FortiGate-60 Administration Guide

[Figure: FortiGate-60 front panel]

FortiGate-60 Administration Guide
Version 2.80 MR8
4 February 2005
01-28008-0002-20050204

© Copyright 2005 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.

Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.

Regulatory Compliance
FCC Class A Part 15 CSA/CUS

CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.

For technical support, please visit http://www.fortinet.com.

Send information about errors or omissions in this document or any Fortinet technical documentation to [email protected].

Table of Contents

Introduction .... 13
    About FortiGate Antivirus Firewalls .... 13
        Antivirus protection .... 14
        Web content filtering .... 14
        Spam filtering .... 15
        Firewall .... 15
        VLANs and virtual domains .... 16
        Intrusion Prevention System (IPS) .... 17
        VPN .... 17
        High availability .... 18
        Secure installation, configuration, and management .... 18
    Document conventions .... 20
    FortiGate documentation .... 21
        Fortinet Knowledge Center .... 21
        Comments on Fortinet technical documentation .... 22
    Related documentation .... 22
        FortiManager documentation .... 22
        FortiClient documentation .... 22
        FortiMail documentation .... 22
        FortiLog documentation .... 23
    Customer service and technical support .... 23

Web-based manager .... 25
    Button bar features .... 26
        Contact Customer Support .... 26
        Online Help .... 27
        Easy Setup Wizard .... 27
        Console Access .... 28
        Logout .... 28
    Web-based manager pages .... 29
        Web-based manager menu .... 29
        Lists .... 30
        Icons .... 30
        Status bar .... 31
    Organization of this manual .... 32

System Status .... 33
    Status .... 33
        Viewing system status .... 34
        Changing unit information .... 37
    Session list .... 39
    Changing the FortiGate firmware .... 40
        Upgrading to a new firmware version .... 41
        Reverting to a previous firmware version .... 43
        Installing firmware images from a system reboot using the CLI .... 45
        Testing a new firmware image before installing it .... 48

System Network .... 51
    Interface .... 51
        Interface settings .... 53
        Configuring interfaces .... 58
    Zone .... 62
        Zone settings .... 63
    Management .... 64
    DNS .... 65
    Routing table (Transparent Mode) .... 66
        Routing table list .... 66
        Transparent mode route settings .... 66
    Configuring the modem interface .... 68
        Connecting a modem to the FortiGate unit .... 68
        Configuring modem settings .... 69
        Redundant mode configuration .... 70
        Standalone mode configuration .... 71
        Adding firewall policies for modem connections .... 71
        Connecting and disconnecting the modem .... 72
        Checking modem status .... 72
    VLAN overview .... 73
        FortiGate units and VLANs .... 74
    VLANs in NAT/Route mode .... 74
        Rules for VLAN IDs .... 74
        Rules for VLAN IP addresses .... 74
        Adding VLAN subinterfaces .... 75
    VLANs in Transparent mode .... 76
        Rules for VLAN IDs .... 78
        Transparent mode virtual domains and VLANs .... 78
        Transparent mode VLAN list .... 79
        Transparent mode VLAN settings .... 79
    FortiGate IPv6 support .... 81

System DHCP .... 83
    Service .... 83
        DHCP service settings .... 84
    Server .... 85
        DHCP server settings .... 86
    Exclude range .... 87
        DHCP exclude range settings .... 88
    IP/MAC binding .... 88
        DHCP IP/MAC binding settings .... 89
    Dynamic IP .... 89

System Config .... 91
    System time .... 91
    Options .... 92
    HA .... 94
        HA overview .... 94
        HA configuration .... 96
        Configuring an HA cluster .... 102
        Managing an HA cluster .... 106
    SNMP .... 109
        Configuring SNMP .... 110
        SNMP community .... 111
        FortiGate MIBs .... 113
        FortiGate traps .... 114
        Fortinet MIB fields .... 116
    Replacement messages .... 118
        Replacement messages list .... 118
        Changing replacement messages .... 119
    FortiManager .... 120

System Admin .... 121
    Administrators .... 123
        Administrators list .... 123
        Administrators options .... 123
    Access profiles .... 125
        Access profile list .... 125
        Access profile options .... 126

System Maintenance .... 127
    Backup and restore .... 127
        Backing up and Restoring .... 128
    Update center .... 130
        Updating antivirus and attack definitions .... 132
        Enabling push updates .... 135
    Support .... 138
        Sending a bug report .... 138
        Registering a FortiGate unit .... 139
    Shutdown .... 141

System Virtual Domain .... 143
    Virtual domain properties .... 144
        Exclusive virtual domain properties .... 144
        Shared configuration settings .... 145
        Administration and management .... 146
    Virtual domains .... 146
        Adding a virtual domain .... 147
        Selecting a virtual domain .... 147
        Selecting a management virtual domain .... 147
    Configuring virtual domains .... 148
        Adding interfaces, VLAN subinterfaces, and zones to a virtual domain .... 148
        Configuring routing for a virtual domain .... 150
        Configuring firewall policies for a virtual domain .... 150
        Configuring IPSec VPN for a virtual domain .... 152

Router .... 153
    Static .... 153
        Static route list .... 155
        Static route options .... 156
    Policy .... 157
        Policy route list .... 157
        Policy route options .... 158
    RIP .... 159
        General .... 159
        Networks list .... 161
        Networks options .... 161
        Interface list .... 161
        Interface options .... 162
        Distribute list .... 163
        Distribute list options .... 164
        Offset list .... 165
        Offset list options .... 165
    Router objects .... 166
        Access list .... 166
        New access list .... 167
        New access list entry .... 167
        Prefix list .... 168
        New Prefix list .... 168
        New prefix list entry .... 169
        Route-map list .... 170
        New Route-map .... 170
        Route-map list entry .... 171
        Key chain list .... 172
        New key chain .... 172
        Key chain list entry .... 173
    Monitor .... 174
        Routing monitor list .... 174
    CLI configuration .... 175
        get router info ospf .... 175
        get router info protocols .... 175
        get router info rip .... 176
        config router ospf .... 176
        config router static6 .... 199

Firewall .... 201
    Policy .... 202
        How policy matching works .... 202
        Policy list .... 203
        Policy options .... 204
        Advanced policy options .... 207
        Configuring firewall policies .... 209
        Policy CLI configuration .... 210
    Address .... 211
        Address list .... 212
        Address options .... 212
        Configuring addresses .... 213
        Address group list .... 214
        Address group options .... 215
        Configuring address groups .... 215
    Service .... 216
        Predefined service list .... 216
        Custom service list .... 219
        Custom service options .... 220
        Configuring custom services .... 221
        Service group list .... 222
        Service group options .... 223
        Configuring service groups .... 223
    Schedule .... 224
        One-time schedule list .... 224
        One-time schedule options .... 225
        Configuring one-time schedules .... 225
        Recurring schedule list .... 226
        Recurring schedule options .... 226
        Configuring recurring schedules .... 227
    Virtual IP .... 227
        Virtual IP list .... 228
        Virtual IP options .... 229
        Configuring virtual IPs .... 230
    IP pool .... 232
        IP pool list .... 233
        IP pool options .... 233
        Configuring IP pools .... 233
        IP Pools for firewall policies that use fixed ports .... 234
        IP pools and dynamic NAT .... 234
    Protection profile .... 235
        Protection profile list .... 235
        Default protection profiles .... 236
        Protection profile options .... 236
        Configuring protection profiles .... 241
        Profile CLI configuration .... 242

User .... 245
    Setting authentication timeout .... 246
    Local .... 246
        Local user list .... 246
        Local user options .... 246
    RADIUS .... 247
        RADIUS server list .... 247
        RADIUS server options .... 248
    LDAP .... 248
        LDAP server list .... 249
        LDAP server options .... 249
    User group .... 251
        User group list .... 251
        User group options .... 252
    CLI configuration .... 253
        peer .... 253
        peergrp .... 254

VPN .... 257
    Phase 1 .... 258
        Phase 1 list .... 258
        Phase 1 basic settings .... 259
        Phase 1 advanced settings .... 261
    Phase 2 .... 263
        Phase 2 list .... 263
        Phase 2 basic settings .... 264
        Phase 2 advanced options .... 265
    Manual key .... 266
        Manual key list .... 267
        Manual key options .... 267
    Concentrator .... 269
        Concentrator list .... 269
        Concentrator options .... 270
    Ping Generator .... 270
        Ping generator options .... 271
    Monitor .... 271
        Dialup monitor .... 272
        Static IP and dynamic DNS monitor .... 273
    PPTP .... 273
        PPTP range .... 274
    L2TP .... 274
        L2TP range .... 275
    Certificates .... 275
        Local certificate list .... 276
        Certificate request .... 276
        Importing signed certificates .... 278
        CA certificate list .... 278
        Importing CA certificates .... 278
    VPN configuration procedures .... 279
        IPSec configuration procedures .... 279
        PPTP configuration procedures .... 281
        L2TP configuration procedures .... 281
    CLI configuration .... 282
        ipsec phase1 .... 282
        ipsec phase2 .... 284
        ipsec vip .... 285

IPS .... 289
    Signature .... 290
        Predefined .... 290
        Custom .... 294
    Anomaly .... 296
        Anomaly CLI configuration .... 299
    Configuring IPS logging and alert email .... 300
    Default fail open setting ....
300 Antivirus............................................................................................................. 301 File block......................................................................................................................... 302 File block list............................................................................................................... 303 Configuring the file block list....................................................................................... 304 Quarantine...................................................................................................................... 304 Quarantined files list................................................................................................... 304 Quarantined files list options....................................................................................... 305 AutoSubmit list............................................................................................................ 306 AutoSubmit list options............................................................................................... 306 Configuring the AutoSubmit list................................................................................... 306 Config.......................................................................................................................... 307 Config.............................................................................................................................. 308 Virus list...................................................................................................................... 308 Config.......................................................................................................................... 308 Grayware.................................................................................................................... 
309 Grayware options........................................................................................................ 309 CLI configuration............................................................................................................. 311 config antivirus heuristic.............................................................................................. 311 config antivirus quarantine.......................................................................................... 312 config antivirus service http......................................................................................... 312 config antivirus service ftp........................................................................................... 314 config antivirus service pop3....................................................................................... 316 config antivirus service imap....................................................................................... 317 config antivirus service smtp....................................................................................... 319 Web filter............................................................................................................. 321 Content block.................................................................................................................. 323 Web content block list................................................................................................. 323 Web content block options.......................................................................................... 323 Configuring the web content block list........................................................................ 324 10 01-28008-0002-20050204 Fortinet Inc.
Description: