ebook img

FortiGate Install and System Administration Guide - Fortinet PDF

248 Pages·2016·5.89 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview FortiGate Install and System Administration Guide - Fortinet

FortiOS™ Handbook Install and System Administration for FortiOS 5.0 Install and System Administration for FortiOS 5.0 January 04, 2016 01-502-142188-20130423 Copyright© 2014 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other resultsmay vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Technical Documentation docs.fortinet.com Knowledge Base kb.fortinet.com Customer Service & Support support.fortinet.com Training Services training.fortinet.com FortiGuard fortiguard.com Document Feedback Table of Contents Change Log..................................................................................................... 12 .......................................................................................................................... 13 Differences between Models and Firmware ................................................ 14 Differences between Models ................................................................................. 14 Differences between Firmware Versions ............................................................... 14 Using the web-based manager ..................................................................... 15 Web-based manager overview.............................................................................. 15 Web-based manager menus and pages ............................................................... 15 Using information tables .................................................................................. 16 Using column settings ..................................................................................... 17 Entering text strings............................................................................................... 17 Entering text strings (names) ........................................................................... 17 Entering numeric values................................................................................... 18 Enabling or disabling options........................................................................... 18 Dashboard ............................................................................................................. 18 Adding dashboards and widgets ..................................................................... 19 System Information widget .............................................................................. 19 License Information widget.............................................................................. 25 FortiGate unit Operation widget....................................................................... 27 System Resources widget ............................................................................... 27 Alert Message Console widget ........................................................................ 27 CLI Console widget.......................................................................................... 27 Session History widget .................................................................................... 28 Top Sessions widget........................................................................................ 28 USB Modem widget......................................................................................... 28 Advanced Threat Protection Statistics widget................................................. 28 Features widget ............................................................................................... 28 RAID monitor widget........................................................................................ 29 Basic configurations .............................................................................................. 30 Changing your administrator password........................................................... 30 Changing the web-based manager language.................................................. 31 Changing administrative access ...................................................................... 31 Changing the web-based manager idle timeout.............................................. 31 Switching VDOMs............................................................................................ 31 Connecting to the CLI from the web-based manager ..................................... 31 Logging out ...................................................................................................... 32 Using the CLI .................................................................................................. 33 Connecting to the CLI............................................................................................ 33 Connecting to the CLI using a local console ................................................... 33 Page 3 Enabling access to the CLI through the network (SSH or Telnet) ................... 34 Connecting to the CLI using SSH.................................................................... 35 Connecting to the CLI using Telnet ................................................................. 36 Command syntax................................................................................................... 37 Terminology ..................................................................................................... 37 Indentation ....................................................................................................... 38 Notation ........................................................................................................... 38 Sub-commands ..................................................................................................... 40 Example of table commands ........................................................................... 42 Permissions ........................................................................................................... 43 Tips ........................................................................................................................ 44 Help.................................................................................................................. 44 Shortcuts and key commands......................................................................... 44 Command abbreviation ................................................................................... 45 Adding and removing options from lists .......................................................... 45 Environment variables...................................................................................... 46 Special characters ........................................................................................... 46 Using grep to filter get and show command output ........................................ 47 Language support and regular expressions .................................................... 48 Screen paging.................................................................................................. 50 Baud rate ......................................................................................................... 51 Editing the configuration file on an external host............................................. 51 Using Perl regular expressions ........................................................................ 51 Basic Administration ...................................................................................... 54 Connecting to the FortiGate unit ........................................................................... 54 Connecting to the web-based manager .......................................................... 54 Connecting to the CLI...................................................................................... 55 System configuration ............................................................................................. 55 Setting the time and date................................................................................. 55 Configuring FortiGuard .................................................................................... 56 Passwords ............................................................................................................. 57 Password considerations................................................................................. 57 Password policy............................................................................................... 58 Lost Passwords .............................................................................................. 59 Administrators........................................................................................................ 59 Adding administrators...................................................................................... 59 LDAP Admin Access and Authorization........................................................... 60 Monitoring administrators ................................................................................ 61 Administrator profiles....................................................................................... 62 Regular (password) authentication for administrators ..................................... 63 Management access........................................................................................ 63 Security Precautions ........................................................................................ 64 General Settings .................................................................................................... 69 Administrative port settings ............................................................................. 69 Table of Contents Page 4 Install and System Administration for FortiOS 5.0 Password policies ............................................................................................ 69 Feature Select .................................................................................................. 69 Configuration backups........................................................................................... 70 Backup and restore a configuration file using SCP ......................................... 71 Restoring a configuration................................................................................. 73 Configuration revisions .................................................................................... 74 Restore factory defaults................................................................................... 74 Firmware ................................................................................................................ 74 Downloading firmware ..................................................................................... 75 Testing new firmware before installing ............................................................ 75 Upgrading the firmware - web-based manager............................................... 77 Upgrading the firmware - CLI .......................................................................... 77 Installing firmware from a system reboot using the CLI .................................. 78 Reverting to a previous firmware version - web-based manager.................... 80 Reverting to a previous firmware version - CLI................................................ 80 Configuration Revision..................................................................................... 81 Backup and Restore from a USB key .............................................................. 81 Backup and Restore an encrypted config file from a USB key ....................... 82 Controlled upgrade .......................................................................................... 82 Best practices................................................................................................. 84 Hardware ............................................................................................................... 84 Environmental specifications ........................................................................... 84 Grounding ........................................................................................................ 85 Rack mount instructions .................................................................................. 85 Shutting down........................................................................................................ 86 Performance .......................................................................................................... 86 Firewall................................................................................................................... 86 Intrusion protection................................................................................................ 87 Antivirus ................................................................................................................. 87 Web filtering........................................................................................................... 88 Antispam................................................................................................................ 88 Security .................................................................................................................. 88 FortiGuard ....................................................................................................... 89 FortiGuard Services ............................................................................................... 89 Next Generation Firewall............................................................................... 89 Advanced Threat Protection ............................................................................ 90 Other Services ................................................................................................. 90 Support Contract and FortiGuard Subscription Services................................ 91 FortiCloud ........................................................................................................ 91 Antivirus and IPS.................................................................................................... 91 Detection during update .................................................................................. 91 Antivirus and IPS Options ................................................................................ 92 Manual updates ............................................................................................... 92 Table of Contents Page 5 Install and System Administration for FortiOS 5.0 Automatic updates........................................................................................... 93 Push updates ................................................................................................... 93 Push IP override............................................................................................... 94 Web filtering........................................................................................................... 95 Web Filtering and Email Filtering Options........................................................ 96 URL verification................................................................................................ 96 Email filtering ......................................................................................................... 97 Security tools ......................................................................................................... 97 URL lookup ...................................................................................................... 97 IP and signature lookup ................................................................................... 97 Online virus scanner......................................................................................... 98 Malware removal tools..................................................................................... 98 FortiSandbox ................................................................................................... 98 Troubleshooting ..................................................................................................... 98 Web-based manager verification..................................................................... 98 CLI verification ............................................................................................... 100 Port assignment ............................................................................................. 100 FortiCloud...................................................................................................... 102 FortiCloud Features ............................................................................................. 102 Simplified central management for your FortiGate network .......................... 102 Hosted log retention with large default storage allocated ............................. 102 Monitoring and alerting in real time ............................................................... 102 Customized or pre-configured reporting and analysis tools.......................... 102 Maintain important configuration information uniformly ................................ 102 Service security.............................................................................................. 102 Registration and Activation.................................................................................. 103 Registering with Support ............................................................................... 103 Registering and Activating your FortiCloud account ..................................... 103 Enabling logging to FortiCloud ...................................................................... 104 Logging into the FortiCloud portal ................................................................. 105 Upgrading to a 200Gb subscription .............................................................. 105 The FortiCloud Portal........................................................................................... 105 Using FortiCloud.................................................................................................. 106 Cloud Sandboxing ............................................................................................... 107 Interfaces ...................................................................................................... 108 Physical................................................................................................................ 108 Interface settings ................................................................................................. 110 Interface configuration and settings .............................................................. 111 Software switch ................................................................................................... 114 Soft switch example....................................................................................... 115 Virtual Switch ....................................................................................................... 116 Loopback interfaces ............................................................................................ 117 Redundant interfaces........................................................................................... 117 Table of Contents Page 6 Install and System Administration for FortiOS 5.0 One-armed sniffer ................................................................................................ 118 Aggregate Interfaces............................................................................................ 119 DHCP addressing mode on an interface ............................................................. 120 PPPoE addressing mode on an interface............................................................ 121 Administrative access.......................................................................................... 123 Wireless ............................................................................................................... 123 Interface MTU packet size ................................................................................... 124 Secondary IP addresses to an interface.............................................................. 125 Virtual domains .................................................................................................... 125 Virtual LANs ......................................................................................................... 126 Zones ................................................................................................................... 127 Probing Interfaces................................................................................................ 128 Central management.................................................................................... 130 Adding a FortiGate to FortiManager .................................................................... 130 FortiGate configuration .................................................................................. 130 FortiManager configuration............................................................................ 131 Configuration through FortiManager ................................................................... 131 Global objects ................................................................................................ 132 Locking the FortiGate web-based manager .................................................. 132 Firmware updates ................................................................................................ 132 FortiGuard............................................................................................................ 132 Backup and restore configurations...................................................................... 133 Administrative domains ....................................................................................... 133 Monitoring..................................................................................................... 134 Dashboard ........................................................................................................... 134 Widgets .......................................................................................................... 134 FortiClient software........................................................................................ 135 sFlow.................................................................................................................... 135 Configuration ................................................................................................. 136 Monitor menus..................................................................................................... 136 Logging ................................................................................................................ 136 FortiCloud ...................................................................................................... 137 FortiGate memory .......................................................................................... 137 FortiGate hard disk ........................................................................................ 137 Syslog server ................................................................................................. 138 FortiAnalyzer .................................................................................................. 138 Sending logs using a secure connection ....................................................... 139 Packet Capture .................................................................................................... 140 Alert email ............................................................................................................ 141 SNMP................................................................................................................... 142 SNMP configuration settings ......................................................................... 143 Gigabit interfaces........................................................................................... 145 Table of Contents Page 7 Install and System Administration for FortiOS 5.0 SNMP agent................................................................................................... 145 SNMP community .......................................................................................... 146 Enabling on the interface ............................................................................... 147 Fortinet MIBs.................................................................................................. 148 SNMP get command syntax................................................................................ 149 VLANs ............................................................................................................ 151 VLAN ID rules....................................................................................................... 152 VLAN switching and routing ................................................................................ 152 VLAN layer-2 switching.................................................................................. 152 VLAN layer-3 routing...................................................................................... 155 VLANs in NAT mode ............................................................................................ 158 Adding VLAN subinterfaces ........................................................................... 158 Configuring security policies and routing ...................................................... 160 Example VLAN configuration in NAT mode ......................................................... 161 General configuration steps........................................................................... 162 Configure the FortiGate unit .......................................................................... 163 Configure the VLAN switch............................................................................ 168 Test the configuration .................................................................................... 169 VLANs in transparent mode................................................................................. 169 VLANs and transparent mode........................................................................ 169 Example of VLANs in transparent mode........................................................ 172 General configuration steps........................................................................... 172 Configure the FortiGate unit .......................................................................... 173 Configure the Cisco switch and router .......................................................... 176 Test the configuration .................................................................................... 178 Troubleshooting VLAN issues.............................................................................. 178 Asymmetric routing........................................................................................ 178 Layer-2 and Arp traffic ................................................................................... 179 Forward-domain solution............................................................................... 180 NetBIOS ......................................................................................................... 181 STP forwarding .............................................................................................. 181 Too many VLAN interfaces ............................................................................ 182 PPTP and L2TP ............................................................................................. 183 How PPTP VPNs work......................................................................................... 183 FortiGate unit as a PPTP server........................................................................... 185 Configuring user authentication for PPTP clients .......................................... 185 Enabling PPTP and specifying the PPTP IP address range ......................... 186 Adding the security policy ............................................................................. 187 Configuring the FortiGate unit for PPTP VPN...................................................... 188 Configuring the FortiGate unit for PPTP pass through........................................ 188 Configuring a virtual IP address..................................................................... 188 Configuring a port-forwarding security policy ............................................... 189 Testing PPTP VPN connections .......................................................................... 190 Table of Contents Page 8 Install and System Administration for FortiOS 5.0 Logging VPN events ............................................................................................ 190 Configuring L2TP VPNs ....................................................................................... 190 Network topology .......................................................................................... 192 L2TP infrastructure requirements ................................................................. 192 L2TP configuration overview .............................................................................. 192 Authenticating L2TP clients .......................................................................... 193 Enabling L2TP and specifying an address range ......................................... 193 Defining firewall source and destination addresses ..................................... 193 Adding the security policy ................................................................................... 194 Configuring a Linux client ............................................................................. 194 Monitoring L2TP sessions.............................................................................. 195 Testing L2TP VPN connections ..................................................................... 195 Logging L2TP VPN events ............................................................................. 195 Advanced concepts...................................................................................... 196 Dual internet connections (redundant Internet connections)............................... 196 Redundant interfaces..................................................................................... 196 Load sharing .................................................................................................. 199 Link redundancy and load sharing................................................................. 199 Single firewall vs. multiple virtual domains .......................................................... 199 Single firewall vs. vdoms................................................................................ 200 Modem................................................................................................................. 202 USB modem port ........................................................................................... 202 Modes ............................................................................................................ 202 Additional modem configuration.................................................................... 204 Modem interface routing................................................................................ 204 DHCP servers and relays..................................................................................... 205 DHCP Server configuration............................................................................ 205 DHCP in IPv6 ................................................................................................. 206 Service ........................................................................................................... 206 Lease time...................................................................................................... 206 DHCP options ................................................................................................ 207 Exclude addresses in DHCP a range............................................................. 207 DHCP Monitor................................................................................................ 207 Breaking a address lease............................................................................... 208 Assigning IP address by MAC address ............................................................... 208 DNS services ....................................................................................................... 208 DNS settings .................................................................................................. 208 Additional DNS CLI configuration .................................................................. 209 DNS server..................................................................................................... 209 Recursive DNS............................................................................................... 210 Dynamic DNS....................................................................................................... 211 FortiClient discovery and registration .................................................................. 211 FortiClient discovery ...................................................................................... 212 FortiClient Registration .................................................................................. 212 Table of Contents Page 9 Install and System Administration for FortiOS 5.0 IP addresses for self-originated traffic................................................................. 212 Administration for schools ................................................................................... 213 Security policies............................................................................................. 213 DNS................................................................................................................ 214 Encrypted traffic (HTTPS) .............................................................................. 214 FTP................................................................................................................. 214 Example security policies .............................................................................. 214 UTM security profiles ..................................................................................... 215 Logging .......................................................................................................... 216 Tag management ................................................................................................. 217 Adding and removing tags............................................................................. 217 Reviewing tags............................................................................................... 218 Tagging guidelines ......................................................................................... 218 Replacement messages list ................................................................................. 219 Replacement message images...................................................................... 219 Adding images to replacement messages..................................................... 219 Modifying replacement messages ................................................................. 220 Replacement message tags .......................................................................... 220 Administration replacement message ........................................................... 222 Alert Mail replacement messages.................................................................. 223 Authentication replacement messages.......................................................... 223 Captive Portal Default replacement messages.............................................. 224 Device Detection Portal replacement message............................................. 224 Email replacement messages ........................................................................ 224 Endpoint Control replacement message ....................................................... 224 FTP replacement messages .......................................................................... 224 FortiGuard Web Filtering replacement messages ......................................... 224 HTTP replacement messages........................................................................ 224 IM replacement messages............................................................................. 225 NNTP replacement messages ....................................................................... 225 Spam replacement messages ....................................................................... 225 NAC quarantine replacement messages ....................................................... 225 SSL VPN replacement message.................................................................... 225 Web Proxy replacement messages ............................................................... 225 Traffic quota control replacement messages ................................................ 226 MM1 replacement messages......................................................................... 226 MM3 replacement messages......................................................................... 226 MM4 replacement messages......................................................................... 226 MM7 replacement messages......................................................................... 226 MMS replacement messages ........................................................................ 226 Replacement message groups ...................................................................... 226 Disk ...................................................................................................................... 227 Formatting the disk ........................................................................................ 227 Setting space quotas ..................................................................................... 227 CLI Scripts ........................................................................................................... 227 Table of Contents Page 10 Install and System Administration for FortiOS 5.0

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.