the email block list using the web-based manager are lost when you  
upload a new list. However, you can download your current email block list, add more patterns  
to it using a text editor, and then upload the edited list to the FortiGate unit.  
To upload the email block list  
1
2
3
4
In a text editor, create the list of patterns to block.  
Using the web-based manager, go to Email Filter > Block List.  
Select Upload.  
Type the path and filename of your email block list text file, or select Browse and  
locate the file.  
5
6
7
Select OK to upload the file to the FortiGate unit.  
Select Return to display the updated email block list.  
You can continue to maintain the email block list by making changes to the text file  
and uploading it again.  
Email exempt list  
Add address patterns to the exempt list to allow legitimate IMAP and POP3 traffic that  
might otherwise be tagged by email or content blocking. For example, if the email  
banned word list is set to block email that contains pornography-related words and a  
reputable company sends email that contains these words, the FortiGate unit would  
normally add a subject tag to the email. Adding the domain name of the reputable  
company to the exempt list allows IMAP and POP3 traffic from the company to bypass  
email and content blocking.  
FortiGate-800 Installation and Configuration Guide  
307  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Adding a subject tag  
Email filter  
Adding address patterns to the email exempt list  
To add an address pattern to the email exempt list  
Go to Email Filter > Exempt List.  
Select New.  
1
2
3
Type the address pattern that you want to exempt.  
To exempt email sent from a specific email address, type the email address. For  
example, [email protected].  
To exempt email sent from a specific domain, type the domain name. For example,  
abccompany.com.  
To exempt email sent from a specific subdomain, type the subdomain name. For  
example, mail.abccompany.com.  
To exempt email sent from an entire organization category, type the top-level  
domain name. For example, type netto exempt email sent from all organizations  
that use .net as the top-level domain.  
The pattern can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z),  
and the special characters - (hyphen),_ (underscore), and @. Spaces and other  
special characters are not allowed.  
4
Select OK to add the address pattern to the email exempt list.  
Adding a subject tag  
When the FortiGate unit receives email from an unwanted address or email that  
contains an item in the email banned word list, the FortiGate unit adds a tag to the  
subject line and sends the message to the destination email address. Email users can  
use their mail client software to filter the messages based on the subject tag.  
To add a subject tag  
1
2
Go to Email Filter > Config.  
Type the Subject Tag that you want to display in the subject line of email received from  
unwanted addresses or that contains banned words. For example, type Unwanted  
Mail.  
Note: Do not use quotation marks in the subject tags.  
3
Select Apply.  
The FortiGate unit adds the tag to the subject line of all unwanted email.  
308  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
FortiGate-800 Installation and Configuration Guide Version 2.50  
Logging and reporting  
You can configure the FortiGate unit to log network activity from routine configuration  
changes and traffic sessions to emergency events. You can also configure the  
FortiGate unit to send alert email messages to inform system administrators about  
events such as network attacks, virus incidents, and firewall and VPN events.  
This chapter describes:  
Recording logs  
You can configure logging to record logs to one or more of:  
a computer running a syslog server,  
a computer running a WebTrends firewall reporting server,  
the FortiGate hard disk (if your FortiGate unit contains a hard disk),  
the console.  
For information about filtering the log types and activities that the FortiGate unit  
records, see “Filtering log messages” on page 313. For information about traffic logs,  
This section describes:  
FortiGate-800 Installation and Configuration Guide  
309  
Download from Www.Somanuals.com. All Manuals Search And Download.  
       
Recording logs  
Logging and reporting  
Recording logs on a remote computer  
You can configure the FortiGate unit to record log messages on a remote computer.  
The remote computer must be configured with a syslog server.  
To record logs on a remote computer  
1
2
3
4
5
Go to Log&Report > Log Setting.  
Select the Log to Remote Host check box to send the logs to a syslog server.  
Type the IP address of the remote computer running syslog server software.  
Type the port number of the syslog server.  
Select the severity level for which you want to record log messages.  
The FortiGate unit logs all levels of severity down to, but not lower than, the level you  
choose. For example, if you want to record emergency, alert, critical, and error  
messages, select Error.  
6
Select Config Policy.  
Select the Log type for which you want the FortiGate unit to record logs.  
For each Log type, select the activities for which you want the FortiGate unit to  
record log messages.  
For information about log types and activities, see “Filtering log messages” on  
7
8
Select OK.  
Select Apply.  
Recording logs on a NetIQ WebTrends server  
Use the following procedure to configure the FortiGate unit to record logs on a remote  
NetIQ WebTrends firewall reporting server for storage and analysis. FortiGate log  
formats comply with WebTrends Enhanced Log Format (WELF) and are compatible  
with WebTrends NetIQ Security Reporting Center 2.0 and Firewall Suite 4.1. For more  
information, see the Security Reporting Center and Firewall Suite documentation.  
Note: FortiGate traffic log messages include sent and received fields, which are optional but  
required for drawing a WebTrends graph.  
To record logs on a NetIQ WebTrends server  
1
2
3
4
Go to Log&Report > Log Setting.  
Select the Log in WebTrends Enhanced Log Format check box.  
Type the IP address of the NetIQ WebTrends firewall reporting server.  
Select the severity level for which you want to record log messages.  
The FortiGate logs all levels of severity down to, but not lower than, the level you  
choose. For example, if you want to record emergency, alert, critical, and error  
messages, select Error.  
310  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Logging and reporting  
Recording logs  
5
Select Config Policy.  
To configure the FortiGate unit to filter the types of logs and events to record, use the  
6
7
Select OK.  
Select Apply.  
Recording logs on the FortiGate hard disk  
You can record log files on the FortiGate hard disk if a hard disk is installed on your  
FortiGate unit.  
To record logs on the FortiGate hard disk  
Go to Log&Report > Log Setting.  
1
2
3
Select the Log to Local Disk check box.  
Type a maximum log file size (in MB).  
When the log file reaches the maximum log file size, the current log file is closed and  
saved and a new active log file is started. The default maximum log file size is 10 MB  
and the maximum allowed is 1 GB.  
4
5
Type a log time interval (in days).  
After the specified time interval, the current log file is closed and saved and a new one  
is started. The default log time interval is 10 days.  
Select the severity level for which you want to record log messages.  
The FortiGate logs all levels of severity down to, but not lower than, the level you  
choose. For example, if you want to record emergency, alert, critical, and error  
messages, select Error.  
6
7
Select Config Policy.  
To configure the FortiGate to filter the types of logs and events to record, use the  
Set Log options for when the disk is full to one of the following:  
Overwrite  
Delete the oldest log file when the hard disk is full. Overwrite is the default  
option.  
Block traffic  
Do not log  
Block all network traffic when the hard disk is full.  
Stop logging messages when the hard disk is full.  
8
Select Apply.  
FortiGate-800 Installation and Configuration Guide  
311  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Recording logs  
Logging and reporting  
Recording logs in system memory  
If your FortiGate unit does not contain a hard disk, you can configure the FortiGate  
unit to reserve some system memory for storing current event, attack, antivirus, web  
filter, and email filter log messages. Logging to memory allows quick access to only  
the most recent log entries. The FortiGate unit can store a limited number of  
messages in system memory. After all available memory is used, the FortiGate unit  
deletes the oldest messages. If the FortiGate unit restarts, the log entries are lost.  
Note: The FortiGate unit can record only the event and attack log messages in system memory.  
To record logs in system memory  
1
2
3
Go to Log&Report > Log Setting.  
Select the Log to memory check box.  
Select the severity level for which you want to record log messages.  
The FortiGate logs all levels of severity down to, but not lower than, the level you  
choose. For example, if you want to record emergency, alert, critical, and error  
messages, select Error.  
4
5
Select Config Policy.  
To configure the FortiGate to filter the types of logs and events to record, use the  
Select Apply.  
Log message levels  
Table 43 lists and describes FortiGate log message levels.  
Table 43: FortiGate log message levels  
Levels Description  
0 - Emergency The system has become unstable.  
Generated by  
Emergency messages not  
available.  
1 - Alert  
Immediate action is required.  
Functionality is affected.  
NIDS attack log messages.  
DHCP  
2 - Critical  
3 - Error  
An error condition exists and  
functionality could be affected.  
Error messages not available.  
4 - Warning  
5 - Notice  
Functionality could be affected.  
Antivirus, Web filter, email filter, and  
system event log messages.  
Information about normal events.  
Antivirus, Web filter, and email filter  
log messages.  
6 - Information General information about system  
operations.  
Antivirus, Web filter, email filter log  
messages, and other event log  
messages.  
312  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Logging and reporting  
Filtering log messages  
Filtering log messages  
You can configure the logs that you want to record and the message categories that  
you want to record in each log.  
To filter log entries  
1
2
Go to Log&Report > Log Setting.  
Select Config Policy for the log location that you selected in “Recording logs” on  
3
Select the log types that you want the FortiGate unit to record.  
Traffic Log  
Event Log  
Record all connections to and through the interface.  
To configure traffic filtering, see “Adding traffic filter entries” on page 316.  
Record management and activity events in the event log.  
Management events include changes to the system configuration as well  
as administrator and user logins and logouts. Activity events include  
system activities, such as VPN tunnel establishment and HA failover  
events.  
Virus Log  
Record virus intrusion events, such as when the FortiGate unit detects a  
virus, blocks a file type, or blocks an oversized file or email.  
Web Filtering Log Record activity events, such as URL and content blocking, and exemption  
of URLs from blocking.  
Attack Log  
Email Filter Log  
Update  
Record attacks detected by the NIDS and prevented by the NIDS  
Prevention module.  
Record activity events, such as detection of email that contains unwanted  
content and email from unwanted senders.  
Record log messages when the FortiGate connects to the FDN to  
download antivirus and attack updates.  
4
5
Select the message categories that you want the FortiGate unit to record if you  
selected Event Log, Virus Log, Web Filtering Log, Attack Log, Email Filter Log, or  
Update in step 3.  
Select OK.  
FortiGate-800 Installation and Configuration Guide  
313  
Download from Www.Somanuals.com. All Manuals Search And Download.  
                   
Configuring traffic logging  
Logging and reporting  
Figure 79: Example log filter configuration  
Configuring traffic logging  
You can configure the FortiGate unit to record traffic log messages for connections to:  
An interface  
A VLAN subinterface  
A firewall policy  
The FortiGate unit can filter traffic logs for a source and destination address and  
service. You can also enable the following global settings:  
resolve IP addresses to host names,  
display the port number or service.  
The traffic filter list displays the name, source address and destination address, and  
the protocol type of the traffic to be filtered.  
This section describes:  
314  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Logging and reporting  
Configuring traffic logging  
Enabling traffic logging  
You can enable logging on any interface, VLAN subinterface, and firewall policy.  
Enabling traffic logging for an interface  
If you enable traffic logging for an interface, all connections to and through the  
interface are recorded in the traffic log.  
To enable traffic logging for an interface  
1
2
Go to System > Network > Interface.  
Select Edit  
in the Modify column beside the interface for which you want to  
enable logging.  
3
4
5
For Log, select Enable.  
Select OK.  
Repeat this procedure for each interface for which you want to enable logging.  
Enabling traffic logging for a VLAN subinterface  
If you enable traffic logging for a VLAN subinterface, all connections to and through  
the VLAN subinterface are recorded in the traffic log.  
To enable traffic logging for a VLAN subinterface  
1
2
Go to System > Network > Interface.  
Select Edit  
in the Modify column beside the VLAN subinterface for which you  
want to enable logging.  
For Log, select Enable.  
Select OK.  
3
4
5
Repeat this procedure for each VLAN subinterface for which you want to enable  
logging.  
Enabling traffic logging for a firewall policy  
If you enable traffic logging for a firewall policy, all connections accepted by the  
firewall policy are recorded in the traffic log.  
To enable traffic logging for a firewall policy  
Go to Firewall > Policy.  
Select a policy tab.  
1
2
3
4
Select Log Traffic.  
Select OK.  
FortiGate-800 Installation and Configuration Guide  
315  
Download from Www.Somanuals.com. All Manuals Search And Download.  
   
Configuring traffic logging  
Logging and reporting  
Configuring traffic filter settings  
You can configure the information recorded in all traffic log messages.  
To configure traffic filter settings  
1
2
Go to Log&Report > Log Setting > Traffic Filter.  
Select the settings that you want to apply to all traffic log messages.  
Resolve IP  
Select Resolve IP if you want traffic log messages to list the IP address  
and domain name stored on the DNS server. If the primary and secondary  
DNS server addresses provided to you by your ISP have not already been  
added, go to System > Network > DNS and add the addresses.  
Display  
Select Port Number if you want traffic log messages to list the port  
number, for example, 80/tcp. Select Service Name if you want traffic log  
messages to list the name of the service, for example, TCP.  
3
Select Apply.  
Figure 80: Example traffic filter list  
Adding traffic filter entries  
Add entries to the traffic filter list to filter the messages that are recorded in the traffic  
log. If you do not add any entries to the traffic filter list, the FortiGate unit records all  
traffic log messages. You can add entries to the traffic filter list to limit the traffic logs  
that are recorded. You can log traffic with a specified source IP address and netmask,  
to a destination IP address and netmask, and for a specified service. A traffic filter  
entry can include any combination of source and destination addresses and services.  
To add an entry to the traffic filter list  
1
2
3
Go to Log&Report > Log Setting > Traffic Filter.  
Select New.  
Configure the traffic filter for the type of traffic that you want to record on the traffic log.  
Name  
Type a name to identify the traffic filter entry.  
The name can contain numbers (0-9), uppercase and lowercase  
letters (A-Z, a-z), and the special characters - and _. Spaces and  
other special characters are not allowed.  
Source IP Address  
Source Netmask  
Type the source IP address and netmask for which you want the  
FortiGate unit to log traffic messages. The address can be an  
individual computer, subnetwork, or network.  
316  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
                     
Logging and reporting  
Viewing logs saved to memory  
Destination IP Address Type the destination IP address and netmask for which you want the  
FortiGate unit to log traffic messages. The address can be an  
individual computer, subnetwork, or network.  
Destination Netmask  
Service  
Select the service group or individual service for which you want the  
FortiGate unit to log traffic messages.  
4
Select OK.  
The traffic filter list displays the new traffic address entry with the settings that you  
Figure 81: Example new traffic address entry  
Viewing logs saved to memory  
If the FortiGate unit is configured to save log messages in system memory, you can  
use the web-based manager to view, search, and clear the log messages. This  
section describes:  
Viewing logs  
Log messages are listed with the most recent message at the top.  
To view log messages saved in system memory  
1
2
Go to Log&Report > Logging.  
Select Event Log, Attack Log, Antivirus Log, Web Filter Log, or Email Filter Log.  
The web-based manager lists the log messages saved in system memory.  
3
Scroll through the log messages to view them.  
FortiGate-800 Installation and Configuration Guide  
317  
Download from Www.Somanuals.com. All Manuals Search And Download.  
         
Viewing and managing logs saved to the hard disk  
Logging and reporting  
4
5
To view a specific line in the log, type a line number in the Go to line field and select  
.
To navigate through the log message pages, select Go to next page  
previous page  
or Go to  
.
Searching logs  
To search log messages saved in system memory  
1
2
3
4
5
Go to Log&Report > Logging.  
Select Event Log, Attack Log, Antivirus Log, Web Filter Log, or Email Filter Log.  
Select to search the messages in the selected log.  
Select AND to search for messages that match all the specified search criteria.  
Select OR to search for messages that match one or more of the specified search  
criteria.  
6
Select either of the following search criteria:  
Keyword  
Time  
To search for any text in a log message. Keyword searching is  
case-sensitive.  
To search log messages created during the selected year, month, day, and  
hour.  
7
Select OK to run the search.  
The web-based manager displays the messages that match the search criteria. You  
can scroll through the messages or run another search.  
Note: After you run a search, if you want to display all log messages again, run another search  
but leave all the search fields blank.  
Viewing and managing logs saved to the hard disk  
If your FortiGate unit contains a hard disk for recording logs, you can use the following  
procedures to view, search, and maintain logs:  
318  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
Logging and reporting  
Viewing and managing logs saved to the hard disk  
Viewing logs  
Log messages are listed with the most recent message at the top.  
To view the active or saved logs  
1
2
Go to Log&Report > Logging.  
Select Traffic Log, Event Log, Attack Log, Antivirus Log, Web Filter Log, or Email Filter  
Log.  
The web-based manager lists all saved logs of the selected type, with the active log at  
the top of the list. For each log, the list shows the date and time at which an entry was  
last added to the log, the size of the log file, and its name.  
3
4
5
To view a log file, select View  
.
The web-based manager displays the messages in the selected log.  
You can set the number of log messages to view on a single page to 30, 50 or 1000.  
You can scroll through the log entries.  
6
7
8
To view a specific line in the log file, type a line number in the Go to line field and  
select  
To navigate through the log message pages, select Go to next page  
previous page  
To search the messages in the log file that you are viewing, select  
.
or Go to  
.
.
Searching logs  
To search the active log or the saved log files  
Go to Log&Report > Logging.  
1
2
Select Traffic Log, Event Log, Attack Log, Antivirus Log, Web Filter Log, or Email Filter  
Log.  
3
4
5
6
To view a log file, select View  
.
Select to search the messages in the log file that you are viewing.  
Select AND to search for messages that match all the specified search criteria.  
Select OR to search for messages that match one or more of the specified search  
criteria.  
7
Select one or more of the following search criteria:  
Keyword  
To search for any text in a log message. Keyword searching is  
case-sensitive.  
Source  
Destination  
Time  
To search for any source IP address.  
To search for any destination IP address.  
To search log messages created during the selected year, month, day, and  
hour.  
8
Select OK to run the search.  
The web-based manager displays the messages that match the search criteria. You  
can scroll through the messages or run another search.  
FortiGate-800 Installation and Configuration Guide  
319  
Download from Www.Somanuals.com. All Manuals Search And Download.  
             
Viewing and managing logs saved to the hard disk  
Logging and reporting  
Note: After you run a search, if you want to display all log messages again, run another search  
but leave all the search fields blank.  
Downloading a log file to the management computer  
You can download log files to the management computer as plain text files or comma-  
separated value (CSV) files. After downloading, you can view the text file with a text  
editor or the CSV file using a spreadsheet program.  
To download log files  
1
2
Go to Log&Report > Logging.  
Select Traffic Log, Event Log, Attack log, Antivirus Log, Web Filter Log, or Email Filter  
Log.  
3
4
Select Download  
for the log file to the management computer  
Select a format for the log file:  
Select Download file in the normal format to download the log messages to a text  
file. Each line of the text file consists of a log message. The messages are  
formatted the same way as they appear on the web-based manager.  
Select Download file in CSV format to download the log messages to a text file in  
CSV format. In this format, a comma is added between each field in each  
message. If you open this file in a spreadsheet, each message field appears in a  
separate column.  
5
Select Save.  
Deleting all messages from an active log  
To delete all messages from an active log  
1
2
Go to Log&Report > Logging.  
Select Traffic Log, Event Log, Attack log, Antivirus Log, Web Filter Log, or Email Filter  
Log.  
3
4
Select Empty Log  
.
Select OK to delete the messages.  
Deleting a saved log file  
To delete a saved log file  
1
2
Go to Log&Report > Logging.  
Select Traffic Log, Event Log, Attack log, Antivirus Log, Web Filter Log, or Email Filter  
Log.  
The web-based manager lists all saved logs of the selected type, with the active log at  
the top of the list. For each log, the list shows the date and time at which an entry was  
last added to the log, the size of the log file, and its name.  
3
4
To delete a saved log file, select Delete  
Select OK to delete the log file.  
.
320  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
             
Logging and reporting  
Configuring alert email  
Configuring alert email  
You can configure the FortiGate unit to send alert email to up to three email addresses  
when there are virus incidents, block incidents, network intrusions, and other firewall  
or VPN events or violations. After you set up the email addresses, you can test the  
settings by sending test email.  
Adding alert email addresses  
Because the FortiGate unit uses the SMTP server name to connect to the mail server,  
the FortiGate unit must look up this name on your DNS server. Before you configure  
alert email, make sure that you configure at least one DNS server.  
To add a DNS server  
1
2
Go to System > Network > DNS.  
If they are not already there, type the primary and secondary DNS server addresses  
provided by your ISP.  
3
Select Apply.  
To add alert email addresses  
1
2
3
Go to Log&Report > Alert Mail > Configuration.  
Select the Authentication check box if your email server requires an SMTP password.  
In the SMTP Server field, type the name of the SMTP server where you want the  
FortiGate unit to send email, in the format smtp.domain.com.  
The SMTP server can be located on any network connected to the FortiGate unit.  
4
5
In the SMTP User field, type a valid email address in the format [email protected].  
This address appears in the From header of the alert email.  
In the Password field, type the password that the SMTP user needs to access the  
SMTP server.  
A password is required if you select Authentication.  
6
7
Type up to three destination email addresses in the Email To fields.  
These are the email addresses to which the FortiGate unit sends alert email.  
Select Apply.  
Testing alert email  
You can test the alert email settings by sending a test email.  
To send a test email  
1
2
Go to Log&Report > Alert Mail > Configuration.  
Select Test to send test email messages from the FortiGate unit to the Email To  
addresses.  
FortiGate-800 Installation and Configuration Guide  
321  
Download from Www.Somanuals.com. All Manuals Search And Download.  
             
Configuring alert email  
Logging and reporting  
Enabling alert email  
You can configure the FortiGate unit to send alert email in response to virus incidents,  
intrusion attempts, and critical firewall or VPN events or violations. If you have  
configured logging to a local disk, you can enable sending an alert email when the  
hard disk is almost full.  
To enable alert email  
1
2
Go to Log&Report > Alert Mail > Categories.  
Select Enable alert email for virus incidents.  
Alert email is not sent when antivirus file blocking deletes a file.  
3
4
5
Select Enable alert email for block incidents to have the FortiGate unit send an alert  
email when it blocks files affected by viruses.  
Select Enable alert email for intrusions to have the FortiGate unit send an alert email  
to notify the system administrator of attacks detected by the NIDS.  
Select Enable alert email for critical firewall/VPN events or violations to have the  
FortiGate unit send an alert email when a critical firewall or VPN event occurs.  
Critical firewall events include failed authentication attempts.  
Critical VPN events include when replay detection detects a replay packet. Replay  
detection can be configured for both manual key and AutoIKE Key VPN tunnels.  
6
7
Select Send alert email when disk is full to have the FortiGate unit send an alert email  
when the hard disk is almost full.  
Select Apply.  
322  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
           
FortiGate-800 Installation and Configuration Guide Version 2.50  
Glossary  
Connection: A link between machines, applications,  
processes, and so on that can be logical, physical, or  
both.  
Internal interface: The FortiGate interface that is  
connected to an internal (private) network.  
Internet: A collection of networks connected together  
that span the entire globe using the NFSNET as their  
backbone. As a generic term, it refers to any collection  
of interdependent networks.  
DMZ, Demilitarized Zone: Used to host Internet  
services without allowing unauthorized access to an  
internal (private) network. Typically, the DMZ contains  
servers accessible to Internet traffic, such as Web  
(HTTP) servers, FTP servers, SMTP (email) servers  
and DNS servers.  
ICMP, Internet Control Message Protocol: Part of the  
Internet Protocol (IP) that allows for the generation of  
error messages, test packets, and information  
messages relating to IP. This is the protocol used by  
the ping function when sending ICMP Echo Requests  
to a network host.  
DMZ interface: The FortiGate interface that is  
connected to a DMZ network.  
DNS, Domain Name Service: A service that converts  
symbolic node names to IP addresses.  
IKE, Internet Key Exchange: A method of  
automatically exchanging authentication and  
encryption keys between two secure servers.  
Ethernet: A local-area network (LAN) architecture that  
uses a bus or star topology and supports data transfer  
rates of 10 Mbps. Ethernet is one of the most widely  
implemented LAN standards. A newer version of  
Ethernet, called 100 Base-T (or Fast Ethernet),  
supports data transfer rates of 100 Mbps. And the  
newest version, Gigabit Ethernet, supports data rates  
of 1 gigabit (1,000 megabits) per second.  
IMAP, Internet Message Access Protocol: An  
Internet email protocol that allows access to your email  
from any IMAP compatible browser. With IMAP, your  
mail resides on the server.  
IP, Internet Protocol: The component of TCP/IP that  
handles routing.  
External interface: The FortiGate interface that is  
connected to the Internet. For the FortiGate-60 the  
external interface is WAN1 or WAN2.  
IP Address: An identifier for a computer or device on a  
TCP/IP network. An IP address is a 32-bit numeric  
address written as four numbers separated by periods.  
Each number can be zero to 255.  
FTP, File transfer Protocol: An application and TCP/  
IP protocol used to upload or download files.  
Gateway: A combination of hardware and software that  
links different networks. Gateways between TCP/IP  
networks, for example, can link different subnetworks.  
L2TP, Layer Two (2) Tunneling Protocol: An  
extension to the PPTP protocol that enables ISPs to  
operate Virtual Private Networks (VPNs). L2TP merges  
PPTP from Microsoft and L2F from Cisco Systems. To  
create an L2TP VPN, your ISP’s routers must support  
L2TP.  
HTTP, Hyper Text Transfer Protocol: The protocol  
used by the World Wide Web. HTTP defines how  
messages are formatted and transmitted, and what  
actions Web servers and browsers should take in  
response to various commands.  
IPSec, Internet Protocol Security: A set of protocols  
that support secure exchange of packets at the IP  
layer. IPSec is most often used to support VPNs.  
HTTPS: The SSL protocol for transmitting private  
documents over the Internet using a Web browser.  
FortiGate-800 Installation and Configuration Guide  
323  
Download from Www.Somanuals.com. All Manuals Search And Download.  
                   
Glossary  
LAN, Local Area Network: A computer network that  
spans a relatively small area. Most LANs connect  
workstations and personal computers. Each computer  
on a LAN is able to access data and devices anywhere  
on the LAN. This means that many users can share  
data as well as physical resources such as printers.  
PPP, Point-to-Point Protocol: A TCP/IP protocol that  
provides host-to-network and router-to-router  
connections.  
PPTP, Point-to-Point Tunneling Protocol: A  
Windows-based technology for creating VPNs. PPTP  
is supported by Windows 98, 2000, and XP. To create a  
PPTP VPN, your ISP's routers must support PPTP.  
MAC address, Media Access Control address: A  
hardware address that uniquely identifies each node of  
a network.  
Port: In TCP/IP and UDP networks, a port is an  
endpoint to a logical connection. The port number  
identifies what type of port it is. For example, port 80 is  
used for HTTP traffic.  
MIB, Management Information Base: A database of  
objects that can be monitored by an SNMP network  
manager.  
Protocol: An agreed-upon format for transmitting data  
between two devices. The protocol determines the type  
of error checking to be used, the data compression  
method (if any), how the sending device indicates that  
it has finished sending a message, and how the  
receiving device indicates that it has received a  
message.  
Modem: A device that converts digital signals into  
analog signals and back again for transmission over  
telephone lines.  
MTU, Maximum Transmission Unit: The largest  
physical packet size, measured in bytes, that a network  
can transmit. Any packets larger than the MTU are  
divided into smaller packets before being sent. Ideally,  
you want the MTU your network produces to be the  
same as the smallest MTU of all the networks between  
your machine and a message's final destination. If your  
messages are larger than one of the intervening MTUs,  
they get broken up (fragmented), which slows down  
transmission speeds.  
RADIUS, Remote Authentication Dial-In User  
Service: An authentication and accounting system  
used by many Internet Service Providers (ISPs). When  
users dial into an ISP they enter a user name and  
password. This information is passed to a RADIUS  
server, which checks that the information is correct,  
and then authorizes access to the ISP system.  
Netmask: Also called subnet mask. A set of rules for  
omitting parts of a complete IP address to reach a  
target destination without using a broadcast message.  
It can indicate a subnetwork portion of a larger network  
in TCP/IP. Sometimes referred to as an Address Mask.  
Router: A device that connects LANs into an internal  
network and routes traffic between them.  
Routing: The process of determining a path to use to  
send data to its destination.  
Routing table: A list of valid paths through which data  
can be transmitted.  
NTP, Network Time Protocol: Used to synchronize  
the time of a computer to an NTP server. NTP provides  
accuracies to within tens of milliseconds across the  
Internet relative to Coordinated Universal Time (UTC).  
Server: An application that answers requests from  
other devices (clients). Used as a generic term for any  
device that provides services to the rest of the network  
such as printing, high capacity storage, and network  
access.  
Packet: A piece of a message transmitted over a  
packet-switching network. One of the key features of a  
packet is that it contains the destination address in  
addition to the data. In IP networks, packets are often  
called datagrams.  
SMTP, Simple Mail Transfer Protocol: In TCP/IP  
networks, this is an application for providing mail  
delivery services.  
Ping, Packet Internet Grouper: A utility used to  
determine whether a specific IP address is accessible.  
It works by sending a packet to the specified address  
and waiting for a reply.  
SNMP, Simple Network Management Protocol: A set  
of protocols for managing networks. SNMP works by  
sending messages to different parts of a network.  
SNMP-compliant devices, called agents, store data  
about themselves in Management Information Bases  
(MIBs) and return this data to the SNMP requesters.  
POP3, Post Office Protocol: A protocol used to  
transfer e-mail from a mail server to a mail client across  
the Internet. Most e-mail clients use POP.  
324  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
                   
Glossary  
SSH, Secure shell: A secure Telnet replacement that  
you can use to log into another computer over a  
network and run commands. SSH provides strong  
secure authentication and secure communications  
over insecure channels.  
UDP, User Datagram Protocol: A connectionless  
protocol that, like TCP, runs on top of IP networks.  
Unlike TCP, UDP provides very few error recovery  
services, offering instead a direct way to send and  
receive datagrams over an IP network. It is used  
primarily for broadcasting messages over a network.  
Subnet: A portion of a network that shares a common  
address component. On TCP/IP networks, subnets are  
defined as all devices whose IP addresses have the  
same prefix. For example, all devices with IP  
addresses that start with 100.100.100. would be part of  
the same subnet. Dividing a network into subnets is  
useful for both security and performance reasons.  
IP networks are divided using a subnet mask.  
VPN, Virtual Private Network: A network that links  
private networks over the Internet. VPNs use  
encryption and other security mechanisms to ensure  
that only authorized users can access the network and  
that data cannot be intercepted.  
Virus: A computer program that attaches itself to other  
programs, spreading itself through computers or  
networks by this mechanism usually with harmful  
intent.  
Subnet Address: The part of the IP address that  
identifies the subnetwork.  
Worm: A program or algorithm that replicates itself  
over a computer network, usually through email, and  
performs malicious actions, such as using up the  
computer's resources and possibly shutting the system  
down.  
TCP, Transmission Control Protocol: One of the  
main protocols in TCP/IP networks. TCP guarantees  
delivery of data and also guarantees that packets will  
be delivered in the same order in which they were sent.  
FortiGate-800 Installation and Configuration Guide  
325  
Download from Www.Somanuals.com. All Manuals Search And Download.  
     
Glossary  
326  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
FortiGate-800 Installation and Configuration Guide Version 2.50  
Index  
alert email  
A
accept  
action  
active log  
allow inbound  
allow outbound  
allow traffic  
Anti-Virus & Web filter  
antivirus definition updates  
antivirus definitions  
attack definition updates  
addressing mode  
attack definitions  
attack detection  
attack prevention  
admin access level  
administrative access  
administrative status  
administrator account  
FortiGate-800 Installation and Configuration Guide  
327  
Download from Www.Somanuals.com. All Manuals Search And Download.  
 
Index  
attack updates  
Comments  
connecting  
contact information  
auto  
automatic antivirus and attack definition updates  
content blocking  
content profiles  
B
cookies  
backing up  
critical firewall events  
bandwidth  
critical VPN events  
banned word list  
blacklist  
block traffic  
blocking  
D
date and time setting  
default gateway  
deny  
C
certificates  
checksum verification  
clearing  
destination  
destination route  
detection  
device  
328  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Index  
DHCP  
expire  
F
factory default  
dialup L2TP  
FDN  
dialup PPTP  
FDS  
filename pattern  
dialup VPN  
DMZ interface  
filter  
DNS  
firewall  
do not log  
domain  
firewall address  
downloading  
dynamic IP list  
firewall events  
firewall policy  
dynamic IP pool  
E
email alert  
firmware  
encrypt  
first trap receiver IP address  
FortiCare  
Fortinet support  
encrypt policy  
ending IP address  
FortiGate-800 Installation and Configuration Guide  
329  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Index  
interface  
from IP  
from port  
front keypad and LCD  
G
get community  
groups  
internal address  
internal address group  
H
internal network  
Internet  
hard disk  
intrusion attempts  
IP  
IP address  
IP addresses  
IP pool  
hard disk full  
HTTP  
I
ICMP service  
IP service  
idle timeout  
IDS log  
Inbound NAT  
330  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Index  
IPSec VPN  
Log Traffic  
IPSec VPN tunnel  
J
K
keyword  
L
L2TP gateway  
language  
LCD and keypad  
LDAP  
logs  
LDAP server  
M
malicious scripts  
management access  
management IP address  
manual IP address  
lease duration  
log file  
log hard disk  
log message  
log options  
manual keys  
log setting  
matching  
log to local  
messages  
log to memory  
MIB  
FortiGate-800 Installation and Configuration Guide  
331  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Index  
mode  
override serve  
oversized files and email  
monitor  
monitoring  
overwrite  
P
password  
N
NAT  
pattern  
permission  
ping server  
NAT mode  
NAT/Route mode  
policy  
netmask  
network address translation  
policy list  
port number  
O
PPPoE  
operating mode  
options  
Outbound NAT  
332  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Index  
PPTP dialup connection  
PPTP gateway  
registered FortiGate units  
registering  
registration  
pre-shared keys  
relay  
prevention  
protocol  
replacement messages  
reserved IP  
push update  
reverting  
RIP  
Q
quarantine list  
quarantining  
quick mode identifier  
RMA  
route  
R
RADIUS  
router  
RADIUS server  
read & write access level  
read only access level  
recovering  
S
scanning  
FortiGate-800 Installation and Configuration Guide  
333  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Index  
SNMP  
scheduled updates  
scope  
source  
scripts  
secondary IP  
security question  
starting IP  
serial number  
static route  
status  
server  
service contracts  
service group  
service name  
session  
subnet  
subnet address  
support contract number  
support password  
system date and time  
system location  
system name  
system options  
334  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Index  
system settings  
U
UDP  
unwanted content  
T
updated  
updating  
upgrade  
upgrading  
TCP  
testing  
time  
URL  
URL block list  
timeout  
to IP  
to port  
traffic  
URL exempt list  
use selectors from policy  
use wildcard selectors  
user groups  
traffic filter  
trap community  
user name and password  
user-defined interface  
user-defined signature  
traps  
trusted host  
V
FortiGate-800 Installation and Configuration Guide  
335  
Download from Www.Somanuals.com. All Manuals Search And Download.  
Index  
viewing  
W
web content filtering  
web filtering  
virtual domain  
web page  
virus definition updates  
virus definitions  
virus incidents  
WebTrends  
Windows 2000  
Windows 98  
virus list  
Windows XP  
virus protection  
wizard  
VLAN  
VPN  
worm list  
VPN events  
Z
zone  
VPN tunnel  
336  
Fortinet Inc.  
Download from Www.Somanuals.com. All Manuals Search And Download.  

Euro Pro Iron G6118 User Manual
FMI Electric Heater VFN18R User Manual
FujiFilm Camera Lens 1359 User Manual
Fujitsu Network Card LQFP 64P User Manual
Fusion Speaker NVSW12 User Manual
Garland Convection Oven MST45R User Manual
Garland Oven ECO G 10 E User Manual
GE Tool Storage JDP39WW User Manual
GE Washer Dryer WNCD2050 User Manual
GE Washer Dryer WSM2480T User Manual