User / maintenance manual for the 50A product by the manufacturer Fortinet
FortiGate-50A Installation and Configuration Guide. FortiGate User Manual Volume 1, Version 2.50, 29 February 2004.
© Copyright 2004 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
Table of Contents (partial, as extracted)
Introduction ..... 13
NAT/Route mode and Transparent mode
Completing the configuration ..... 38
Setting the date and time
Shutting down the FortiGate unit ..... 66
System status
Network configuration ..... 93
Configuring interfaces
Changing system options ..... 122
Adding and editing administrator accounts
Virtual IPs ..... 157
Adding static NAT virtual IPs
AutoIKE IPSec VPNs ..... 182
General configuration steps for an AutoIKE VPN
Logging attacks ..... 222
Logging attack messages to the attack log
Email block list ..... 248
Adding address patterns to the email block list
Introduction. The FortiGate-50A Antivirus Firewall is an easy-to-deploy and easy-to-administer solution that delivers exceptional value and performance for small office and home office (SOHO) applications.
Document conventions. This guide uses the following conventions to describe CLI command syntax. • angle brackets < > to indicate variable keywords. For example: execute restore config <filename_str>. You enter restore config myfile.
Fortinet documentation. Information about FortiGate products is available from the following FortiGate Us.
Customer service and technical support. For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.
Getting started. This chapter describes unpacking, setting up, and powering on a FortiGate Antivirus Firewall unit.
Package contents. The FortiGate-50A package contains the following items: • the FortiGate-50A Antivirus Firewall • one orange cross-over ethernet.
Environmental specifications. • Operating temperature: 32 to 104°F (0 to 40°C) • Storage temperature: -13 to 1.
To connect to the web-based manager 1 Set the IP address of the computer with an ethernet connection to the static IP address 192.168.1.2 and a netmask of 255.255.255.
Connecting to the command line interface (CLI). To connect to the CLI 1 Connect the null modem cable to the communications port of your computer and to the FortiGate Console port.
Factory default FortiGate configuration settings. The FortiGate unit is shipped with a factory default configuration. The default configuration allows you to connect to and use the FortiGate web-based manager to configure the FortiGate unit onto the network.
Factory default NAT/Route mode network configuration. When the FortiGate unit is first powered on, it is running in NAT/Route mode and has the basic network configuration listed in Table 3.
Recurring Schedule: Always. The schedule is valid at all times. This means that the firewall policy is valid at all times. Firewall Policy: Int -> Ext. Firewall policy for connections from the internal network to the external network.
Factory default content profiles. You can use content profiles to apply different protection settings for content traffic that is controlled by firewall policies.
Scan content profile: Use the scan content profile to apply antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content traffic. Web content profile: Use the web content profile to apply antivirus scanning and web content blocking to HTTP content traffic.
Unfiltered content profile: Use the unfiltered content profile if you do not want to apply content protection to traffic.
Planning the FortiGate configuration. You typically use NAT/Route mode when the FortiGate unit is operating as a gateway between private and public networks.
In NAT/Route mode you can also change the configuration of the FortiGate DHCP server to supply IP addresses for the computers on your internal network.
FortiGate model maximum values matrix. Table 10: FortiGate maximum values matrix. FortiGate model: 50A 60 100 200 300 400 500 800.
Next steps. Now that your FortiGate unit is operating, you can proceed to configure it to connect to networks: • If you are going to operate the FortiGate unit in NAT/Route mode, go to “NAT/Route mode installation” on page 33.
NAT/Route mode installation. This chapter describes how to install the FortiGate unit in NAT/Route mode. To install the FortiGate unit in Transparent mode, see “Transparent mode installation” on page 41.
Preparing to configure NAT/Route mode. To use the factory default configuration, follow these steps to install the FortiGate unit: 1 Configure the TCP/IP settings of the computers on your internal network to obtain an IP address automatically using DHCP.
Advanced NAT/Route mode settings. Use Table 13 to gather the information that you need to customize advanced FortiGate NAT/Route mode settings.
Using the command line interface. As an alternative to using the setup wizard, you can configure the FortiGate unit using the command line interface (CLI). To connect to the CLI, see “Connecting to the command line interface (CLI)” on page 20.
6 Optionally, set the secondary DNS server IP addresses. Enter set system dns secondary <IP address>. Example: set system dns secondary 293.
Connecting the FortiGate unit to your networks. To connect the FortiGate-50A unit: 1 Connect the Internal interface to the hub or switch connected to your internal network. 2 Connect the External interface to the Internet. Connect to the public switch or router provided by your Internet Service Provider.
Registering your FortiGate unit. After purchasing and installing a new FortiGate unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.
Transparent mode installation. This chapter describes how to install your FortiGate unit in Transparent mode.
Using the setup wizard. From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. To connect to the web-based manager, see “Connecting to the web-based manager” on page 19.
Changing to Transparent mode 1 Log into the CLI if you are not already logged in. 2 Switch to Transparent mode. Enter: set system opmode transparent. After a few seconds, the login prompt appears.
Connecting the FortiGate unit to your networks. To connect the FortiGate unit: 1 Connect the Internal interface to the hub or switch connected to your internal network. 2 Connect the External interface to the Internet.
Completing the configuration. Use the information in this section to complete the initial configuration of the FortiGate unit.
Transparent mode configuration examples. A FortiGate unit operating in Transparent mode still requires a basic configuration to operate as a node on the IP network.
Example default route to an external network. Figure 7 shows a FortiGate unit where all destinations, including the management computer, are located on the external network.
Web-based manager example configuration steps. To configure basic Transparent mode settings and a default route using the web-based manager: 1 Go to System > Status.
Figure 8: Static route to an external destination. General configuration steps 1 Set the FortiGate unit to operate in Transparent mode.
Web-based manager example configuration steps. To configure the basic FortiGate settings and a static route using the web-based manager: 1 Go to System > Status.
Example static route to an internal destination. Figure 9 shows a FortiGate unit where the FDN is located on an external subnet and the management computer is located on a remote, internal subnet.
4 Configure the default route to the external network. Web-based manager example configuration steps. To configure the FortiGate basic settings, a static route, and a default route using the web-based manager: 1 Go to System > Status.
System status. You can connect to the web-based manager and view the current system status of the FortiGate unit.
Changing the FortiGate host name. The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name. For information about the SNMP system name, see “Configuring SNMP” on page 125.
Changing the FortiGate firmware. Upgrading to a new firmware version. Use the following procedures to upgrade the FortiGate unit to a newer firmware version.
4 Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore the previous configuration from the backup configuration file.
To use the following procedure you must have a TFTP server that the FortiGate unit can connect to. To revert to a previous firmware version using the CLI 1 Make sure that the TFTP server is running.
12 To confirm that the antivirus and attack definitions have been updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information.
6 Enter the following command to restart the FortiGate unit: execute reboot. As the FortiGate unit starts, a series of system startup messages is displayed. When one of the following messages appears: Press any key to enter configuration menu.
Restoring the previous configuration. Change the internal interface addresses if required.
5 Enter the following command to restart the FortiGate unit: execute reboot 6 As the FortiGate unit reboots, press any key to interrupt the system startup. As the FortiGate unit starts, a series of system startup messages is displayed.
Manual virus definition updates. The Status page of the FortiGate web-based manager displays the current installed versions of the FortiGate antivirus definitions.
Displaying the FortiGate serial number 1 Go to System > Status. The serial number is displayed on the System Status page of the web-based manager. The serial number is specific to the FortiGate unit and does not change with firmware upgrades.
Restoring system settings to factory defaults. Use the following procedure to restore system settings to the values set at the factory.
Changing to NAT/Route mode. Use the following procedure to change the FortiGate unit from Transparent mode to NAT/Route mode. After you change the FortiGate unit to NAT/Route mode, most of the configuration resets to NAT/Route mode factory defaults.
System status. You can use the system status monitor to display FortiGate system health information. The system health information includes memory usage, the number of active communication sessions, and the amount of network bandwidth currently in use.
Figure 1: CPU and memory status monitor. Viewing sessions and network status. Use the session and network status display to track how many network sessions the FortiGate unit is processing and to see what effect the number of sessions has on the available network bandwidth.
4 Select Refresh to manually update the information displayed. Figure 2: Sessions and network status monitor. Viewi.
Figure 3: Sessions and network status monitor. Session list. The session list displays information about the communications sessions currently being processed by the FortiGate unit. You can use the session list to view current sessions.
Each line of the session list displays the following information. Figure 4: Example session list. Protocol: The service protocol of the connection, for example, udp, tcp, or icmp.
Virus and attack definitions updates and registration. You can configure .
Updating antivirus and attack definitions. The Update page on the web-based manager displays the following antivirus and attack definition update information.
Manually initiating antivirus and attack definitions updates. You can use the following procedure to update the antivirus and attack definitions at any time.
Scheduling updates. Configuring update logging. Use the following procedure to configure FortiGate logging to record log messages when the FortiGate unit updates antivirus and attack definitions.
4 Select Apply. The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log.
Enabling scheduled updates through a proxy server. If your FortiGate unit must connect to the Internet t.
Enabling push updates. When the network configuration permits, configuring push updates is recommended in addition to configuring scheduled updates.
Example: push updates through a NAT device. This example describes how to configure a FortiGate NAT device to forward push updates to a FortiGate unit installed on its internal network.
General procedure. Use the following steps to configure the FortiGat.
Figure 3: Push update port forwarding virtual IP. Adding a firewall policy for the port forwarding virtual IP. To configure the FortiGate NAT device 1 Add a new external to internal firewall policy.
4 Set IP to the external IP address added to the virtual IP. For the example topology, enter 64.230.123.149.
Registering FortiGate units. All registration information is stored in the Fortinet Customer Support database. This information is used to make sure that your registered FortiGate units can be kept up to date.
Registering the FortiGate unit. Before registering a FortiGate.
4 Select the model number of the Product Model to register. 5 Enter the Serial Number of the FortiGate unit. 6 If you have purchased a FortiCare Support Contract for this FortiGate unit, enter the support contract number.
Updating registration information. To recover a lost Fortinet support password 1 Go to System > Update > Support. 2 Select Support Login.
Figure 7: Sample list of registered FortiGate units. Registering a new FortiGate unit. To register a new FortiGate unit 1 Go to System > Update > Support.
6 Select the Serial Number of the FortiGate unit for which to add or change a FortiCare Support Contract number.
Downloading virus and attack definitions updates. Use the following procedure to manually download virus and attack definitions updates. This procedure also describes how to install the attack definitions updates on your FortiGate unit.
Registering a FortiGate unit after an RMA. The Return Material Authorization (RMA) process starts when a registered FortiGate unit does not work properly because of a hardware failure.
Network configuration. You can use the System Network page to change any of t.
Configuring interfaces. Viewing the interface list. To view the interface list 1 Go to System > Network > Interface.
4 Change the IP address and Netmask as required. The IP address of the interface must be on the same subnet as the network the interface is connecting to.
Configuring an interface for PPPoE. Use the following procedure to configure any FortiGate interface to use PPPoE. If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request.
You can also configure management access and add a ping server to the secondary IP address.
2 Choose an interface and select Modify. 3 Select the Administrative Access methods for the interface.
Configuring the management interface in Transparent mode. Configure the management interface in Transparent mode to set the management IP address of the FortiGate unit.
Adding DNS server IP addresses. Several FortiGate functions, including sending email alerts and URL blocking, use DNS. Use the following procedure to add the IP addresses of the DNS servers that your FortiGate unit can connect to.
Configuring routing. Adding destination-based routes to the routing table. You can add destination-based routes to the FortiGate routing table to control the destination of traffic exiting the FortiGate unit.
7 Set Device #2 to the FortiGate interface through which to route traffic to connect to Gateway #2. You can select the name of an interface or Auto (the default). If you select the name of an interface, the traffic is routed to that interface.
To configure the routing table 1 Go to System > Network > Routing Table. 2 Choose the route that you want to move and select Move to to change its order in the routing table.
Policy routing command syntax. Configure policy routing using the following CLI command.
Configuring DHCP services. Configuring a DHCP server. As a DHCP server, the FortiGate unit dynamically assigns IP addresses to hosts located on connected subnets. You can configure a DHCP server for any FortiGate interface.
3 Select an interface. You must configure the interface as a DHCP server before it can be selected. 4 Select New to add an address scope. 5 Configure the address scope. 6 Select Advanced if you want to configure Advanced Options.
7 Select OK. Viewing a DHCP server dynamic IP list. You can view the list of IP addresses that the DHCP server has assigned, their corresponding MAC addresses, and the expiry time and date for these addresses.
Configuring the modem interface. Connecting a modem to the FortiGate unit. The FortiGate unit can operate with most standard external serial interface modems that support standard Hayes AT commands.
4 Enter the following Dialup Account 1 settings: 5 If you have multiple dialup accounts, enter Phone Number, User Name, and Password for Dialup Account 2 and Dialup Account 3.
Viewing modem status. To view the status of the modem connection go to System > Network > Modem. Modem status is one of the following: A green check mark indicates the active dialup account.
If the connection to the dialup account fails, the FortiGate unit redials the modem. The modem redials the number of times specified by the redial limit, or until it connects to a dialup account.
RIP configuration. The FortiGate implementation of the Routing Information Protocol (RIP) supports both RIP version 1 as defined by RFC 1058, and RIP version 2 as defined by RFC 2453.
RIP settings 5 Change the following RIP timer settings, as required. RIP timer defaults are effective in most configurations. You should only have to change these timers to troubleshoot network routing problems.
Figure 1: Configuring RIP settings. Configuring RIP for FortiGate interfaces. You can customize a RIP configuration for each FortiGate interface.
4 Select OK to save the RIP configuration for the selected interface. Figure 2: Example RIP configuration for an internal interface. Password: Enter the password to be used for RIP version 2 authentication.
Adding RIP filters. Use the Filter page to create RIP filter lists and assign RIP filter lists to the neighbors filter, incoming route filter, or outgoing route filter.
3 For Filter Name, type a name for the RIP filter list. The name can be 15 characters long and can contain upper and lower case letters, numbers, and special characters. The name cannot contain spaces.
Assigning a RIP filter list to the outgoing filter. The outgoing filter allows or denies adding routes to outgoing RIP update packets. You can assign a single RIP filter list to the outgoing filter.
FortiGate-50A Inst all ation and Configuration Guide V ersion 2.50 FortiGate-50A Installation and Configuration Gu ide 121 System configuration Use the System Config page to make any of the following .
122 Fortinet Inc. Changing system options System configuration 9 Select Apply . Figure 1: Example date and time setti ng Changing system options On the System Config Options page, you can: • Set the system idle timeout. • Set the authentication timeout.
System configuration Adding and editing administrator accounts FortiGate-50A Installation and Configuration Gu ide 123 3 Select Apply . Auth T imeout controls the amount of inacti ve time that the fi rewall waits before requiring users to authen ticate again.
Adding new administrator accounts. From the admin account, use the following procedure to add new administrator accounts and control their permission levels. To add an administrator account: 1 Go to System > Config > Admin.
To edit an administrator account: 1 Go to System > Config > Admin. 2 To change an administrator account password, select Change Password. 3 Type the Old Password.
Configuring SNMP. This section describes: • Configuring the FortiGate unit for SNMP monitoring • Configuring FortiGate SNMP support • FortiGate MIBs
To configure SNMP community settings: 1 Go to System > Config > SNMP v1/v2c. 2 Select the Enable SNMP check box. 3 Configure the following SNMP settings: 4 Select Apply.
Figure 2: Sample SNMP configuration. FortiGate MIBs: The FortiGate SNMP agent supports FortiGate proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. The FortiGate MIBs are listed in Table 1.
FortiGate traps: The FortiGate agent can send traps to up to three SNMP trap receivers on your network that are configured to receive traps from the FortiGate unit.
VPN traps. NIDS traps. Antivirus traps. Logging traps. Fortinet MIB fields: The Fortinet MIB contains fields for configuration settings and current status information for all parts of the FortiGate product.
System configuration and status. Firewall configuration. Users and authentication configuration. Table 8: Sy
VPN configuration and status. NIDS configuration. Antivirus configuration. Web filter configuration. Logging and reporting configuration. Table 11: VPN MIB fields. fnVpnIpsec: IPSec VPN configuration including the Phase 1 list, Phase 2 list, manual key list, and VPN concentrator list.
Replacement messages. Replacement messages are added to content passing through the firewall to repl
2 For the replacement message that you want to customize, select Modify. 3 In the Message setup dialog box, edit the content of the message.
Table 17: Alert email message sections. NIDS event: Used for NIDS event alert email messages. Section Start: <**NIDS_EVENT**>. Allowed Tags: %%NIDS_EVENT%% The NIDS attack message.
Critical event: Used for critical firewall event alert emails. Section Start: <**CRITICAL_EVENT**>. Allowed Tags: %%CRITICAL_EVENT%%
Firewall configuration. Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions that the FortiGate unit uses to decide what to do with a connection request.
This chapter describes: • Default firewall configuration • Adding firewall policies • Configuring policy lists • Address
The firewall uses these addresses to match the source and destination addresses of packets received by the firewall. The default policy matches all connections from the internal network because it includes the Internal_All address.
Adding firewall policies. Add firewall policies to control connections and traffic between FortiGate interfaces. To add a firewall policy: 1 Go to Firewall > Policy. 2 Select the policy list to which you want to add the policy.
Figure 5: Adding a NAT/Route policy. Action: Select how you want the firewall to respond when the policy matches a connection attempt. ACCEPT: Accept the connection.
NAT: Configure the policy for NAT. NAT translates the source address and the source port of packets accepted by the policy. If you select NAT, you can also select Dynamic IP Pool and Fixed Port.
Authentication: Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection.
Figure 6: Adding a Transparent mode policy. Log Traffic: Select Log Traffic to write messages to the traffic log whenever the policy processes a connection. For information about logging, see "Logging and reporting" on page 251.
For example, the default policy is a very general policy because it matches all connection attempts. When you create exceptions to that policy, you must add them to the policy list above the default policy.
Enabling and disabling policies. You can enable and disable policies in the policy list to control whether the policy is active or not. The FortiGate unit matches enabled policies but does not match disabled policies.
Addresses. This section describes: • Adding addresses • Editing addresses • Deleting addresses • Organizing addresses into address groups. Adding addresses: To add an address: 1 Go to Firewall > Address.
Editing addresses. Edit an address to change its IP address and netmask. You cannot edit the address name. To change the address name, you must delete the address entry and then add the address again with a new name.
5 To remove addresses from the address group, select an address from the Members list and select the left arrow to remove it from the group. 6 Select OK to add the address group.
GRE: Generic Routing Encapsulation. A protocol that allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets.
LDAP: Lightweight Directory Access Protocol is a set of protocols used to access information directories. tcp 389. NetMeeting: NetMeeting allows users to teleconference using the Internet as the transmission medium.
Adding custom TCP and UDP services. Add a custom TCP or UDP service if you need to create a policy for a service that is not in the predefined service list. To add a custom TCP or UDP service: 1 Go to Firewall > Service > Custom.
Adding custom ICMP services. Add a custom ICMP service if you need to create a policy for a service that is not in the predefined service list. To add a custom ICMP service: 1 Go to Firewall > Service > Custom.
3 Type a Group Name to identify the group. This name appears in the service list when you add a policy and cannot be the same as a predefined service name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.
Creating one-time schedules. You can create a one-time schedule that activates or deactivates a policy for a specified period of time.
If you create a recurring schedule with a stop time that occurs before the start time, the schedule starts at the start time and finishes at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next.
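The policy-list behaviour described above (the first matching policy wins, so exceptions go above the default policy; disabled policies are never matched; a recurring schedule whose stop time is earlier than its start time runs into the next day) as a small added model. This is illustrative code written for this page, not the FortiGate implementation, and every policy, address and schedule in it is constructed.

```python
"""Added example: a minimal model of ordered firewall-policy matching with
recurring schedules, as the manual describes it.  All data is constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Schedule:
    days: set      # weekday numbers the schedule starts on, Monday=0 .. Sunday=6
    start: time
    stop: time

    def active(self, when: datetime) -> bool:
        t = when.time()
        if self.start <= self.stop:
            # Ordinary same-day window, e.g. 08:00-17:00.
            return when.weekday() in self.days and self.start <= t < self.stop
        # Stop before start: the window opens at the start time on a listed
        # day and finishes at the stop time on the following day.
        if when.weekday() in self.days and t >= self.start:
            return True
        previous_day = (when.weekday() - 1) % 7
        return previous_day in self.days and t < self.stop


@dataclass
class Policy:
    name: str
    source: str             # CIDR; 0.0.0.0/0 plays the role of an "_All" address
    destination: str
    service_ports: set      # destination ports; an empty set means service ANY
    action: str             # "ACCEPT" or "DENY"
    enabled: bool = True
    schedule: Optional[Schedule] = None

    def matches(self, src: str, dst: str, port: int, when: datetime) -> bool:
        if not self.enabled:            # disabled policies are never matched
            return False
        if ip_address(src) not in ip_network(self.source):
            return False
        if ip_address(dst) not in ip_network(self.destination):
            return False
        if self.service_ports and port not in self.service_ports:
            return False
        return self.schedule is None or self.schedule.active(when)


def first_match(policies, src, dst, port, when) -> Optional[Policy]:
    """Walk the list top-down and return the first enabled matching policy."""
    for policy in policies:
        if policy.matches(src, dst, port, when):
            return policy
    return None


ALL = "0.0.0.0/0"
# Constructed maintenance window: Monday 22:00 until Tuesday 06:00.
NIGHT = Schedule(days={0}, start=time(22, 0), stop=time(6, 0))

# Constructed policy list: exceptions sit above the catch-all default policy.
POLICIES = [
    Policy("block-telnet", "192.168.1.0/24", ALL, {23}, "DENY"),
    Policy("night-backup", "192.168.1.0/24", "10.0.0.5/32", {22}, "ACCEPT", schedule=NIGHT),
    Policy("old-rule", "192.168.1.0/24", ALL, {22}, "ACCEPT", enabled=False),
    Policy("default", ALL, ALL, set(), "ACCEPT"),
]


def decide(src: str, dst: str, port: int, when: datetime) -> Optional[str]:
    """Name of the policy that would handle the connection, or None."""
    policy = first_match(POLICIES, src, dst, port, when)
    return policy.name if policy else None


if __name__ == "__main__":
    # 1 March 2004 was a Monday; 02:00 on 2 March still falls inside NIGHT.
    print(decide("192.168.1.10", "10.0.0.5", 22, datetime(2004, 3, 1, 23, 0)))
    print(decide("192.168.1.10", "10.0.0.5", 22, datetime(2004, 3, 2, 5, 0)))
    print(decide("192.168.1.10", "10.0.0.5", 22, datetime(2004, 3, 2, 7, 0)))
```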
To add a schedule to a policy: 1 Go to Firewall > Policy. 2 Create a new policy or edit a policy to change its schedule. 3 Configure the policy as required.
Adding static NAT virtual IPs. To add a static NAT virtual IP: 1 Go to Firewall > Virtual IP. 2 Select New to add a virtual IP. 3 Type a Name for the virtual IP. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.
Figure 12: Adding a static NAT virtual IP. Adding port forwarding virtual IPs: To add port forwarding virtual IPs: 1 Go to Firewall > Virtual IP. 2 Select New to add a virtual IP.
7 Enter the External Service Port number that you want to configure port forwarding for. The external service port number must match the destination port of the packets to be forwarded.
Adding policies with virtual IPs. Use the following procedure to add a policy that uses a virtual IP to forward packets. To add a policy with a virtual IP: 1 Go to Firewall > Policy.
Adding an IP pool. To add an IP pool: 1 Go to Firewall > IP Pool. 2 Select the interface to which to add the IP pool. 3 Select New to add a new IP pool to the selected interface. 4 Enter the Start IP and End IP addresses for the range of addresses in the IP pool.
If you want connections to originate from all your Internet IP addresses, you can add this address range to an IP pool for the external interface. Then you can select Dynamic IP Pool for all policies with the external interface as the destination.
4 Select New to add IP/MAC binding pairs to the IP/MAC binding list. All packets that would normally be allowed through the firewall by a firewall policy are first compared with the entries in the IP/MAC binding list.
Adding IP/MAC addresses. To add an IP/MAC address: 1 Go to Firewall > IP/MAC Binding > Static IP/MAC. 2 Select New to add an IP address/MAC address pair.
Figure 15: IP/MAC settings. Content profiles: Use content profiles to apply different protection settings for content traffic that is controlled by firewall policies.
Default content profiles. The FortiGate unit has the following four default content profiles that are displayed on the Firewall Content Profile page. You can use the default content profiles or create your own.
6 Enable the email filter protection options that you want. 7 Enable the fragmented email and oversized file and email options that you want. 8 Select OK. Figure 16: Example content profile. Web Exempt List: Exempt URLs from web filtering and virus scanning.
Adding content profiles to policies. You can add content profiles to policies with action set to allow or encrypt and with service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services.
Users and authentication. FortiGate units support user authentication to the FortiGate user database, a RADIUS server, and an LDAP server.
This chapter describes: • Setting authentication timeout • Adding user names and configuring authentication • Configur
5 Select the Try other servers if connect to selected server fail
Configuring RADIUS support. If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit contacts the RADIUS server for authentication.
Configuring LDAP support. If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication.
7 Enter the distinguished name used to look up entries on the LDAP server. Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server.
Configuring user groups. To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then select a user group when you require authentication.
Figure 20: Adding a user group. 7 To remove users, RADIUS servers, or LDAP servers from the user group, select a user, RADIUS server, or LDAP server from the Members list and select the left arrow to remove the name, RADIUS server, or LDAP server from the group.
IPSec VPN. A Virtual Private Network (VPN) is an extension of a private network that encompasses links across shared or public networks such as the Internet.
Key management. There are three basic elements in any encryption system: • an algorithm that changes information into code, • a cryptographic key that serves as a secret starting point for the algorithm, • a management system to control the key.
Manual key IPSec VPNs. When using manual keys, complementary security parameters must be entered at both ends of the tunnel. In addition to encryption and authentication algorithms and keys, the security parameter index (SPI) is required.
6 Enter the Remote Gateway. This is the external IP address of the FortiGate unit or other IPSec gateway at the opposite end of the tunnel. 7 Select an Encryption Algorithm from the list. Use the same algorithm at both ends of the tunnel.
General configuration steps for an AutoIKE VPN. An AutoIKE VPN configuration consists of phase 1 and phase 2 configuration parameters, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel.
4 Select a Remote Gateway address type. • If the remote VPN peer has a static IP address, select Static IP Address.
10 Configure the Local ID that the FortiGate unit sends to the remote VPN peer. • Preshared key: If the FortiGate unit is functioning as a client and uses its ID to authenticate itself to the remote VPN peer, enter an ID.
4 Optionally, configure NAT Traversal. 5 Optionally, configure Dead Peer Detection. Use these settings to monitor the status of the connection between VPN peers. DPD allows dead connections to be cleaned up and new VPN tunnels established.
Figure 21: Adding a phase 1 configuration (Standard options). Figure 22: Adding a phase 1 configuration (Advance
Adding a phase 2 configuration for an AutoIKE VPN. Add a phase 2 configuration to specify the parameters used to create and maintain a VPN tunnel between the local VPN peer (the FortiGate unit) and the remote VPN peer (the VPN gateway or client).
10 Enable Autokey Keep Alive if you want to keep the VPN tunnel running even if no data is being processed. 11 Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration.
Managing digital certificates. Use digital certificates to make sure that both participants in an IPSec communication session are trustworthy, prior to setting up an encrypted VPN tunnel between the participants.
6 Configure the key. 7 Select OK to generate the private and public key pair and the certificate request. The private/public key pair is generated and the certificate request is displayed on the Local Certificates list with a status of Pending.
Downloading the certificate request. Use the following procedure to download a certificate request from the FortiGate unit to the management computer. To download the certificate request: 1 Go to VPN > Certificates > Local Certificates.
The FortiGate unit obtains the CA certificate to validate the digital certificate that it receives from the remote VPN peer. The remote VPN peer obtains the CA certificate to validate the digital certificate that it receives from the FortiGate unit.
In addition to defining membership in the VPN by address, you can configure the encrypt policy for services such as DNS, FTP, and POP3, and to allow connections according to a predefined schedule (by the time of the day or the day of the week, month, or year).
4 Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the remote VPN peer. 5 Select OK to save the destination address.
To make sure that the encrypt policy is matched for VPN connections, arrange the encrypt policy above other policies with similar source and destination addresses and services in the policy list.
If the VPN peer is a FortiGate unit functioning as the hub, or concentrator, it requires a VPN configuration connecting it to each spoke (AutoIKE phase 1 and 2 settings or manual key settings, plus encrypt policies).
4 Add an encrypt policy for each spoke. Encrypt policies control the direction of traffic through the hub and allow inbound and outbound VPN connections between the hub and the spokes. The encrypt policy for each spoke must include the tunnel name of the spoke.
Figure 26: Adding a VPN concentrator. VPN spoke general configuration steps: A remote VPN peer that functio
4 Add a separate outbound encrypt policy for each remote VPN spoke. These policies control the encrypted connections initiated by the local VPN spoke. The encrypt policy must include the appropriate source and destination addresses and the tunnel added in step 1.
Monitoring and Troubleshooting VPNs. • Viewing VPN tunnel status • Viewing dialup VPN conne
Figure 28: Dialup Monitor. Testing a VPN: To confirm that a VPN between two networks has been configured correctly, use the ping command from one internal network to connect to a computer on the other internal network.
PPTP and L2TP VPN. You can use PPTP and L2TP to create a virtual private network (VPN) between a remote client computer that is running Windows and your internal network.
2 Add and configure PPTP users. For information about adding and configuring users, see "Adding user names and configuring authentication" on page 172. 3 Go to User > User Group. 4 Add and configure PPTP user groups.
To add a source address group: Organize the source addresses into an address group. 1 Go to Firewall > Address > Group. 2 Add a new address group to the interface to which PPTP clients connect.
Configuring a Windows 98 client for PPTP. Use the following procedure to configure a client computer running Windows 98 so that it can connect to a FortiGate PPTP VPN.
Configuring a Windows 2000 client for PPTP. Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiGate PPTP VPN.
8 Select Finish. To configure the VPN connection: 1 Right-click the Connection icon that you created in the previous procedure. 2 Select Properties > Security. 3 Select Typical to configure typical settings.
Configuring L2TP. Some implementations of L2TP support elements of IPSec.
Figure 30: Sample L2TP address range configuration. To add source addresses: Add a source address for every address in the L2TP address range. 1 Go to Firewall > Address. 2 Select the interface to which L2TP clients connect.
To add a destination address: Add an address to which L2TP users can connect. 1 Go to Firewall > Address. 2 Select the internal interface. 3 Select New to add an address.
8 Select the Security tab. 9 Make sure that Require data encryption is selected. 10 Select the Networking tab. 11 Set VPN server type to Layer-2 Tunneling Protocol (L2TP). 12 Save the changes and continue with the following procedure.
Configuring a Windows XP client for L2TP. Use the following procedure to configure a client computer running Windows XP so that it can connect to a FortiGate L2TP VPN.
4 Go to the Options tab and select IP security properties. 5 Make sure that Do not use IPSEC is selected.
Network Intrusion Detection System (NIDS). The FortiGate NIDS is a real-time
Selecting the interfaces to monitor. To select the interfaces to monitor for attacks: 1 Go to NIDS > Detection > General. 2 Select the interfaces to monitor for network attacks.
Viewing the signature list. You can display the current list of NIDS signature groups and the members of a signature group. To view the signature list: 1 Go to NIDS > Detection > Signature List.
Figure 32: Example signature group members list. Disabling NIDS attack signatures: By default, all NIDS attack signatures are enabled. You can use the NIDS signature list to disable detection of some attacks.
To add user-defined signatures: 1 Go to NIDS > Detection > User Defined Signature List.
Preventing attacks. NIDS attack prevention protects the FortiGate unit and the networks connected to it from common TCP, ICMP, UDP, and IP attacks. You can enable NIDS attack prevention to prevent a set of default attacks with default threshold values.
Setting signature threshold values. You can change the default threshold values for the NIDS Prevention signatures listed in Table 20.
To set Prevention signature threshold values: 1 Go to NIDS > Prevention. 2 Select Modify beside the signature for which you want to set the Threshold value. Signatures that do not have threshold values do not have Modify icons.
The FortiGate unit uses an alert email queue in which each new message is compared with the previous messages. If the new message is not a duplicate, the FortiGate unit sends it immediately and puts a copy in the queue.
Antivirus protection. You can enable antivirus protection in firewall policies. You can select a content profile that controls how the antivirus protection behaves.
Antivirus scanning. Virus scanning intercepts most files (including files compressed with up to 12 layers of compression using zip, rar, gzip, tar, upx, and OLE) in the content streams for which you enable antivirus protection.
File blocking. Enable file blocking to remove all files that are a potential threat and to provide the best protection from active computer virus attacks.
3 Type the new pattern in the File Pattern field. You can use an asterisk (*) to represent any characters and a question mark (?) to represent any single character. For example, *.
Viewing the virus list. You can view the names of the viruses and worms in the current virus definition list. To view the virus list: 1 Go to Anti-Virus > Config > Virus List.
Web filtering. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic.
4 Configure the messages that users receive when the FortiGate unit blocks unwanted content or unwanted URLs. See "Replacement messages" on page 133. 5 Configure the FortiGate unit to record log messages when it blocks unwanted content or unwanted URLs.
Figure 35: Example banned word list. Clearing the Banned Word list: 1 Go to Web Filter > Content Block. 2 Select Clear List to remove all banned words and phrases from the banned word list.
Figure 36: Example Banned Word List text file. To restore the banned word list: 1 Go to Web Filter > Content Block. 2 Select Restore Banned Word List. 3 Type the path and filename of the banned word list text file, or select Browse and locate the file.
URL blocking. You can block unwanted web URLs using FortiGate Web URL blocking, FortiGate Web pattern blocking, and Cerberian web filtering.
5 Select OK to add the URL to the Web URL block list. You can enter multiple URLs and then select Check All to enable all items in the Web URL block list. You can disable all of the URLs on the list by selecting Uncheck All.
Figure 38: Example URL block list text file. You can either create the URL block list or add a URL list created by a third-party URL block or blacklist service. For example, you can download the squidGuard blacklists available at http://www
4 Select Enable to block the pattern. 5 Select OK to add the pattern to the Web pattern block list. Configuring Cerberian URL filtering: The FortiGate unit supports Cerberian URL filtering.
4 Enter the IP address and netmask of the user computers. You can enter the IP address of a single user. For example, 192.168.100.19 255.255.
3 Go to Firewall > Content Profile. 4 Create a new or select an existing content profile and enable Web URL Block. 5 Go to Firewall > Policy. 6 Create a new or select an existing policy. 7 Select Anti-Virus & Web filter.
Exempt URL list. Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be blocked by content or URL blocking.
242 Fortinet Inc. Exempt URL list Web filtering Figure 40: Example URL Exempt list Downloading the URL Exempt List Y ou can back up the URL Exempt List by downloading it to a text file on the management compu ter . 1 Go to Web Filter > URL Exempt .
Web filtering Exempt URL list FortiGate-50A Installation and Configuration Gu ide 243 3 Select Upload URL Exempt List . 4 T ype the path and filename of your URL Exem pt List text file, or select Browse and locate the file. 5 Select OK to upload the f ile to the FortiGate unit.
Email filter
Email filtering is enabled in firewall policies.
Email banned word list
When the FortiGate unit detects an email that contains a word or phrase in the banned word list, the FortiGate unit adds a tag to the subject line of the email and writes a message to the event log.
Downloading the email banned word list
You can back up the banned word list by downloading it to a text file on the management computer.
To download the banned word list:
1 Go to Email Filter > Content Block.
Email block list
You can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from unwanted email addresses.
Uploading an email block list
You can create an email block list in a text editor and then upload the text file to the FortiGate unit. Add one pattern to each line of the text file.
Adding address patterns to the email exempt list
To add an address pattern to the email exempt list:
1 Go to Email Filter > Exempt List.
2 Select New.
3 Type the address pattern that you want to exempt.
Logging and reporting
You can configure the FortiGate unit to log network activity, from routine configuration changes and traffic sessions to emergency events.
Recording logs
4 Type the port number of the syslog server.
5 Select the severity level for which you want to record log messages. The FortiGate unit logs all levels of severity down to, but not lower than, the level you choose.
Log message levels
Table 23 lists and describes FortiGate log message levels.
Filtering log messages
You can configure the logs that you want to record and the message categories that you want to record in each log.
4 Select the message categories that you want the FortiGate unit to record if you selected Event Log, Virus Log, Web Filtering Log, Attack Log, Email Filter Log, or Update in step 3.
Configuring traffic logging
This section describes:
• Enabling traffic logging
• Configuring traffic filter settings
• Adding traffic filter entries
Enabling traffic logging
You can enable logging on any interface and firewall policy.
3 Select Apply.
Figure 45: Example traffic filter list
Adding traffic filter entries
Add entries to the traffic filter list to filter the messages that are recorded in the traffic log.
Figure 46: Example new traffic address entry
Configuring alert email
You can configure the Fort.
3 In the SMTP Server field, type the name of the SMTP server where you want the FortiGate unit to send email, in the format smtp.domain.com. The SMTP server can be located on any network connected to the FortiGate unit.
Glossary
Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both.
LAN, Local Area Network: A computer network that spans a relatively small area. Most LANs connect workstations and personal computers. Each computer on a LAN is able to access data and devices anywhere on the LAN. This means that many users can share data as well as physical resources such as printers.
SSH, Secure shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong secure authentication and secure communications over insecure channels.