FortiGate Administration Guide - Adines

Apr 24, 2009 - telecommunications carriers, while providing a flexible, scalable path for ...... For a complete list of shared configuration settings, see âGlobal configuration ...... Public Key Infrastructure (PKI) authentication uses a certificate ...

Télécharger le PDF

12MB taille 2 téléchargements 290 vues

commentaire

Report

FortiGate ™ Version 4.0 Administration Guide

Visit http://support.fortinet.com to register your FortiGate product. By registering you can receive product updates, technical support, and FortiGuard services.

FortiGate Administration Guide Version 4.0 24 April 2009 01-400-89802-20090424 © Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc. Trademarks Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Contents Introduction ............................................................................................ 21 Fortinet products .......................................................................................................... 21 About this document .................................................................................................... 21 Document conventions ................................................................................................ 24 IP addresses............................................................................................................. CLI constraints.......................................................................................................... Cautions, Notes and Tips ......................................................................................... Typographical conventions .......................................................................................

24 24 24 25

Registering your Fortinet product............................................................................... 25 Customer service and technical support.................................................................... 25 Training .......................................................................................................................... 26 Fortinet documentation ............................................................................................... 26 Tools and Documentation CD................................................................................... 26 Fortinet Knowledge Center ...................................................................................... 26 Comments on Fortinet technical documentation ..................................................... 26

What’s new in FortiOS 4.0 ..................................................................... 27 FortiOS 4.0 FortiGate models and features supported ............................................. 28 UTM features grouped under new UTM menu............................................................ 29 Data Leak Prevention.................................................................................................... 29 Application Control....................................................................................................... 29 SSL content scanning and inspection ........................................................................ 29 WAN Optimization......................................................................................................... 30 Endpoint control ........................................................................................................... 30 Network Access Control (NAC) quarantine ................................................................ 30 IPS extensions............................................................................................................... 31 DoS policies for applying IPS sensors...................................................................... NAC quarantine in DoS Sensors .............................................................................. Adding IPS sensors to a DoS policy from the CLI .................................................... One-arm IDS (sniffer mode) ..................................................................................... IPS interface policies for IPv6 ............................................................................... IPS Packet Logging ..................................................................................................

31 31 32 32 33 33

Enhanced Antispam Engine (ASE).............................................................................. 33 WCCP v2 support.......................................................................................................... 33 “Any” interface for firewall policies ............................................................................ 35 Global view of firewall policies .................................................................................... 35 Identity-based firewall policies .................................................................................... 35 Web filtering HTTP upload enhancements ................................................................. 36

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

3

Contents

Traffic shaping enhancements .................................................................................... 36 Firewall load balancing virtual IP changes................................................................. 36 User session persistence.......................................................................................... 36 Health Check Monitor ............................................................................................... 36 Load balancing server monitor ................................................................................. 36 Per-firewall policy session TTL ................................................................................... 37 Gratuitous ARP for virtual IPs ..................................................................................... 37 Changes to protection profiles .................................................................................... 37 Changes to content archiving...................................................................................... 37 Customizable web-based manager pages.................................................................. 37 Administration over modem ........................................................................................ 38 Auto-bypass and recovery for AMC bridge module .................................................. 38 Rogue Wireless Access Point detection..................................................................... 38 Configurable VDOM and global resource limits......................................................... 38 User authentication monitor ........................................................................................ 39 OCSP and SCEP certificate over HTTPS .................................................................... 39 Adding non-standard ports for firewall authentication ............................................. 39 Dynamically assigning VPN client IP addresses from a RADIUS record ................ 40 DHCP over route-based IPSec VPNs........................................................................... 40 SNMP upgraded to v3.0 ................................................................................................ 40 File Quarantine .............................................................................................................. 41 Customizable SSL VPN web portals ........................................................................... 41 Logging improvements ................................................................................................ 41 Web filtering HTTP POST traffic (blocking or comforting HTTP post traffic) .......................................................................................................... 41

Web-based manager .............................................................................. 43 Common web-based manager tasks........................................................................... 44 Connecting to the web-based manager.................................................................... Changing your FortiGate administrator password .................................................... Changing the web-based manager language........................................................... Changing administrative access to your FortiGate unit ............................................ Changing the web-based manager idle timeout ....................................................... Connecting to the FortiGate CLI from the web-based manager ...............................

44 45 46 46 47 47

Button bar features ....................................................................................................... 47 Contacting Customer Support..................................................................................... 48 Backing up your FortiGate configuration ................................................................... 48 Using FortiGate Online Help ........................................................................................ 49 Searching the online help ......................................................................................... 50

4

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Contents

Logging out ................................................................................................................... 52 Web-based manager pages.......................................................................................... 52 Using the web-based manager menu....................................................................... Using web-based manager lists................................................................................ Adding filters to web-based manager lists ................................................................ Using page controls on web-based manager lists .................................................... Using column settings to control the columns displayed .......................................... Using filters with column settings..............................................................................

52 53 53 57 58 59

Web-based manager icons........................................................................................... 60

System Status ........................................................................................ 63 Status page.................................................................................................................... 63 Viewing system status .............................................................................................. 63 Changing system information ..................................................................................... 78 Configuring system time ........................................................................................... 78 Changing the FortiGate unit host name.................................................................... 78 Changing the FortiGate firmware ................................................................................ 79 Upgrading to a new firmware version ....................................................................... 80 Reverting to a previous firmware version ................................................................. 80 Viewing operational history ......................................................................................... 81 Manually updating FortiGuard definitions.................................................................. 82 Viewing Statistics.......................................................................................................... 83 Viewing the session list............................................................................................. 83 Viewing Content Archive information on the Statistics widget .................................. 84 Viewing the Attack Log ............................................................................................. 85 Topology ........................................................................................................................ 87 Adding a subnet object ............................................................................................. 89 Customizing the topology diagram ........................................................................... 90

Managing firmware versions................................................................. 91 Backing up your configuration .................................................................................... 92 Backing up your configuration through the web-based manager ............................. 92 Backing up your configuration through the CLI......................................................... 92 Backing up your configuration to a USB key ............................................................ 93 Testing firmware before upgrading............................................................................. 94 Upgrading your FortiGate unit..................................................................................... 95 Upgrading to FortiOS 4.0 through the web-based manager..................................... 95 Upgrading to FortiOS 4.0 through the CLI ................................................................ 96 Verifying the upgrade................................................................................................ 97 Reverting to a previous firmware image..................................................................... 98 Downgrading to a previous firmware through the web-based manager ................... 98 Verifying the downgrade ........................................................................................... 99 Downgrading to a previous firmware through the CLI .............................................. 99 FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

5

Contents

Restoring your configuration..................................................................................... 101 Restoring your configuration settings in the web-based manager.......................... 101 Restoring your configuration settings in the CLI ..................................................... 101

Using virtual domains.......................................................................... 103 Virtual domains ........................................................................................................... 103 Benefits of VDOMs ................................................................................................. 103 VDOM configuration settings .................................................................................. 104 Global configuration settings .................................................................................. 107 Enabling VDOMs ......................................................................................................... 108 Configuring VDOMs and global settings .................................................................. 109 VDOM licenses ....................................................................................................... Creating a new VDOM............................................................................................ Working with VDOMs and global settings............................................................... Adding interfaces to a VDOM ................................................................................. Inter-VDOM links .................................................................................................... Assigning an interface to a VDOM.......................................................................... Assigning an administrator to a VDOM................................................................... Changing the management VDOM.........................................................................

109 110 111 113 113 114 115 116

Configuring global and VDOM resource limits ........................................................ 116 VDOM resource limits............................................................................................. 117 Global resource limits ............................................................................................. 118

System Network ................................................................................... 119 Interfaces ..................................................................................................................... 119 Switch Mode ........................................................................................................... Interface settings .................................................................................................... Creating an 802.3ad aggregate interface ............................................................... Creating a redundant interface ............................................................................... Configuring DHCP on an interface ......................................................................... Configuring an interface for PPPoE........................................................................ Configuring Dynamic DNS on an interface ............................................................. Configuring a virtual IPSec interface ...................................................................... Configuring interfaces with CLI commands ............................................................ Administrative access to an interface ..................................................................... Interface MTU packet size ...................................................................................... Secondary IP Addresses ........................................................................................

122 123 127 128 130 131 132 133 134 135 135 136

Configuring zones....................................................................................................... 138 Configuring the modem interface.............................................................................. 139 Configuring modem settings ................................................................................... Redundant mode configuration............................................................................... Standalone mode configuration .............................................................................. Adding firewall policies for modem connections ..................................................... Connecting and disconnecting the modem............................................................. Checking modem status .........................................................................................

6

140 142 143 144 144 144

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Contents

Configuring Networking Options............................................................................... 145 DNS Servers........................................................................................................... 146 Dead gateway detection ......................................................................................... 146 Web Proxy.................................................................................................................... 147 Routing table (Transparent Mode)............................................................................. 149 Transparent mode route settings............................................................................ 149 VLAN overview ............................................................................................................ 150 FortiGate units and VLANs ..................................................................................... 151 VLANs in NAT/Route mode ........................................................................................ 151 Rules for VLAN IDs................................................................................................. 152 Rules for VLAN IP addresses ................................................................................. 152 Adding VLAN subinterfaces.................................................................................... 153 VLANs in Transparent mode...................................................................................... 154 Rules for VLAN IDs................................................................................................. 156 Transparent mode virtual domains and VLANs ...................................................... 156 Troubleshooting ARP Issues .................................................................................. 157

System Wireless................................................................................... 159 FortiWiFi wireless interfaces ..................................................................................... 159 Channel assignments ................................................................................................. 160 IEEE 802.11a channel numbers ............................................................................. 160 IEEE 802.11b channel numbers ............................................................................. 160 IEEE 802.11g channel numbers ............................................................................. 161 Wireless settings......................................................................................................... 162 Adding a wireless interface..................................................................................... 163 Wireless MAC Filter .................................................................................................... 165 Managing the MAC Filter list................................................................................... 166 Wireless Monitor ......................................................................................................... 167 Rogue AP detection .................................................................................................... 168 Viewing wireless access points .............................................................................. 168

System DHCP ....................................................................................... 171 FortiGate DHCP servers and relays .......................................................................... 171 Configuring DHCP services ....................................................................................... 172 Configuring an interface as a DHCP relay agent.................................................... 173 Configuring a DHCP server .................................................................................... 173 Viewing address leases.............................................................................................. 175 Reserving IP addresses for specific clients ............................................................ 175

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

7

Contents

System Config ...................................................................................... 177 HA ................................................................................................................................. 177 HA options .............................................................................................................. Cluster members list ............................................................................................... Viewing HA statistics .............................................................................................. Changing subordinate unit host name and device priority...................................... Disconnecting a cluster unit from a cluster .............................................................

177 180 182 183 184

SNMP............................................................................................................................ 185 Configuring SNMP .................................................................................................. Configuring an SNMP community........................................................................... Fortinet MIBs .......................................................................................................... Fortinet and FortiGate traps.................................................................................... Fortinet and FortiGate MIB fields............................................................................

186 186 188 189 192

Replacement messages ............................................................................................. 194 Replacement messages list.................................................................................... Changing replacement messages .......................................................................... Mail replacement messages ................................................................................... HTTP replacement messages ................................................................................ FTP replacement messages................................................................................... NNTP replacement messages................................................................................ Alert Mail replacement messages........................................................................... Spam replacement messages ................................................................................ Administration replacement message..................................................................... Authentication replacement messages................................................................... FortiGuard Web Filtering replacement messages .................................................. IM and P2P replacement messages....................................................................... Endpoint control replacement message ................................................................. NAC quarantine replacement messages ................................................................ SSL VPN replacement message ............................................................................ Replacement message tags ...................................................................................

195 196 197 197 198 199 199 200 200 201 202 203 204 204 205 205

Operation mode and VDOM management access ................................................... 206 Changing operation mode ...................................................................................... 206 Management access............................................................................................... 207

System Admin ...................................................................................... 209 Administrators............................................................................................................. 209 Viewing the administrators list ................................................................................ Configuring an administrator account ..................................................................... Configuring regular (password) authentication for administrators .......................... Configuring remote authentication for administrators ............................................. Configuring PKI certificate authentication for administrators ..................................

211 212 214 214 220

Admin profiles ............................................................................................................. 222 Viewing the admin profiles list ................................................................................ 224 Configuring an admin profile................................................................................... 225

8

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Contents

Central Management................................................................................................... 226 Settings ........................................................................................................................ 228 Monitoring administrators.......................................................................................... 229 FortiGate IPv6 support ............................................................................................... 230 Customizable web-based manager ........................................................................... 231

System Certificates.............................................................................. 243 Local Certificates ....................................................................................................... 244 Generating a certificate request.............................................................................. Downloading and submitting a certificate request .................................................. Importing a signed server certificate....................................................................... Importing an exported server certificate and private key ........................................ Importing separate server certificate and private key files......................................

245 246 247 247 248

Remote Certificates .................................................................................................... 248 Importing Remote (OCSP) certificates ................................................................... 249 CA Certificates ............................................................................................................ 249 Importing CA certificates......................................................................................... 250 CRL............................................................................................................................... 251 Importing a certificate revocation list ...................................................................... 251

System Maintenance............................................................................ 253 About the Maintenance menu .................................................................................... 253 Backing up and restoring........................................................................................... 254 Basic backup and restore options........................................................................... Upgrading and downgrading firmware.................................................................... Upgrading and downgrading firmware through FortiGuard .................................... Configuring advanced options ................................................................................

255 259 259 260

Managing configuration revisions............................................................................. 261 Using script files ......................................................................................................... 262 Creating script files ................................................................................................. 263 Uploading script files............................................................................................... 264 Configuring FortiGuard Services .............................................................................. 264 FortiGuard Distribution Network ............................................................................. 264 FortiGuard services ................................................................................................ 265 Configuring the FortiGate unit for FDN and FortiGuard subscription services .............................................................................................. 266 Troubleshooting FDN connectivity ........................................................................... 271 Updating antivirus and attack definitions................................................................. 271 Enabling push updates............................................................................................... 273 Enabling push updates when a FortiGate unit IP address changes ....................... 273 Enabling push updates through a NAT device ....................................................... 274 Adding VDOM Licenses.............................................................................................. 276 FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

9

Contents

Router Static ........................................................................................ 277 Routing concepts ....................................................................................................... 277 How the routing table is built .................................................................................. How routing decisions are made ........................................................................... Multipath routing and determining the best route ................................................... Route priority ......................................................................................................... Blackhole Route......................................................................................................

278 278 278 279 279

Static Route ................................................................................................................ 280 Working with static routes ...................................................................................... 280 Default route and default gateway ......................................................................... 281 Adding a static route to the routing table ............................................................... 284 Policy Route ............................................................................................................... 285 Adding a policy route .............................................................................................. 286 Moving a policy route.............................................................................................. 287

Router Dynamic.................................................................................... 289 RIP ................................................................................................................................ 289 Viewing and editing basic RIP settings................................................................... 290 Selecting advanced RIP options............................................................................. 292 Configuring a RIP-enabled interface....................................................................... 293 OSPF ............................................................................................................................ 294 Defining an OSPF AS—Overview .......................................................................... Configuring basic OSPF settings............................................................................ Selecting advanced OSPF options ......................................................................... Defining OSPF areas.............................................................................................. Specifying OSPF networks ..................................................................................... Selecting operating parameters for an OSPF interface ..........................................

295 296 298 299 300 301

BGP .............................................................................................................................. 302 Viewing and editing BGP settings........................................................................... 303 Multicast....................................................................................................................... 304 Viewing and editing multicast settings .................................................................... 305 Overriding the multicast settings on an interface.................................................... 306 Multicast destination NAT ....................................................................................... 306 Bi-directional Forwarding Detection (BFD) .............................................................. 307 Configuring BFD ..................................................................................................... 307 Customizable routing widgets ................................................................................... 309 Access List.............................................................................................................. Distribute List .......................................................................................................... Key Chain ............................................................................................................... Offset List................................................................................................................ Prefix List ................................................................................................................ Route Map ..............................................................................................................

10

309 310 310 311 312 312

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Contents

Router Monitor ..................................................................................... 315 Viewing routing information ...................................................................................... 315 Searching the FortiGate routing table....................................................................... 317

Firewall Policy ...................................................................................... 319 How list order affects policy matching ..................................................................... 319 Moving a policy to a different position in the policy list ........................................... 320 Multicast policies ........................................................................................................ 321 Viewing the firewall policy list ................................................................................... 321 Configuring firewall policies ...................................................................................... 323 Adding authentication to firewall policies ................................................................ Identity-based firewall policy options (non-SSL-VPN) ............................................ IPSec firewall policy options ................................................................................... Configuring SSL VPN identity-based firewall policies............................................. Endpoint Compliance Check options......................................................................

327 328 330 331 336

DoS policies................................................................................................................. 337 Viewing the DoS policy list...................................................................................... 337 Configuring DoS policies ........................................................................................ 338 Firewall policy examples ............................................................................................ 339 Scenario one: SOHO-sized business ..................................................................... 339 Scenario two: enterprise-sized business ................................................................ 342

Firewall Address .................................................................................. 345 About firewall addresses............................................................................................ 345 Viewing the firewall address list................................................................................ 346 Configuring addresses ............................................................................................... 347 Viewing the address group list .................................................................................. 348 Configuring address groups...................................................................................... 348

Firewall Service .................................................................................... 351 Viewing the predefined service list ........................................................................... 351 Viewing the custom service list................................................................................. 356 Configuring custom services..................................................................................... 357 Viewing the service group list ................................................................................... 359 Configuring service groups ....................................................................................... 359

Firewall Schedule................................................................................. 361 Viewing the recurring schedule list........................................................................... 361 Configuring recurring schedules .............................................................................. 362 Viewing the one-time schedule list ........................................................................... 362 Configuring one-time schedules ............................................................................... 363

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

11

Contents

Firewall Virtual IP ................................................................................. 365 How virtual IPs map connections through FortiGate units..................................... 365 Inbound connections............................................................................................... 365 Outbound connections............................................................................................ 368 VIP requirements .................................................................................................... 369 Viewing the virtual IP list............................................................................................ 369 Configuring virtual IPs................................................................................................ 370 Adding a static NAT virtual IP for a single IP address ............................................ Adding a static NAT virtual IP for an IP address range .......................................... Adding static NAT port forwarding for a single IP address and a single port ..................................................................................................... Adding static NAT port forwarding for an IP address range and a port range ..................................................................................................... Adding dynamic virtual IPs ..................................................................................... Adding a virtual IP with port translation only...........................................................

372 373 375 377 378 379

Virtual IP Groups......................................................................................................... 380 Viewing the VIP group list .......................................................................................... 380 Configuring VIP groups.............................................................................................. 380 IP pools ........................................................................................................................ 381 IP pools and dynamic NAT ..................................................................................... 382 IP Pools for firewall policies that use fixed ports..................................................... 382 Source IP address and IP pool address matching.................................................. 382 Viewing the IP pool list ............................................................................................... 383 Configuring IP Pools................................................................................................... 383 Double NAT: combining IP pool with virtual IP........................................................ 384 Adding NAT firewall policies in transparent mode .................................................. 386

Firewall Load Balance ......................................................................... 389 How load balancer works ........................................................................................... 389 Configuring virtual servers ........................................................................................ 390 Configuring real servers............................................................................................. 392 Configuring health check monitors........................................................................... 393 Monitoring the servers ............................................................................................... 395

Firewall Protection Profile................................................................... 397 What is a protection profile?...................................................................................... 397 Adding a protection profile to a firewall policy ........................................................ 398 Default protection profiles ......................................................................................... 398 Viewing the protection profile list ............................................................................. 399

12

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Contents

SSL content scanning and inspection ...................................................................... 399 Supported FortiGate models................................................................................... 400 Setting up certificates to avoid client warnings ....................................................... 400 Configuring SSL content scanning and inspection ................................................. 402 Configuring a protection profile ................................................................................ 404 Protocol recognition options ................................................................................... Anti-Virus options.................................................................................................... IPS options ............................................................................................................. Web Filtering options .............................................................................................. FortiGuard Web Filtering options............................................................................ Spam Filtering options ............................................................................................ Data Leak Prevention Sensor options .................................................................... Application Control options ..................................................................................... Logging options ......................................................................................................

405 407 411 411 413 416 419 420 421

Traffic Shaping ..................................................................................... 423 Guaranteed bandwidth and maximum bandwidth ................................................... 423 Traffic priority.............................................................................................................. 424 Traffic shaping considerations.................................................................................. 424 Configuring traffic shaping ........................................................................................ 425

SIP support ........................................................................................... 427 VoIP and SIP ................................................................................................................ 427 The FortiGate unit and VoIP security ........................................................................ 429 SIP NAT.................................................................................................................. 429 How SIP support works .............................................................................................. 431 Configuring SIP ........................................................................................................... 432 Enabling SIP support and setting rate limiting from the web-based manager ........ Enabling SIP support from the CLI ......................................................................... Enabling SIP logging .............................................................................................. Enabling advanced SIP features in an application list ............................................

432 433 434 434

AntiVirus ............................................................................................... 439 Order of operations..................................................................................................... 439 Antivirus tasks ............................................................................................................ 440 FortiGuard antivirus ................................................................................................ 441 Antivirus settings and controls ................................................................................. 441 File Filter ...................................................................................................................... 443 Built-in patterns and supported file types................................................................ Viewing the file filter list catalog.............................................................................. Creating a new file filter list..................................................................................... Viewing the file filter list .......................................................................................... Configuring the file filter list.....................................................................................

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

443 444 444 445 445

13

Contents

File Quarantine ............................................................................................................ 446 Viewing the File Quarantine list .............................................................................. Viewing the AutoSubmit list .................................................................................... Configuring the AutoSubmit list .............................................................................. Configuring quarantine options...............................................................................

447 448 449 449

Viewing the virus database information ................................................................... 451 Viewing and configuring the grayware list ............................................................... 452 Antivirus CLI configuration........................................................................................ 453

Intrusion Protection ............................................................................. 455 About intrusion protection......................................................................................... 455 Intrusion Protection settings and controls............................................................... 456 When to use Intrusion Protection............................................................................ 456 Signatures.................................................................................................................... 456 Viewing the predefined signature list ...................................................................... 457 Using display filters................................................................................................. 458 Custom signatures...................................................................................................... 459 Viewing the custom signature list ........................................................................... 459 Creating custom signatures .................................................................................... 459 Protocol decoders....................................................................................................... 460 Viewing the protocol decoder list ............................................................................ 460 Upgrading the IPS protocol decoder list ................................................................. 461 IPS sensors.................................................................................................................. 461 Viewing the IPS sensor list ..................................................................................... Adding an IPS sensor ............................................................................................. Configuring IPS sensors ......................................................................................... Configuring filters.................................................................................................... Configuring pre-defined and custom overrides....................................................... Packet logging ........................................................................................................

461 462 462 464 465 467

DoS sensors ................................................................................................................ 469 Viewing the DoS sensor list .................................................................................... 470 Configuring DoS sensors........................................................................................ 470 Understanding the anomalies ................................................................................. 472 Intrusion protection CLI configuration ..................................................................... 472

Web Filter.............................................................................................. 475 Order of web filtering.................................................................................................. 475 How web filtering works ............................................................................................. 475 Web filter controls....................................................................................................... 476

14

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Contents

Web content block ...................................................................................................... 478 Viewing the web content block list catalog ............................................................. Creating a new web content block list .................................................................... Viewing the web content block list .......................................................................... Configuring the web content block list .................................................................... Viewing the web content exempt list catalog .......................................................... Creating a new web content exempt list ................................................................. Viewing the web content exempt list....................................................................... Configuring the web content exempt list.................................................................

479 479 479 480 481 482 482 483

URL filter ...................................................................................................................... 483 Viewing the URL filter list catalog ........................................................................... Creating a new URL filter list .................................................................................. Viewing the URL filter list........................................................................................ Configuring the URL filter list .................................................................................. URL formats............................................................................................................ Moving URLs in the URL filter list ...........................................................................

484 484 485 485 486 487

FortiGuard - Web Filter ............................................................................................... 487 Configuring FortiGuard Web Filtering ..................................................................... Viewing the override list.......................................................................................... Configuring administrative override rules ............................................................... Creating local categories ........................................................................................ Viewing the local ratings list.................................................................................... Configuring local ratings ......................................................................................... Category block CLI configuration............................................................................

488 488 489 491 491 492 493

Antispam............................................................................................... 495 Antispam...................................................................................................................... 495 Order of spam filtering ............................................................................................ 495 Anti-spam filter controls .......................................................................................... 496 Banned word ............................................................................................................... 498 Viewing the banned word list catalog ..................................................................... Creating a new banned word list ............................................................................ Viewing the antispam banned word list .................................................................. Adding words to the banned word list.....................................................................

498 499 499 500

IP address and email address black/white lists ....................................................... 501 Viewing the antispam IP address list catalog ......................................................... Creating a new antispam IP address list ................................................................ Viewing the antispam IP address list ...................................................................... Adding an antispam IP address.............................................................................. Viewing the antispam email address list catalog .................................................... Creating a new antispam email address list ........................................................... Viewing the antispam email address list................................................................. Configuring the antispam email address list ...........................................................

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

501 501 502 503 503 504 504 505

15

Contents

Advanced antispam configuration ............................................................................ 505 config spamfilter mheader ...................................................................................... 505 config spamfilter dnsbl ............................................................................................ 506 Using wildcards and Perl regular expressions ........................................................ 506 Perl regular expression formats.............................................................................. 507 Example regular expressions ................................................................................. 508

Data Leak Prevention........................................................................... 511 DLP Sensors................................................................................................................ 511 Viewing the DLP sensor list .................................................................................... 511 Adding and configuring a DLP sensor .................................................................... 512 Adding or editing a rule in a DLP sensor ................................................................ 513 DLP Rules .................................................................................................................... 515 Viewing the DLP rule list......................................................................................... 515 Adding or configuring DLP rules ............................................................................. 516 DLP Compound Rules ................................................................................................ 519 Viewing the DLP compound rule list ....................................................................... 520 Adding and configuring DLP compound rules ........................................................ 520

Application Control.............................................................................. 523 What is application control? ...................................................................................... 523 FortiGuard application control database.................................................................. 523 Viewing the application control lists......................................................................... 524 Creating a new application control list ..................................................................... 524 Configuring an application control list ..................................................................... 525 Adding or configuring an application control list entry .......................................... 526 Application control statistics..................................................................................... 527

IPSec VPN ............................................................................................. 531 Overview of IPSec VPN configuration....................................................................... 531 Policy-based versus route-based VPNs ................................................................... 532 Auto Key ...................................................................................................................... 533 Creating a new phase 1 configuration .................................................................... Defining phase 1 advanced settings....................................................................... Creating a new phase 2 configuration .................................................................... Defining phase 2 advanced settings.......................................................................

534 536 538 539

Manual Key .................................................................................................................. 541 Creating a new manual key configuration .............................................................. 542 Internet browsing configuration ................................................................................ 544 Concentrator ............................................................................................................... 544 Defining concentrator options ................................................................................. 545 Monitoring VPNs ......................................................................................................... 545

16

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Contents

PPTP VPN ............................................................................................. 547 PPTP configuration using FortiGate web-based manager...................................... 547 PPTP configuration using CLI commands ............................................................... 549

SSL VPN................................................................................................ 551 ssl.root ......................................................................................................................... 551 Configuring SSL VPN ................................................................................................. 552 Monitoring SSL VPN sessions................................................................................... 553 SSL VPN web portal.................................................................................................... 554 Default web portal configurations ............................................................................. 554 General tab ............................................................................................................. Advanced tab.......................................................................................................... Adding and editing widgets..................................................................................... Session Information widget..................................................................................... Bookmarks widget .................................................................................................. Connection Tool widget .......................................................................................... Tunnel Mode widget ...............................................................................................

556 556 558 559 559 563 564

User ....................................................................................................... 567 Getting started - User authentication........................................................................ 567 Local user accounts ................................................................................................... 568 Configuring Local user accounts ............................................................................ 568 Remote ......................................................................................................................... 571 RADIUS ........................................................................................................................ 571 Configuring a RADIUS server................................................................................. 572 Dynamically assigning VPN client IP addresses from a RADIUS record.......................................................................................... 573 LDAP ............................................................................................................................ 575 Configuring an LDAP server ................................................................................... 575 TACACS+ ..................................................................................................................... 578 Configuring TACACS+ servers............................................................................... 578 Directory Service......................................................................................................... 579 Configuring a Directory Service server ................................................................... 581 PKI ............................................................................................................................... 581 Configuring peer users and peer groups ................................................................ 582 User Group .................................................................................................................. 583 Firewall user groups ............................................................................................... Directory Service user groups ................................................................................ SSL VPN user groups............................................................................................. Viewing the User group list ..................................................................................... Configuring a user group ........................................................................................ Configuring FortiGuard Web filtering override options............................................ FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

584 585 585 586 586 589

17

Contents

Options......................................................................................................................... 590 Monitor ......................................................................................................................... 591 Firewall user monitor list ......................................................................................... IPSEC monitor list................................................................................................... SSL VPN monitor list .............................................................................................. IM user monitor list .................................................................................................

591 592 593 594

NAC quarantine and the Banned User list................................................................ 595 NAC quarantine and DLP ....................................................................................... NAC quarantine and DLP replacement messages ................................................. Configuring NAC quarantine................................................................................... The Banned User list ..............................................................................................

595 595 596 596

WAN optimization and web caching .................................................. 599 Frequently asked questions about FortiGate WAN optimization ........................... 599 Overview of FortiGate WAN optimization ................................................................. 601 WAN optimization tunnels....................................................................................... WAN optimization peer authentication.................................................................... Authentication Groups ............................................................................................ WAN optimization rules and firewall policies .......................................................... WAN optimization Transparent mode..................................................................... FortiGate models that support WAN optimization...................................................

602 602 603 603 604 604

Configuring WAN optimization .................................................................................. 605 How list order affects rule matching........................................................................ 606 Moving a rule to a different position in the rule list.................................................. 607 Configuring a WAN optimization rule ....................................................................... 608 Web caching ................................................................................................................ 610 Web cache only topology........................................................................................ Configuring web cache only WAN optimization ...................................................... Configuring client/server (active-passive) web caching.......................................... Configuring peer to peer web caching ....................................................................

611 611 612 614

Client/server or active passive WAN optimization................................................... 617 Configuring client/server (active-passive) WAN optimization ................................. 617 Peer to peer WAN optimization.................................................................................. 620 Configuring peer to peer WAN optimization ........................................................... 620 About WAN optimization addresses ....................................................................... 622 Protocol optimization ................................................................................................. 623 Byte caching................................................................................................................ 624 SSL offloading for WAN optimization and web caching ......................................... 624 Example configuration: SSL offloading for a WAN optimization tunnel .................. 625 SSL offloading and reverse proxy web caching for an internet web server............ 627 Secure tunnelling ........................................................................................................ 630 WAN optimization over IPSec VPN ........................................................................ 630

18

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Contents

WAN optimization with FortiClient ............................................................................ 630 Configuring WAN optimization storage .................................................................... 631 Example WAN optimization iSCSI configuration .................................................... 632 About partition labels .............................................................................................. 633 WAN optimization and HA.......................................................................................... 634 Configuring peers ....................................................................................................... 634 Configuring authentication groups ........................................................................... 635 Details about WAN optimization peer authentication.............................................. 636 Monitoring WAN optimization.................................................................................... 637 Changing web cache settings.................................................................................... 638

Endpoint control .................................................................................. 641 Configuring endpoint control .................................................................................... 641 Viewing FortiClient required version information .................................................... 642 Configuring FortiClient required version and installer download ............................ 642 Viewing and configuring the software detection list ................................................ 643 Monitoring endpoints ................................................................................................. 644

Log&Report .......................................................................................... 647 FortiGate logging ........................................................................................................ 647 FortiGuard Analysis and Management Service........................................................ 648 FortiGuard Analysis and Management Service portal web site .............................. 649 Log severity levels ...................................................................................................... 649 High Availability cluster logging ............................................................................... 650 Storing logs ................................................................................................................. 650 Logging to a FortiAnalyzer unit ............................................................................... Connecting to FortiAnalyzer using Automatic Discovery ........................................ Testing the FortiAnalyzer configuration .................................................................. Logging to a FortiGuard Analysis server ................................................................ Logging to memory ................................................................................................. Logging to a Syslog server ..................................................................................... Logging to WebTrends ...........................................................................................

650 651 652 653 654 654 655

Log types ..................................................................................................................... 657 Traffic log ................................................................................................................ Example configuration: logging all FortiGate traffic ................................................ Event log................................................................................................................. Data Leak Prevention log ....................................................................................... Application Control log............................................................................................ Antivirus log ............................................................................................................ Web filter log........................................................................................................... Spam filter log......................................................................................................... Attack log (IPS).......................................................................................................

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

657 658 659 660 660 660 661 661 661

19

Contents

Accessing Logs........................................................................................................... 662 Accessing logs stored in memory ........................................................................... Accessing logs stored on the hard disk .................................................................. Accessing logs stored on the FortiAnalyzer unit..................................................... Accessing logs stored on the FortiGuard Analysis server ......................................

662 662 663 664

Viewing log information ............................................................................................. 664 Customizing the display of log messages................................................................ 665 Column settings ...................................................................................................... 666 Filtering log messages............................................................................................ 667 Content Archive .......................................................................................................... 667 Content archiving and data leak prevention ........................................................... Configuring spam email message content archiving .............................................. Configuring VoIP content archiving ........................................................................ Viewing content archives ........................................................................................

668 668 669 670

Alert Email ................................................................................................................... 670 Configuring Alert Email ........................................................................................... 672 Reports......................................................................................................................... 673 Viewing basic traffic reports.................................................................................... FortiAnalyzer report schedules ............................................................................... Viewing FortiAnalyzer reports................................................................................. Printing your FortiAnalyzer report ...........................................................................

673 674 677 677

Index...................................................................................................... 679

20

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Introduction

Fortinet products

Introduction Ranging from the FortiGate®-50 series for small businesses to the FortiGate-5000 series for large enterprises, service providers and carriers, the FortiGate line combines the FortiOS™ security operating system with FortiASIC™ processors and other hardware to provide a high-performance array of security and networking functions including: •

firewall, VPN, and traffic shaping

•

Intrusion Prevention system (IPS)

•

antivirus/antispyware/antimalware

•

web filtering

•

antispam

•

application control (for example, IM and P2P)

•

VoIP support (H.323, SIP, and SCCP)

•

Layer 2/3 routing

•

multiple redundant WAN interface options

FortiGate appliances provide cost-effective, comprehensive protection against network, content, and application-level threats, including complex attacks favored by cybercriminals, without degrading network availability and uptime. FortiGate platforms include sophisticated networking features, such as high availability (active/active, active/passive) for maximum network uptime, and virtual domain capabilities to separate various networks requiring different security policies. This chapter contains the following sections: •

Fortinet products

•

About this document

•

Document conventions

•

Registering your Fortinet product

•

Customer service and technical support

•

Fortinet documentation

Fortinet products Fortinet's portfolio of security gateways and complementary products offers a powerful blend of ASIC-accelerated performance, integrated multi-threat protection, and constantly updated, in-depth threat intelligence. This unique combination delivers network, content, and application security for enterprises of all sizes, managed service providers, and telecommunications carriers, while providing a flexible, scalable path for expansion. For more information on the Fortinet product family, go to www.fortinet.com/products.

About this document This FortiGate Version 4.0 Administration Guide provides detailed information for system administrators about FortiGate™ web-based manager and FortiOS options and how to use them. This guide also contains some information about the FortiGate CLI. FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

21

About this document

Introduction

This section of the guide contains a brief explanation of the structure of the guide, and gives an overview of each chapter. The administration guide describes web-based manager functions in the same order as the web-based manager (or GUI) menu. The document begins with several chapters that provide an overview to help you start using the product: the FortiGate web-based manager, System Status, Managing Firmware, and Using virtual domains. Following these chapters, each item in the System, Router, Firewall, UTM, and VPN menus gets a separate chapter. Then User, WAN optimization, Endpoint Control, and Log&Report are all described in single chapters. The document concludes with a detailed index. VDOM and Global icons appear in this administration guide to indicate that a chapter or section is part of either the VDOM or Global configuration. VDOM and Global configuration settings apply only to a FortiGate unit operating with virtual domains enabled. No distinction is made between these configuration settings when virtual domains are not enabled. The most recent version of this document is available from the FortiGate page of the Fortinet Technical Documentation web site. The information in this document is also available in a slightly different form as FortiGate web-based manager online help. You can also find more information about FortiOS from the same FortiGate page, as well as from the Fortinet Knowledge Center. This administration guide contains the following chapters:

22

•

What’s new in FortiOS 4.0 lists and describes some of the new features and changes in FortiOS Version 4.0.

•

Web-based manager introduces the features of the FortiGate web-based manager, and explains how to connect to it. It also includes information about how to use the web-based manager online help.

•

System Status describes the System Status page, the dashboard of your FortiGate unit. At a glance you can view the current system status of the FortiGate unit including serial number, uptime, FortiGuard license information, system resource usage, alert messages and network statistics. You can also access the CLI from this page. This section also describes status changes that you can make, including changing the unit firmware, host name, and system time. Finally this section describes the topology viewer that is available on all FortiGate models except those with model numbers 50 and 60.

•

Managing firmware versions describes upgrading and managing firmware versions. You should review this section before upgrading your FortiGate firmware because it contains important information about how to properly back up your current configuration settings and what to do if the upgrade is unsuccessful.

•

Using virtual domains describes how to use virtual domains to operate your FortiGate unit as multiple virtual FortiGate units, which effectively provides multiple separate firewall and routing services to multiple networks.

•

System Network explains how to configure physical and virtual interfaces and DNS settings on the FortiGate unit.

•

System Wireless describes how to configure the Wireless LAN interface on a FortiWiFi-60 unit.

•

System DHCP explains how to configure a FortiGate interface as a DHCP server or DHCP relay agent.

•

System Config contains procedures for configuring HA and virtual clustering, configuring SNMP and replacement messages, and changing the operation mode.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Introduction

About this document

•

System Admin guides you through adding and editing administrator accounts, defining admin profiles for administrators, configuring central management using the FortiGuard Analysis and Management Service or FortiManager, defining general administrative settings such as language, timeouts, and web administration ports.

•

System Certificates explains how to manage X.509 security certificates used by various FortiGate features such as IPSec VPN and administrator authentication.

•

System Maintenance details how to back up and restore the system configuration using a management computer or a USB disk, use revision control, enable FortiGuard services and FortiGuard Distribution Network (FDN) updates, and enter a license key to increase the maximum number of virtual domains.

•

Router Static explains how to define static routes and create route policies. A static route causes packets to be forwarded to a destination other than the factory configured default gateway.

•

Router Dynamic explains how to configure dynamic protocols to route traffic through large or complex networks.

•

Router Monitor explains how to interpret the Routing Monitor list. The list displays the entries in the FortiGate routing table.

•

Firewall Policy describes how to add firewall policies to control connections and traffic between FortiGate interfaces, zones, and VLAN subinterfaces.

•

Firewall Address describes how to configure addresses and address groups for firewall policies.

•

Firewall Service describes available services and how to configure service groups for firewall policies.

•

Firewall Schedule describes how to configure one-time and recurring schedules for firewall policies.

•

Traffic Shaping how to create traffic shaping instances and add them to firewall policies.

•

Firewall Virtual IP describes how to configure and use virtual IP addresses and IP pools.

•

Firewall Load Balance describes how to use FortiGuard load balancing to intercept incoming traffic and balance it across available servers.

•

Firewall Protection Profile describes how to configure protection profiles for firewall policies.

•

SIP support includes some high-level information about VoIP and SIP and describes how FortiOS SIP support works and how to configure the key SIP features.

•

AntiVirus explains how to enable antivirus options when you create a firewall protection profile.

•

Intrusion Protection explains how to configure IPS options when a firewall protection profile is created.

•

Web Filter explains how to configure web filter options when a firewall protection profile is created.

•

Antispam explains how to configure spam filter options when a firewall protection profile is created.

•

Data Leak Prevention explains how use FortiGate data leak prevention to prevent sensitive data from leaving your network.

•

Application Control describes how to configure the application control options associated with firewall protection profiles.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

23

Document conventions

Introduction

•

IPSec VPN provides information about the tunnel-mode and route-based (interface mode) Internet Protocol Security (IPSec) VPN options available through the webbased manager.

•

PPTP VPN explains how to use the web-based manager to specify a range of IP addresses for PPTP clients.

•

SSL VPN provides information about basic SSL VPN settings.

•

User describes how to control access to network resources through user authentication.

•

WAN optimization and web caching describes how to use FortiGate units to improve performance and security of traffic passing between locations on your wide area network (WAN) or over the Internet by applying WAN optimization and web caching.

•

Endpoint control describes how to use FortiGate end point control to enforce the use of FortiClient End Point Security (Enterprise Edition) in your network.

•

Log&Report describes how to enable logging, view log files, and view the basic reports available through the web-based manager.

Document conventions Fortinet technical documentation uses the conventions described below.

IP addresses To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.

CLI constraints CLI constraints, such as , indicate which data types or string patterns are acceptable input for a given parameter or variable value. CLI constraint conventions are described in the CLI Reference document for each product.

Cautions, Notes and Tips Fortinet technical documentation uses the following guidance and styles for cautions, notes and tips. Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

Note: Also presents useful information, but usually focused on an alternative, optional method, such as a shortcut, to perform a step.

Tip: Highlights useful additional information, often tailored to your workplace activity.

24

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Introduction

Registering your Fortinet product

Typographical conventions Fortinet documentation uses the following typographical conventions: Table 1: Typographical conventions in Fortinet technical documentation Convention

Example

Button, menu, text box, From Minimum log level, select Notification. field, or check box label Keyboard entry

Type a name for the remote VPN peer or client, such as Central_Office_1.

Navigation

Go to VPN > IPSEC > Auto Key (IKE).

Emphasis

HTTP connections are not secure and can be intercepted by a third party.

CLI input

config system dns set primary end

CLI output

FGT-602803030703 # get system settings comments : (null) opmode : nat

File content

Firewall Authentication

You must authenticate to use this service.

Hyperlink

Visit the Fortinet Technical Support web site, https://support.fortinet.com.

Publication

For details, see the FortiGate Administration Guide. The chapter or section contains VDOM configuration settings, see “VDOM configuration settings” on page 104. The chapter or section contains Global configuration settings, see “Global configuration settings” on page 107.

Registering your Fortinet product Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration. For more information, see the Fortinet Knowledge Center article Registration Frequently Asked Questions.

Customer service and technical support Fortinet Technical Support provides services designed to make sure that you can install your Fortinet products quickly, configure them easily, and operate them reliably in your network. To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com. You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Center article What does Fortinet Technical Support require in order to best assist the customer? FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

25

Training

Introduction

Training Fortinet Training Services provides classes that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide. To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email them at [email protected].

Fortinet documentation The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes. In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Center.

Tools and Documentation CD The documentation for your product is available on the Fortinet Tools and Documentation CD shipped with your product. The documents on this CD are current at shipping time. For the most current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.

Fortinet Knowledge Center The Fortinet Knowledge Center provides additional Fortinet technical documentation, such as troubleshooting and how-to articles, examples, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Center at http://kc.fortinet.com.

Comments on Fortinet technical documentation Please send information about any errors or omissions in this or any Fortinet technical document to [email protected].

26

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

What’s new in FortiOS 4.0

What’s new in FortiOS 4.0 This section lists and describes some of the new features and changes in FortiOS Version 4.0. •

FortiOS 4.0 FortiGate models and features supported

•

UTM features grouped under new UTM menu

•

Data Leak Prevention

•

Application Control

•

SSL content scanning and inspection

•

WAN Optimization

•

Endpoint control

•

Network Access Control (NAC) quarantine

•

IPS extensions •

DoS policies for applying IPS sensors

•

NAC quarantine in DoS Sensors

•

Adding IPS sensors to a DoS policy from the CLI

•

One-arm IDS (sniffer mode)

•

IPS interface policies for IPv6

•

IPS Packet Logging

•

Enhanced Antispam Engine (ASE)

•

WCCP v2 support

•

“Any” interface for firewall policies

•

Global view of firewall policies

•

Identity-based firewall policies

•

Web filtering HTTP upload enhancements

•

Traffic shaping enhancements

•

Firewall load balancing virtual IP changes

•

Per-firewall policy session TTL

•

Gratuitous ARP for virtual IPs

•

Changes to protection profiles

•

Changes to content archiving

•

Customizable web-based manager pages

•

Administration over modem

•

Auto-bypass and recovery for AMC bridge module

•

Rogue Wireless Access Point detection

•

Configurable VDOM and global resource limits

•

User authentication monitor

•

OCSP and SCEP certificate over HTTPS

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

27

FortiOS 4.0 FortiGate models and features supported

What’s new in FortiOS 4.0

•

Adding non-standard ports for firewall authentication

•

Dynamically assigning VPN client IP addresses from a RADIUS record

•

DHCP over route-based IPSec VPNs

•

SNMP upgraded to v3.0

•

File Quarantine

•

Customizable SSL VPN web portals

•

Logging improvements

•

Web filtering HTTP POST traffic (blocking or comforting HTTP post traffic)

FortiOS 4.0 FortiGate models and features supported You can install and run FortiOS 4.0 on the following FortiGate models: • • • • • • • • •

30B 50B 51B WiFi-50B 60B WiFi-60B 100A 11C 111C

• • • • • • • • •

200A 224B 300A 310B 400A 500A 620B 800, 800F 1000A, 1000AFA2

• • • • • • • • •

3016B 3600 3600A 3810A 5001SX 5001FA2 5001A-SW 5001A-DW 5005FA2

Note: The information in this section is subject to change.

Table 2 shows the FortiGate models that support some of the major new FortiOS 4.0 features. All other new FortiOS 4.0 features are available on all models except for the FortiGate-30 model which supports a reduced feature set. Table 2: New FortiOS 4.0 feature support Feature

FortiGate Models

WAN optimization

51B*, 111C*, 310B**, 620B**, 3016B**, 3600A**, 3810A**, 5001A-SW**

SSL Content Scanning and Inspection

110C, 111C, 310B, 620B, 3016B, 3600A, 3810A, 5001ASW, 5001A-DW, 5005FA2

Date Leak Prevention (DLP)

All Models that support FortiOS 4.0

End Point Control

All Models that support FortiOS 4.0

NAC Quarantine

All Models that support FortiOS 4.0

*WAN optimization is available on FortiGate-51B and 111C models because these models include high-capacity internal hard disks. **WAN optimization is available on FortiGate-310B, 620B, 3016B, 3600A, 3810A, and 5001A-SW models because these models include a single-width AMC slot. To support WAN optimization you can install a FortiGate-ASM-S08 module or FortiGate-ASM-SAS module in the single-width AMC slot and use the hard disk in the ASM-S08 module or a SAS disk array connected to the ASM-SAS module for WAN optimization. All FortiGate models that support a single-width AMC slot can also be configured to support iSCSI to cache WAN Optimization data to an external iSCSI storage device. You do not need to install an ASM module in the single-width AMC slot to configure and use iSCSI.

28

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

What’s new in FortiOS 4.0

UTM features grouped under new UTM menu

UTM features grouped under new UTM menu AntiVirus, Intrusion Protection, Web Filter, and AntiSpam, as well as the new Data Leak Prevention and Application Control features are grouped under a new UTM menu. All the familiar Antivirus, Intrusion Protection, Web Filter, and AntiSpam features are available here. Most IM, P2P, and VoIP functionality has been integrated into application control. IM user control has moved to User > Local > IM. IM user monitoring has moved to User > Monitor > IM User Monitor. If you enable virtual domains, you configure all UTM features separately for each VDOM except for the Antivirus quarantine and grayware configuration.

Data Leak Prevention The new Data Leak Prevention (DLP) feature protects sensitive information from being transmitted via web, email or file transfer protocols. You define rules and compound rules to detect possible data leaks and specify the action to take in response. Rules and compound rules are combined into DLP sensors, which you can enable in firewall protection profiles. For more information, see “Data Leak Prevention” on page 511.

Application Control The new Application Control UTM feature allows your FortiGate unit to detect and take action against network traffic depending on the application generating the traffic. Based on FortiGate Intrusion Protection protocol decoders, application control is a more userfriendly and powerful way to use Intrusion Protection features to log and manage the behavior of application traffic passing through the FortiGate unit. Application control uses IPS protocol decoders that can analyze network traffic to detect application traffic even if the traffic uses non-standard ports or protocols. The FortiGate unit can recognize the network traffic generated by more than 70 applications. You can create application control lists that specify what action will be taken with the traffic of the applications you need to manage. You specify the application control list in the protection profile applied to the network traffic you need to monitor. You can also create multiple application control lists, each tailored to a particular network, for example. For more information, see “Application Control” on page 523.

SSL content scanning and inspection FortiGate models that include hardware supporting SSL acceleration now also support SSL content scanning and inspection. Using SSL content scanning and inspection, you can apply antivirus scanning, web filtering, FortiGuard web filtering, spam filtering, data leak prevention (DLP), and content archiving to HTTPS, IMAPS, POP3S, and SMTPS traffic. The following FortiGate models support SSL content scanning and inspection: •

110C

•

111C

•

310B

•

602B

•

3016B

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

29

WAN Optimization

What’s new in FortiOS 4.0

•

3600A

•

3810A

•

5005FA2

•

5001A.

For more information, see “SSL content scanning and inspection” on page 399.

WAN Optimization You can use the new FortiGate WAN Optimization feature to improve performance and security across a WAN by applying a number of related techniques including protocol and application-based data compression and optimization data deduction (a technique that reduces how often the same data is transmitted across the WAN), web caching, secure tunneling and SSL acceleration. For more information, see “WAN optimization and web caching” on page 599.

Endpoint control The new Endpoint Compliance feature (also called endpoint control) replaces the FortiOS 3.0 Check FortiClient Installed and Running firewall options. You can enforce the use of FortiClient End Point Security (Enterprise Edition) in your network and ensure that clients have both the most recent version of the FortiClient software and the most up-to-date antivirus signatures. The FortiGate unit retrieves FortiClient software and antivirus updates from the FortiGuard Distribution Network. If the FortiGate unit contains a hard disk drive, these files are cached to more efficiently serve downloads to multiple end points. Go to Endpoint Control > FortiClient to see the software and antivirus signature versions that the endpoint control feature enforces. The Endpoint Compliance feature also provides monitoring. The FortiGate unit gathers information from client PCs when they use a firewall policy with the Enable Endpoint Compliance Check option enabled. For more information, see “Endpoint control” on page 641 and “Endpoint Compliance Check options” on page 336.

Network Access Control (NAC) quarantine FortiOS 4.0 provides new Network Access Control (NAC) quarantine features that you can use with Antivirus and intrusion protection to block (or quarantine) users or FortiGate interfaces when a virus is found or an attack is detected by an IPS Sensor or a DoS Sensor. You can also use IPS Senors and DoS Sensors to block communication between the source and destination of an attack. Data Leak Preventions (DLP) also includes features similar to NAC quarantine that you can use to block users who send content that matches a DLP sensor. The FortiGate unit adds blocked users and interfaces to the banned users list. FortiGate administrators can view the users and interfaces on the banned users list and manually remove them from the list to restore normal access. For information about NAC quarantine, see “NAC quarantine and the Banned User list” on page 595.

30

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

What’s new in FortiOS 4.0

IPS extensions

IPS extensions FortiOS 4.0 includes the following new IPS features: •

DoS policies for applying IPS sensors

•

NAC quarantine in DoS Sensors

•

Adding IPS sensors to a DoS policy from the CLI

•

One-arm IDS (sniffer mode)

•

IPS interface policies for IPv6

•

IPS Packet Logging

DoS policies for applying IPS sensors In FortiOS 4.0, you can now apply IPS Denial of Service (DoS) sensors to traffic on interfaces by creating DoS policies. DoS policies are independent from firewall policies and are used to associate DoS sensors with traffic that reaches a FortiGate interface. DoS policies deliver packets to the IPS before they are accepted by firewall policies. This arrangement has the following benefits: •

Protection from denial of service attacks is more effective because these attacks can be detected and blocked before the firewall sees the packets. So system resources are not affected by denial of service attacks.

•

All attacking traffic can be filtered out before being accepted by firewall policies.

•

IPS can inspect traffic that is not normally processed by the firewall, including traffic that is: •

normally dropped by the firewall (for example, packets with invalid headers)

•

using a protocol not normally processed by firewall policies (for example, flood, broadcast, and multicast traffic)

•

matched by a deny policy (deny policies do not include protection profiles)

•

not matched by any firewall policy.

For more information, see “DoS policies” on page 337.

NAC quarantine in DoS Sensors From the FortiGate CLI you can now configure NAC quarantine for each anomaly in a DoS Sensor. You can configure the anomaly to quarantine the source address of the attack (attacker) or both the source and destination address of the attack (both). config ips DoS edit new_DoS-sensor config anomaly edit "tcp_dst_session" set status enable set quarantine {attacker | both | none} set quarantine-expiry 600 set threshold 5000 end

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

31

IPS extensions

What’s new in FortiOS 4.0

Adding IPS sensors to a DoS policy from the CLI You can now add an IPS Sensor to a DoS policy from the CLI. The CLI command for configuring DoS policies is config firewall interface-policy. The following command syntax shows how to add an example IPS sensor called all-default_pass to a DoS policy with policy ID 5 that was previously added from the web-based manager. config firewall interface-policy edit 5 set ips-sensor-status enable set ips-sensor all_default_pass end

One-arm IDS (sniffer mode) Using the one-arm intrusion detection system (IDS), you can now configure a FortiGate unit to operate as an IDS appliance by sniffing packets for attacks without actually receiving and otherwise processing the packets. To configure one-arm IDS, you enable sniffer mode on a FortiGate interface and connect that interface to a hub or to the SPAN port of a switch that is processing network traffic. Then you can add DoS policies for that FortiGate interface that include DoS sensors and optionally IPS sensors to detect attacks in the traffic that the FortiGate interface receives from the hub or switch SPAN port. In sniffer mode, the interface receives packets accepted by DoS policies only. All packets not received by DoS policies are dropped. All packets received by DoS policies go through IPS inspection and are dropped when this inspection detects attacks. One-arm IDS cannot block traffic. However, if you enable logging in the DoS and IPS sensors, the FortiGate unit records log messages for all detected attacks. Figure 1: One-arm IDS topology

Internet

Hub or switch

SPAN port

Internal network To enable sniffer mode on a FortiGate unit port5 interface, enter the following CLI commands: config system interface edit port5

32

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

What’s new in FortiOS 4.0

Enhanced Antispam Engine (ASE)

set ips-sniffer-mode enable end

IPS interface policies for IPv6 Similar to interface-based DoS policies for IPv4, you can use the FortiGate CLI command config firewall interface-policy6 to add IPv6 interface-based policies. In FortiOS version 4.0, you can add IPS Sensors to IPv6 interface-based policies: config firewall interface-policy6 edit 1 set interface "port1” set srcaddr6 "all" set dstaddr6 "all" set service6 "ANY" set ips-sensor-status enable set ips-sensor "all_default" end

IPS Packet Logging For FortiOS 4.0 IPS packet logging has been enhanced to allow sending log messages to a FortiAnalyzer unit or the FortiGuard Analysis and Manager Service. Also if you are storing IPS packets logs in FortiGate memory new CLI commands are available to control the amount of memory to available and the number of packets that are saved when logging packets. For more information, see “Packet logging” on page 467.

Enhanced Antispam Engine (ASE) FortiOS 4.0 includes a new Antispam Engine (ASE) that can be updated from the FortiGuard Distribution Network to add new antispam techniques without requiring a FortiOS firmware update. You can also update the ASE manually using the following CLI command: execute restore ase {ftp | sftp}

WCCP v2 support You can now use WCCP v2 to configure a FortiGate unit to optimize web traffic, thus reducing transmission costs and downloading time. This traffic includes user requests to view pages on Web servers and the replies to those requests. When a user requests a page from a web server, the FortiGate unit sends that request to a cache server (also called a web-cache server). If the cache server has a copy of the requested page in storage, the cache server sends the user that page. Otherwise, the cache server retrieves the requested page, caches a copy of it, and forwards it to the user. The FortiGate unit supports WCCP v2 by transparently redirecting selected types of traffic to a group of cache servers. When WCCP is enabled, the FortiGate unit maintains a web cache server list in the WCCP database. To configure WCCP support you use the config system wccp command to enable WCCP support. Then you enable WCCP for firewall policies using the wccp keyword. When these WCCP-enabled firewall policies accept traffic, the traffic is re-directed to a cache server. The FortiGate unit uses the information in the WCCP database to determine the cache server to redirect the traffic to.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

33

WCCP v2 support

What’s new in FortiOS 4.0

Finally you must configure interfaces connected to WCCP cache servers to accept wccp messages. If virtual domains are enabled, you configure WCCP separately for each virtual domain. To configure WCCP You configure WCCP from the CLI. 1 Start WCCP and configure WCCP database settings: config system wccp edit set router-id set server-list set group-address set password set forward-method {GRE | L2 | any} set return-method {GRE | L2 | any} set assignment-method {HASH | MASK | any} next end Variable

Description

Default

authentication {disable | enable}

Enable or disable using use MD5 authentication for the WCCP configuration.

0-255. 0 for HTTP.

router-id

An IP address known to all cache servers. This IP address 0.0.0.0 identifies a FortiGate interface IP address to the cache servers. If all cache servers connect to the same FortiGate interface, can be 0.0.0.0, and the FortiGate unit uses the IP address of that interface as the router-id. If the cache servers can connect to different FortiGate interfaces, you must set router-id to a single IP address, and this IP address must be added to the configuration of the cache servers.

server-list

The IP addresses of the cache servers.

group-address

The IP multicast address used by the cache servers. 0.0.0.0 0.0.0.0 means the FortiGate unit ignores multicast WCCP traffic. Otherwise, group-address must be from 224.0.0.0 to 239.255.255.255.

password

The MD5 authentication password. Maximum length is 8 characters.

forward-method {GRE | L2 | any}

Specifies how the FortiGate unit forwards traffic to cache servers. If forward-method is any the cache server determines the forward method.

GRE

return-method {GRE | L2 | any}

Specifies how a cache server declines a redirected packet and return it to the firewall. If return-method is any the cache server determines the return method.

GRE

1

0.0.0.0 0.0.0.0

assignment-method Specifies which assignment method the FortiGate prefers. If HASH {HASH | MASK | any} assignment-method is any the cache server determines the assignment method

2 Add a firewall policy to enable WCCP for traffic accepted by the firewall policy. config firewall policy Edit (configure the firewall policy) set wccp {enable | disable}

34

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

What’s new in FortiOS 4.0

“Any” interface for firewall policies

next end 3 Configure the interfaces that connected to cache servers to accept WCCP traffic. config system interface edit Load Balance > Monitor) shows the status of each virtual server and real server. For more information, see “Monitoring the servers” on page 395.

36

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

What’s new in FortiOS 4.0

Per-firewall policy session TTL

Per-firewall policy session TTL If required by a network or by the services to be provided by a FortiGate unit, you can now use the session-ttl keyword of the config firewall policy command to control the session time to live (TTL) time for communication sessions accepted by a firewall policy. The default setting for session-ttl in a firewall policy is 0, which means use the default session TTL as set by the config system session-ttl command. The default session TTL setting is 3600 seconds. The range for the firewall policy session TTL is 300 to 604800 seconds.

Gratuitous ARP for virtual IPs You can configure sending of ARP packets to maintain connectivity of virtual IPs where other routers clear their ARP table periodically. Use the following command syntax in the CLI to configure sending of ARP packets by a virtual IP. You can set the time interval between sending ARP packets. Set the interval to 0 to disable sending ARP packets. config firewall vip edit new_vip (configure the virtual IP) set gratuitous-arp-interval end

Changes to protection profiles New configuration settings have been added to protection profiles, and familiar configuration settings in protection profiles have been reorganized. For a complete description of FortiOS 4.0 protection profiles, see “Configuring a protection profile” on page 404.

Changes to content archiving You now configure full and summary content archiving in DLP sensors. Other content archiving settings are also available in protection profiles and from Application Control in the CLI. For information about FortiOS 4.0 content archiving, see “Content Archive” on page 667. Related to changes to content archiving, the information displayed by the Statistics widget on the system dashboard has also changed. See “Statistics” on page 71.

Customizable web-based manager pages In addition to configuring administrators with varying levels of access to different parts of the FortiGate unit configuration, if you are a super_admin, you can customize the FortiGate web-based manager (or GUI) to show, hide, and arrange widgets/menus/items according to your specific requirements. In standard operation mode, the display is static. Customizing the display allows you to vary or limit the GUI layout to fulfill different administrator roles. There are also several configuration widgets which you can enable for CLI-only options that are not displayed by default. The customized GUI layouts are stored as part of the administrator admin profile. For more information, see “Customizable web-based manager” on page 231.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

37

Administration over modem

What’s new in FortiOS 4.0

Administration over modem You can now use the following CLI command to configure a FortiGate modem interface so that you can dial into the modem and administer the FortiGate unit. config system dialinsvr set status enable set server-ip set client-ip set usrgrp "grp1" set allowaccess ping https ssh http telnet set modem-dev external end

Auto-bypass and recovery for AMC bridge module If you have installed one of the FortiGate-ASM-FX2 or FortiGate-ASM-CX4 AMC bridge modules, you can use the CLI to configure how the bridge module recovers from switching to bridge mode because of a failure with the FortiGate unit hardware or software process.

Note: AMC bridge mode is only supported in Transparent mode.

In this example, the FortiGate-ASM-CX4 module is installed in slot 1: config system amc set sw1 asm-cx4 set watchdog-recovery [enable | disable} set watchdog-recovery-period end The watchdog-recovery-period keyword determines the length of the hold-down period during which the software watchdog monitors critical software processes before concluding they have stabilized.

Rogue Wireless Access Point detection FortiWifi-50B and FortiWifi-60B units can now use rogue access point detection to scan for wireless access points. For more information, see “Rogue AP detection” on page 168.

Configurable VDOM and global resource limits FortiGate units have upper limits for resources such as firewall policies, protection profiles and VPN tunnels. These limits vary by model. In previous releases of FortiOS, maximum values for resources belonging to virtual domains (VDOMs) applied equally to each VDOM. Maximums for system-wide (global) resources applied globally and the resources were equally accessible to each VDOM. In FortiOS 4.0, you can control resource allocation to each VDOM. This limits the impact of each VDOM on other VDOMs due to resource contention and enables you to provide tiered services to your customers. Also, you can set global resource limits to control the impact of various features on system performance. For more information, see “Configuring global and VDOM resource limits” on page 116

38

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

What’s new in FortiOS 4.0

User authentication monitor

User authentication monitor You can now go to User > Authentication > User Authentication Monitor to view a list of currently authenticated users. For each authenticated user, the list includes the user name, user group, how long the user has been authenticated (duration), how long until the user’s session times out (time-left), the user’s source IP Address, the amount of traffic through the FortiGate unit caused by the user (traffic volume), and the authentication method used by the FortiGate unit for the user. The authentication methods can be FSAE, firewall authentication (FW-auth), or NTLM. You can sort and filter the information on the authentication monitor according to any of the columns in the monitor. For more information, see “Monitor” on page 591.

OCSP and SCEP certificate over HTTPS FortiGate units now support OCSP and SCEP communication between FortiGate units and SCEP servers over HTPPS. The SCEP URLs that you add to the FortiGate System Certificate configuration can be HTTPS URLs or URLs supported by your SCEP server. For more information, see “System Certificates” on page 243.

Adding non-standard ports for firewall authentication By default, when a communication session is accepted by an identity-based firewall policy, the user must authenticate with the firewall by using the FTP, HTTP, HTTPS, or Telnet protocol to enter a user name and password before being able to communicate through the FortiGate unit. And, by default, users can authenticate only with a communication session that uses the standard FTP, HTTP, HTTPS, or Telnet TCP ports (21, 80, 443, and 23 respectively). You can now use the following command if your firewall users need to authenticate with the FortiGate unit and if they use a non-standard port for FTP, HTTP, HTTPS, or Telnet sessions. config user setting config auth-ports edit set port set type { ftp | http | https | telnet } end end end Where is any integer. You can add multiple non-standard port tables. is the non-standard TCP authentication port number. Adding non-standard authentication ports does not change the standard authentication port for any protocol. You use this command only to add more non-standard authentication ports. The standard authentication port is still valid and cannot be changed. For example, if some users on your network web browse using HTTP on ports 8080 and 8008 and use telnet on port 4523, you could use the following commands to add HTTP authentication on ports 8080 and 8008 and Telnet authentication on port 4523: config user setting config auth-ports edit 1 set port 8080 FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

39

Dynamically assigning VPN client IP addresses from a RADIUS record

set type next end edit 2 set port set type next end edit 3 set port set type end end

What’s new in FortiOS 4.0

http

8008 http

4523 telnet

If your FortiGate unit is operating with virtual domains enabled, each VDOM has a different non-standard authentication port configuration.

Dynamically assigning VPN client IP addresses from a RADIUS record SSL VPN tunnel mode, IPSec, and PPTP VPN sessions can now assign IP addresses to remote users by getting the IP address to assign from a RADIUS record. For more information, see Dynamically assigning VPN client IP addresses from a RADIUS record.

DHCP over route-based IPSec VPNs In previous releases of FortiOS, you could use DHCP to assign IP addresses to dialup clients on policy-based IPSec VPNs only. In FortiOS 4.0, DHCP is also available to dialup clients on route-based IPSec VPNs. The configuration differs only slightly from that of a route-based dialup VPN with static IP addresses. 1 Configure Phase 1 settings. Remote Gateway must be set to Dialup User. 2 Configure Phase 2 settings. Set Phase 1 to Dialup User. In the Advanced Settings, select DHCP-IPsec. For more information, see “DHCP-IPSec” on page 540. 3 Configure a DHCP server on the virtual IPSec interface. Set the server Type to DHCP. Enter the IP Range and Netmask that dialup clients will use and the Default Gateway that dialup clients should use. 4 Configure an ACCEPT firewall policy with the virtual IPSec interface as source and the local private network as destination.

SNMP upgraded to v3.0 SNMP v3.0 provides up-to-date information and status reporting about the hardware running on your network.

40

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

What’s new in FortiOS 4.0

File Quarantine

For more information, see “SNMP” on page 185.

File Quarantine The Quarantine tab is renamed File Quarantine to distinguish it from the NAC Quarantine feature that quarantines traffic. For more information, see “Viewing the File Quarantine list” on page 447.

Customizable SSL VPN web portals You can now create multiple SSL VPN web portal configurations to enable different types of web portal functionality and control the different web portal look and feel configurations. For more information, see “SSL VPN web portal” on page 554.

Logging improvements Logs provide more information about the FortiGate unit operation, including: •

event log for VPN tunnel up/down (IPSec, SSL, PPTP VPNs), including authenticated user name, local and remote IP addresses

•

event log for VPN tunnel re-key

•

event log for VPN tunnel periodic statistics (configurable period)

•

logs for new Data Leak Prevention feature

•

attacks detected by IPS

•

inclusion of Admin Profile in Administrator login event log

•

increase in memory of log entries increased to 1024 bytes from 512 bytes to reduce the number of truncated logs. This reduces the number of logs that can be stored.

For more information, see “Log&Report” on page 647.

Web filtering HTTP POST traffic (blocking or comforting HTTP post traffic) You can now block or provide client comforting for HTTP-POST activity by selecting the HTTP POST Action in a protection profile. For more information, see “Web Filtering options” on page 411.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

41

Web filtering HTTP POST traffic (blocking or comforting HTTP post traffic)

42

What’s new in FortiOS 4.0

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Web-based manager

Web-based manager This section describes the features of the user-friendly web-based manager administrative interface (sometimes referred to as a graphical user interface, or GUI) of your FortiGate unit. Using HTTP or a secure HTTPS connection from any management computer running a web browser, you can connect to the FortiGate web-based manager to configure and manage the FortiGate unit. The recommended minimum screen resolution for the management computer is 1280 by 1024. You can configure the FortiGate unit for HTTP and HTTPS web-based administration from any FortiGate interface. To connect to the web-based manager you require a FortiGate administrator account and password. The web-based manager supports multiple languages, but by default appears in English on first use. Figure 3: Example FortiGate-3810A web-based manager dashboard (default configuration)

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

43

Common web-based manager tasks

Web-based manager

You can go to System > Status to view detailed information about the status of your FortiGate unit on the system dashboard. The dashboard displays information such as the current FortiOS firmware version, antivirus and IPS definition versions, operation mode, connected interfaces, and system resources. It also shows whether the FortiGate unit is connected to a FortiAnalyzer unit and a FortiManager unit or other central management services. You can use the web-based manager menus, lists, and configuration pages to configure most FortiGate settings. Configuration changes made using the web-based manager take effect immediately without resetting the FortiGate unit or interrupting service. You can back up your configuration at any time using the Backup Configuration button on the button bar. The button bar is located in the upper right corner of the web-based manager. The saved configuration can be restored at any time. The web-based manager also includes detailed context-sensitive online help. Selecting Online Help on the button bar displays help for the current web-based manager page. You can use the FortiGate command line interface (CLI) to configure the same FortiGate settings that you can configure from the web-based manager, as well as additional CLIonly settings. The system dashboard provides an easy entry point to the CLI console that you can use without exiting the web-based manager. This section describes: •

Common web-based manager tasks

•

Changing your FortiGate administrator password

•

Changing the web-based manager language

•

Changing administrative access to your FortiGate unit

•

Changing the web-based manager idle timeout

•

Connecting to the FortiGate CLI from the web-based manager

•

Button bar features

•

Contacting Customer Support

•

Backing up your FortiGate configuration

•

Using FortiGate Online Help

•

Logging out

•

Web-based manager pages

•

Web-based manager icons

Common web-based manager tasks This section describes the following common web-based manager tasks: •

Connecting to the web-based manager

•

Changing your FortiGate administrator password

•

Changing the web-based manager language

•

Changing administrative access to your FortiGate unit

•

Changing the web-based manager idle timeout

•

Connecting to the FortiGate CLI from the web-based manager

Connecting to the web-based manager To connect to the web-based manager, you require:

44

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Web-based manager

Common web-based manager tasks

•

a FortiGate unit connected to your network according to the instructions in the QuickStart Guide and Install Guide for your FortiGate unit

•

the IP address of a FortiGate interface that you can connect to

•

a computer with an Ethernet connection to a network that can connect to the FortiGate unit

•

a supported web browser. See the Knowledge Center articles Supported Windows web browsers and Using a Macintosh and the web-based manager.

To connect to the web-based manager 1 Start your web browser and browse to https:// followed by the IP address of the FortiGate unit interface that you can connect to. For example, if the IP address is 192.168.1.99, browse to https://192.168.1.99. (remember to include the “s” in https://). To support a secure HTTPS authentication method, the FortiGate unit ships with a selfsigned security certificate, which is offered to remote clients whenever they initiate a HTTPS connection to the FortiGate unit. When you connect, the FortiGate unit displays two security warnings in a browser. The first warning prompts you to accept and optionally install the FortiGate unit’s selfsigned security certificate. If you do not accept the certificate, the FortiGate unit refuses the connection. If you accept the certificate, the FortiGate login page appears. The credentials entered are encrypted before they are sent to the FortiGate unit. If you choose to accept the certificate permanently, the warning is not displayed again. Just before the FortiGate login page is displayed, a second warning informs you that the FortiGate certificate distinguished name differs from the original request. This warning occurs because the FortiGate unit redirects the connection. This is an informational message. Select OK to continue logging in. 2 Type admin or the name of a configured administrator in the Name field. 3 Type the password for the administrator account in the Password field. 4 Select Login.

Changing your FortiGate administrator password By default you can log into the web-based manager by using the admin administrator account and no password. You should add a password to the admin administrator account to prevent anybody from logging into the FortiGate and changing configuration options. For improved security you should regularly change the admin administrator account password and the passwords for any other administrator accounts that you add. Note: See the Fortinet Knowledge Center article Recovering lost administrator account passwords if you forget or lose an administrator account password and cannot log into your FortiGate unit.

To change an administrator account password 1 Go to System > Admin > Administrators. This web-based manager page lists the administrator accounts that can log into the FortiGate unit. The default configuration includes the admin administrator account. 2 Select the Change Password icon and enter a new password. 3 Select OK.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

45

Common web-based manager tasks

Web-based manager

Note: You can also add new administrator accounts by selecting Create New. For more information about adding administrators, changing administrator account passwords and related configuration settings, see “System Admin” on page 209.

Changing the web-based manager language You can change the web-based manager to display language in English, Simplified Chinese, Japanese, Korean, Spanish, Traditional Chinese, or French. For best results, you should select the language that the management computer operating system uses. To change the web-based manager language 1 Go to System > Admin > Settings. 2 Under display settings, select the web-based manager display language. 3 Select Apply. The web-based manager displays the dashboard in the selected language. All web-based manager pages are displayed with the selected language. Figure 4: System > Admin > Settings displayed in Simplified Chinese

Changing administrative access to your FortiGate unit Through administrative access an administrator can connect to the FortiGate unit to view and change configuration settings. The default configuration of your FortiGate unit allows administrative access to one or more of the interfaces of the unit as described in your FortiGate unit QuickStart Guide and Install Guide. You can change administrative access by:

46

•

enabling or disabling administrative access from any FortiGate interface

•

enabling or disabling securing HTTPS administrative access to the web-based manager (recommended)

•

enabling or disabling HTTP administrative access to the web-based manager (not recommended)

•

enabling or disabling secure SSH administrative access to the CLI (recommended)

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Web-based manager

Button bar features

•

enabling or disabling SSH or Telnet administrative access to the CLI (not recommended).

To change administrative access to your FortiGate unit 1 Go to System > Network > Interface. 2 Choose an interface for which to change administrative access and select Edit. 3 Select one or more Administrative Access types for the interface. 4 Select OK. For more information about changing administrative access see “Administrative access to an interface” on page 135.

Changing the web-based manager idle timeout By default, the web-based manager disconnects administrative sessions if no activity takes place for 5 minutes. This idle timeout is recommended to prevent someone from using the web-based manager from a PC that is logged into the web-based manager and then left unattended. However, you can use the following steps to change this idle timeout. To change the web-based manager idle timeout 1 Go to System > Admin > Settings. 2 Change the Idle Timeout minutes as required. 3 Select Apply.

Connecting to the FortiGate CLI from the web-based manager You can connect to the FortiGate CLI from the web-based manager dashboard by using the CLI console widget. You can use the CLI to configure all configuration options available from the web-based manager. Some configuration options are available only from the CLI. As well, you can use the CLI to enter diagnose commands and perform other advanced operations that are not available from the web-based manager. For more information about the FortiGate CLI see the FortiGate CLI Reference. To connect to the FortiGate CLI from the web-based manager 1 Go to System > Status. 2 Locate and select the CLI Console. Selecting the CLI console logs you into the CLI. For more information, see “CLI Console” on page 73.

Button bar features The button bar in the upper right corner of the web-based manager provides access to several important FortiGate features.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

47

Contacting Customer Support

Web-based manager

Figure 5: Web-based manager button bar

Contact Customer Support Online Help

Logout Back up your FortiGate Configuration

Contacting Customer Support The Contact Customer Support button opens the Fortinet Support web page in a new browser window. From this page you can: •

visit the Fortinet Knowledge Center

•

log into Customer Support (Support Login)

•

register your Fortinet product (Product Registration)

•

view Fortinet Product End of Life information

•

find out about Fortinet Training and Certification

•

visit the FortiGuard Center.

You must register your Fortinet product to receive product updates, technical support, and FortiGuard services. To register a Fortinet product, go to Product Registration and follow the instructions.

Backing up your FortiGate configuration The Backup Configuration button opens a dialog box for backing up your FortiGate configuration to: •

the local PC that you are using to manage the FortiGate unit.

•

a management station. This can be a FortiManager unit or the FortiGuard Analysis and Management Service. This option changes depending on your central management configuration (see “Central Management” on page 226).

•

a USB disk, if your FortiGate unit has a USB port and you have connected a USB disk to it (see “Formatting USB Disks” on page 261).

For more information, see “Backing up and restoring” on page 254.

48

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Web-based manager

Using FortiGate Online Help

Figure 6: Backing up your FortiGate configuration

Using FortiGate Online Help The Online Help button displays context-sensitive online help for the current web-based manager page. The online help page that is displayed is called a content pane and contains information and procedures related to the current web-based manager page. Most help pages also contain hyperlinks to related topics. The online help system also includes a number of links that you can use to find additional information. FortiGate context-sensitive online help topics also include a VDOM or Global icon to indicate whether the web-based manager page is for VDOM-specific or global configuration settings. VDOM and Global configuration settings apply only to a FortiGate unit operating with virtual domains enabled. If you are not operating your FortiGate unit with virtual domains enabled, you can ignore the VDOM and Global icons. For more information about virtual domains, see “Using virtual domains” on page 103. Figure 7: A context-sensitive online help page (content pane only)

Bookmark Print

Show Navigation Previous Next

Email

Show Navigation

Open the online help navigation pane. From the navigation pane you can use the online help table of contents, index, and search to access all of the information in the online help. The online help is organized in the same way as the FortiGate web-based manager and the FortiGate Administration Guide.

Previous

Display the previous page in the online help.

Next

Display the next page in the online help

Email

Send an email to Fortinet Technical Documentation at [email protected] if you have comments on or corrections for the online help or any other Fortinet technical documentation product.

Print

Print the current online help page.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

49

Using FortiGate Online Help

Web-based manager

Bookmark

Add an entry for this online help page to your browser bookmarks or favorites list to make it easier to find useful online help pages. You cannot use the Bookmark icon to add an entry to your favorites list if you are viewing online help from Internet Explorer running on a management PC with Windows XP and service pack 2 installed. When you select help for a VDOM configuration settings web-based manager page the help display includes the VDOM icon. For information about VDOM configuration settings, see “VDOM configuration settings” on page 104. When you select help for a Global configuration settings web-based manager page the help display includes the Global icon. For information about Global configuration settings, see “Global configuration settings” on page 107.

To view the online help table of contents or index, and to use the search feature, select Online Help in the button bar in the upper right corner of the web-based manager. From the online help, select Show Navigation. Figure 8: Online help page with navigation pane and content pane

Contents Index Search Show in Contents

Contents

Display the online help table of contents. You can navigate through the table of contents to find information in the online help. The online help is organized in the same way as the FortiGate web-based manager and the FortiGate Administration Guide.

Index

Display the online help index. You can use the index to find information in the online help.

Search

Display the online help search. For more information, see “Searching the online help” on page 50.

Show in Contents

If you have used the index, search, or hyperlinks to find information in the online help, the table of contents may not be visible or the table of contents may be out of sync with the current help page. You can select Show in Contents to display the location of the current help page within the table of contents.

Searching the online help Using the online help search, you can search for one word or multiple words in the full text of the FortiGate online help system. Please note the following:

50

•

If you search for multiple words, the search finds only those help pages that contain all of the words that you entered. The search does not find help pages that only contain one of the words that you entered.

•

The help pages found by the search are ranked in order of relevance. The higher the ranking, the more likely the help page includes useful or detailed information about the word or words that you are searching for. Help pages with the search words in the help page title are ranked highest.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Web-based manager

Using FortiGate Online Help

•

You can use the asterisk (*) as a search wildcard character that is replaced by any number of characters. For example, if you search for auth* the search finds help pages containing auth, authenticate, authentication, authenticates, and so on.

•

In some cases the search finds only exact matches. For example, if you search for windows the search may not find pages containing the word window. You can work around this using the * wildcard (for example by searching for window*).

To search in the online help system 1 From any web-based manager page, select the online help button. 2 Select Show Navigation. 3 Select Search. 4 In the search field, enter one or more words to search for and then press the Enter key on your keyboard or select Go. The search results pane lists the names of all the online help pages that contain all the words that you entered. Select a name from the list to display that help page. Figure 9: Searching the online help system

Go Search Field

Search Results

Using the keyboard to navigate in the online help You can use the keyboard shortcuts listed in Table 3 to display and find information in the online help. Table 3: Online help navigation keys Key

Function

Alt+1

Display the table of contents.

Alt+2

Display the index.

Alt+3

Display the Search tab.

Alt+4

Go to the previous page.

Alt+5

Go to the next page.

Alt+7

Send an email to Fortinet Technical Documentation at [email protected] if you have comments on or corrections for the online help or any other Fortinet technical documentation product.

Alt+8

Print the current online help page.

Alt+9

Add an entry for this online help page to your browser bookmarks or favorites list, to make it easier to find useful online help pages.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

51

Logging out

Web-based manager

Logging out The Logout button immediately logs you out of the web-based manager. Log out before you close the browser window. If you simply close the browser or leave the web-based manager, you remain logged in until the idle timeout (default 5 minutes) expires. To change the timeout, see “Changing the web-based manager idle timeout” on page 47.

Web-based manager pages The web-based manager interface consists of a menu and pages. Many of the pages have multiple tabs. When you select a menu item, such as System, the web-based manager expands to reveal a submenu. When you select one of the submenu items, the associated page opens at its first tab. To view a different tab, select the tab. The procedures in this manual direct you to a page by specifying the menu item, the submenu item and the tab, for example: 1 Go to System > Network > Interface. Figure 10: Parts of the web-based manager (shown for the FortiGate-50B)

Tabs

Page

Button bar

Menu

Using the web-based manager menu The web-based manager menu provides access to configuration options for all major FortiGate features (see Figure 10 on page 52).

52

System

Configure system settings, such as network interfaces, virtual domains, DHCP services, administrators, certificates, High Availability (HA), system time and set system options.

Router

Configure FortiGate static and dynamic routing and view the router monitor.

Firewall

Configure firewall policies and protection profiles that apply network protection features. Also configure virtual IP addresses and IP pools.

UTM

Configure antivirus and antispam protection, web filtering, intrusion protection, data leak prevention, and application control. FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Web-based manager

Web-based manager pages

VPN

Configure IPSec and SSL virtual private networking. PPTP is configured in the CLI.

User

Configure user accounts for use with firewall policies that require user authentication. Also configure external authentication servers such as RADIUS, LDAP, TACACS+, and Windows AD. Configure monitoring of Firewall, IPSec, SSL, IM, and Banned Users.

Endpoint control

Configure end points, view FortiClient configuration information, and configure software detection patterns.

Log&Report

Configure logging and alert email. View log messages and reports.

Using web-based manager lists Many of the web-based manager pages contain lists. There are lists of network interfaces, firewall policies, administrators, users, and others. If you log in as an administrator with an admin profile that allows Read-Write access to a list, depending on the list you will usually be able to: •

select Create New to add a new item to the list

•

select the Edit icon for a list item to view and change the settings of the item

•

select the Delete icon for a list item to delete the item. The delete icon will not be available if the item cannot be deleted. Usually items cannot be deleted if they have been added to another configuration; you must first find the configuration settings that the item has been added to and remove the item from them. For example, to delete a user that has been added to a user group you must first remove the user from the user group (see Figure 11).

Figure 11: A web-based manager list (read-write access)

Delete Edit If you log in as an administrator with an admin profile that allows Read Only access to a list, you will only be able to view the items on the list (see Figure 12). Figure 12: A web-based manager list (read only access)

View For more information, see “Admin profiles” on page 222.

Adding filters to web-based manager lists You can add filters to control the information that is displayed by the following complex lists: •

Session list (see “Viewing the session list” on page 83)

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

53

Web-based manager pages

Web-based manager

•

Firewall policy and IPv6 policy lists (see “Viewing the firewall policy list” on page 321)

•

Intrusion protection predefined signatures list (see “Viewing the predefined signature list” on page 457)

•

Firewall user monitor list (see “Firewall user monitor list” on page 591)

•

IPSec VPN Monitor (see “IPSEC monitor list” on page 592)

•

Endpoint control list of known endpoints (see “Monitoring endpoints” on page 644)

•

Log and report log access list (see “Accessing Logs” on page 662).

Filters are useful for reducing the number of entries that are displayed on a list so that you can focus on the information that is important to you. For example, you can go to System > Status, and, in the Statistics section, select Details on the Sessions line to view the communications sessions that the FortiGate unit is currently processing. A busy FortiGate unit may be processing hundreds or thousands of communications sessions. You can add filters to make it easier to find specific sessions. For example, you might be looking for all communications sessions being accepted by a specific firewall policy. You can add a Policy ID filter to display only the sessions for a particular Policy ID or range of Policy IDs. You add filters to a web-based manager list by selecting any filter icon to display the Edit Filters window. From the Edit Filters window you can select any column name to filter, and configure the filter for that column. You can also add filters for one or more columns at a time. The filter icon remains gray for unfiltered columns and changes to green for filtered columns. Figure 13: An intrusion protection predefined signatures list filtered to display all signatures containing “apache” with logging enabled, action set to drop, and severity set to high

Filter added to display names that include “apache”

No filter added

The filter configuration is retained after leaving the web-based manager page and even after logging out of the web-based manager or rebooting the FortiGate unit. Different filter styles are available depending on the type of information displayed in individual columns. In all cases, you configure filters by specifying what to filter on and whether to display information that matches the filter, or by selecting NOT to display information that does not match the filter. Note: Filter settings are stored in the FortiGate configuration and will be maintained the next time that you access any list for which you have added filters.

On firewall policy, IPv6 policy, predefined signature and log and report log access lists, you can combine filters with column settings to provide even more control of the information displayed by the list. See “Using filters with column settings” on page 59 for more information.

54

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Web-based manager

Web-based manager pages

Filters for columns that contain numbers If the column includes numbers (for example, IP addresses, firewall policy IDs, or port numbers) you can filter by a single number or a range of numbers. For example, you could configure a source address column to display only entries for a single IP address or for all addresses in a range of addresses. To specify a range, separate the top and bottom values of the range with a hyphen, for example 25-50. Figure 14 shows a numeric filter configured to control the source addresses that are displayed on the session list. In this example, a filter is enabled for the Source Address column. The filter is configured to display only source addresses in the range of 1.1.1.11.1.1.2. To view the session list, go to System > Status. In the Statistics section, beside Sessions, select Details. Figure 14: A session list with a numeric filter set to display sessions with source IP address in the range of 1.1.1.1-1.1.1.2

Filters for columns containing text strings If the column includes text strings (for example, names and log messages) you can filter by a text string. You can also filter information that is an exact match for the text string (equals), that contains the text string, or that does not equal or does not contain the text string. You can also specify whether to match the capitalization (case) of the text string. The text string can be blank and it can also be very long. The text string can also contain special characters such as and so on. However, filtering ignores characters following a < unless the < is followed by a space (for example, filtering ignores characters and any characters inside them (for example, filtering ignores but does not ignore >string>).

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

55

Web-based manager pages

Web-based manager

Figure 15: A firewall policy list filter set to display all policies that do not include a source address with a name that contains “My_Address”

Filters for columns that can contain only specific items For columns that can contain only specific items (for example, a log message severity or a pre-defined signature action) you can select a single item from a list. In this case, you can only filter on a single selected item. Figure 16: An intrusion protection predefined signature list filter set to display all signatures with Action set to block

Custom filters Other custom filters are also available. You can filter log messages according to date range and time range. You can also set the level filter to display log messages with multiple severity levels.

56

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Web-based manager

Web-based manager pages

Figure 17: A log access filter set to display all log messages with level of alert, critical, error, or warning

Using page controls on web-based manager lists The web-based manager includes page controls to make it easier to view lists that contain more items than you can display on a typical browser window. These page controls are available for the following lists: •

session list (see “Viewing the session list” on page 83)

•

Router Monitor (see “Router Monitor” on page 315)

•

intrusion protection predefined signatures list (see “Viewing the predefined signature list” on page 457)

•

web filtering lists (see “Web Filter” on page 475)

•

antispam lists (see “Antispam” on page 495)

•

Firewall user monitor list (see “Firewall user monitor list” on page 591)

•

IPSec VPN Monitor (see “IPSEC monitor list” on page 592)

•

Banned user list (see “NAC quarantine and the Banned User list” on page 595)

•

log and report log access lists (see “Accessing Logs” on page 662).

•

Endpoint control list of known endpoints (see “Monitoring endpoints” on page 644)

Figure 18: Page controls

Previous Page

Total Number of Pages

First Page

Last Page Next Page Current Page (enter a page number to display that page)

First Page

Display the first page of items in the list.

Previous Page

Display the previous page of items in the list.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

57

Web-based manager pages

Web-based manager

Current Page

The current page number of list items that are displayed. You can enter a page number and press Enter to display the items on that page. For example if there are 5 pages of items and you enter 3, page 3 of the sessions will be displayed.

Total Number of Pages

The number of pages of list items that you can view.

Next Page

Display the next page of items in the list.

Last Page

Display the last page of items in the list.

Using column settings to control the columns displayed Using column settings, you can format some web-based manager lists so that information that is important to you is easy to find and less important information is hidden or less distracting. On the following web-based manager pages that contain complex lists, you can change column settings to control the information columns that are displayed for the list and to control the order in which they are displayed. •

Network interface list (see “Interfaces” on page 119)

•

Firewall policy and IPv6 policy (see “Viewing the firewall policy list” on page 321)

•

Intrusion protection predefined signatures list (see “Viewing the predefined signature list” on page 457)

•

Firewall user monitor list (see “Firewall user monitor list” on page 591)

•

IPSec VPN Monitor (see “IPSEC monitor list” on page 592)

•

Endpoint control list of known endpoints (see “Monitoring endpoints” on page 644)

•

Log and report log access lists (see “Accessing Logs” on page 662). Note: Any changes that you make to the column settings of a list are stored in the FortiGate configuration and will display the next time that you access the list.

To change column settings on a list that supports it, select Column Settings. From Available fields, select the column headings to be displayed and then select the Right Arrow to move them to the “Show these fields in this order” list. Similarly, to hide column headings, use the Left Arrow to move them back to the Available fields list. Use Move Up and Move Down to change the order in which to display the columns. For example, you can change interface list column headings to display only the IP/Netmask, MAC address, MTU, and interface Type for each interface.

58

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Web-based manager

Web-based manager pages

Figure 19: Example of interface list column settings

Left Arrow

Right Arrow

Figure 20: A FortiGate-5001SX interface list with column settings changed

Using filters with column settings On firewall policy, IPv6 policy, predefined signature, firewall user monitor, IPSec monitor and log and report log access lists you can combine filters with column settings to provide even more control of the information displayed by the list. For example, you can go to Intrusion Protection > Signature > Predefined and configure the Intrusion Protection predefined signatures list to show only the names of signatures that protect against vulnerabilities for a selected application. To do this, set Column Settings to only display Applications and Name. Then apply a filter to Applications so that only selected applications are listed. In the pre-defined signatures list you can also sort the list by different columns; you might want to sort the list by application so that all signatures for each application are grouped together.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

59

Web-based manager icons

Web-based manager

Figure 21: A pre-defined signatures list displaying pre-defined signatures for the Veritas and Winamp applications

For more information, see “Adding filters to web-based manager lists” on page 53.

Web-based manager icons The web-based manager has icons in addition to buttons to help you to interact with your FortiGate unit. There are tooltips to assist you in understanding the function of most icons. Pause the mouse pointer over the icon to view the tooltip. Table 4 describes the icons that are available in the web-based manager. Table 4: web-based manager icons Icon

Name

Description

Administrative The administrative status of a FortiGate interface is down status down and the interface will not accept traffic. Administrative The administrative status of a FortiGate interface is up and status up the interface accepts traffic. Change Password

Change the administrator password. This icon appears in the Administrators list if your admin profile enables you to give write permission to administrators.

Clear

Clear all or remove all entries from the current list. For example, on a URL filter list you can use this icon to remove all URLs from the current URL filter list.

Delete

Delete an item. This icon appears in lists where the item can be deleted and you have edit permission for the item.

Description

The tooltip for this icon displays the Description or Comments field for this table entry.

Disconnect from cluster

Disconnect a FortiGate unit from a functioning HA cluster.

Download

Download information from a FortiGate unit. For example, you can download certificates and debug logs.

Edit

Edit a configuration. This icon appears in lists where you have write permission for the item.

Enter a VDOM Enter a virtual domain and use the web-based manager to configure settings for the virtual domain. Expand Arrow Expand this section to reveal more fields. This icon is used in (closed) some dialog boxes and lists.

60

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Web-based manager

Web-based manager icons

Table 4: web-based manager icons (Continued) Icon

Name

Description

Expand Arrow Close this section to hide some fields. This icon is used in (open) some dialog boxes and lists. Filter

Set a filter on one or more columns in this table. See “Adding filters to web-based manager lists” on page 53.

First page

View the first page of a list.

Insert before

Add a new item to a list so that it precedes the current item. Used in lists when the order of items in the list is significant, for example firewall policies, IPS Sensors, and DoS Sensors.

Last page

View the last page of a list.

Move to

Change the position of an item in a list. Used in lists when the order of items in the list is significant, for example firewall policies, IPS Sensors, and DoS Sensors.

Next page

View the next page of a list.

Previous page View the previous page of a list. Refresh

Update the information on this page.

View

View a configuration. This icon appears in lists instead of the Edit icon when you have read-only access to a web-based manager list.

View details

View detailed information about an item. For example, you can use this icon to view details about certificates.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

61

Web-based manager icons

62

Web-based manager

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Status

Status page

System Status This section describes the System Status page, the dashboard of your FortiGate unit. At a glance you can view the current system status of the FortiGate unit including serial number, uptime, FortiGuard™ license information, system resource usage, alert messages and network statistics. Note: Your browser must support Javascript to view the System Status page.

If you enable virtual domains (VDOMs) on the FortiGate unit, the status page is available globally and system status settings are configured globally for the entire FortiGate unit. The Topology viewer is not available when VDOMs are enabled. For details, see “Using virtual domains” on page 103. This section describes: •

Status page

•

Changing system information

•

Changing the FortiGate firmware

•

Viewing operational history

•

Manually updating FortiGuard definitions

•

Viewing Statistics

•

Topology

Status page View the System Status page, also known as the system dashboard, for a snapshot of the current operating status of the FortiGate unit. FortiGate administrators whose admin profiles permit write access to system configuration can change or update FortiGate unit information. For more information on admin profiles, see “Admin profiles” on page 222. When the FortiGate unit is part of an HA cluster, the System Status page includes basic high availability (HA) cluster status such as including the name of the cluster and the cluster members including their host names. To view more specialized HA status information for the cluster, go to System > Config > HA. For more information, see “HA” on page 177. Note: The information on the System Status page applies to the whole HA cluster, not just the Master unit. This includes information such as URLs visited, emails sent and received, and viruses caught.

FortiGate administrators whose admin profiles permit write access to system configuration can change or update FortiGate unit information. For information on admin profiles, see “Admin profiles” on page 222.

Viewing system status The System Status page displays by default when you log in to the web-based manager. Go to System > Status to view the System Status page. FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

63

Status page

System Status

To view this page, your admin profile must permit read access to system configuration. If you also have system configuration write access, you can modify system information and update FortiGuard - AV and FortiGuard - IPS definitions. For information on admin profiles, see “Admin profiles” on page 222. The System Status page is customizable. You can select which widgets to display, where they are located on the page, and if they are minimized or maximized. Each display has an icon associated with it for easy recognition when minimized. Figure 22: System Status page

Select Add Content to add any of the widgets not currently shown on the System Status page. Any widgets currently on the System Status page will be greyed out in the Add Content menu, as you can only have one of each display on the System Status page. Optionally select Back to Default to restore the historic System Status page configuration. Position your mouse over a display’s titlebar to see your available options for that display. The options vary slightly from display to display. Figure 23: A minimized display

Widget title Disclosure arrow

History Edit Refresh Close

Widget Title

Shows the name of the display

Disclosure arrow

Select to maximize or minimize the display.

History

Select to show an expanded set of data. Not available for all widgets.

Edit

Select to change settings for the display.

Refresh

Select to update the displayed information.

Close

Select to close the display. You will be prompted to confirm the action.

The available dashboard widgets are:

64

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Status

Status page

•

System Information

•

License Information

•

Unit Operation

•

System Resources

•

Alert Message Console

•

Statistics

•

CLI Console

•

Top Sessions

•

Top Viruses

•

Top Attacks

•

Traffic History

System Information Go to System > Status to find System Information. Figure 24: System Information

Serial Number

The serial number of the FortiGate unit. The serial number is specific to the FortiGate unit and does not change with firmware upgrades.

Uptime

The time in days, hours, and minutes since the FortiGate unit was started.

System Time

The current date and time according to the FortiGate unit’s internal clock. Select Change to change the time or configure the FortiGate unit to get the time from an NTP server. For more information, see “Configuring system time” on page 78.

HA Status

The status of high availability for this unit. Standalone indicates the unit is not operating in HA mode. Active-Passive or Active-Active indicate the unit is operating in HA mode. Select Configure to configure the HA status for this unit. For more information, see “HA” on page 177.

Host Name

The host name of the current FortiGate unit. Select Change to change the host name. For more information, see “Changing the FortiGate unit host name” on page 78. If the FortiGate unit is in HA mode, this field is not displayed.

Cluster Name

The name of the HA cluster for this FortiGate unit. For more information, see “HA” on page 177. The FortiGate unit must be operating in HA mode to display this field.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

65

Status page

System Status

Cluster Members

The FortiGate units in the HA cluster. Information displayed about each member includes host name, serial number, and whether the unit is a primary (master) or subordinate (slave) unit in the cluster. For more information, see “HA” on page 177. The FortiGate unit must be operating in HA mode with virtual domains disabled to display this field.

Virtual Cluster 1 Virtual Cluster 2

The role of each FortiGate unit in virtual cluster 1 and virtual cluster 2. For more information, see “HA” on page 177. The FortiGate unit must be operating in HA mode with virtual domains enabled to display these fields.

Firmware Version The version of the current firmware installed on the FortiGate unit. The format for the firmware version is Select Update to change the firmware. For more information, see “Upgrading to a new firmware version” on page 80. FortiClient Version The currently version of FortiClient uploaded to your FortiGate unit used for endpoint control. This field appears if you can upload a FortiClient image onto your FortiGate unit. See “Configuring FortiClient required version and installer download” on page 642. Operation Mode

The operating mode of the current FortiGate unit. Except for model 224B in switch view, a FortiGate unit can operate in NAT mode or Transparent mode. Select Change to switch between NAT and Transparent mode. For more information, see “Changing operation mode” on page 206 If virtual domains are enabled, this field shows the operating mode of the current virtual domain. Each virtual domain can be operating in either NAT mode or Transparent mode.

Virtual Domain

Status of virtual domains on your FortiGate unit. Select enable or disable to change the status of virtual domains feature. Multiple VDOM operation is not available on a FortiGate-224B unit in switch view. If you enable or disable virtual domains, your session will be terminated and you will need to log in again. For more information, see “Using virtual domains” on page 103.

Current Administrators

The number of administrators currently logged into the FortiGate unit. Select Details to view more information about each administrator that is currently logged in. The additional information includes user name, type of connection, IP address from which they are connecting, and when they logged in.

License Information License Information displays the status of your technical support contract and FortiGuard subscriptions. The FortiGate unit updates the license information status indicators automatically when attempting to connect to the FortiGuard Distribution Network (FDN). FortiGuard Subscriptions status indicators are green if the FDN was reachable and the license was valid during the last connection attempt, grey if the FortiGate unit cannot connect to the FDN, and orange if the FDN is reachable but the license has expired. Selecting any of the Configure options will take you to the Maintenance page. For more information, see “System Maintenance” on page 253.

66

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Status

Status page

Figure 25: License Information

Support Contract

The Fortinet technical support contract number and expiry date, or registration status. If Not Registered appears, select Register to register the unit. If Expired appears, select Renew for information on renewing your technical support contract. Contact your local reseller.

FortiGuard Subscriptions AntiVirus

The FortiGuard Antivirus version, license issue date and service status. If your license has expired, you can select Renew two renew the license.

AV Definitions

The currently installed version of the FortiGuard Antivirus definitions. To update the definitions manually, select Update. For more information, see “Manually updating FortiGuard definitions” on page 82.

Intrusion Protection

The FortiGuard Intrusion Prevention System (IPS) license version, license issue date and service status. If your license has expired, you can select Renew two renew the license.

IPS Definitions

The currently installed version of the IPS attack definitions. To update the definitions manually, select Update. For more information, see “Manually updating FortiGuard definitions” on page 82.

Web Filtering

The FortiGuard Web Filtering license, license expiry date and service status. If your license has expired, you can select Renew two renew the license.

Antispam

The FortiGuard Antispam license type, license expiry date and service status. If your license has expired, you can select Renew two renew the license.

AS Rule Set

The currently installed version of the antispam rule set. To update the rule set manually, select Update. For more information, see “Manually updating FortiGuard definitions” on page 82.

Analysis and The FortiGuard Analysis and Management Service license, Management Service license expiry date, and reachability status. Services Account ID

Select “change“ to enter a different Service Account ID. This ID is used to validate your license for subscription services such as the FortiGuard Analysis and Management Service.

Virtual Domain VDOMs Allowed

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

The maximum number of virtual domains the unit supports with the current license. For high-end FortiGate, you can select the Purchase More link to purchase a license key through Fortinet technical support to increase the maximum number of VDOMs. See “Adding VDOM Licenses” on page 276.

67

Status page

System Status

Unit Operation In the Unit Operation area, an illustration of the FortiGate unit’s front panel shows the status of the unit’s Ethernet network interfaces. If a network interface is green, that interface is connected. Pause the mouse pointer over the interface to view the name, IP address, netmask and current status of the interface. If you select Reboot or ShutDown, a pop-up window opens allowing you to enter the reason for the system event. You can only have one management and one logging/analyzing method displayed for your FortiGate unit. The graphic for each will change based on which method you choose. If none are selected, no graphic is shown. Note: Your reason will be added to the Disk Event Log if disk logging, event logging, and admin events are enabled. For more information on Event Logging, see “Event log” on page 659. Figure 26: Unit Operation (FortiGate-800)

Figure 27: Unit Operation (FortiGate 30B with FGAMS)

Figure 28: Unit Operation (FortiGate 3810A)

68

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Status

Status page

INT / EXT / DMZ / HA / The network interfaces on the FortiGate unit. The names and WAN1 / WAN2 / 1 / 2 / number of these interfaces vary by model. The icon below the interface name indicates its up/down status by 3/4 color. Green indicates the interface is connected. Grey indicates there is no connection. For more information about the configuration and status of an interface, pause the mouse over the icon for that interface. A tooltip displays the full name of the interface, its alias if one is configured, the IP address and netmask, the status of the link, the speed of the interface, and the number of sent and received packets. AMC-SW1/1, ... AMC-DW1/1, ...

If your FortiGate unit supports Advanced Mezzanine Card (AMC) modules and if you have installed an AMC module containing network interfaces (for example, the FortiGate-ASM-FB4 contains 4 interfaces) these interfaces are added to the interface status display. The interfaces are named for the module, and the interface. For example AMC-SW1/3 is the third network interface on the SW1 module, and AMC-DW2/1 is the first network interface on the DW2 module. AMC modules support hard disks as well, such as the ASM-S08 module. When a hard disk is installed, ASM-S08 is visible as well as a horizontal bar and percentage indicating how full the hard disk is.

FortiAnalyzer

The icon on the link between the FortiGate unit graphic and the FortiAnalyzer graphic indicates the status of their OFTP connection. An ‘X’ on a red icon indicates there is no connection. A check mark on a green icon indicates there is OFTP communication. Select the FortiAnalyzer graphic to configure remote logging tot he FortiAnalyzer unit on your FortiGate unit. See “Logging to a FortiAnalyzer unit” on page 650.

FortiGuard Analysis Service

The icon on the link between the FortiGate unit graphic and the FortiGuard Analysis Service graphic indicates the status of their OFTP connection. An ‘X’ on a red icon indicates there is no connection. A check mark on a green icon indicates there is OFTP communication. Select the FortiGuard Analysis Service graphic to configure remote logging to the FortiGuard Analysis Service. See “FortiGuard Analysis and Management Service” on page 648.

FortiManager

The icon on the link between the FortiGate unit graphic and the FortiManager graphic indicates the status of the connection. An ‘X’ on a red icon indicates there is no connection. A check mark on a green icon indicates there is communication between the two units. Select the FortiManager graphic to configure central management on your FortiGate unit. See “Central Management” on page 226.

FortiGuard The icon on the link between the FortiGate unit graphic and the Management Service FortiGuard Analysis and Management Service graphic indicates the status of the connection. An ‘X’ on a red icon indicates there is no connection. A check mark on a green icon indicates there is communication. Select the FortiGuard Analysis and Management Service graphic to configure central management on your FortiGate unit. See “Central Management” on page 226. Reboot

Select to shutdown and restart the FortiGate unit. You will be prompted to enter a reason for the reboot that will be entered into the logs.

Shutdown

Select to shutdown the FortiGate unit. You will be prompted for confirmation, and also prompted to enter a reason for the shutdown that will be entered into the logs.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

69

Status page

System Status

System Resources The System Resources widget displays basic FortiGate unit resource usage, such as CPU and memory (RAM) usage. Any System Resources that are not displayed on the status page can be viewed as a graph by selecting the History icon. To see the most recent CPU and memory usage, select the Refresh icon. Figure 29: System Resources

History

A graphical representation of the last minute of CPU, memory, sessions, and network usage. This page also shows the virus and intrusion detections over the last 20 hours. For more information, see “Viewing operational history” on page 81.

CPU Usage

The current CPU status displayed as a dial gauge and as a percentage. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.

Memory Usage

The current memory (RAM) status displayed as a dial gauge and as a percentage. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.

FortiAnalyzer Usage The current status of the FortiAnalyzer disk space used by this FortiGate unit’s quota, displayed as a pie chart and a percentage. You can use the System Resources edit menu to select not to display this information. This is available only if you have configured logging to a FortiAnalyzer unit. Disk Usage

The current status of the FortiGate unit disk space used, displayed as a pie chart and a percentage. This is available only if you have a hard disk on your FortiGate unit.

Alert Message Console Alert messages help you track system events on your FortiGate unit such as firmware changes, network security events, or virus detection events. Each message shows the date and time that the event occurred.

70

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Status

Status page

Figure 30: Alert Message Console

The following types of messages can appear in the Alert Message Console: System restart

The system restarted. The restart could be due to operator action or power off/on cycling.

Firmware upgraded by

The named administrator upgraded the firmware to a more recent version on either the active or non-active partition.

Firmware downgraded by

The named administrator downgraded the firmware to an older version on either the active or non-active partition.

FortiGate has reached connection limit for seconds

The antivirus engine was low on memory for the duration of time shown. Depending on model and configuration, content can be blocked or can pass unscanned under these conditions.

Found a new FortiAnalyzer Shows that the FortiGate unit has either found or lost Lost the connection to FortiAnalyzer the connection to a FortiAnalyzer unit. See “Logging to a FortiAnalyzer unit” on page 650. New firmware is available from FortiGuard

An updated firmware image is available to be downloaded to this FortiGate unit.

If there is insufficient space for all of the messages within the Alert Message Console widget, select History to view the list of alerts in a new window. To clear alert messages, select the History icon and then select Clear Alert Messages, which is located at the top of the pop-up window. This will acknowledge and hide all current alert messages from your FortiGate unit. Select Edit to display Custom Alert Display options that offer the following customizations for your alert message display: •

Do not display system shutdown and restart.

•

Do not display firmware upgrade and downgrade.

•

Do not display conserve mode messages

Statistics The Statistics widget is designed to allow you to see at a glance what is happening on your FortiGate unit with regards to network traffic and attack attempts. You can quickly see the amount and type of traffic as well as any attack attempts on your system. To investigate an area that draws your attention, select Details for a detailed list of the most recent activity. The information displayed in the statistics widget is derived from log messages that can be saved to a FortiAnalyzer unit, saved locally, or backed up to an external source such as a syslog server. You can use this data to see trends in network activity or attacks over time. Various configuration settings are required to actually collect data for the statistics widget. See the descriptions of content archive and attack log for details. For detailed procedures involving the Statistics list, see “Viewing Statistics” on page 83.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

71

Status page

System Status

Figure 31: Statistics

Refresh Reset Close

Figure 32: Statistics

Refresh Reset Close

72

Since

The date and time when the counts were last reset. Counts are reset when the FortiGate unit reboots, or when you select Reset.

Reset

Reset the Content Archive and Attack Log statistic counts to zero.

Sessions

The number of communications sessions being handled by the FortiGate unit. Select Details for detailed information. See “Viewing the session list” on page 83.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Status

Status page

Content Archive

A summary of the HTTP, HTTPS, email, FTP and IM traffic that has passed through the FortiGate unit, and whose metadata has been content archived. The Details pages list the last 64 items of the selected type and provides links to the FortiAnalyzer unit where the archived traffic is stored. If logging to a FortiAnalyzer unit is not configured, the Details pages provide a link to Log & Report > Log Config > Log Settings. You configure the FortiGate unit to collect content archive data for the statistics widget by configuring protection profiles to display content meta-information on the system dashboard. To configure a protection profile, go to Firewall > Protection Profile. Create or edit a protection profile and configure Data Leak Prevention Sensor > Display content meta-information on the system dashboard and select the protocols to collect statistics for. By default meta-data is collected and displayed on the statistics widget for all protocols. For more information, see “Data Leak Prevention Sensor options” on page 419. You must also add the protection profile to a firewall policy. When the firewall policy receives sessions for the selected protocols, meta-data is added to the statistics widget. You can configure a protection profile to collect statistics for HTTP, HTTPS, FTP, IMAP, POP3, and SMTP traffic. If your FortiGate unit supports SSL content scanning and inspection, a protection profile can also collect statistics for IMAPS, POP3S, and SMTPS traffic. For more information, see “SSL content scanning and inspection” on page 399. By default meta-data is collected and displayed on the statistics widget for all of these protocols. The Email statistics are based on email protocols. POP3 and IMAP traffic is registered as incoming email, and SMTP is outgoing email. If your FortiGate unit supports SSL content scanning and inspection, incoming email also includes POP3S and IMAPS and outgoing email also includes SMTPS. If incoming or outgoing email does not use these protocols, these statistics will not be accurate. The IM statistics are based on the AIM, ICQ, MSN, and Yahoo! protocols. You can also configure displaying meta-information on the system dashboard for these IM protocols.

Attack Log A summary of viruses, attacks, spam email messages, and blocked URLs that the FortiGate unit has intercepted. Also displays the number of sessions matched by DLP. The Details pages list the 20 most recent items, providing the time, source, destination and other information. DLP data loss detected actually displays the number of sessions that have matched DLP sensors added to protection profiles. DLP collects meta-data about all sessions matched by DLP sensors and records this meta-data in the DLP log. Every time a DLP log message is recorded, the DLP data loss detected number increases. If you are using DLP for content summary or full content archiving the DLP data loss detected number can get very large. This number may not indicate that data has been lost or leaked. For more information, see “Adding or editing a rule in a DLP sensor” on page 513.

CLI Console The System Status page can include a CLI. To use the console, select it to automatically log in to the admin account you are currently using in the web-based manager. You can copy (CTRL-C) and paste (CTRL-V) text from or to the CLI Console. Figure 33: CLI Console

Customize

The two controls located on the CLI Console widget’s title bar are Customize, and Detach.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

73

Status page

System Status

Detach moves the CLI Console widget into a pop-up window that you can resize and reposition. The two controls on the detached CLI Console are Customize and Attach. Attach moves the CLI console widget back onto the System Status page. Customize allows you to change the appearance of the console by defining fonts and colors for the text and background. Figure 34: Customize CLI Console window

Preview

A preview of your changes to the CLI Console’s appearance.

Text

Select the current color swatch next to this label, then select a color from the color palette to the right to change the color of the text in the CLI Console.

Background

Select the current color swatch next to this label, then select a color from the color palette to the right to change the color of the background in the CLI Console.

Use external command input box

Select to display a command input field below the normal console emulation area. When this option is enabled, you can enter commands by typing them into either the console emulation area or the external command input field.

Console buffer length Enter the number of lines the console buffer keeps in memory. Valid numbers range from 20 to 9999. Font

Select a font from the list to change the display font of the CLI Console.

Size

Select the size of the font. The default size is 10 points.

Top Sessions Top Sessions displays either a bar graph or a table showing the IP addresses that have the most sessions open on the FortiGate unit. The sessions are sorted by their source or destination IP address, or the port address. The sort criteria being used is displayed in the top right corner. The Top Sessions display polls the kernel for session information, and this slightly impacts the FortiGate unit performance. For this reason when this display is not shown on the dashboard, it is not collecting data, and not impacting system performance. When the display is shown, information is only stored in memory.

74

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Status

Status page

Note: Rebooting the FortiGate unit will reset the Top Session statistics to zero. Figure 35: Top sessions bar graph showing destination IP addresses

Last updated Sort Criteria

Number of active sessions

Change to a detailed table view Criteria of Top Sessions (Source IP Address)

Number of sessions displayed

The Top Sessions display is not part of the default dashboard display. It can be displayed by selecting Add Content > Top Sessions. To view detailed information about all displayed sessions at once, select Details. This changes the Top Sessions display to a table format, without opening a new window. To return to the chart display, select Return. The table displays more detailed information about sessions than the chart display, including: •

the session protocol such as tcp or udp

•

source address and port

•

destination address and port

•

the ID of the policy, if any, that applies to the session

•

how long until the session expires

•

which virtual domain the session belongs to

To view detailed information about a single session bar in the chart, click on the bar. The display will change to the table format, with the filters set to only show the selected information. Selecting edit for Top Sessions allows changes to the: •

refresh interval

•

sort criteria to change between source and destination addresses of the sessions

•

number of top sessions to show

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

75

Status page

System Status

Figure 36: Edit menu for Top Sessions

Sort Criteria

Select the method used to sort the Top Sessions on the System Status display. Choose one of: • Source Address • Destination Address • Port Address

Display UserName

Select to include the username associated with this source IP address, if available. In the table display format this will be a separate column. Display UserName is available only when the sort criteria is Source Address.

Resolve Host Name

Select to resolve the IP address to the host name. Resolve Host Name is not available when the sort criteria is Destination Port.

Resolve Service

Select to resolve a port addresses into their commonly associated service names. Any port address without a service, will continue to be displayed as the port address. For example port 443 would resolve to HTTPS. Resolve Service is only available when the sort criteria is Destination Port.

Display Format

Select how the Top Session information is displayed. Choose one of: • Chart • Table

Top Sessions to Show

Select the number of sessions to display. Choose to display 5, 10, 15, or 20 sessions.

Refresh Interval

Select how often the display is updated. The refresh interval range is from 10 to 240 seconds. Selecting 0 will disable the automatic refresh of the display. You will still be able to select the manual refresh option on the Top Sessions title bar. Shorter refresh intervals may impact the performance of your FortiGate unit. If this occurs, try increasing the refresh interval or disabling the automatic refresh.

Top Viruses Top Viruses displays a bar graph representing the virus threats that have been detected most frequently by the FortiGate unit. The Top Viruses display is not part of the default dashboard display. It can be displayed by selecting Add Content, and selecting Top Viruses from the drop down menu. Selecting the history icon opens a window that displays up to the 20 most recent viruses that have been detected with information including the virus name, when it was last detected, and how many times it was detected. The system stores up to 1024 entries, but only displays up to 20 in the GUI. Selecting the edit icon for Top Viruses allows changes to the: •

76

refresh interval FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Status

Status page

•

top viruses to show

Top Attacks Top Attacks displays a bar graph representing the most numerous attacks detected by the FortiGate unit. The Top Attacks display is not part of the default dashboard display. It can be displayed by selecting Add Content > Top Attacks from the drop down menu. Selecting the history icon opens a window that displays up to the 20 most recent attacks that have been detected with information including the attack name, when it was last detected, and how many times it was detected. The FortiGate unit stores up to 1024 entries, but only displays up to 20 in the web-based manager. Selecting the Edit icon for Top Attacks allows changes to the: •

refresh interval

•

top attacks to show

Traffic History The traffic history display shows the traffic on one selected interface over the last hour, day, and month. This feature can help you locate peaks in traffic that you need to address as well as their frequency, duration, and other information. Only one interface at a time can be monitored. You can change the interface being monitored by selecting Edit, choosing the interface from the drop down menu, and selecting Apply. Doing this will clear all the traffic history data. Figure 37: Traffic History

Interface being monitored

Interface

The interface that is being monitored .

kbit/s

The units of the traffic graph. The scale varies based on traffic levels to allow it to show traffic levels no matter how little or how much traffic there is.

Last 60 Minutes Last 24 Hours Last 30 Days

Three graphs showing the traffic monitored on this interface of the FortiGate unit over different periods of time. Certain trends may be easier to spot in one graph over the others.

Traffic In

The traffic entering the FortiGate unit on this interface is indicated with a thin red line.

Traffic Out

The traffic leaving the FortiGate unit on this interface is indicated with a dark green line, filled in with light green.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

77

Changing system information

System Status

Changing system information FortiGate administrators whose admin profiles permit write access to system configuration can change the system time, host name and the operation mode for the VDOM.

Configuring system time 1 Go to System > Status. 2 In the System Information section, select Change on the System Time line. 3 Select the time zone and then either set the date and time manually or configure synchronization with an NTP server. Figure 38: Time Settings

System Time

The current FortiGate system date and time.

Refresh

Update the display of the current FortiGate system date and time.

Time Zone

Select the current FortiGate system time zone.

Automatically adjust Select to automatically adjust the FortiGate system clock when your time zone changes between daylight saving time and standard time. clock for daylight saving changes Set Time

Select to set the FortiGate system date and time to the values you set in the Hour, Minute, Second, Year, Month and Day fields.

Synchronize with NTP Server

Select to use an NTP server to automatically set the system date and time. You must specify the server and synchronization interval.

Server

Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, see http://www.ntp.org.

Sync Interval

Specify how often the FortiGate unit should synchronize its time with the NTP server. For example, a setting of 1440 minutes causes the FortiGate unit to synchronize its time once a day.

Changing the FortiGate unit host name The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name. For information about SNMP, see “SNMP” on page 185. The default host name is the FortiGate unit serial number. For example FGT8002805030003 would be a FortiGate-800 unit. Administrators whose admin profiles permit system configuration write access can change the FortiGate unit host name.

78

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Status

Changing the FortiGate firmware

Note: If the FortiGate unit is part of an HA cluster, you should use a unique host name to distinguish the unit from others in the cluster.

To change the FortiGate unit host name If the host name is longer than 16 characters, it will be displayed as being truncated and end with a “~”. The full host name will be displayed under System > Status, but the truncated host name will be displayed on the CLI and other places it is used. 1 Go to System > Status. 2 In the Host Name field of the System Information section, select Change. 3 In the New Name field, type a new host name. 4 Select OK. The new host name is displayed in the Host Name field, and in the CLI prompt, and is added to the SNMP System Name.

Changing the FortiGate firmware FortiGate administrators whose admin profiles permit maintenance read and write access can change the FortiGate firmware. Firmware images can be transferred from a number of sources including a local hard disk, a local USB disk, or the FortiGuard Network. Note: To access firmware updates for your FortiGate model, you will need to register your FortiGate unit with Customer Support. For more information go to http://support.fortinet.com or contact Customer Support.

For more information about using the USB disk, and the FortiGuard Network see “System Maintenance” on page 253. Figure 39: Firmware Upgrade/Downgrade

Upgrade From

Select the firmware source from the drop down list of available sources. Possible sources include Local Hard Disk, USB, and FortiGuard Network.

Upgrade File

Browse to the location of the firmware image on your local hard disk. This field is available for local hard disk and USB only.

Upgrade Partition

The number of the partition being updated. This field is available only if your FortiGate unit has more than one firmware partition.

more info

Select to go to the FortiGuard Center to learn more about firmware updates through the FortiGuard network.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

79

Changing the FortiGate firmware

System Status

Firmware changes either upgrade to a newer version or revert to an earlier version. Follow the appropriate procedure to change your firmware. For more information about managing firmware, see “Managing firmware versions” on page 91.

Upgrading to a new firmware version When an update for your FortiGate unit is available, you can update your unit with the new firmware version. To determine what version firmware you have, refer to Firmware version on System > Status > System Information. The version is in the format of “X.Y.Z” where X is the major version number, Y is the minor version number, and Z is the patch number. For example firmware version 4.0.1 is major version 4, with patch 1. Use the following procedure to upgrade the FortiGate unit to a newer firmware version. Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “To update antivirus and attack definitions” on page 272 to make sure that antivirus and attack definitions are up to date.

To upgrade the firmware using the web-based manager 1 Copy the new firmware image file to your management computer. The firmware images for FortiGate units are available at the Fortinet Technical Support web site. Log in to the site and go to Firmware Images > FortiGate. 2 Log into the web-based manager as the super admin, or an administrator account that has system configuration read and write privileges. 3 Go to System > Status. 4 In the System Information section, select Update on the Firmware Version line. 5 Type the path and filename of the firmware image file, or select Browse and locate the file. 6 Select OK. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, closes all sessions, restarts, and displays the FortiGate login. This process takes a few minutes. 7 Log into the web-based manager. 8 Go to System > Status and check the Firmware Version to confirm that the firmware upgrade is successfully installed. 9 Update antivirus and attack definitions. For information about updating antivirus and attack definitions, see “Configuring FortiGuard Services” on page 264.

Reverting to a previous firmware version Use the following procedure to revert your FortiGate unit to a previous firmware version. This also reverts the FortiGate unit to its factory default configuration and deletes IPS custom signatures, web content lists, email filtering lists, and changes to replacement messages. Back up your FortiGate unit configuration to preserve this information. For information, see “About the Maintenance menu” on page 253. If you are reverting to a previous FortiOS™ version (for example, reverting from FortiOS v3.0 to FortiOS v2.8), you might not be able to restore the previous configuration from the backup configuration file.

80

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Status

Viewing operational history

Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure “To update antivirus and attack definitions” on page 272 to make sure that antivirus and attack definitions are up to date.

To revert to a previous firmware version using the web-based manager 1 Copy the firmware image file to your management computer. The firmware images for FortiGate units are available at the Fortinet Technical Support web site. Log in to the site and go to Firmware Images > FortiGate. 2 Log into the web-based manager as the super admin, or an administrator account that has system configuration read and write privileges. 3 Go to System > Status. 4 In the System Information section, select Update on the Firmware Version line. 5 Type the path and filename of the firmware image file, or select Browse and locate the file. 6 Select OK. The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes. 7 Log into the web-based manager. 8 Go to System > Status and check the Firmware Version to confirm that the firmware is successfully installed. 9 Restore your configuration. For information about restoring your configuration, see “About the Maintenance menu” on page 253. 10 Update antivirus and attack definitions. For information about antivirus and attack definitions, see “To update antivirus and attack definitions” on page 272.

Viewing operational history The System Resource History page displays six graphs representing different system resources and protection activity over time. Note the refresh rate is 3 second intervals for the graphs. To view the operational history 1 Go to System > Status. 2 Select History in the upper right corner of the System Resources section.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

81

Manually updating FortiGuard definitions

System Status

Figure 40: Sample system resources history

Time Interval

Select the time interval for the graphs to display.

CPU Usage History

CPU usage for the preceding interval.

Memory Usage History

Memory usage for the preceding interval.

Session History

Number of sessions over the preceding interval.

Network Utilization History

Network utilization for the preceding interval.

Virus History

Number of Viruses detected over the preceding interval.

Intrusion History

Number of intrusion attempts detected over the preceding interval.

Manually updating FortiGuard definitions You can update your FortiGuard antivirus database, Intrusion Protection definitions, and antispam rule set at any time from the License Information section of the System Status page. Note: For information about configuring automatic FortiGuard updates, see “Configuring FortiGuard Services” on page 264.

To update FortiGuard antivirus definitions, IPS definitions, or antispam rule set manually 1 Download the latest update file from Fortinet support site and copy it to the computer that you use to connect to the web-based manager. 2 Start the web-based manager and go to System > Status. 3 In the License Information section, in the AV Definitions, IPS Definitions, or AS Rule Set field of the FortiGuard Subscriptions, select Update. 4 Select Browse and locate the update file or type the path and filename. 5 Select OK to copy the update file to the FortiGate unit. The FortiGate unit updates the AV definitions. This takes about 1 minute. 6 Go to System > Status to confirm that the version information for the selected definition or rule set has updated.

82

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Status

Viewing Statistics

Viewing Statistics The System Status Statistics provide information about sessions, content archiving and network protection activity.

Viewing the session list From the Statistics section of the System Status page, you can view statistics about HTTP, HTTPS, email, FTP and IM traffic through the FortiGate unit. You can select the Details link beside each traffic type to view more information. To view the session list 1 Go to System > Status. 2 In the Statistics section, select Details on the Sessions line. Figure 41: Session list

Virtual Domain

Select a virtual domain to list the sessions being processed by that virtual domain. Select All to view sessions being processed by all virtual domains. This is only available if virtual domains are enabled. For more information see “Using virtual domains” on page 103.

Refresh Icon

Update the session list.

First Page

Select to go to the first displayed page of current sessions.

Previous Page

Select to go to the page of sessions immediately before the current page

Page

Enter the page number of the session to start the displayed session list. For example if there are 5 pages of sessions and you enter 3, page 3 of the sessions will be displayed. The number following the ‘/’ is the number of pages of sessions.

Next Page

Select to go to the next page of sessions.

Last Page

Select to go to the last displayed page of current sessions.

Total

The total number sessions.

Clear All Filters

Select to reset any display filters that may have been set.

Filter Icon

The icon at the top of all columns except #, and Expiry. When selected it brings up the Edit Filter dialog allowing you to set the display filters by column. See “Adding filters to web-based manager lists” on page 53.

Protocol

The service protocol of the connection, for example, udp, tcp, or icmp.

Source Address

The source IP address of the connection.

Source Port

The source port of the connection.

Destination Address

The destination IP address of the connection.

Destination Port

The destination port of the connection.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

83

Viewing Statistics

System Status

Policy ID

The number of the firewall policy allowing this session or blank if the session involves only one FortiGate interface (admin session, for example).

Expiry (sec)

The time, in seconds, before the connection expires.

Delete icon

Stop an active communication session. Your admin profile must include read and write access to System Configuration.

Viewing Content Archive information on the Statistics widget From the Statistics widget of the System Status page, you can view statistics about HTTP, HTTPS, email, FTP and IM traffic through the FortiGate unit. You can select the Details link beside each traffic type to view more information. You can select Reset on the header of the Statistics section to clear the content archive and attack log information and reset the counts to zero. Viewing HTTP content information 1 Go to System > Status. 2 In the Content Archive section, select Details for HTTP.

Date and Time

The time when the URL was accessed.

From

The IP address from which the URL was accessed.

URL

The URL that was accessed.

Viewing Email content information 1 Go to System > Status. 2 In the Content Archive section, select Details for Email.

84

Date and Time

The time that the email passed through the FortiGate unit.

From

The sender’s email address.

To

The recipient’s email address.

Subject

The subject line of the email.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Status

Viewing Statistics

Viewing archived FTP content information 1 Go to System > Status. 2 In the Content Archive section, select Details for FTP.

Date and Time

The time of access.

Destination

The IP address of the FTP server that was accessed.

User

The User ID that logged into the FTP server.

Downloads

The names of files that were downloaded.

Uploads

The names of files that were uploaded.

Viewing IM content information 1 Go to System > Status. 2 In the Content Archive section, select Details for IM.

Date / Time

The time of access.

Protocol

The protocol used in this IM session.

Kind

The kind of IM traffic this transaction is.

Local

The local address for this transaction.

Remote

The remote address for this transaction

Direction

If the file was sent or received.

Viewing the Attack Log From the Statistics section of the System Status page, you can view statistics about the network attacks that the FortiGate unit has stopped. You can view statistics about viruses caught, attacks detected, spam email detected, and URLs blocked. You can also view information about sessions matched by DLP rules. You can select the Details link beside each attack type to view more information. You can select Reset on the header of the Statistics section to clear the content archive and attack log information and reset the counts to zero. Viewing viruses caught 1 Go to System > Status. 2 In the Attack Log section, select Details for AV.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

85

Viewing Statistics

System Status

Date and Time

The time when the virus was detected.

From

The sender’s email address or IP address.

To

The intended recipient’s email address or IP address.

Service

The service type, such as POP or HTTP.

Virus

The name of the virus that was detected.

Viewing attacks blocked 1 Go to System > Status. 2 In the Attack Log section, select Details for IPS. Date and Time

The time that the attack was detected.

From

The source of the attack.

To

The target host of the attack.

Service

The service type.

Attack

The type of attack that was detected and prevented.

Viewing spam email detected 1 Go to System > Status. 2 In the Attack Log section, select Details for Spam. Date and Time

The time that the spam was detected.

From->To IP

The sender and intended recipient IP addresses.

From->To Email Accounts

The sender and intended recipient email addresses.

Service

The service type, such as SMTP, POP or IMAP.

SPAM Type

The type of spam that was detected.

Viewing URLs blocked 1 Go to System > Status. 2 In the Attack Log section, select Details for Web. Date and Time

The time that the attempt to access the URL was detected.

From

The host that attempted to view the URL.

URL Blocked

The URL that was blocked.

Viewing the sessions matched by DLP 1 Go to System > Status. 2 In the Attack Log section, select Details for DLP.

86

Date and Time

The time that the attempt to access the URL was detected.

Service

The service type, such as HTTP, SMTP, POP or IMAP.

Source

The source address of the session.

From

The host that attempted to view the URL.

URL Blocked

The URL that was blocked.

From

The sender’s email address or IP address.

To

The intended recipient’s email address or IP address.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Status

Topology

Topology The Topology page provides a way to diagram and document the networks connected to your FortiGate unit.The Topology viewer is not available if Virtual Domains (VDOMs) are enabled. Go to System > Status > Topology to view the system topology. The Topology page consists of a large canvas upon which you can draw a network topology diagram of your FortiGate installation. Figure 42: Topology page

Zoom/Edit controls

Text object

FortiGate unit object

Subnet object

Viewport

Viewport control

Viewport and viewport control The viewport displays only a portion of the drawing area. The viewport control, at the bottom right of the topology page, represents the entire drawing area. The darker rectangle represents the viewport. Drag the viewport rectangle within the viewport control to determine which part of the drawing area the viewport displays. The “+” and “-” buttons in the viewport control have the same function as the Zoom in and Zoom out controls.

FortiGate unit object The FortiGate unit is a permanent part of the topology diagram. You can move it, but not delete it. The FortiGate unit object shows the link status of the unit’s interfaces. Green indicates the interface is up. Gray indicates the interface is down. Select the interface to view its IP address and netmask, if assigned. FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

87

Topology

System Status

Zoom and Edit controls The toolbar at the top left of the Topology page shows controls for viewing and editing the topology diagram. Table 5: Zoom and Edit controls for Topology Refresh the displayed diagram.

Zoom in. Select to display a smaller portion of the drawing area in the viewport, making objects appear larger.

Zoom out. Select to display a larger portion of the drawing area in the viewport, making objects appear smaller.

Select to begin editing the diagram. This button expands the toolbar to show the editing controls described below: Save changes made to the diagram. Note: If you switch to any other page in the web-based manager without saving your changes, your changes are lost. Add a subnet object to the diagram. The subnet object is based on the firewall address that you select, and is connected by a line to the interface associated with that address. See “Adding a subnet object” on page 89. Insert Text. Select this control and then click on the diagram where you want to place the text object. Type the text and then click outside the text box. Delete. Select the object(s) to delete and then select this control or press the Delete key.

Customize. Select to change the colors and the thickness of lines used in the drawing. See “Customizing the topology diagram” on page 90. Drag. Select this control and then drag objects in the diagram to arrange them. Scroll. Select this control and then drag the drawing area background to move the viewport within the drawing area. This has the same effect as moving the viewport rectangle within the viewport control. Select. Select this control and then drag to create a selection rectangle. Objects within the rectangle are selected when you release the mouse button. Exit. Select to finish editing the diagram. Save changes first. The toolbar contracts to show only the Refresh and Zoom controls.

88

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Status

Topology

Adding a subnet object While editing the topology diagram, you can select the Add Subnet control to define a subnet object. The object is drawn and connected by a line to the interface associated with the address. Figure 43: Adding an existing subnet to the topology diagram

Figure 44: Adding a new subnet to the topology diagram

Select from existing address/group

Create a subnet object based on an existing firewall address. The object has the name of the firewall address and is connected by a line to the interface associated with that address. For more information about firewall addresses, see “Firewall Address” on page 345.

Address Name

Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies.

Connect to interface

Select the interface or zone to associate with this address. If the field already displays a name, changing the setting changes the interface or zone associated with this existing address. If the address is currently used in a firewall policy, you can choose only the interface selected in the policy.

New addresses

Create a new firewall address and add a subnet object based on that address to the topology diagram. The address is associated with the interface you choose.

Address Name

Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies.

Type

Select the type of address: Subnet/IP Range or FQDN.

Subnet / IP Range

If Type is Subnet / IP Range, enter the firewall IP address, followed by a forward slash and then the subnet mask. Alternatively, enter IP range start address, followed by a hyphen (-) and the IP range end address.

FQDN

If Type is FQDN, enter the fully qualified domain name.

Connect to interface

Select the interface or zone to associate with this address.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

89

Topology

System Status

Customizing the topology diagram In System > Status > Topology, select the Customize button to open the Topology Customization window. Modify the settings as needed and select OK when you are finished. Figure 45: Topology Customization window

90

Preview

A simulated topology diagram showing the effect of the selected appearance options.

Canvas Size

The size of the drawing in pixels.

Resize to Image

If you selected an image as Background, resize the diagram to fit within the image.

Background

One of:

Solid

A solid color selected in Background Color.

U.S. Map

A map of the United States.

World Map

A map of the world.

Upload My Image

Upload the image from Image Path

Background Color

Select the color of the diagram background.

Image path

If you selected Upload My Image for Background, enter the path to your image, or use the Browse button to find it.

Exterior Color

Select the color of the border region outside your diagram.

Line Color

Select the color of connecting lines between subnet objects and interfaces.

Line Width

Select the thickness of connecting lines.

Reset to Default

Reset all topology diagram settings to default.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Managing firmware versions

Managing firmware versions Fortinet recommends reviewing this section before upgrading because it contains important information about how to properly back up your current configuration settings and what to do if the upgrade is unsuccessful. You should also review the FortiGate Upgrade Guide when a new firmware version is released, or the What’s New chapter of this guide when a new firmware maintenance release is released. Both contain valuable information about the changes and new features that may cause issues with the current configuration. In addition to firmware images, Fortinet releases patch releases—maintenance release builds that resolve important issues. Fortinet strongly recommends reviewing the release notes for the patch release before upgrading the firmware. Follow the steps below: •

Download and review the release notes for the patch release.

•

Download the patch release.

•

Back up the current configuration.

•

Install the patch release using the procedure “Testing firmware before upgrading” on page 94.

•

Test the patch release until you are satisfied that it applies to your configuration.

Installing a patch release without reviewing release notes or testing the firmware may result in changes to settings or unexpected issues. With FortiOS 4.0, you can also configure your FortiGate unit to use NAT while in transparent mode. For more information, see the Fortinet Knowledge Center article, Configuring NAT in Transparent mode. If you enable virtual domains (VDOMs) on the FortiGate unit, system firmware versions are configured globally. For more information, see “Using virtual domains” on page 103. This section describes: •

Backing up your configuration

•

Testing firmware before upgrading

•

Upgrading your FortiGate unit

•

Reverting to a previous firmware image

•

Restoring your configuration Note: For more information about the settings that are available on the Backup and Restore page, (such as remotely backing up to a FortiManager unit), see “System Maintenance” on page 253.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

91

Backing up your configuration

Managing firmware versions

Backing up your configuration Caution: Always back up your configuration before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults.

You can back up configuration settings to a local PC, a FortiManager unit, FortiGuard Analysis and Management server, or to a USB key. You can also back up to a FortiGuard Analysis and Management server if you have FortiGuard Analysis and Management Service enabled. Fortinet recommends backing up all configuration settings from your FortiGate unit before upgrading to FortiOS 4.0. This ensures all configuration settings are still available if you require downgrading to FortiOS 3.0 MR7 and want to restore those configuration settings.

Backing up your configuration through the web-based manager You can back up your configuration to a variety of locations, such as a FortiManager unit or a FortiGuard Analysis and Management server. The following procedure describes how to properly back up your current configuration in the web-based manager. To back up your configuration file through the web-based manager 1 Go to System > Maintenance > Backup & Restore. 2 Select to back up the configuration to either a Local PC, FortiManager, or FortiGuard (if your FortiGate unit is configured for FortiGuard Analysis and Management Service). If you want to encrypt your configuration file to save VPN certificates, select the Encrypt configuration file check box, enter a password, and then enter it again to confirm. 3 Select Backup. 4 Save the file.

Backing up your configuration through the CLI You can back up your configuration file using a TFTP or FTP server, or the USB key. If you have the FortiGuard Analysis and Management Service configured, you can also back up your configuration to the FortiGuard Analysis and Management server. When backing up your configuration in the CLI, you can choose to back up the entire configuration (execute backup full-config) or part of the configuration (execute backup config). If you have virtual domains, there are limitations to what certain administrators are allowed to back up. For more information, see the FortiGate CLI Reference. The following procedure describes how to back up your current configuration in the CLI and assumes that you are familiar with the following commands. For more information about the individual commands used in the following procedure, see the FortiGate CLI Reference. To back up your configuration file through the CLI 1 Enter the following to back up the configuration file to a USB key: execute backup config usb

92

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Managing firmware versions

Backing up your configuration

2 Enter the following to back up the configuration file to a TFTP or FTP server: execute backup config {tftp | ftp} Backup & Restore. 2 Select USB Disk from Backup configuration to list. If you want to encrypt your configuration file to save VPN certificates, select the Encrypt configuration file check box, enter a password, and then enter it again to confirm. 3 Select Backup. After successfully backing up your configuration file, either from the CLI or the web-based manager, proceed with upgrading to FortiOS 4.0.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

93

Testing firmware before upgrading

Managing firmware versions

Testing firmware before upgrading You may want to test the firmware that you need to install before upgrading to a new firmware version, or to a maintenance or patch release. By testing the firmware, you can familiarize yourself with the new features and changes to existing features, as well as understand how your configuration works with the firmware. A firmware image is tested by installing it from a system reboot, and then saving it to system memory. After the firmware is saved to system memory, the FortiGate unit operates using the firmware with the current configuration. The following procedure does not permanently install the firmware; the next time the FortiGate unit restarts, it operates using the firmware originally installed on the FortiGate unit. You can install the firmware permanently by using the procedures in “Upgrading your FortiGate unit” on page 95. You can use the following procedure for either a regular firmware image or a patch release. The following procedure assumes that you have already downloaded the firmware image to your management computer. To test the firmware image before upgrading 1 Copy the new firmware image file to the root directory of the TFTP server. 2 Start the TFTP server. 3 Log in to the CLI. 4 Enter the following command to ping the computer running the TFTP server: execute ping Pinging the computer running the TFTP server verifies that the FortiGate unit and TFTP server are successfully connected. 5 Enter the following to restart the FortiGate unit. execute reboot 6 As the FortiGate unit reboots, a series of system startup messages appears. When the following message appears, immediately press any key to interrupt the system startup: Press any key to display configuration menu… You have only three seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat steps 5 to 6 again. If you successfully interrupt the startup process, the following message appears: [G]: Get firmware image from TFTP server. [F]: Format boot device. [Q]: Quit menu and continue to boot with default firmware. [H]: Display this list of options. 7 Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]: 8 Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]:

94

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Managing firmware versions

Upgrading your FortiGate unit

9 Type the internal IP address of the FortiGate unit. This IP address connects the FortiGate unit to the TFTP server. This IP address must be on the same network as the TFTP server, but make sure you do not use an IP address of another device on the network. The following message appears: Enter File Name [image.out]: 10 Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and the following appears: Save as Default firmware/Backup firmware/Run image without saving: [D/B/R] 11 Type R. The FortiGate firmware image installs and saves to system memory. The FortiGate unit starts running the new firmware image with the current configuration. When you have completed testing the firmware, you can reboot the FortiGate unit and resume using the original firmware.

Upgrading your FortiGate unit If your upgrade is successful, and your FortiGate unit has a hard drive, you can use the Boot alternate firmware option located in System > Maintenance > Backup and Restore. This option enables you to have two firmware images, such as FortiOS 3.0 MR7 and FortiOS 4.0, available for downgrading or upgrading. If the upgrade was not successful, go to “Reverting to a previous firmware image” on page 98. You can also use the following procedure when installing a patch release. A patch release is a firmware image that resolves specific issues, but does not contain new features or changes to existing features. You can install a patch release whether or not you upgraded to the current firmware version.

Upgrading to FortiOS 4.0 through the web-based manager Caution: Always back up your configuration before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults.

The following procedure describes how to upgrade to FortiOS 4.0 in the web-based manager. Fortinet recommends using the CLI to upgrade to FortiOS 4.0. The CLI upgrade procedure reverts all current firewall configurations to factory default settings. To upgrade to FortiOS 4.0 through the web-based manager 1 Download the firmware image file to your management computer. 2 Log in to the web-based manager. 3 Go to System > Status and locate the System Information widget. 4 Beside Firmware Version, select Update. 5 Enter the path and filename of the firmware image file, or select Browse and locate the file.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

95

Upgrading your FortiGate unit

Managing firmware versions

6 Select OK. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process may take a few minutes. When the upgrade is successfully installed: •

ping to your FortiGate unit to verify there is still a connection.

•

clear the browser’s cache and log in to the web-based manager.

After logging back in to the web-based manager, you should save the configuration settings that carried forward. Some settings may have carried forward from FortiOS 3.0 MR7, while others may not have, such as certain IPS group settings. Go to System > Maintenance > Backup and Restore to save the configuration settings that carried forward. Note: After upgrading to FortiOS 4.0, perform an “Update Now” to retrieve the latest AV/NIDS signatures from the FortiGuard Distribution Network (FDN) as these signatures included in the firmware may be older than those currently available on the FDN. See the FortiGate Administration Guide for more information about updating AV/NIDS signatures.

Upgrading to FortiOS 4.0 through the CLI Caution: Always back up your configuration before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults.

The following procedure uses a TFTP server to upgrade the firmware. The CLI upgrade procedure reverts all current firewall configurations to factory default settings. See the Fortinet Knowledge Center article, Loading FortiGate firmware using TFTP for CLI procedure, for additional information about upgrading firmware in the CLI. The following procedure assumes that you have already downloaded the firmware image to your management computer. To upgrade to FortiOS 4.0 through the CLI 1 Copy the new firmware image file to the root directory of the TFTP server. 2 Start the TFTP server. 3 Log in to the CLI. 4 Enter the following command to ping the computer running the TFTP server: execute ping Pinging the computer running the TFTP server verifies that the FortiGate unit and TFTP server are successfully connected. 5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit: execute restore image Where is the name of the firmware image file and is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image.out 192.168.1.168 The FortiGate unit responds with a message similar to the following: This operation will replace the current firmware version! Do you want to continue? (y/n)

96

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Managing firmware versions

Upgrading your FortiGate unit

6 Type y. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes. 7 Reconnect to the CLI. 8 Enter the following command to confirm the firmware image installed successfully: get system status 9 To update antivirus and attack definitions from the CLI, enter the following: execute update-now If you want to update antivirus and attack definitions from the web-based manager instead, log in to the web-based manager and go to System > Maintenance > FortiGuard.

Verifying the upgrade After logging back in to the web-based manager, most of your FortiOS 3.0 MR7 configuration settings have been carried forward. For example, if you go to System > Network > Options you can see your DNS settings carried forward from your FortiOS 3.0 MR7 configuration settings. You should verify what configuration settings carried forward. You should also verify that administrative access settings carried forward as well. Verifying your configuration settings allows you to familiarize yourself with the new features and changes in FortiOS 4.0. You can verify your configuration settings by: •

going through each menu and tab in the web-based manager

•

using the show shell command in the CLI.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

97

Reverting to a previous firmware image

Managing firmware versions

Reverting to a previous firmware image You may need to revert to a previous firmware image (or version, for example, FortiOS 3.0) if the upgrade was not successfully installed. The following procedures describe how to properly downgrade to a previous firmware image using either the web-based manager or CLI, and include steps on how to restore your previous configuration. The following are included in this topic: •

Downgrading to a previous firmware through the web-based manager

•

Downgrading to a previous firmware through the CLI

•

Restoring your configuration

Downgrading to a previous firmware through the web-based manager Caution: Always back up your configuration before installing a patch release, upgrading/downgrading, or when resetting to factory defaults.

When downgrading to a previous firmware, only the following settings are retained: •

operation mode

•

Interface IP/Management IP

•

route static table

•

DNS settings

•

VDOM parameters/settings

•

admin user account

•

session helpers

•

system accprofiles.

If you created additional settings in FortiOS 4.0, make sure to back up the current configuration before downgrading. For more information, see “Backing up your configuration” on page 92. To downgrade through the web-based manager 1 Go to System > Status and locate the System Information widget. 2 Beside Firmware Version, select Update. 3 Enter the path and filename of the firmware image file, or select Browse and locate the file.. 4 Select OK. The following message appears: This version will downgrade the current firmware version. Are you sure you want to continue? 5 Select OK. The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes. 6 Log in to the web-based manager. Go to System > Status to verify that the firmware version under System Information has changed to the correct firmware.

98

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Managing firmware versions

Reverting to a previous firmware image

Verifying the downgrade After successfully downgrading to a previous firmware, verify your connections and settings. If you are unable to connect to the web-based manager, make sure your administration access settings and internal network IP address are correct. The downgrade may change your configuration settings to default settings.

Downgrading to a previous firmware through the CLI Caution: Always back up your configuration before installing a patch release, upgrading/downgrading, or when resetting to factory defaults.

When downgrading to a previous firmware, only the following settings are retained: •

operation mode

•

Interface IP/Management IP

•

route static table

•

DNS settings

•

VDOM parameters/settings

•

admin user account

•

session helpers

•

system accprofiles.

If you have created additional settings in FortiOS 4.0, make sure you back up your configuration before downgrading. For more information, see “Backing up your configuration” on page 92. The following procedure assumes that you have already downloaded the firmware image to your management computer. To downgrade through the CLI 1 Copy the new firmware image file to the root directory of the TFTP server. 2 Start the TFTP server. 3 Log in to the CLI. 4 Enter the following command to ping the computer running the TFTP server: execute ping Pinging the computer running the TFTP server verifies that the FortiGate unit and TFTP server are successfully connected. 5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit: execute restore image tftp Where is the name of the firmware image file and is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image tftp image.out 192.168.1.168 The FortiGate unit responds with the message: This operation will replace the current firmware version! Do you want to continue? (y/n)

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

99

Reverting to a previous firmware image

Managing firmware versions

6 Type y. The FortiGate unit uploads the firmware image file. After the file uploads, a message similar to the following is displayed: Get image from tftp server OK. Check image OK. This operation will downgrade the current firmware version! Do you want to continue? (y/n) 7 Type y. The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes. After the FortiGate unit uploads the firmware, you need to reconfigure your IP address since the FortiGate unit reverts to default settings, including its default IP address. See your install guide for configuring IP addresses. 8 Reconnect to the CLI. 9 Enter the following command to confirm the firmware image installed successfully: get system status See “Restoring your configuration” on page 101 to restore you previous configuration settings.

100

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Managing firmware versions

Restoring your configuration

Restoring your configuration Your configuration settings may not carry forward after downgrading to a previous firmware. You can restore your configuration settings for a previous firmware with the configuration file you saved before upgrading to FortiOS 4.0. You can also use the following procedures for restoring your configuration after installing a current patch release or maintenance release.

Restoring your configuration settings in the web-based manager The following procedure restores your previous firmware configuration settings in the web-based manager. To restore configuration settings in the web-based manager 1 Log in to the web-based manager. 2 Go to System > Maintenance > Backup & Restore. 3 Select to restore the configuration from either a Local PC, FortiManager or FortiGuard (if your FortiGate unit is configured for FortiGuard Analysis and Management Service). 4 If required, enter your password for the configuration file. 5 Enter the location of the file or select Browse to locate the file. 6 Select Restore. The FortiGate unit restores the configuration settings. This may take a few minutes since the FortiGate unit will reboot. You can verify that the configuration settings are restored by logging in to the web-based manager and going through the various menus and tabs.

Restoring your configuration settings in the CLI The following procedure restores your previous firmware configuration settings in the CLI. To restore configuration settings in the CLI 1 Copy the backed-up configuration file to the root directory of the TFTP server. 2 Start the TFTP server. 3 Log in to the CLI. 4 Enter the following command to ping the computer running the TFTP server: execute ping Pinging the computer running the TFTP server verifies that the FortiGate unit and TFTP server are successfully connected.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

101

Restoring your configuration

Managing firmware versions

5 Enter the following command to copy the backed -up configuration file to restore the file on the FortiGate unit: execute restore allconfig Where is the name of the backed up configuration file and is the IP address of the TFTP server and is the password you entered when you backed up your configuration settings. For example, if the backed up configuration file is confall and the IP address of the TFTP server is 192.168.1.168 and the password is ghrffdt123: execute restore allconfig confall 192.168.1.168 ghrffdt123 The FortiGate unit responds with the message: This operation will overwrite the current settings and the system will reboot! Do you want to continue? (y/n) 6 Type y. The FortiGate unit uploads the backed up configuration file. After the file uploads, a message, similar to the following, is displayed: Getting file confall from tftp server 192.168.1.168 ## Restoring files... All done. Rebooting... This may take a few minutes. Use the CLI show shell command to verify your settings are restored, or log in to the web-based manager.

102

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Using virtual domains

Virtual domains

Using virtual domains This section describes virtual domains (VDOMs) along with some of their benefits, and how to use VDOMs to operate your FortiGate unit as multiple virtual units. If you enable VDOMs on the FortiGate unit, you configure virtual domains globally for the FortiGate unit. To get started working with virtual domains, see “Enabling VDOMs” on page 108. This section describes: •

Virtual domains

•

Enabling VDOMs

•

Configuring global and VDOM resource limits

•

Configuring VDOMs and global settings

Virtual domains Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. A single FortiGate unit is then flexible enough to serve multiple departments of an organization, separate organizations, or to act as the basis for a service provider’s managed security service.

Benefits of VDOMs Some benefits of VDOMs are: •

Easier administration

•

Continued security maintenance

•

Savings in physical space and power

Easier administration VDOMs provide separate security domains that allow separate zones, user authentication, firewall policies, routing, and VPN configurations. Using VDOMs can also simplify administration of complex configurations because you do not have to manage as many routes or firewall policies at one time. For more information, see “VDOM configuration settings” on page 104. By default, each FortiGate unit has a VDOM named root. This VDOM includes all of the FortiGate physical interfaces, modem, VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings. Also you can assign an administrator account restricted to that VDOM. If the VDOM is created to serve an organization, this feature enables the organization to manage its own configuration. Management systems such as SNMP, logging, alert email, FDN-based updates and NTPbased time setting use addresses and routing in the management VDOM to communicate with the network. They can connect only to network resources that communicate with the management virtual domain. The management VDOM is set to root by default, but you can change it. For more information, see “Changing the management VDOM” on page 116. FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

103

Virtual domains

Using virtual domains

Continued security maintenance When a packet enters a VDOM, it is confined to that VDOM. In a VDOM, you can create firewall policies for connections between VLAN subinterfaces or zones in the VDOM. Packets do not cross the virtual domain border internally. To travel between VDOMs, a packet must pass through a firewall on a physical interface. The packet then arrives at another VDOM on a different interface, but it must pass through another firewall before entering the VDOM. Both VDOMs are on the same FortiGate unit. Inter-VDOMs change this behavior in that they are internal interfaces; however their packets go through all the same security measures as on physical interfaces. Without VDOMs, administrators can easily access settings across the FortiGate unit. This can lead to security issues or far-reaching configuration errors. However, administrator permissions are specific to one VDOM. An admin on one VDOM cannot change information on another VDOM. Any configuration changes, and potential errors, will apply only to that VDOM and limit potential down time. The remainder of the FortiGate unit’s functionality is global—it applies to all VDOMs on the unit. This means there is one intrusion prevention configuration, one antivirus configuration, one web filter configuration, one protection profile configuration, and so on. VDOMs also share firmware versions, as well as antivirus and attack databases. The operating mode, NAT/Route or Transparent, can be selected independently for each VDOM. For a complete list of shared configuration settings, see “Global configuration settings” on page 107.

Savings in physical space and power Increasing VDOMs involves no extra hardware, no shipping, and very few changes to existing networking. They take no extra physical space—you are limited only by the size of the license you buy for your VDOMs. By default, most FortiGate units supports a maximum of 10 VDOMs in any combination of NAT/Route and Transparent modes. For high-end FortiGate models, you can purchase a license key to increase the maximum number of VDOMs to 25, 50, 100 or 250. For more information see “VDOM licenses” on page 109. Note: During configuration on a FortiAnalyzer unit, VDOMs count toward the maximum number of FortiGate units allowed by the FortiAnalyzer unit’s license. The total number of devices registered can be seen on the FortiAnalyzer unit’s System Status page under License Information.

If virtual domain configuration is enabled and you log in as the default super_admin, you can go to System > Status and look at Virtual Domain in the License Information section to see the maximum number of virtual domains supported on your FortiGate unit. For more information on VDOMs, see the FortiGate VLANs and VDOMs Guide.

VDOM configuration settings To configure and use VDOMs, you must enable virtual domain configuration. For more information, see “Enabling VDOMs” on page 108. You can configure a VDOM by adding VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings. You can also move physical interfaces from the root VDOM to other VDOMs and move VLAN subinterfaces from one VDOM to another. For more information on VLANs, see “VLAN overview” on page 150.

104

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Using virtual domains

Virtual domains

The following configuration settings are exclusively part of a virtual domain and are not shared between virtual domains. A regular VDOM administrator sees only these settings. The default super_admin can also access these settings, but must first select which VDOM to configure. Table 6: VDOM configuration settings Configuration Object

For more information, see

System Network Zone

“Configuring zones” on page 138

Network Web Proxy

“Web Proxy” on page 147

Network Routing Table “Routing table (Transparent Mode)” on page 149 (Transparent mode) Network Modem

“Configuring the modem interface” on page 139

Wireless Settings

“Wireless settings” on page 162

Wireless MAC Filter

“Wireless MAC Filter” on page 165

Wireless Monitor

“Wireless Monitor” on page 167

Wireless Rogue AP

“Rogue AP detection” on page 168

DHCP service

“Configuring DHCP services” on page 172

DHCP Address Leases “Viewing address leases” on page 175 Config Operation mode “Changing operation mode” on page 206 (NAT/Route or Transparent) Config Management IP “Changing operation mode” on page 206 (Transparent mode) Router Static

“Router Static” on page 277

Dynamic

“Router Dynamic” on page 289

Monitor

“Router Monitor” on page 315

Firewall Policy

“Firewall Policy” on page 319

Address

“Firewall Address” on page 345

Service

“Firewall Service” on page 351

Schedule

“Firewall Schedule” on page 361

Virtual IP

“Firewall Virtual IP” on page 365

Virtual IP Group

“Virtual IP Groups” on page 380

Virtual IP, IP pool

“IP pools” on page 381

Load Balance

“Firewall Load Balance” on page 389

Protection Profile

“Firewall Protection Profile” on page 397

UTM AntiVirus File Filter

“File Filter” on page 443

Intrusion Protection

“Intrusion Protection” on page 455

Web Filter

“Web Filter” on page 475

AntiSpam

“Antispam” on page 495

Data Leak Prevention

“Data Leak Prevention” on page 511

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

105

Virtual domains

Using virtual domains

Table 6: VDOM configuration settings (Continued) Configuration Object

For more information, see

Application Control

“Application Control” on page 523

VPN IPSec

“IPSec VPN” on page 531

PPTP

“PPTP VPN” on page 547

SSL

“SSL VPN” on page 551

User Local

“Local user accounts” on page 568

Remote

“Remote” on page 571

Directory Service

“Directory Service” on page 579

PKI

“PKI” on page 581

User Group

“User Group” on page 583

Options

“Settings” on page 228

Monitor

“Monitoring administrators” on page 229

Log&Report

106

Logging configuration

“FortiGate logging” on page 647 (Memory only)

Alert E-mail

“Configuring Alert Email” on page 672 (Send alert email for the following)

Event Log

“Event log” on page 659

Log access

“Accessing Logs” on page 662 (Memory only)

Content Archive

“Content Archive” on page 667

Report Access

“Reports” on page 673

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Using virtual domains

Virtual domains

Global configuration settings The following configuration settings affect all virtual domains. When virtual domains are enabled, only accounts with the default super_admin profile can access global settings. Table 7: Global configuration settings Configuration Object

For more information, see

System Status System Time

“Configuring system time” on page 78

Status Host name

“Changing the FortiGate unit host name” on page 78

Status Firmware version

“Upgrading to a new firmware version” on page 80 (System Status page) or “Managing firmware versions” on page 91.

Network Interfaces and “Interfaces” on page 119 and “VLAN overview” on page 150 VLAN subinterfaces (You configure interfaces as part of the global configuration but each interface and VLAN subinterface belongs to a VDOM. You add interfaces to VDOMs as part of the global configuration.) Network Options DNS

“DNS Servers” on page 146

Network Options Dead gateway detection

“Dead gateway detection” on page 146

Admin Settings Idle and authentication time-out

“Settings” on page 228 and “Getting started - User authentication” on page 567

Admin Settings Webbased manager language

“Settings” on page 228

Admin Settings LCD panel PIN, where applicable

“Settings” on page 228

Wireless Settings

“Wireless settings” on page 162

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

107

Enabling VDOMs

Using virtual domains

Table 7: Global configuration settings (Continued) Configuration Object

For more information, see

Wireless MAC Filter

“Wireless MAC Filter” on page 165

Wireless Monitor

“Wireless Monitor” on page 167

WIreless Rogue AP

“Rogue AP detection” on page 168

Config HA

“HA” on page 177

Config SNMP

“SNMP” on page 185

Config Replacement messages

“Replacement messages” on page 194

Admin Administrators

“Administrators” on page 209 (You can add global administrators. You can also add administrators to VDOMs. VDOM administrators cannot add or configure administrator accounts.)

Admin profiles

“Admin profiles” on page 222

Admin Central Management configuration

“Central Management” on page 226

Certificates

“System Certificates” on page 243

Configuration backup and restore

“Backing up and restoring” on page 254

Scripts

“Using script files” on page 262

FDN update configuration

“FortiGuard Distribution Network” on page 264

UTM AntiVirus

“AntiVirus” on page 439

Log&Report Log Configuration

“FortiGate logging” on page 647 (Remote and Syslog)

Alert E-mail

“Configuring Alert Email” on page 672 (Alert email account settings.)

Report Config

“Reports” on page 673

Report Access

“Reports” on page 673

Enabling VDOMs Using the default admin administration account, you can enable multiple VDOM operation on the FortiGate unit. To enable virtual domains 1 Log in to the web-based manager on a super_admin profile account. 2 Go to System > Status. 3 In System Information, next to Virtual Domain select Enable. The FortiGate unit logs you off. You can now log in again as admin. Alternatively, through the CLI, enter: config system global, set vdom-admin When virtual domains are enabled, the web-based manager and the CLI are changed as follows:

108

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Using virtual domains

Configuring VDOMs and global settings

•

Global and per-VDOM configurations are separated.

•

A new VDOM entry appears under the System option.

•

Within a VDOM, reduced dashboard menu options are available, and a new Global option appears. Selecting Global exits the current VDOM.

•

There is no operation mode selection at the Global level.

•

Only super_admin profile accounts can view or configure global options.

•

Super_admin profile accounts can configure all VDOM configurations.

•

One or more administrators can be set up for each VDOM; however, these admin accounts cannot edit settings for any VDOMs for which they are not set up.

When virtual domains are enabled, the current virtual domain is displayed at the bottom left of the screen, in the format Current VDOM: .

Configuring VDOMs and global settings A VDOM is not useful unless it contains at least two physical interfaces or virtual subinterfaces for incoming and outgoing traffic. Availability of the associated tasks depends on the permissions of the admin. If your are using a super_admin profile account, you can perform all tasks. If you are using a regular admin account, the tasks available to you depend on whether you have read only or read/write permissions, Table 6 shows what roles can perform which tasks. Table 8: Admin VDOM permissions Tasks

Read only permission

Regular administrator account Read/write permission

Super_admin profile administrator account

View global settings

yes

yes

yes

Configure global settings

no

no

yes

Create or delete VDOMs

no

no

yes

Configure multiple VDOMs

no

no

yes

Assign interfaces to a VDOM

no

no

yes

Create VLANs

no

yes - for 1 VDOM

yes - for all VDOMs

Assign an administrator to a VDOM

no

no

yes

Create additional admin accounts

no

yes - for 1 VDOM

yes - for all VDOMs

Create and edit protection profiles

no

yes - for 1 VDOM

yes - for all VDOMs

VDOM licenses All FortiGate units, except the 30B, support 10 VDOMs by default. High-end FortiGate models support the purchase of a VDOM license key from customer service to increase their maximum allowed VDOMs to 25, 50, 100, 250, or 500. Configuring 250 or more VDOMs will result in reduced system performance.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

109

Configuring VDOMs and global settings

Using virtual domains

Table 9: VDOM support by FortiGate model FortiGate model

Support VDOMs

Default VDOM maximum

Maximum VDOM license

30B

no

0

0

Low and mid-range models

yes

10

10

High-end models

yes

10

500

Note: Your FortiGate unit has limited resources that are divided amongst all configured VDOMs. These resources include system memory, and CPU. When running 250 or more VDOMs, you cannot run Unified Threat Management (UTM) features such as proxies, web filtering, or antivirus—your FortiGate unit can only provide basic firewall functionality.

Tip: If you do not have a System > Maintenance > License tab, your FortiGate model does not support more than 10 VDOMs.

To obtain a VDOM license key 1 Log in to your FortiGate unit using the admin account. Other accounts such as other super_admin profile accounts may also have sufficient privileges to install VDOM licenses. 2 Go to System > Status. 3 Record your FortiGate unit serial number as shown in “System Information” on page 65. 4 Under License Information > Virtual Domains, select Purchase More. 5 You will be taken to the Fortinet customer support web site where you can log in and purchase a license key for 25, 50, 100, 250, or 500 VDOMs. 6 When you receive your license key, go to System > Maintenance > License. 7 In the License Key field, enter the 32-character license key you received from Fortinet customer support. 8 Select Apply. To verify the new VDOM license, go to System > Status under Global Configuration. In the License Information area Virtual Domains, VDOMs Allowed shows the maximum number of VDOMs allowed. Note: VDOMs created on a registered FortiGate unit are recognized as real devices by any connected FortiAnalyzer unit. The FortiAnalyzer unit includes VDOMs in its total number of registered devices. For example, if three FortiGate units are registered on the FortiAnalyzer unit and they contain a total of four VDOMs, the total number of registered FortiGate units on the FortiAnalyzer unit is seven. For more information, see the FortiAnalyzer Administration Guide.

Creating a new VDOM By default, every FortiGate unit has a root VDOM that is visible when VDOMs are enabled. To use additional VDOMs, you must first create them. When using multiple VDOMs, it can be useful to assign fewer resources to some VDOMs and more resources to others. This VDOM resource management will result in better FortiGate unit performance. For more information, see “VDOM resource limits” on page 117.

110

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Using virtual domains

Configuring VDOMs and global settings

VDOM names have the following restrictions: •

Only letters, numbers, “-”, and “_” are allowed.

•

A name can have no more than 11 characters.

•

A name cannot contain spaces.

•

VDOMs cannot have the same names as interfaces, zones, switch interfaces, or other VDOMs Note: The VDOM names vsys_ha and vsys_fgfm are in use by the FortiGate unit. If you attempt to name a new VDOM vsys_ha or vsys_fgfm, the FortiGate unit will generate an error. Note: When creating 250 or more VDOMs, you cannot enable UTM features such as proxies, web filtering, and antivirus due to limited resources. Also when creating large numbers of VDOMs, you may experience reduced performance. To improve performance with multiple VDOMs, see “VDOM resource limits” on page 117.

Figure 46: New Virtual Domain

To create a new VDOM 1 Log in as a super_admin profile admin. 2 Ensure VDOMs are enabled. For more information, see “Enabling VDOMs” on page 108. 3 Go to System > VDOM. 4 Select Create New. 5 Enter a name for the new VDOM, up to a maximum of 11 characters. This name cannot be changed. 6 Optionally enter a comment for the VDOM, up to a maximum of 63 characters. 7 Select OK.

Working with VDOMs and global settings When you log in as admin and virtual domains are enabled, the FortiGate unit is automatically in global configuration, as demonstrated by the appearance of the VDOM option under System. To work with virtual domains, select System > VDOM.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

111

Configuring VDOMs and global settings

Using virtual domains

Figure 47: VDOM list Disabled VDOM

Management VDOM

112

Create New

Select to add a new VDOM. Enter the new VDOM name and select OK. The VDOM must not have the same name as an existing VDOM, VLAN or zone. The VDOM name can have a maximum of 11 characters and must not contain spaces.

Management Virtual Domain

Change the management VDOM to the selected VDOM in the list. The management VDOM is then grayed out in the Enable column. The default management VDOM is root. For more information, see “Changing the management VDOM” on page 116.

Apply

Select to save your changes to the Management VDOM.

Enable

There are three states this column can be in. • A green check mark indicates this VDOM is enabled, and that you can select the Enter icon to change to that VDOM. • An empty check box indicates this VDOM is disabled. When disabled, the configuration of that VDOM is preserved. The Enter icon is not available. • A grayed-out check box indicates this VDOM is the management VDOM. It cannot be deleted or changed to disabled; it is always active.

Name

The name of the VDOM.

Operation Mode

The VDOM operation mode, either NAT or Transparent. When a VDOM is in Transparent mode, SNMP can display the management address, address type and subnet mask for that VDOM. For more information, see “SNMP” on page 185.

Interfaces

The interfaces associated with this VDOM, including virtual interfaces. Every VDOM includes an SSL VPN virtual interface named for that VDOM. For the root VDOM this interface is ssl.root.

Comments

Comments added by an admin when this VDOM was created.

Delete icon

Delete the VDOM. The Delete icon appears only when there are no configuration objects associated with that VDOM. For example, you must remove all referring interfaces, profiles, and so on before you can delete the VDOM. If the icon does not appear and you do not want to delete all the referring configuration, you can disable the VDOM instead. The disabled VDOM configuration remains in memory, but the VDOM is not usable until it is enabled.

Edit icon

Change the description of the VDOM. The name of the VDOM cannot be changed.

Enter icon

Enter the selected VDOM. After entering a VDOM you will only be able to view and change settings specific to that VDOM.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Using virtual domains

Configuring VDOMs and global settings

Adding interfaces to a VDOM A VDOM must contain at least two interfaces to be useful. These can be physical or virtual interfaces such as VLAN subinterfaces. By default, all physical interfaces are in the root virtual domain. VLAN subinterfaces often need to be in a different VDOM than their physical interface. To do this, the super administrator must first create the VDOM, create the VLAN subinterface, and then assign the VLAN to the correct VDOM. VDOMs can only be added in global settings, and not within VDOMs. For information on creating VLAN subinterfaces, see “Adding VLAN subinterfaces” on page 153.

Inter-VDOM links An inter-VDOM link is a pair of interfaces that enable you to communicate between two VDOMs internally without using a physical interface. Inter-VDOM links have the same security as physical interfaces, but allow more flexible configurations that are not limited by the number of physical interfaces on your FortiGate unit. As with all virtual interfaces, the speed of the link depends on the CPU load, but generally it is faster than physical interfaces. There are no MTU settings for inter-VDOM links. DHCP support includes interVDOM links. A packet can pass through an inter-VDOM link a maximum of three times. This is to prevent a loop. When traffic is encrypted or decrypted, it changes the content of the packets and this resets the inter-VDOM counter. However, using IPIP or GRE tunnels does not reset the counter. In HA mode, inter-VDOM links must have both ends of the link within the same virtual cluster. DHCP over IPSec is supported for inter-VDOM links, however regular DHCP services are not available. To view inter-VDOM links, go to System > Network > Interface. When an inter-VDOM link is created, it automatically creates a pair of virtual interfaces that correspond to the two internal VDOMs. Each of the virtual interfaces is named using the inter-VDOM link name with an added “0” or “1”. So if the inter-VDOM link is called “vlink” the interfaces are “vlink0” and “vlink1”. Select the Expand Arrow beside the VDOM link to display the virtual interfaces.

Note: Inter-VDOM links cannot refer to a domain that is in transparent mode.

Figure 48: VDOM link interfaces

To create an inter-VDOM link 1 Log in as admin. 2 Go to System > Network > Interface. FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

113

Configuring VDOMs and global settings

Using virtual domains

3 Select the arrow on the Create New button. 4 Select VDOM link. You will see the New VDOM Link screen. Figure 49: New VDOM link

5 Enter the name for the new VDOM link, up to a maximum of 11 characters. The name must not contain any spaces or special characters. Hyphens (“-”) and underlines (“_”) are allowed. Remember that the name will have a “0” or “1” attached to the end for the actual interfaces. 6 Configure VDOM link “0”. 7 Select the VDOM from the menu that this interface will connect to. 8 Enter the IP address and netmask for this interface. 9 Select the administrative access method or methods. Keep in mind that PING, TELNET, and HTTP are less secure methods. 10 Optionally enter a description for this interface. 11 Repeat steps 7 through 10 for VDOM link “1”. 12 Select OK to save your configuration and return to the System > Interface screen.

Assigning an interface to a VDOM The following procedure describes how to reassign an existing interface from one virtual domain to another. It assumes VDOMs are enabled and more than one VDOM exists. You cannot delete a VDOM if it is used in any configurations. For example, if an interface is assigned to that VDOM, you cannot delete the VDOM. You cannot remove an interface from a VDOM if the interface is included in any of the following configurations:

114

•

DHCP server

•

zone

•

routing

•

firewall policy

•

IP pool

•

proxy arp (only accessible through the CLI).

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Using virtual domains

Configuring VDOMs and global settings

Before removing these configurations, it is recommended that you back up your configuration, so you can restore it if you want to create this VDOM at a later date. Delete the items in this list or modify them to remove the interface before proceeding. Note: You can reassign or remove an interface or subinterface once the Delete icon is displayed. Absence of the icon means that the interface is being used in a configuration somewhere.

Tip: You can disable a VDOM instead of deleting it. Your configuration will be preserved, saving time you would otherwise need to remove and reconfigure it.

To assign an interface to a VDOM 1 Log in as admin. 2 Go to System > Network > Interface. 3 Select Edit for the interface that you want to reassign. 4 Select the new virtual domain for the interface. 5 Configure other settings as required and select OK. For more information, see “Interface settings” on page 123. The interface is assigned to the VDOM. Existing firewall IP pools and virtual IP addresses for this interface are deleted. You should manually delete any routes that include this interface, and create new routes for this interface in the new VDOM. Otherwise your network traffic will not be properly routed. For more information on creating static routes, see “Router Static” on page 277.

Assigning an administrator to a VDOM If you are creating a VDOM to serve an organization that will be administering its own resources, you need to create an administrator account for that VDOM. A VDOM admin can change configuration settings within that VDOM but cannot make changes that affect other VDOMs on the FortiGate unit. A regular administrator assigned to a VDOM can log in to the web-based manager or the CLI only on interfaces that belong to that VDOM. The super administrator can connect to the web-based manager or CLI through any interface on the FortiGate unit that permits management access. Only the super administrator or a regular administrator of the root domain can log in by connecting to the console interface. Note: If an admin account is assigned to a VDOM, that VDOM cannot be deleted until that account is assigned to another VDOM or removed.

To assign an administrator to a VDOM 1 Log in as the super_admin. 2 Ensure that virtual domains are enabled. For more information, see “Enabling VDOMs” on page 108. 3 Go to System > Admin >Administrators. 4 Create a new administrator account or select the Edit icon of an existing administrator account. 5 Go to the Virtual Domain list.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

115

Configuring global and VDOM resource limits

Using virtual domains

6 Select the VDOM that this administrator manages. Administrators are assigned to a specific VDOM when the account is created unless they are super_admin administrators. For more information, see “Configuring an administrator account” on page 212. 7 Configure other settings as required. For detailed information, see “Configuring an administrator account” on page 212. 8 Select OK.

Changing the management VDOM The management VDOM on your FortiGate unit is where some default types of traffic originate, including: •

SNMP

•

logging

•

alert email

•

FDN-based updates

•

NTP-based time setting.

Before you change the management VDOM, ensure that virtual domains are enabled on the system dashboard screen. For more information, see “Enabling VDOMs” on page 108. Only one VDOM can be the management VDOM at any given time. Global events are logged with the VDOM set to the management VDOM. Note: You cannot change the management VDOM if any administrators are using RADIUS authentication.

To change the management VDOM 1 Go to System > VDOM. 2 From the list of VDOMs, select the VDOM to be the new management VDOM. This list is located to the immediate left of the Apply button. 3 Select Apply to make the change. At the prompt, confirm the change. Management traffic will now originate from the new management VDOM.

Configuring global and VDOM resource limits FortiGate units have upper limits for resources such as firewall policies, protection profiles and VPN tunnels. These limits vary by model. In general, the more VDOMs the FortiGate unit supports, the greater the impact on resource limits. In previous releases of FortiOS, maximum values for resources belonging to virtual domains (VDOMs) applied equally to each VDOM. Maximums for system-wide (global) resources applied globally and the resources were equally accessible to each VDOM. If you are a super administrator, you can control resource allocation to each VDOM. This limits the impact of each VDOM on other VDOMs due to resource competition. Also, you can set global resource limits to control the impact of various features on system performance.

116

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Using virtual domains

Configuring global and VDOM resource limits

Note: The resource limits vary for different FortiGate models. The resource limits are increased when two or more FortiGates are in HA mode due to the increased resources that are available to the HA cluster.

VDOM resource limits You can configure VDOM resource limits when you create a new VDOM or edit an existing VDOM. These resource limits are restricted by the FortiGate global limits in that the total of each resource across all VDOMs cannot exceed the global limit. You can optionally set a guaranteed minimum level of resources that will be available to the VDOM. This will ensure that other VDOMs do not use all of an available resource. To configure VDOM resource limits 1 Go to System > VDOM. 2 Select Create New, enter a name and then select OK, or select the Edit icon of an existing VDOM. 3 Modify the values described in the table below as required. 4 Select OK. Figure 50: Configuring VDOM resource limits

Resource

Description of the resource.

Maximum

Enter the maximum amount of the resource allowed for this VDOM. This amount might not be available due to usage of this resource type by other VDOMs.

Guaranteed

Enter the minimum amount of the resource available to this VDOM regardless of usage by other VDOMs.

Current

The amount of the resource that this VDOM currently uses.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

117

Configuring global and VDOM resource limits

Using virtual domains

If you enter a value that is not valid, the web-based manager displays the range of valid values.

Global resource limits To ensure system performance, you can set global resource limits that are less than the maximums set by your unit’s hardware. Your configured maximum value for any resource must be greater than amount of the resource already in use and greater than the sum of all VDOM guaranteed resource values. To view or set global resource limits, go to System > VDOM > Global Resources. Select the Edit icon to change any settings. Figure 51: Configuring global resource limits

Resource

Description of the resource.

Configured Maximum

The maximum amount of the resource allowed. This amount matches the default maximum until you change it.

Default Maximum

The default maximum value for this resource. This value depends on the unit hardware limitations.

Current Usage The amount of the resource currently in use.

118

Edit icon

Change the configured maximum for this resource. The Edit Global Resource Limits dialog box lists the valid range of values for the configured maximum. For some resources, you can set the maximum to zero to set no limit.

Reset icon

Reset the configured maximum to the default maximum value.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Network

Interfaces

System Network This section describes how to configure your FortiGate unit to operate in your network. Basic network settings include configuring FortiGate interfaces and DNS settings. More advanced configuration includes adding VLAN subinterfaces and zones to the FortiGate network configuration. If you enable virtual domains (VDOMs) on the FortiGate unit, you configure most system network settings globally for the entire FortiGate unit. For example, all interface settings, including adding interfaces to VDOMs, are part of the global configuration. However, zones, the modem interface, and the Transparent mode routing table are configured separately for each virtual domain. For details, see “Using virtual domains” on page 103. This section describes: •

Interfaces

•

Configuring zones

•

Configuring the modem interface

•

Configuring Networking Options

•

Web Proxy

•

Routing table (Transparent Mode)

•

VLAN overview

•

VLANs in NAT/Route mode

•

VLANs in Transparent mode Note: Unless stated otherwise, the term interface can refer to either a physical FortiGate interface or to a virtual FortiGate VLAN subinterface.

Note: If you can enter both an IP address and a netmask in the same field, you can use the short form of the netmask. For example, 192.168.1.100/255.255.255.0 can also be entered as 192.168.1.100/24.

Interfaces In NAT/Route mode, go to System > Network > Interface to configure FortiGate interfaces. You can: •

modify the configuration of a physical interface

•

add and configure VLAN subinterfaces

•

aggregate several physical interfaces into an IEEE 802.3ad interface (models 300A, 400A, 500A, and 800 or higher)

•

combine physical interfaces into a redundant interface

•

add wireless interfaces (FortiWiFi models) and service set identifiers (SSIDs) (see “Adding a wireless interface” on page 163)

•

add and configure VDOM links (see “Inter-VDOM links” on page 113)

•

view loopback interfaces

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

119

Interfaces

System Network

•

configure the modem (see “Configuring the modem interface” on page 139)

•

change which information about the interfaces is displayed

For information about VLANs, see “FortiGate units and VLANs” on page 151. Figure 52: Interface list - regular admin view

Figure 53: Interface list - admin view with virtual domains enabled

120

Create New

Select Create New to create a VLAN subinterface. On models 800 and higher, you can also create an IEEE 802.3ad aggregated interface. When VDOMs are enabled, selecting the Create New arrow enables you to create new Inter-VDOM links. For more information see “Inter-VDOM links” on page 113.

Switch Mode

Select to change between switch mode and interface mode. Switch mode combines the internal interfaces into one switch with one address. Interface mode gives each internal interface its own address. Before switching modes, all configuration settings that point to ‘internal’ interfaces must be removed. This option is visible on models 100A and 200A for Rev2.0 and higher. Switch mode is also visible on the FortiGate-60B and FortiWiFi-60B. For more information see “Switch Mode” on page 122.

show backplane interfaces

Select to make the two backplane interfaces visible as port9 and port10. Once visible these interfaces can be treated as regular physical interfaces. This option is available only on 5000 models.

Column Settings

Select to change the which columns of information about the network interfaces is displayed. For more information, see “Column Settings” on page 122.

Description icon

The tooltip for this icon displays the Description field for this interface. For more information see “Interface settings” on page 123.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Network

Interfaces

Name

The names of the physical interfaces on your FortiGate unit. This includes any alias names that have been configured. The name, including number, of a physical interface depends on the model. Some names indicate the default function of the interface such as Internal, External and DMZ. Other names are generic such as port1. FortiGate models numbered 50 and 60 provide a modem interface. Also models with a USB port support a connected modem. See “Configuring the modem interface” on page 139. The oob/ha interface is the FortiGate-4000 out of band management interface. You can connect to this interface to manage the FortiGate unit. This interface is also available as an HA heartbeat interface. On FortiGate models 300A, 310B, 400A, 500A, 620B, and 800 or higher, if you combine several interfaces into an aggregate interface, only the aggregate interface is listed, not the component interfaces. The same is true for redundant interfaces. See “Creating an 802.3ad aggregate interface” on page 127 or “Creating a redundant interface” on page 128. If you have added VLAN subinterfaces, they also appear in the name list, below the physical or aggregated interface to which they have been added. See “VLAN overview” on page 150. If you have loopback virtual interfaces configured you will be able to view them. You can only edit these interfaces in the CLI. For more information on these interfaces see “Configuring interfaces with CLI commands” on page 134 or the config system interface command in the FortiGate CLI Reference. If you have software switch interfaces configured, you will be able to view them. You can only edit these interfaces in the CLI. For more information on these interfaces see “Configuring interfaces with CLI commands” on page 134 or the config system switch-interface command in the FortiGate CLI Reference. If virtual domain configuration is enabled, you can view information only for the interfaces that are in your current virtual domain, unless you are using the super admin account. If VDOMs are enabled, you will be able to create, edit, and view inter-VDOM links. For more information see “Inter-VDOM links” on page 113. If you have interface mode enabled on a FortiGate model 100A or 200A Rev2.0 or higher or on the FortiGate-60B and FortiWiFi-60B models, you will see multiple internal interfaces. If switch mode is enabled, there will only be one internal interface. For more information see “Switch Mode” on page 122. If your FortiGate unit supports AMC modules and have installed an AMC module containing interfaces (for example, the FortiGate-ASM-FB4 contains 4 interfaces) these interfaces are added to the interface status display. The interfaces are named AMC-SW1/1, AMC-DW1/2, and so on. SW1 indicates it is a single width or double width card respectively in slot 1. The last number “/1” indicates the interface number on that card - for the ASM-FB4 card there would be “/1” through “/4”.

IP/Netmask

The current IP address/netmask of the interface. In VDOM mode, when VDOMs are not all in NAT or Transparent mode some values may not be available for display and will be displayed as “-” instead. When IPv6 Support on GUI is enabled, IPv6 addresses may be displayed in this column.

Access

The administrative access configuration for the interface. See “Administrative access to an interface” on page 135.

Administrative Status

The administrative status for the interface. If the administrative status is a green arrow, the interface is up and can accept network traffic. If the administrative status is a red arrow, the interface is administratively down and cannot accept traffic. To change the administrative status, select Bring Down or Bring Up.

Link Status

The status of physical connection. The status of a non-physical interface will always be down.

MAC

The MAC address of the interface.

Mode

Shows the addressing mode of this interface such as manual, DHCP, or PPPoE.

MTU

The maximum number of bytes per transmission unit. Anything over 1500 are jumbo frames. See “Interface MTU packet size” on page 135.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

121

Interfaces

System Network

Secondary IP

Any secondary IPs for this interface.

Type

The type of the interface. Valid types include: • Physical - a physical network interface, including modem • VLAN - a virtual network interface • Aggregate - a group of interfaces • Redundant - a group of interfaces • VDOM Link - a pair of virtual interface that join two VDOMs • Pair - one two interfaces that are joined together, such as 2 VDOM links

Virtual Domain

The virtual domain to which the interface belongs. This column is visible only to the super admin and only when virtual domain configuration is enabled.

VLAN ID

The identification number of the VLAN. Non-VLAN interface entries will be blank.

Delete, edit, and view icons

Delete, edit, or view an entry.

Column Settings Go to System > Network > Column Settings to change which information about the interfaces is displayed. The VDOM field is only available for display when VDOMs are enabled. Figure 54: Column Settings

Available fields

The list of fields (columns) not currently being displayed.

Show these fields in this order

The list of fields (columns) currently being displayed. They are displayed in order. Top to bottom of the list will be displayed left to right on screen respectively.

Right arrow

Move selected fields to the Show these fields in this order list.

Left arrow

Move selected fields to the Available fields list.

Move up

Move selected item up in the Show these fields in this order list. The corresponding column is moved to the left on the network interface display.

Move down

Move selected item down in the Show these fields in this order list. The corresponding column is moved to the right on the network interface display.

Switch Mode The internal interface is a switch with either four or six physical interface connections, depending on the FortiGate model. Normally the internal interface is configured as a single interface shared by all physical interface connections - a switch.

122

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Network

Interfaces

The switch mode feature has two states - switch mode and interface mode. Switch mode is the default mode with only one interface and one address for the entire internal switch. Interface mode allows you to configure each of the internal switch physical interface connections separately. This allows you to assign different subnets and netmasks to each of the internal physical interface connections. FortiGate models 100A and 200A Rev2.0 and higher have four internal interface connections. The FortiGate-60B and FortiWifi-60B have six internal interface connections. Consult your release notes for the most current list of supported models for this feature. Selecting Switch Mode on the System > Network > Interface screen displays the Switch Mode Management screen. Caution: Before you are able to change between switch mode and interface mode all references to ‘internal’ interfaces must be removed. This includes references such as firewall policies, routing, DNS forwarding, DHCP services, VDOM interface assignments, and routing. If they are not removed, you will not be able to switch modes, and you will see an error message. Figure 55: Switch Mode Management

Switch Mode

Select Switch Mode. Only one internal interface is displayed. This is the default mode.

Interface Mode

Select Interface Mode. All internal i nterfaces on the switch are displayed as individually configurable interfaces.

Switch Mode can also be configured using CLI commands. For more information see the FortiGate CLI Reference.

Interface settings Go to System > Network > Interface and select Create New. Selecting the Create New arrow enables you to create Inter-VDOM links. For more information on Inter-VDOM links, see “Inter-VDOM links” on page 113. Some types of interfaces such as loopback interfaces can only be configured using CLI commands. For more information, see “Configuring interfaces with CLI commands” on page 134 or the FortiGate CLI Reference To be able to configure a DHCP server on an interface, that interface must have a static IP address. You cannot create a virtual IPSec interface on this screen, but you can specify its endpoint addresses, enable administrative access and provide a description if you are editing an existing interface. For more information, see “Configuring a virtual IPSec interface” on page 133.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

123

Interfaces

System Network

Figure 56: Create New Interface settings

Figure 57: Edit Interface settings

124

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Network

Interfaces

Figure 58: Edit Interface settings

Name

Enter a name for the interface. You cannot change the name of an existing interface.

Alias

Enter another name for the interface that will easily distinguish this interface from another. This is available only for physical interfaces where where you cannot configure the name. The alias can be a maximum of 15 characters. The alias name is not part of the interface name, but it will appear in brackets beside the interface name. It will not appears in logs.

Type

The type of the interfaces. When creating a new interface, this is VLAN by default. On models 300A, 400A, 500A, 800 and higher, you can create VLAN, 802.3ad Aggregate, and Redundant interfaces. • On FortiGate 100A and 200A models of Rev2.0 and higher and on all 60B models, software switch is a valid type. You cannot edit this type in the GUI. • FortiWiFi models support up to four SSIDs by adding up to three wireless interfaces (for a total of four wireless interfaces). Other models support creation of VLAN interfaces only and have no Type field. You cannot change the type of an existing interface.

Interface

Select the name of the physical interface on which to create the VLAN. Once created, the VLAN subinterface is listed below its physical interface in the Interface list. You cannot change the interface of an existing VLAN subinterface. This field is only displayed when Type is set to VLAN.

VLAN ID

Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. You cannot change the VLAN ID of an existing VLAN subinterface. The VLAN ID can be any number between 1 and 4094 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface. For more information, see “VLAN overview” on page 150. This field is only displayed when Type is set to VLAN.

Virtual Domain Select the virtual domain to which this VLAN subinterface belongs. Admin accounts with super-admin profile can change the VDOM for a VLAN when VDOM configuration is enabled. For more information, see “Using virtual domains” on page 103.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

125

Interfaces

System Network

Physical Interface Members

This section has two different forms depending on the interface type: • Software switch interface - this section is a display-only field showing the interfaces that belong to the software switch virtual interface • 802.3ad aggregate or Redundant interface - this section includes available interface and selected interface lists to enable adding or removing interfaces from the interface.

Available Interfaces

Select interfaces from this list to include in the grouped interface - either redundant or aggregate interface. Select the right arrow to add an interface to the grouped interface.

Selected interfaces

These interfaces are included in the aggregate or redundant interface. Select the left arrow to remove an interface from the grouped interface. For redundant interfaces, the interfaces will be activated during failover from the top of the list to the bottom

Addressing mode

Select the type of addressing mode as Manual, DHCP, or PPPoE. To configure a static IP address for the interface, select Manual. By default, low-end models are configured to DHCP addressing mode with Override Internal DNS and Retrieve default Gateway from DHCP server both enabled. These settings allow for easy out-of-the-box configuration. You can also configure the interface for dynamic IP address assignment. For more information, see “Configuring DHCP on an interface” on page 130 or “Configuring an interface for PPPoE” on page 131.

IP/Netmask

Enter the IP address/subnet mask in the IP/Netmask field. The IP address must be on the same subnet as the network to which the interface connects. Two interfaces cannot have IP addresses on the same subnet. This field is only available when Manual addressing mode is selected.

DDNS

Select DDNS to configure a Dynamic DNS service for this interface. For more information, see “Configuring Dynamic DNS on an interface” on page 132.

Ping Server

To enable dead gateway detection, enter the IP address of the next hop router on the network connected to the interface and select Enable. For more information, see “Dead gateway detection” on page 146.

Explicit Web Proxy

Select to enable explicit web proxying on this interface. When enabled, this interface will be displayed on System > Network > Web Proxy under Listen on Interfaces and web traffic on this interface will be proxied according to the Web Proxy settings. For more information, see “Web Proxy” on page 147.

Administrative Select the types of administrative access permitted on this interface. Access

126

HTTPS

Allow secure HTTPS connections to the web-based manager through this interface.

PING

Interface responds to pings. Use this setting to verify your installation and for testing.

HTTP

Allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.

SSH

Allow SSH connections to the CLI through this interface.

SNMP

Allow a remote SNMP manager to request SNMP information by connecting to this interface. See “Configuring SNMP” on page 186.

TELNET

Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Network

Interfaces

MTU

To change the MTU, select Override default MTU value (1 500) and enter the MTU size based on the addressing mode of the interface • 68 to 1 500 bytes for static mode • 576 to 1 500 bytes for DHCP mode • 576 to 1 492 bytes for PPPoE mode • up to 16 110 bytes for jumbo frames (on FortiGate models that support jumbo frames) • NP2-accelerated interfaces support a jumbo frame limit of 16 000 bytes • FA2-accelerated interfaces do not support jumbo frames This field is available only on physical interfaces. VLANs inherit the parent interface MTU size by default. For more information on MTU and jumbo frames, see “Interface MTU packet size” on page 135.

Secondary IP Address

Add additional IP addresses to this interface. Select the blue arrow to expand or hide the section. See “Secondary IP Addresses” on page 136.

Description

Enter a description up to 63 characters.

Administrative Select either Up (green arrow) or Down (red arrow) as the status of this interface. Status Up indicates the interface is active and can accept network traffic. Down indicates the interface is not active and cannot accept traffic. Note: In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU.

To configure a specific type of interface, refer to the appropriate section. To configure: •

an aggregate interface, see “Creating an 802.3ad aggregate interface” on page 127.

•

a redundant interface, see “Creating a redundant interface” on page 128.

•

a VLAN subinterface, see “FortiGate units and VLANs” on page 151.

•

a wireless interface, see “Adding a wireless interface” on page 163.

Creating an 802.3ad aggregate interface You can aggregate (combine) two or more physical interfaces to increase bandwidth and provide some link redundancy. An aggregate interface provides more bandwidth but also creates more points of failure than redundant interfaces. The interfaces must connect to the same next-hop routing destination. Support of the IEEE standard 802.3ad for link aggregation is part of FortiGate firmware on models 300A, 310B, 400A, 500A, 620B, and models 800 and higher. An interface is available to be an aggregate interface if: •

it is a physical interface, not a VLAN interface

•

it is not already part of an aggregate or redundant interface

•

it is in the same VDOM as the aggregated interface

•

it does not have a IP address and is not configured for DHCP or PPPoE

•

it does not have a DHCP server or relay configured on it

•

it does not have any VLAN subinterfaces

•

it is not referenced in any firewall policy, VIP, IP Pool or multicast policy

•

it is not an HA heartbeat interface

•

it is not one of the FortiGate 5000 series backplane interfaces

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

127

Interfaces

System Network

Note: You can add an accelerated interface (FA2 interfaces) to an aggregate link, but you will lose the acceleration. For example, if you aggregate two accelerated interfaces you will get slower throughput than if the two interfaces were separate.

Note: FortiGate-5000 backplane interfaces have to be made visible before they can be added to an aggregate or a redundant interface.

When an interface is included in an aggregate interface, it is not listed on the System > Network > Interface screen. You cannot configure the interface individually and it is not available for inclusion in firewall policies, VIPs, IP pools, or routing. Figure 59: Settings for an 802.3ad aggregate interface

To create an 802.3ad Aggregate interface 1 Go to System > Network > Interface. 2 Select Create New. 3 In the Name field, enter a name for the aggregated interface. The interface name must be different from any other interface, zone or VDOM. 4 From the Type list, select 802.3ad Aggregate. 5 In the Available Interfaces list, select each interface that you want to include in the aggregate interface and move it to the Selected Interfaces list. 6 If this interface operates in NAT/Route mode, you need to configure addressing for it. For information about dynamic addressing, see: • “Configuring DHCP on an interface” on page 130 • “Configuring an interface for PPPoE” on page 131 7 Configure other interface options as required. 8 Select OK.

Creating a redundant interface You can combine two or more physical interfaces to provide link redundancy. This feature allows you to connect to two or more switches to ensure connectivity in the event one physical interface or the equipment on that interface fails.

128

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Network

Interfaces

In a redundant interface, traffic is only going over one interface at any time. This differs from an aggregated interface where traffic is going over all interfaces for increased bandwidth. This difference means redundant interfaces can have more robust configurations with fewer possible points of failure. This is important in a fully-meshed HA configuration. FortiGate firmware on models 300A, 310B, 400A, 500A, 620B, and models 800 and higher implements redundant interfaces. An interface is available to be in a redundant interface if: •

it is a physical interface, not a VLAN interface

•

it is not already part of an aggregated or redundant interface

•

it is in the same VDOM as the redundant interface

•

it has no defined IP address and is not configured for DHCP or PPPoE

•

it has no DHCP server or relay configured on it

•

it does not have any VLAN subinterfaces

•

it is not referenced in any firewall policy, VIP, IP Pool or multicast policy

•

it is not monitored by HA

•

it is not one of the FortiGate 5000 series backplane interfaces Note: FortiGate-5000 backplane interfaces have to be made visible before they can be added to an aggregate or a redundant interface.

When an interface is included in a redundant interface, it is not listed on the System > Network > Interface page. You cannot configure the interface individually and it is not available for inclusion in firewall policies, VIPs, IP pools, or routing. Figure 60: Settings for a redundant interface

To create a redundant interface 1 Go to System > Network > Interface. 2 Select Create New. 3 In the Name field, enter a name for the redundant interface. The interface name must different from any other interface, zone or VDOM. 4 From the Type list, select Redundant Interface.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

129

Interfaces

System Network

5 In the Available Interfaces list, select each interface that you want to include in the redundant interface and move it to the Selected Interfaces list. In a failover situation, the interface activated will be the next interface down the Selected Interfaces list. 6 If this interface operates in NAT/Route mode, you need to configure addressing for it. For information about dynamic addressing, see: • “Configuring DHCP on an interface” on page 130 • “Configuring an interface for PPPoE” on page 131 7 Configure other interface options as required. 8 Select OK.

Configuring DHCP on an interface If you configure an interface to use DHCP, the FortiGate unit automatically broadcasts a DHCP request. The interface is configured with the IP address and any DNS server addresses and default gateway address that the DHCP server provides. By default, low-end models are configured to DHCP addressing mode with Override Internal DNS and Retrieve default Gateway from DHCP server both enabled. These settings allow for easy out-of-the-box configuration. To configure DHCP on an interface 1 Go to System > Network > Interface. 2 Select Create New or select the Edit icon of an existing interface. 3 In the Addressing mode section, select DHCP. Figure 61: Interface DHCP settings

Status

130

Displays DHCP status messages as the FortiGate unit connects to the DHCP server and gets addressing information. Select Status to refresh the addressing mode status message. Only displayed if you selected Edit. Status can be one of: • initializing - No activity. • connecting - interface attempts to connect to the DHCP server. • connected - interface retrieves an IP address, netmask, and other settings from the DHCP server. • failed - interface was unable to retrieve an IP address and other settings from the DHCP server.

Obtained IP/Netmask

The IP address and netmask leased from the DHCP server. Only displayed if Status is connected.

Renew

Select to renew the DHCP license for this interface. Only displayed if Status is connected.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Network

Interfaces

Expiry Date

The time and date when the leased IP address and netmask is no longer valid. Only displayed if Status is connected.

Default Gateway

The IP address of the gateway defined by the DHCP server. Only displayed if Status is connected, and if Receive default gateway from server is selected,.

Distance

Enter the administrative distance for the default gateway retrieved from the DHCP server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.

Retrieve default gateway from server

Enable to retrieve a default gateway IP address from the DHCP server. The default gateway is added to the static routing table. Enabled by default on low-end models.

Override internal DNS

Enable to use the DNS addresses retrieved from the DHCP server instead of the DNS server IP addresses on the DNS page. On low end models, this is enabled by default. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.

Connect to Server

Enable so that the interface automatically attempts to connect to a DHCP server. Disable this option if you are configuring the interface offline.

Configuring an interface for PPPoE If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoErequest. When configuring the FortiGate unit offline and you do not want the FortiGate unit to send the PPPoE request, do not enable Connect to Server. FortiGate units support many PPPoE RFC features (RFC 2516) including unnumbered IPs, initial discovery timeout and PPPoE Active Discovery Terminate (PADT). To configure an interface for PPPoE 1 Go to System > Network > Interface. 2 Select Create New or select the Edit icon of an existing interface. 3 In the Addressing mode section, select PPPoE. Figure 62: Interface PPPoE settings

Status

initializing

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Displays PPPoE status messages as the FortiGate unit connects to the PPPoE server and gets addressing information. Select Status to refresh the addressing mode status message. Only displayed if you selected Edit. Status can be one of the following 4 messages. No activity.

131

Interfaces

System Network

connecting

The interface is attempting to connect to the PPPoE server.

connected

The interface retrieves an IP address, netmask, and other settings from the PPPoE server. When the status is connected, PPPoE connection information is displayed.

failed

The interface was unable to retrieve an IP address and other information from the PPPoE server.

Reconnect

Select to reconnect to the PPPoE server. Only displayed if Status is connected.

User Name

The PPPoE account user name.

Password

The PPPoE account password.

Unnumbered IP

Specify the IP address for the interface. If your ISP has assigned you a block of IP addresses, use one of them. Otherwise, this IP address can be the same as the IP address of another interface or can be any IP address.

Initial Disc Timeout Enter Initial discovery timeout. Enter the time to wait before starting to retry a PPPoE discovery. Initial PADT timeout Enter Initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. PADT must be supported by your ISP. Set initial PADT timeout to 0 to disable. Distance

Enter the administrative distance for the default gateway retrieved from the PPPoE server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.

Retrieve default gateway from server

Enable to retrieve a default gateway IP address from a PPPoE server. The default gateway is added to the static routing table.

Override internal DNS

Enable to replace the DNS server IP addresses on the System DNS page with the DNS addresses retrieved from the PPPoE server. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.

Connect to server

Enable Connect to Server so that the interface automatically attempts to connect to a PPPoE server when you select OK or Apply. Disable this option if you are configuring the interface offline.

Configuring Dynamic DNS on an interface When the FortiGate unit has a static domain name and a dynamic public IP address, you can use a DDNS service to update Internet DNS servers when the IP address for the domain changes. Dynamic DNS is available only in NAT/Route mode. To configure DDNS on an interface 1 Get the DDNS configuration information from your DDNS service. 2 Go to System > Network > Interface. 3 Select Create New. 4 Enable DDNS. 5 Enter DDNS configuration information. If at any time your Fortigate unit cannot contact the DDNS server, it will retry three times at one minute intervals and then change to retrying at three minute intervals. This is to prevent flooding the DDNS server.

132

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Network

Interfaces

Figure 63: DDNS service configuration

Server

Select a DDNS server to use. The client software for these services is built into the FortiGate firmware. The FortiGate unit can connect only to one of these services.

Domain

Enter the fully qualified domain name of the DDNS service.

Username

Enter the user name to use when connecting to the DDNS server.

Password

Enter the password to use when connecting to the DDNS server.

Configuring a virtual IPSec interface You create a virtual IPSec interface by selecting IPSec Interface Mode by going to VPN > IPSec > Auto Key or VPN > IPSec > Manual Key when you create a VPN. You also select a physical or VLAN interface from the Local Interface list. The virtual IPSec interface is listed as a subinterface of that interface by going to System > Network > Interface. For more information, see •

“Overview of IPSec VPN configuration” on page 531

•

“Auto Key” on page 533 or “Manual Key” on page 541

Go to System > Network > Interface and select Edit on an IPSec interface to: •

configure IP addresses for the local and remote endpoints of the IPSec interface so that you can run dynamic routing over the interface or use ping to test the tunnel

•

enable administrative access through the IPSec interface

•

enter a description for the interface

Figure 64: Virtual IPSec interface settings

Name

The name of the IPSec interface.

Virtual Domain

Select the VDOM of the IPSec interface.

IP Remote IP

If you want to use dynamic routing with the tunnel or be able to ping the tunnel interface, enter IP addresses for the local and remote ends of the tunnel. These two addresses must not be used anywhere else in the network.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

133

Interfaces

System Network

Administrative Access

Select the types of administrative access permitted on this interface.

HTTPS

Allow secure HTTPS connections to the web-based manager through this interface.

PING

Allow the interface to respond to pings. Use this setting to verify your installation and for testing.

HTTP

Allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.

SSH

Allow SSH connections to the CLI through this interface.

SNMP

Allow a remote SNMP manager to request SNMP information by connecting to this interface. See “Configuring SNMP” on page 186.

TELNET

Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.

Description

Enter a description of the interface. It can be up to 63 characters.

Configuring interfaces with CLI commands While nearly all types of interfaces can be configured from the GUI interface, a few, such as loopback and soft switch interface, can only be configured using CLI commands. Virtual interfaces are not connected to any physical devices or cables outside the FortiGate unit. They allow additional connections inside the FortiGate unit, which allow for more complex configurations. Virtual interfaces also have the added benefit of speed. Depending on the CPU load, virtual interfaces are consistently faster than physical interfaces.

Loopback interface A loopback interface is an ‘always up’ virtual interface that is not connected to any other interfaces. Loopback interfaces connect to a Fortigate unit’s interface IP address without depending on a specific external port. A loopback interface is not connected to hardware, so it is not affected by hardware problems. As long as the FortiGate unit is functioning, the loopback interface is active. This ‘always up’ feature is useful in dynamic routing where the Fortigate unit relies on remote routers and the local Firewall policies to access to the loopback interface. The CLI command to configure a loopback interface called loop1 with an IP address of 10.0.0.10 is:

config system interface edit loop1 set type loopback set ip 10.0.0.10 255.255.255.0 end For more information, see config system interface in the FortiGate CLI Reference.

Software switch interface A software switch interface forms a simple bridge between two or more physical or wireless FortiGate interfaces. The interfaces added to a soft switch interface are called members. The members of a switch interface cannot be accessed as an individual interface after being added to a soft switch interface. They are removed from the system interface table.

134

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Network

Interfaces

Similar to aggregate interfaces, a soft switch interface functions like a normal interface. A soft switch interface has one IP address. You create firewall policies to and from soft switch interfaces and soft switch interfaces can be added to zones. There are some limitations; soft switch interfaces cannot be monitored by HA or used as HA heartbeat interfaces. To add interfaces to a software switch group, no configuration settings can refer to those interfaces. This includes default routes, VLANs, inter-VDOM links, and policies. You can view available interfaces on the CLI when entering the ‘set member ’ command by using ‘?’ or to scroll through the available list. The CLI command to configure a software switch interface called soft_switch with port1, external and dmz interfaces is: config system switch-interface edit soft_switch set members port1 external dmz end For more information, see config system switch-interface in the FortiGate CLI Reference.

Administrative access to an interface Administrative access is how an administrator can connect to the FortiGate unit to view and change configuration settings. Two methods of administrative access are HTTPS and SSH. You can allow remote administration of the FortiGate unit running in NAT/Route mode, but allowing remote administration from the Internet could compromise the security of the FortiGate unit. You should avoid this unless it is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet: •

Use secure administrative user passwords.

•

Change these passwords regularly.

•

Enable secure administrative access to this interface using only HTTPS or SSH.

•

Do not change the system idle timeout from the default value of 5 minutes (see “Settings” on page 228).

For more information on configuring administrative access in Transparent mode, see “Operation mode and VDOM management access” on page 206. To control administrative access to an interface 1 Go to System > Network > Interface. 2 Choose an interface and select Edit. 3 Select the Administrative Access methods for the interface. 4 Select OK.

Interface MTU packet size To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits. Ideally, the MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets. If the packets that the FortiGate unit sends are larger than the smallest MTU, they are broken up or fragmented, which slows down transmission. Experiment by lowering the MTU to find an MTU size for optimum network performance.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

135

Interfaces

System Network

FortiGate models numbered 3 000 and higher support jumbo frames - frames larger than the traditional 1 500 bytes. Some models support a jumbo frame limit of 9 000 bytes while others support 16 110 bytes. NP2-accelerated interfaces support a jumbo frame limit of 16 000 bytes. FA2-accelerated interfaces do not support jumbo frames. Jumbo frames are much larger than the maximum standard Ethernet frames (packets) size of 1 500 bytes. As new Ethernet standards have been implemented (such as Gigabit Ethernet), 1 500 byte frames remain in the standard for backward compatibility. To be able to send jumbo frames over a route, all Ethernet devices on that route must support jumbo frames, otherwise your jumbo frames are not recognized and are dropped. If you have standard ethernet and jumbo frame traffic on the same interface, routing alone cannot route them to different routes based only on frame size. However you can use VLANs to make sure the jumbo frame traffic is routed over network devices that support jumbo frames. VLANs will inherit the MTU size from the parent interface. You will need to configure the VLAN to include both ends of the route as well as all switches and routers along the route. For more information on VLAN configurations, see the VLAN and VDOM guide. To change the MTU size of the packets leaving an interface 1 Go to System > Network > Interface. 2 Choose a physical interface and select Edit. 3 Below Administrative Access, select Override default MTU value (1 500). 4 Set the MTU size. If you select an MTU size larger than your FortiGate unit supports, an error message will indicate this. In this situation, try a smaller MTU size until the value is supported. Supported maximums are 16 110, 9 000, and 1 500. Note: If you change the MTU, you need to reboot the FortiGate unit to update the MTU value of VLAN subinterfaces on the modified interface.

Note: In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU.

See also

Secondary IP Addresses An interface can be assigned more than one IP address. You can create and apply separate firewall policies for each IP address on an interface. You can also forward traffic and use RIP or OSPF routing with secondary IP addresses. There can be up to 32 secondary IP addresses per interface including primary, secondary, and any other IP addresses assigned to the interface. Primary and secondary IP addresses can share the same ping generator. The following restrictions must be in place before you are able to assign a secondary IP address:

136

•

A primary IP address must be assigned to the interface.

•

The interface must use manual addressing mode.

•

By default, IP addresses cannot be part of the same subnet. To allow interface subnet overlap use the CLI command:

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Network

Interfaces

config system global set allow-interface-subnet-overlap enable end You can use the CLI command config system interface to add a secondary IP address to an interface. For more information, see config secondaryip under system interface in the FortiGate CLI Reference. Figure 65: Adding Secondary IP Addresses

IP/Netmask

Enter the IP address/subnet mask in the IP/Netmask field. The Secondary IP address must be on a different subnet than the Primary IP address. This field is only available in Manual addressing mode.

Ping Server

To enable dead gateway detection, enter the IP address of the next hop router on the network connected to the interface and select Enable. See “Dead gateway detection” on page 146. Multiple addresses can share the same ping server.

Administrative Access

Select the types of administrative access permitted on the secondary IP. These can be different from the primary address.

HTTPS

Allow secure HTTPS connections to the web-based manager through this secondary IP.

PING

Allow secondary IP to respond to pings. Use this setting to verify your installation and for testing.

HTTP

Allow HTTP connections to the web-based manager through this secondary IP. HTTP connections are not secure and can be intercepted by a third party.

SSH

Allow SSH connections to the CLI through this secondary IP.

SNMP

Allow a remote SNMP manager to request SNMP information by connecting to this secondary IP. See “Configuring SNMP” on page 186.

TELNET

Allow Telnet connections to the CLI through this secondary IP. Telnet connections are not secure and can be intercepted by a third party.

Add

Select Add to add the configured secondary IP address to the secondary IP table. Addresses in this table are not added to the interface until you select OK or Apply.

Secondary IP table

A table that displays all the secondary IP addresses that have been added to this interface. These addresses are not permanently added to the interface until you select OK or Apply.

#

The identifying number of the secondary IP address.

IP/Netmask

The IP address and netmask for the secondary IP.

Ping Server

The IP address of the ping server for the address. The ping server can be shared by multiple addresses.

Enable

Indicates if the ping server option is selected.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

137

Configuring zones

System Network

Access

The administrative access methods for this address. They can be different from the primary IP address.

Delete Icon

Select to remove this secondary IP entry.

Note: It is recommended that after adding a secondary IP, you refresh the secondary IP table and verify your new address is listed. If not, one of the restrictions (have a primary IP address, use manual addressing mode, more than one IP on the same subnet, more than 32 IP addresses assigned to the interface, etc.) prevented the address from being added.

See also

Configuring zones Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation. You can configure policies for connections to and from a zone, but not between interfaces in a zone. You can add zones, rename and edit zones, and delete zones from the zone list. When you add a zone, you select the names of the interfaces and VLAN subinterfaces to add to the zone. Zones are configured from virtual domains. If you have added multiple virtual domains to your FortiGate configuration, make sure you are configuring the correct virtual domain before adding or editing zones. Figure 66: Zone list

Create New

Select to create a new zone.

Name

Names of the zones.

Block intra-zone traffic

Displays Yes if traffic between interfaces in the same zone is blocked and No if traffic between interfaces in the same zone is not blocked.

Interface Members

Names of the interfaces added to the zone. Interface names depend on the FortiGate model.

Edit/View icons

Edit or view a zone.

Delete icon

Delete a zone.

To configure zone settings 1 Go to System > Network > Zone. 2 Select Create New or select the Edit icon for a zone. 3 Select name, and interfaces. 4 Select OK.

138

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Network

Configuring the modem interface

Figure 67: Zone settings

Zone Name

Enter the name to identify the zone.

Block intra-zone traffic Select to block traffic between interfaces or VLAN subinterfaces in the same zone. Interface members

Select the interfaces that are part of this zone. This list includes configured VLANs.

Configuring the modem interface All FortiGate models with a USB interface support USB modems, and FortiGate-50 series and FortiGate-60 series modules include a serial modem port. In NAT/Route mode the modem can be in one of two modes: •

In redundant (backup) mode, the modem interface automatically takes over from a selected ethernet interface when that ethernet interface is unavailable.

•

In standalone mode, the modem interface is the connection from the FortiGate unit to the Internet.

In redundant or standalone mode when connecting to the ISP, you can configure the FortiGate unit to automatically have the modem dial up to three dialup accounts until the modem connects to an ISP. Other models can connect to an external modem through a USB-to-serial converter. For these models, you must configure modem operation using the CLI. Initially modem interfaces are disabled, and must be enabled in the CLI to be visible in the web-based manager. See the system modem command in the FortiGate CLI Reference. Note: The modem interface is not the AUX port. While the modem and AUX port may appear similar, the AUX port has no associated interface and is used for remote console connection. The AUX port is only available on FortiGate models 1000A, 1000AFA2, and 3000A. For more information, see the config system aux command in the FortiGate CLI Reference.

This section describes: •

Configuring modem settings

•

Redundant mode configuration

•

Standalone mode configuration

•

Adding firewall policies for modem connections

•

Connecting and disconnecting the modem

•

Checking modem status

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

139

Configuring the modem interface

System Network

Configuring modem settings Configure modem settings so that the FortiGate unit uses the modem to connect to your ISP dialup accounts. You can configure up to three dialup accounts, select standalone or redundant operation, and configure how the modem dials and disconnects. For FortiGate-60B and FortiWifi-60B models with modems, the modem can be a management interface. When enabled, a user can dial into the unit’s modem and perform administration actions as if logged in over one of the standard interfaces. This feature is enabled in the CLI using

config system dialinsvr. If VDOMs are enabled, the modem can be assigned to one of the VDOMs just like the other interfaces. If the modem is disabled it will not appear in the interface list, and must be enabled from the CLI using: config system modem set status enable end

Note: You cannot configure and use the modem in Transparent mode.

Figure 68 shows the only the settings specific to standalone mode. The remaining settings are common to both standalone and redundant modes and are shown in Figure 69. Figure 68: Modem settings (Standalone)

140

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Network

Configuring the modem interface

Figure 69: Modem settings (Redundant)

Enable Modem

Select to enable the FortiGate modem.

Modem status

Modem status can be: not active, connecting, connected, disconnecting, or hung up.

Dial Now/Hang Up

(Standalone mode only) Select Dial Now to manually connect to a dialup account. If the modem is connected, you can select Hang Up to manually disconnect the modem.

Mode

Select Standalone or Redundant mode.

Auto-dial (Standalone mode)

Select to dial the modem automatically if the connection is lost or the FortiGate unit is restarted. You cannot select Auto-dial if Dial on demand is selected.

Dial on demand (Standalone mode)

Select to dial the modem when packets are routed to the modem interface. The modem disconnects after the idle timeout period if there is no network activity. You cannot select Dial on demand if Auto-dial is selected.

Idle timeout (Standalone mode)

Enter the timeout duration in minutes. After this period of inactivity, the modem disconnects.

Redundant for (Redundant mode)

Select the ethernet interface for which the modem provides backup service.

Holddown Timer (Redundant mode)

(Redundant mode only) Enter the time (1-60 seconds) that the FortiGate unit waits before switching back to the primary interface from the modem interface, after the primary interface has been restored. The default is 1 second. Configure a higher value if you find the FortiGate unit switching repeatedly between the primary interface and the modem interface.

Redial Limit

The maximum number of times (1-10) that the FortiGate unit modem attempts to reconnect to the ISP if the connection fails. The default redial limit is 1. Select None to have no limit on redial attempts.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

141

Configuring the modem interface

System Network

Wireless Modem

Display a connected wireless modem if available.

Supported Modems Select to view a list of supported modems. Usage History

Dialup Account

Display connections made on the modem interface. Information displayed about connections includes: • date and time • duration of the connection in hours, minutes, and seconds • IP address connected to • traffic statistics including received, sent, and total • current status of the connection Configure up to three dialup accounts. The FortiGate unit tries connecting to each account in order until a connection can be established. The active dialup account is indicated with a green check mark.

Phone Number

The phone number required to connect to the dialup account. Do not add spaces to the phone number. Make sure to include standard special characters for pauses, country codes, and other functions as required by your modem to connect to your dialup account.

User Name

The user name (maximum 63 characters) sent to the ISP.

Password

The password sent to the ISP.

To configure the modem in Redundant mode, see “Redundant mode configuration” on page 142. To configure the modem in Standalone mode, see “Standalone mode configuration” on page 143.

Redundant mode configuration In redundant mode the modem interface backs up a selected ethernet interface. If that ethernet interface disconnects from its network, the modem automatically dials the configured dialup accounts. When the modem connects to a dialup account, the FortiGate unit routes IP packets normally destined for the selected ethernet interface to the modem interface. The FortiGate unit disconnects the modem interface and switches back to the ethernet interface when the ethernet interface is able to connect to its network. You can set a holddown timer that delays the switch back to the ethernet interface to ensure it is stable and fully active before switching the traffic. The modem will disconnect after a period of network inactivity set by the value in idle timeout. This saves money on dialup connection charges. For the FortiGate unit to be able to switch from an ethernet interface to the modem, you must select the name of the interface in the modem configuration and configure a ping server for that interface. You must also configure firewall policies for connections between the modem interface and other FortiGate interfaces. Note: Do not add policies for connections between the modem interface and the ethernet interface that the modem is backing up.

To configure redundant mode 1 Go to System > Network > Modem. 2 Select Redundant mode. 3 Enter the following information:

142

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Network

Configuring the modem interface

Redundant for

From the list, select the interface to back up.

Holddown timer

Enter the number of seconds to continue using the modem after the network connectivity is restored.

Redial Limit

Enter the maximum number of times to retry if the ISP does not answer.

Dialup Account 1 Dialup Account 2 Dialup Account 3

Enter the ISP phone number, user name and password for up to three dialup accounts.

4 Select Apply. 5 Configure a ping server for the ethernet interface the modem backs up. See “To add a ping server to an interface” on page 146. 6 Configure firewall policies for network connectivity through the modem interface. See “Adding firewall policies for modem connections” on page 144.

Standalone mode configuration In standalone mode, the modem connects to a dialup account to provide a connection to the Internet. You can configure the modem to dial when the FortiGate unit restarts or when there are unrouted packets. You can also hang up or redial the modem manually. If the connection to the dialup account fails, the FortiGate unit will redial the modem. The modem redials the number of times specified by the redial limit, or until it connects to a dialup account. The modem will disconnect after a period of network inactivity set by the value in idle timeout. This saves money on dialup connection charges. You must configure firewall policies for connections between the modem interface and other FortiGate interfaces. You must also go to Router > Static to configure static routes to route traffic to the modem interface. For example, if the modem interface is acting as the FortiGate unit external interface you must set the device setting of the FortiGate unit default route to modem. To configure standalone mode 1 Go to System > Network > Modem. 2 Select Standalone mode. 3 Enter the following information: Auto-dial

Select if you want the modem to dial when the FortiGate unit restarts.

Dial on demand

Select if you want the modem to connect to its ISP whenever there are unrouted packets.

Idle timeout

Enter the timeout duration in minutes. After this period of inactivity, the modem disconnects.

Redial Limit

Enter the maximum number of times to retry if the ISP does not answer.

Dialup Account 1 Enter the ISP phone number, user name and password for up to three Dialup Account 2 dialup accounts. Dialup Account 3

4 Select Apply. 5 Configure firewall policies for network connectivity through the modem interface. See “Adding firewall policies for modem connections” on page 144.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

143

Configuring the modem interface

System Network

6 Go to Router > Static and set device to modem to configure static routes to route traffic to the modem interface. See “Adding a static route to the routing table” on page 284.

Adding firewall policies for modem connections The modem interface requires firewall addresses and policies. You can add one or more addresses to the modem interface. For information about adding addresses, see “Configuring addresses” on page 347. You can configure firewall policies to control the flow of packets between the modem interface and the other interfaces on the FortiGate unit. For information on configuring firewall policies, see “Configuring firewall policies” on page 323.

Connecting and disconnecting the modem Note: The modem must be in Standalone mode before connecting or disconnecting from a dialup account.

To connect to a dialup account 1 Go to System > Network > Modem. 2 Select Enable USB Modem. 3 Verify the information in Dialup Accounts. 4 Select Apply. 5 Select Dial Now. The FortiGate unit dials into each dialup account in turn until the modem connects to an ISP. To disconnect from a dialup account 1 Go to System > Network > Modem. 2 Select Hang Up to disconnect the modem.

Checking modem status You can determine the connection status of your modem and which dialup account is active. If the modem is connected to the ISP, you can see the IP address and netmask. To check the modem status, go to System > Network > Modem. Modem status is one of the following: not active

The modem is not connected to the ISP.

connecting

The modem is attempting to connect to the ISP.

connected

The modem is connected to the ISP.

disconnecting

The modem is disconnecting from the ISP.

hung up

The modem has disconnected from the ISP. (Standalone mode only) The modem will not redial unless you select Dial Now.

A green check mark indicates the active dialup account. The IP address and netmask assigned to the modem interface appears on the System Network Interface screen of the web-based manager.

144

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Network

Configuring Networking Options

Configuring Networking Options Network options include DNS server and dead gateway detection settings. To configure network options 1 Go to System > Network > Options. 2 Enter primary and secondary DNS servers. 3 Enter local domain name. 4 Enter Dead Gateway Detection settings. 5 Select OK. Figure 70: Configuring Networking Options - FortiGate models 200 and higher

Figure 71: Configuring Networking Options - FortiGate models 100 and lower

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

145

Configuring Networking Options

System Network

Obtain DNS server address This option applies only to FortiGate models 100 and lower. automatically Select to obtain the DNS server IP address when DHCP is used on an interface, also obtain the DNS server IP address. Available only in NAT/Route mode. You should also enable Override internal DNS in the DHCP settings of the interface. See “Configuring DHCP on an interface” on page 130. Use the following DNS server addresses

This option applies only to FortiGate models 100 and lower. Use the specified Primary DNS Server and Secondary DNS Server addresses.

Primary DNS Server

Enter the primary DNS server IP address.

Secondary DNS Server

Enter the secondary DNS server IP address.

Local Domain Name

Enter the domain name to append to addresses with no domain portion when performing DNS lookups.

Enable DNS forwarding from

This option applies only to FortiGate models 100 and lower operating in NAT/Route mode. Select the interfaces that forward DNS requests they receive to the configured DNS servers.

Dead Gateway Detection

Dead gateway detection confirms connectivity using a ping server added to an interface configuration. For information about adding a ping server to an interface, see “Dead gateway detection” on page 146.

Detection Interval

Enter a number in seconds to specify how often the FortiGate unit pings the target.

Fail-over Detection

Enter the number of times that the ping test fails before the FortiGate unit assumes that the gateway is no longer functioning.

DNS Servers Several FortiGate functions use DNS, including alert email and URL blocking. You can specify the IP addresses of the DNS servers to which your FortiGate unit connects. DNS server IP addresses are usually supplied by your ISP. You can configure FortiGate models numbered 100 and lower to obtain DNS server addresses automatically. To obtain these addresses automatically, at least one FortiGate unit interface must use the DHCP or PPPoE addressing mode. See “Configuring DHCP on an interface” on page 130 or “Configuring an interface for PPPoE” on page 131. FortiGate models 100 and lower can provide DNS Forwarding on their interfaces. Hosts on the attached network use the interface IP address as their DNS server. DNS requests sent to the interface are forwarded to the DNS server addresses that you configured or that the FortiGate unit obtained automatically.

Dead gateway detection Dead gateway detection periodically pings a ping server to confirm network connectivity. Typically, the ping server is the next-hop router that leads to an external network or the Internet. The ping period (Detection Interval) and the number of failed pings that is considered to indicate a loss of connectivity (Fail-over Detection) are set in System > Network > Options. To apply dead gateway detection to an interface, you must configure a ping server for that interface. To add a ping server to an interface 1 Go to System > Network > Interface. 2 Choose an interface and select Edit. 3 Set Ping Server to the IP address of the next hop router on the network.

146

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Network

Web Proxy

4 Select Enable. 5 Select OK.

Web Proxy You can use the Web Proxy settings and FortiGate interface settings to enable explicit HTTP and HTTPS proxying on one or more interfaces. When enabled, the FortiGate unit becomes a web proxy server. All HTTP and HTTPS session received by interfaces with Explicit web proxy enabled are intercepted by the explicit web proxy relayed to their destinations. To use the explicit proxy, users must add the IP address of a FortiGate interface and the explicit proxy port number to the proxy configuration settings of their web browsers. On FortiGate units that support WAN optimization you can also enable web caching for the explicit proxy. For more information, see “Web caching” on page 610. To enable explicit web proxy on an interface, go to System > Network > Interface, select the interface, and enable explicit web proxy. If VDOMs are enabled, only interfaces that belong to the current VDOM and have explicit web proxy enabled will be displayed. If you enable the web proxy on an interface that has VLANs on it, the VLANs will only be enabled for web proxy if you manually enable each of them. Web proxy is not in the Global Network section when VDOMs are enabled. Note: To enable protection profiles for explicit web proxy traffic, you must configure 2 VDOMs and use inter-VDOM routing to pass the web traffic between them.

Web proxies are configured for each VDOM when VDOMs are enabled. To configure web proxies go to System > Network > Web Proxy. Figure 72: Configuring Web Proxy settings

Proxy FQDN

Enter the fully qualified domain name (FQDN) for the proxy server. This is the domain name to enter into browsers to access the proxy server.

Max HTTP request length

Enter the maximum length of an HTTP request. Larger requests will be rejected.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

147

Web Proxy

System Network

Max HTTP message length

Enter the maximum length of an HTTP message. Larger messages will be rejected.

Add headers to Forwarded Requests

The web proxy server will forward HTTP requests to the internal network. You can include the following headers in those requests:

Client IP Header

Enable to include the Client IP Header from the original HTTP request.

Via Header

Enable to include the Via Header from the original HTTP request.

X-forwarded-for Header

Enable to include the X-Forwarded-For (XFF) HTTP header. The XFF HTTP header identifies the originating IP address of a web client or browser that is connecting through an HTTP proxy, and the remote addresses it passed through to this point.

Front-end HTTPS Header Enable to include the Front-end HTTP Header from the original HTTPS request. Explicit Web Proxy Options

Web proxies can be transparent or explicit. Transparent web proxy does not modify the web traffic in any way, but just forwards it to the destination. Explicit web proxy can modify web traffic to provide extra services and administration. Explicit web proxy is configured with the following options.

Enable Explicit Web Proxy

Enable the explicit web proxy.

Port

Enter the explicit web proxy server port. To use the explicit proxy, users must add this port to their web browser proxy configuration.

Listen on Interfaces

Displays the interfaces that are being monitored by the explicit web proxy server.

Unknown HTTP version

Select the action to take when the proxy server must handle an unknown HTTP version request or message. Choose from either Reject or Best Effort. The Reject option is more secure.

To enable the explicit web proxy on one or more interfaces To use the explicit web proxy, users must add a proxy server to their web browser configuration. The IP address of the proxy server would be the IP address of the FortiGate interface connected to their network (if the FortiGate unit is operating in NAT mode) or the management IP address (if the FortiGate unit is operating in transparent mode). The port number of the proxy server would be the same as the Explicit web proxy Port configured step 6 below. 1 Go to System > Network > Interface. 2 Select an interface to enable the explicit web proxy for. 3 Select Enable explicit web proxy, and save the changes. 4 Repeat to enable the explicit web proxy on all of the interfaces that users will connect to when web browsing. When you go to System > Network > Web Proxy, under Explicit web proxy you will see the interfaces that you enabled. Note: Only interfaces that have explicit web proxy enabled and are in the current VDOM will be displayed. If an interface has a VLAN subinterface configured, it must be enabled separately for explicit web proxy. Enabled interfaces will be displayed independent of explicit web proxy being enabled or not on the Web Proxy screen.

5 Go to System > Network > Web Proxy and select Enable Explicit Proxy. 6 Enter a Port number for the explicit proxy. For example, 8888. 7 Select Apply to save your changes.

148

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Network

Routing table (Transparent Mode)

To enable web caching for the explicit web proxy You can enable web caching for the explicit web proxy on FortiGate units that support WAN optimization and web caching. For more information, see “Web caching” on page 610. 1 Use the procedure “To enable the explicit web proxy on one or more interfaces” on page 148 to enable the explicit web proxy 2 Go to WAN Opt. & Cache > Cache and select Enable Cache Explicit Proxy. 3 Select Apply to save your changes. Web content requested by users using the explicit proxy are now cached by the FortiGate unit using the WAN optimization web cache.

Routing table (Transparent Mode) In NAT/Route mode the static routing table is located at System > Routing > Static, but in Transparent Mode that static routing table is located at System > Network > Routing Table. Adding a static route in Transparent Mode 1 Ensure your FortiGate unit is in Transparent mode. For more details see “Changing operation mode” on page 206. 2 Go to System > Network > Routing Table. 3 Select Create New. Figure 73: Static routing table - Transparent Mode

Create New

Add a new static route.

#

Position of the route in the routing table.

IP

The destination IP address for the route.

Mask

The netmask for the route.

Gateway

The IP address of the next hop router to which the route directs traffic.

Distance

The administration distance or relative preferability of the route. An administration distance of 1 is most preferred.

Delete icon

Remove a route.

View/edit icon

Edit or view a route.

Move To icon

Change the position of a route in the list.

Transparent mode route settings Configuring a static route in Transparent mode 1 Go to System > Network > Routing Table. 2 Select Create New. You can also select the Edit icon of an existing route to modify it. 3 Enter the Destination IP and netmask. 4 Enter the Gateway IP address. FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

149

VLAN overview

System Network

5 Enter the administrative distance. 6 Select OK. Figure 74: Transparent mode route settings

Destination IP /Mask Enter the destination IP address and netmask for the route. To create a default route, set the IP and netmask to 0.0.0.0. Gateway

Enter the IP address of the next hop router to which the route directs traffic. For an Internet connection, the next hop routing gateway routes traffic to the Internet.

Distance

The administration distance or relative preferability of the route. An administration distance of 1 is most preferred.

VLAN overview A VLAN is group of PCs, servers, and other network devices that communicate as if they were on the same LAN segment, regardless of their location. For example, the workstations and servers for an accounting department could be scattered throughout an office or city and connected to numerous network segments, but still belong to the same VLAN. A VLAN segregates devices logically instead of physically. Each VLAN is treated as a broadcast domain. Devices in VLAN 1 can connect with other devices in VLAN 1, but cannot connect with devices in other VLANs. The communication among devices on a VLAN is independent of the physical network. A VLAN segregates devices by adding 802.1Q VLAN tags to all of the packets sent and received by the devices in the VLAN. VLAN tags are 4-byte frame extensions that contain a VLAN identifier as well as other information. For more information on VLANs, see the FortiGate VLANs and VDOMs Guide.

150

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Network

VLANs in NAT/Route mode

Figure 75: Basic VLAN topology

Internet

Untagged packets Router VL AN 1 VL AN 2

VL AN 1

VLAN 1 network

VLAN switch

VL AN 2

VLAN 2 Network

FortiGate units and VLANs In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3 routers or firewalls add VLAN tags to packets. Packets passing between devices in the same VLAN are normally handled by layer-2 switches but can be handled by layer-3 devices. Packets passing between devices in different VLANs must be handled by a layer-3 device such as router, firewall, or layer-3 switch. Using VLANs, a single FortiGate unit can provide security services and control connections between multiple security domains. Traffic from each security domain is given a different VLAN ID. The FortiGate unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between security domains. The FortiGate unit can also apply policies, protection profiles, and other firewall features for network and VPN traffic that is allowed to pass between security domains.

VLANs in NAT/Route mode Operating in NAT/Route mode, the FortiGate unit functions as a layer-3 device to control the flow of packets between VLANs. The FortiGate unit can also remove VLAN tags from incoming VLAN packets and forward untagged packets to other networks, such as the Internet. FortiGate units in NAT/Route mode can use VLANs for constructing VLAN trunks between an IEEE 802.1Q-compliant switch (or router) and the FortiGate units. Normally the FortiGate unit internal interface connects to a VLAN trunk on an internal switch, and the external interface connects to an upstream Internet router. The FortiGate unit can then apply different policies for traffic on each VLAN that connects to the internal interface.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

151

VLANs in NAT/Route mode

System Network

When constructing VLAN trunks, you add VLAN subinterfaces that have VLAN IDs that match the VLAN IDs of packets in the VLAN trunk to the FortiGate internal interface. If the IDs don’t match, traffic will not be delivered. The FortiGate unit directs packets with VLAN IDs to subinterfaces with matching VLAN IDs. For example packets from the sending system VLAN ID#101 are delivered to the recipient system’s VLAN ID#101. You can also define VLAN subinterfaces on all FortiGate interfaces. The FortiGate unit can add VLAN tags to packets leaving a VLAN subinterface or remove VLAN tags from incoming packets and add different VLAN tags to outgoing packets.

Rules for VLAN IDs In NAT/Route mode, two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN IDs to different physical interfaces. There is no internal connection or link between two VLAN subinterfaces with same VLAN ID. Their relationship is the same as the relationship between any two FortiGate network interfaces.

Rules for VLAN IP addresses IP addresses of all FortiGate interfaces cannot overlap. That is, the IP addresses of all interfaces must be on different subnets. This rule applies to both physical interfaces and to VLAN subinterfaces. Note: If you are unable to change your existing configurations to prevent IP overlap, enter the CLI command config system global and set allow-interfacesubnet-overlap enable to allow IP address overlap. If you enter this command, multiple VLAN interfaces can have an IP address that is part of a subnet used by another interface. This command is recommended for advanced users only.

Figure 64 shows a simplified NAT/Route mode VLAN configuration. In this configuration, the FortiGate internal interface connects to a VLAN switch using an 802.1Q trunk and is configured with two VLAN subinterfaces (VLAN 100 and VLAN 200). The external interface connects to the Internet. The external interface is not configured with VLAN subinterfaces. When the VLAN switch receives packets from VLAN 100 and VLAN 200, it applies VLAN tags and forwards the packets to local ports and across the trunk to the FortiGate unit. The FortiGate unit is configured with policies that allow traffic to flow between VLANs and from the VLANs to the external network.

152

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Network

VLANs in NAT/Route mode

Figure 76: FortiGate unit in NAT/Route mode

Internet

Untagged packets External 172.16.21.2

FortiGate unit Internal 192.168.110.126

802.1Q trunk Fa 0/24

VLAN 100

Fa 0/9 Fa 0/3 VLAN switch

VLAN 200

VLAN 100 network 10.1.1.0

VLAN 200 network 10.1.2.0

Adding VLAN subinterfaces The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router. The VLAN ID can be any number between 1 and 4094, as 0 and 4095 are reserved. Each VLAN subinterface must also be configured with its own IP address and netmask. VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.

Note: A VLAN must not have the same name as a virtual domain or zone.

To add a VLAN subinterface in NAT/Route mode 1 Go to System > Network > Interface. 2 Select Create New. 3 Enter a Name to identify the VLAN subinterface. 4 Select the physical interface that receives the VLAN packets intended for this VLAN subinterface. 5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. 6 If you are an administrator with a super-admin profile, you can create VLAN subinterfaces for any virtual domain. If not, you can only create VLAN subinterfaces in your own VDOM. See “Using virtual domains” on page 103 for information about virtual domains. 7 Configure the VLAN subinterface settings. See “Interface settings” on page 123.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

153

VLANs in Transparent mode

System Network

8 Select OK. The FortiGate unit adds the new VLAN subinterface to the interface that you selected in step 4. To add firewall policies for a VLAN subinterface After you add a VLAN subinterface you can add firewall policies for connections between a VLAN subinterface or from a VLAN subinterface to a physical interface. 1 Go to Firewall > Address. 2 Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets. See “About firewall addresses” on page 345. 3 Go to Firewall > Policy. 4 Configure firewall policies as required.

VLANs in Transparent mode In Transparent mode, the FortiGate unit can apply firewall policies and services, such as authentication, protection profiles, and other firewall features, to traffic on an IEEE 802.1 VLAN trunk. You can insert the FortiGate unit into the trunk without making changes to the network. In a typical configuration, the FortiGate internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal VLANs. The FortiGate external interface forwards tagged packets through the trunk to an external VLAN switch or router that can be connected to the Internet. The FortiGate unit can be configured to apply different policies for traffic on each VLAN in the trunk. For VLAN traffic to be able to pass between the FortiGate internal and external interface you add a VLAN subinterface to the internal interface and another VLAN subinterface to the external interface. If these VLAN subinterfaces have the same VLAN IDs, the FortiGate unit applies firewall policies to the traffic on this VLAN. If these VLAN subinterfaces have different VLAN IDs, or if you add more than two VLAN subinterfaces, you can also use firewall policies to control connections between VLANs. If the network uses IEEE 802.1 VLAN tags to segment your network traffic, you can configure a FortiGate unit to provide security for network traffic passing between different VLANs. To support VLAN traffic in Transparent mode, you add virtual domains to the FortiGate unit configuration. A virtual domain consists of two or more VLAN subinterfaces or zones. In a virtual domain, a zone can contain one or more VLAN subinterfaces. When the FortiGate unit receives a VLAN tagged packet at an interface, the packet is directed to the VLAN subinterface with the matching VLAN ID. The VLAN subinterface removes the VLAN tag and assigns a destination interface to the packet based on its destination MAC address. The firewall policies for the source and destination VLAN subinterface pair are applied to the packet. If the packet is accepted by the firewall, the FortiGate unit forwards the packet to the destination VLAN subinterface. The destination VLAN ID is added to the packet by the FortiGate unit and the packet is sent to the VLAN trunk. Note: There is a maximum of 255 interfaces total allowed per VDOM in Transparent mode. This includes VLANs. If no other interfaces are configured for a VDOM, you can configure up to 255 VLANs in that VDOM.

Figure 77 shows a FortiGate unit operating in Transparent mode with 2 virtual domains and configured with three VLAN subinterfaces.

154

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Network

VLANs in Transparent mode

Figure 77: FortiGate unit with two virtual domains in Transparent mode FortiGate unit VLAN1

VLAN2 VLAN Switch or router

Internal VLAN1 VLAN2 VLAN3 VLAN trunk

root virtual domain

External VLAN1 VLAN2 VLAN3

VLAN1

VLAN1

VLAN trunk

New virtual domain VLAN2 VLAN2 VLAN3 VLAN3

Internet

VLAN Switch or router

VLAN3

Figure 78 shows a FortiGate unit operating in Transparent mode and configured with three VLAN subinterfaces. In this configuration, the FortiGate unit would provide virus scanning, web content filtering, and other services to each VLAN. Figure 78: FortiGate unit in Transparent mode

Internet

Router Untagged packets

VLAN Switch

VLAN Trunk

VL AN 1 VL AN 2 VL AN 3 FortiGate unit in Transparent mode

VLAN Trunk

VL AN 1 VL AN 2 VL AN 3

VLAN Switch

VLAN 1

VLAN 1 Network

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

VLAN 2

VLAN 2 Network

VLAN 3

VLAN 3 Network

155

VLANs in Transparent mode

System Network

Rules for VLAN IDs In Transparent mode, two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN IDs to different physical interfaces. There is no internal connection or link between two VLAN subinterfaces with the same VLAN ID. Their relationship is the same as the relationship between any two FortiGate network interfaces.

Note: There is a maximum of 255 VLANs allowed per interface in Transparent mode.

Transparent mode virtual domains and VLANs VLAN subinterfaces are added to and associated with virtual domains. By default the FortiGate configuration includes one virtual domain, named root, and you can add as many VLAN subinterfaces as you require to this virtual domain. You can add more virtual domains if you want to separate groups of VLAN subinterfaces into virtual domains. For information on adding and configuring virtual domains, see “Using virtual domains” on page 103 Adding a VLAN subinterface in Transparent mode

Note: A VLAN must not have the same name as a virtual domain or zone.

To add a VLAN subinterface 1 Go to System > Network > Interface. 2 Select Create New. 3 Enter a Name to identify the VLAN subinterface. 4 Select the physical interface that receives the VLAN packets intended for this VLAN subinterface. 5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. 6 Select which virtual domain to add this VLAN subinterface to. See “Using virtual domains” on page 103 for information about virtual domains. 7 Configure the administrative access, and log settings. See “Interface settings” on page 123 for more descriptions of these settings. 8 Select OK. The FortiGate unit adds the new subinterface to the interface that you selected in step 4. 9 Select Bring up to activate the VLAN subinterface. To add firewall policies for a VLAN subinterface After you add a VLAN subinterface, you can add firewall policies for connections between VLAN subinterfaces or from a VLAN subinterface to a physical interface. 1 Go to Firewall > Address.

156

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Network

VLANs in Transparent mode

2 Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets. See “About firewall addresses” on page 345. 3 Go to Firewall > Policy. 4 Add firewall policies as required.

Troubleshooting ARP Issues Address Resolution Protocol (ARP) traffic is vital to communication on a network and is enabled on FortiGate interfaces by default. Normally ARP packets to pass through the FortiGate unit, especially if it is sitting between a client and a server or between a client and a router.

Duplicate ARP packets ARP traffic can cause problems such as duplicate ARP packets making the recipient device think the packets originated from two different device, which is generally an attempt to hack into the network. This is true especially in Transparent mode where ARP packets arriving on one interface are sent to all other interfaces, including VLAN subinterfaces. Some Layer 2 switches become unstable when they detect the same MAC address originating on more than one switch interface or from more than one VLAN. This instability can occur if the Layer 2 switch does not maintain separate MAC address tables for each VLAN. Unstable switches may reset causing network traffic to slow down.

ARP Forwarding One solution to the duplicate ARP packet problem is to enable ARP forwarding. When ARP forwarding is enabled, the Fortigate unit allows duplicate ARP packets that resolve the delivery problems caused by duplicate ARP packets. However, this also opens up your network to potential hacking attempts that spoof packets. For more secure solutions, see the FortiGate VLANs and VDOMs Guide.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

157

VLANs in Transparent mode

158

System Network

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Wireless

FortiWiFi wireless interfaces

System Wireless This section describes how to configure the Wireless LAN interfaces on FortiWiFi units. The majority of this section is applicable to all FortiWiFi units. If you enable virtual domains (VDOMs) on the FortiGate unit, MAC filters and wireless monitor are configured separately for each virtual domain. System wireless settings are configured globally. For details, see “Using virtual domains” on page 103. This section describes: •

FortiWiFi wireless interfaces

•

Channel assignments

•

Wireless settings

•

Wireless MAC Filter

•

Wireless Monitor

•

Rogue AP detection

FortiWiFi wireless interfaces FortiWiFi units support up to four wireless interfaces and four different SSIDs. Each wireless interface should have a different SSID and each wireless interface can have different security settings. For details on adding wireless interfaces, see “Adding a wireless interface” on page 163. You can configure the FortiWiFi unit to: •

Provide an access point that clients with wireless network cards can connect to. This is called Access Point mode, which is the default mode. All FortiWiFi units can have up to 4 wireless interfaces.

or •

Connect the FortiWiFi unit to another wireless network. This is called Client mode. A FortiWiFi unit operating in client mode can also can only have one wireless interface.

or •

Monitor access points within radio range. This is called Monitoring mode. You can designate the detected access points as Accepted or Rogue for tracking purposes. No access point or client operation is possible in this mode. But, you can enable monitoring as a background activity while the unit is in Access Point mode.

FortiWiFi units support the following wireless network standards: •

IEEE 802.11a (5-GHz Band)

•

IEEE 802.11b (2.4-GHz Band)

•

IEEE 802.11g (2.4-GHz Band)

•

WEP64 and WEP128 Wired Equivalent Privacy (WEP)

•

Wi-Fi Protected Access (WPA), WPA2 and WPA2 Auto using pre-shared keys or RADIUS servers

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

159

Channel assignments

System Wireless

Channel assignments Depending on the wireless protocol selected, you have specific channels available to you, depending on what region of the world you are in. Set the channel for the wireless network by going to System > Wireless > Settings. For more information see “Wireless settings” on page 162. The following tables list the channel assignments for wireless networks for each supported wireless protocol.

IEEE 802.11a channel numbers Table 10 lists IEEE 802.11a channels supported for FortiWiFi products that support the IEEE 802.11a wireless standard. 802.11a is only available on FortiWiFi-60B units. All channels are restricted to indoor usage except in the Americas, where both indoor and outdoor use is permitted on channels 52 through 64 in the United States. Table 10: IEEE 802.11a (5-GHz Band) channel numbers Channel number

Frequency (MHz)

Regulatory Areas

34

5170

36

5180

38

5190

40

5200

42

5210

44

5220

46

5230

48

5240

•

•

52

5260

•

•

•

56

5280

•

•

•

60

5300

•

•

•

64

5320

•

•

•

149

5745

153

5765

157

5785

161

5805

Americas

Europe

•

•

Taiwan

Singapore Japan

•

• •

• •

•

•

•

• •

•

• •

•

• •

IEEE 802.11b channel numbers Table 11 lists IEEE 802.11b channels. All FortiWiFi units support 802.11b. Mexico is included in the Americas regulatory domain. Channels 1 through 8 are for indoor use only. Channels 9 through 11 can be used indoors and outdoors. You must make sure that the channel number complies with the regulatory standards of Mexico.

160

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Wireless

Channel assignments

Table 11: IEEE 802.11b (2.4-Ghz Band) channel numbers Channel number

Frequency (MHz)

Regulatory Areas Americas

EMEA

1

2412

•

•

•

2

2417

•

•

•

3

2422

•

•

4

2427

•

•

•

•

5

2432

•

•

•

•

6

2437

•

•

•

•

7

2442

•

•

•

•

8

2447

•

•

•

•

9

2452

•

•

•

•

10

2457

•

•

•

•

11

2462

•

•

•

12

2467

•

•

13

2472

•

•

14

2484

Israel

Japan

•

•

IEEE 802.11g channel numbers Table 12 lists IEEE 802.11b channels. All FortiWiFi products support 802.11g. Table 12: IEEE 802.11g (2.4-GHz Band) channel numbers Channel Frequency Regulatory Areas number (MHz) Americas EMEA

Israel

CCK

ODFM CCK

ODFM CCK

Japan ODFM CCK

ODFM

1

2412

•

•

•

•

•

•

2

2417

•

•

•

•

•

•

3

2422

•

•

•

•

•

•

4

2427

•

•

•

•

•

•

5

2432

•

•

•

•

•

•

•

•

6

2437

•

•

•

•

•

•

•

•

7

2442

•

•

•

•

•

•

•

•

8

2447

•

•

•

•

•

•

•

•

9

2452

•

•

•

•

•

•

10

2457

•

•

•

•

•

•

11

2462

•

•

•

•

•

•

12

2467

•

•

•

•

13

2472

•

•

•

•

14

2484

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

•

161

Wireless settings

System Wireless

Wireless settings To configure the wireless settings, go to System > Wireless > Settings. By default the FortiWiFi unit includes one wireless interface, called wlan. If you are operating your FortiWiFi unit in access point mode, you can add up to three virtual wireless interfaces. All wireless interfaces use the same wireless parameters. That is, you configure the wireless settings once, and all wireless interfaces use those settings. For details on adding more wireless interfaces, see “Adding a wireless interface” on page 163. When operating the FortiWiFi unit in Client mode, radio settings are not configurable. Figure 79: FortiWiFi wireless parameters - Access Point mode

Figure 80: FortiWiFi wireless parameters - Client mode

Figure 81: FortiWiFi wireless parameters - Monitoring mode

162

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Wireless

Wireless settings

Operation Mode

Select Change to switch operation modes. Access Point — The FortiWiFi unit acts as an access point for wireless users to connect to send and receive information over a wireless network. It enables multiple wireless network users access to the network without the need to connect to it physically. The FortiWiFi unit can connect to the internal network and act as a firewall to the Internet. Client — The FortiWiFi unit is set to receive transmissions from another access point. This enables you to connect remote users to an existing network using wireless protocols. Monitoring — Scan for other access points. These are listed in the Rogue AP list. See “Rogue AP detection” on page 168. Note: You cannot switch to Client mode or Monitoring mode if you have added virtual wireless interfaces. For these modes, there must be only one wireless interface, wlan.

Radio settings — Access Point mode only Band

Select the wireless frequency band. Be aware what wireless cards or devices your users have as it may limit their use of the wireless network. For example, if you configure the FortiWiFi unit for 802.11g and users have 802.11b devices, they may not be able to use the wireless network.

Geography

Select your country or region. This determines which channels are available. See “Channel assignments” on page 160 for channel information.

Channel

Select a channel for your wireless network or select Auto. The channels that you can select depend on the Geography setting. See “Channel assignments” on page 160 for channel information.

Tx Power

Set the transmitter power level. The higher the number, the larger the area the FortiWiFi will broadcast. If you want to keep the wireless signal to a small area, enter a smaller number.

Beacon Interval

Set the interval between beacon packets. Access Points broadcast Beacons or Traffic Indication Messages (TIM) to synchronize wireless networks. A higher value decreases the number of beacons sent, however it may delay some wireless clients from connecting if it misses a beacon packet. Decreasing the value will increase the number of beacons sent, while this will make it quicker to find and connect to the wireless network, it requires more overhead, slowing throughput.

Background Rogue AP Scan

Perform the Monitoring mode scanning function while the unit is in Access Point mode. Scanning occurs while the access point is idle. The scan covers all wireless channels. Background scanning can reduce performance if the access point is busy. See “Rogue AP detection” on page 168.

Wireless interface list — Access Point and Client modes Interface

The name of the wireless interface. To modify wireless interface settings, select the interface name. To add more wireless interfaces in Access Point mode, see “Adding a wireless interface” on page 163.

MAC Address

The MAC address of the Wireless interface.

SSID

The wireless service set identifier (SSID) or network name for the wireless interface. To communicate, an Access Point and its clients must use the same SSID.

SSID Broadcast

Green checkmark icon indicates that the wireless interface broadcasts its SSID. Broadcasting the SSID makes it possible for clients to connect to your wireless network without first knowing the SSID. This column is visible only in Access Point mode.

Security Mode

The wireless interface security mode: WEP64, WEP128, WPA, WPA2, WPA2 Auto or None.

Adding a wireless interface You can add up to three virtual wireless interfaces to your access point. These additional interfaces share the same wireless parameters configured for the WLAN interface for Band, Geography, Channel, Tx Power, and Beacon Interval. Ensure each wireless interface has a unique SSID. FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

163

Wireless settings

System Wireless

Note: You cannot add additional wireless interfaces when the FortiWiFi unit is in Client mode or Monitoring mode.

To add a wireless interface 1 Go to System > Network > Interface. 2 Select Create New. 3 Complete the following: Name

Enter a name for the wireless interface. The name cannot be the same as an existing interface, zone or VDOM.

Type

Select Wireless.

Address Mode

The wireless interface can only be set as a manual address. Enter a valid IP address and netmask. If the FortiWiFi is running in Transparent mode, this field does not appear. The interface will be on the same subnet as the other interfaces.

Administrative Access

Set the administrative access for the interface.

4 In the Wireless Settings section, complete the following and select OK: Figure 82: Wireless interface settings (WEP)

Figure 83: Wireless interface settings (WAP)

SSID

Enter the wireless service set identifier (SSID) or network name for this wireless interface. Users who want to use the wireless network must configure their computers with this network name.

SSID Broadcast Select to broadcast the SSID. Broadcasting the SSID enables clients to connect to your wireless network without first knowing the SSID. For better security, do not broadcast the SSID. If the interface is not broadcast, there is less chance of an unwanted user connecting to your wireless network. If you choose not to broadcast the SSID, you need to inform users of the SSID so they can configure their wireless devices.

164

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Wireless

Wireless MAC Filter

Security mode

Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface. None — has no security. Any wireless user can connect to the wireless network. WEP64 — 64-bit web equivalent privacy (WEP). To use WEP64 you must enter a Key containing 10 hexadecimal digits (0-9 a-f) and inform wireless users of the key. WEP128 — 128-bit WEP. To use WEP128 you must enter a Key containing 26 hexadecimal digits (0-9 a-f) and inform wireless users of the key. WPA — Wi-Fi protected access (WPA) security. To use WPA you must select a data encryption method. You must also enter a pre-shared key containing at least eight characters or select a RADIUS server. If you select a RADIUS server the wireless clients must have accounts on the RADIUS server. WPA2 — WPA with more security features. To use WPA2 you must select a data encryption method and enter a pre-shared key containing at least eight characters or select a RADIUS server. If you select a RADIUS server the wireless clients must have accounts on the RADIUS server. WPA2 Auto — the same security features as WPA2, but also accepts wireless clients using WPA security. To use WPA2 Auto you must select a data encryption method You must also enter a pre-shared key containing at least 8 characters or select a RADIUS server. If you select a RADIUS server the wireless clients must have accounts on the RADIUS server.

Key

Enter the security key. This field appears when selecting WEP64 or WEP128 security.

Data Encryption Select a data encryption method to be used by WPA, WPA2, or WPA Auto. Select TKIP to use the Temporal Key Integrity Protocol (TKIP). Select AES to use Advanced Encryption Standard (AES) encryption. AES is considered more secure that TKIP. Some implementations of WPA may not support AES. Pre-shared Key Enter the pre-shared key. This field appears when selecting WPA, WPA2, or WPA2 Auto security. RADIUS Server Select to use a RADIUS server when selecting WPA or WPA2 security. You can use WPA or WPA2 Radius security to integrate your wireless network configuration with a RADIUS or Windows AD server. Select a RADIUS server name from the list. You must configure the Radius server by going to User > RADIUS. For more information, see “RADIUS” on page 571. RTS Threshold Set the Request to Send (RTS) threshold. The RTS threshold is the maximum size, in bytes, of a packet that the FortiWiFi will accept without sending RTS/CTS packets to the sending wireless device. In some cases, larger packets being sent may cause collisions, slowing data transmissions. By changing this value from the default of 2346, you can configure the FortiWiFi unit to, in effect, have the sending wireless device ask for clearance before sending larger transmissions. There can still be risk of smaller packet collisions, however this is less likely. A setting of 2346 bytes effectively disables this option. Fragmentation Set the maximum size of a data packet before it is broken into smaller packets, reducing the chance of packet collisions. If the packet is larger than Threshold the threshold, the FortiWiFi unit will fragment the transmission. If the packet size less than the threshold, the FortiWiFi unit will not fragment the transmission. A setting of 2346 bytes effectively disables this option.

Wireless MAC Filter To improve the security of your wireless network, you can enable MAC address filtering on the FortiWiFi unit. By enabling MAC address filtering, you define the wireless devices that can access the network based on their system MAC address. When a user attempts to access the wireless network, the FortiWiFi unit checks the MAC address of the user to the list you created. If the MAC address is on the approved list, the user gains access to the network. If the user is not in the list, the user is rejected.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

165

Wireless MAC Filter

System Wireless

Alternatively, you can create a deny list. Similar to the allow list, you can configure the wireless interface to allow all connections except those in the MAC address list. Using MAC address filtering makes it more difficult for a hacker using random MAC addresses or spoofing a MAC address to gain access to your network. Note you can configure one list per WLAN interface. To allow or deny wireless access to wireless clients based on the MAC address of the client wireless cards, go to System > Wireless > MAC Filter.

Managing the MAC Filter list The MAC Filter list enables you to view the MAC addresses you have added to a wireless interface and their status; either allow or deny. It also enables you to edit and manage MAC Filter lists. Figure 84: Wireless MAC filter list

Interface

The name of the wireless interface.

MAC address

The list of MAC addresses in the MAC filter list for the wireless interface.

List Access

Allow or deny access to the listed MAC addresses for the wireless interface.

Enable

Select to enable MAC filtering for the wireless interface.

Edit icon

Edit the MAC address list for an interface.

To edit a MAC filter list 1 Go to System > Wireless > MAC Filter. 2 Select Edit for the wireless interface. Figure 85: Wireless interface MAC filter

3 Complete the following and select OK:

166

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Wireless

Wireless Monitor

List Access

Select to allow or deny the addresses in the MAC Address list from accessing the wireless network.

MAC Address

Enter the MAC address to add to the list.

Add

Add the entered MAC address to the list.

Remove

Select one or more MAC addresses in the list and select Remove to deleted the MAC addresses from the list.

Wireless Monitor Go to System > Wireless > Monitor to view information about your wireless network. In Access Point mode, you can see who is connected to your wireless LAN. In Client mode, you can see which access points are within radio range. Figure 86: Wireless monitor - AP mode

Figure 87: Wireless monitor - Client mode

Statistics

Statistical information about wireless performance for each wireless interface.

AP Name / Name

The name of the wireless interface.

Frequency

The frequency that the wireless interface is operating with. Should be around 5-GHz for 802.11a interfaces and around 2.4GHz for 802.11b and 802.11g networks.

Signal Strength (dBm)

The strength of the signal from the client.

Noise (dBm)

The received noise level.

S/N (dB)

The signal-to-noise ratio in deciBels calculated from signal strength and noise level.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

167

Rogue AP detection

System Wireless

Rx (KBytes)

The amount of data in kilobytes received this session.

Tx (KBytes)

The amount of data in kilobytes sent this session.

Clients list (AP mode)

Real-time details about the client wireless devices that can reach this FortiWiFi unit access point. Only devices on the same radio band are listed.

MAC Address

The MAC address of the connected wireless client.

IP Address

The IP address assigned to the connected wireless client.

AP Name

The name of the wireless interface that the client is connected to.

Neighbor AP list (Client mode)

Real-time details about the access points that the client can receive.

MAC Address

The MAC address of the connected wireless client.

SSID

The wireless service set identifier (SSID) that this access point broadcasts.

Channel

The wireless radio channel that the access point uses.

Rate (M)

The data rate of the access point in Mbits/s.

RSSI

The received signal strength indication, a relative value between 0 (minimum) and 255 (maximum).

Rogue AP detection Rogue Access Point Detection scans for wireless access points in Monitoring mode. You can also enable scanning in the background while the unit is in Access Point mode. To enable the monitoring mode 1 Go to System > Wireless > Settings. 2 Select Change beside the current operation mode. 3 Select Monitoring and then select OK. 4 Select OK to confirm the mode change. 5 Select Apply. To enable background scanning 1 While in Access Point mode, go to System > Wireless > Settings. 2 Enable Background Rogue AP Scan and then select Apply.

Viewing wireless access points Go to System > Wireless > Rogue AP to view detected access points. This is available in Monitoring mode, or in Access Point mode with Background Rogue AP Scan enabled. Access points are listed in the Unknown Access Points list until you mark them as either Accepted or Rogue access points. This designation helps you to track access points. It does not affect anyone’s ability to use these access points.

168

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Wireless

Rogue AP detection

Figure 88: Rogue Access Point list

Refresh Interval

Set time between information updates. none means no updates.

Refresh

Updates displayed information now.

Inactive Access Points Select which inactive access points to show: all, none, those detected less than one hour ago, or those detected less than one day ago. Online

A green checkmark indicates an active access point. A grey X indicates that the access point is inactive.

SSID

The wireless service set identifier (SSID) or network name for the wireless interface.

MAC Address

The MAC address of the Wireless interface.

Signal Strength /Noise The signal strength and noise level. Channel

The wireless radio channel that the access point uses.

Rate

The data rate of the access point.

First Seen

The data and time when the FortiWifi unit first detected the access point.

Last Seen

The data and time when the FortiWifi unit last detected the access point.

Mark as ‘Accepted AP’ Select the icon to move this entry to the Accepted Access Points list. Mark as ‘Rogue AP’

Select the icon to move this entry to the Rogue Access Points list.

Forget AP

Return item to Unknown Access Points list from Accepted Access Points list or Rogue Access Points list.

You can also enter information about accepted and rogue APs in the CLI without having to detect them first. See the system wireless ap-status command in the FortiGate CLI Reference.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

169

Rogue AP detection

170

System Wireless

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System DHCP

FortiGate DHCP servers and relays

System DHCP This section describes how to use DHCP to provide convenient automatic network configuration for your clients. DHCP is not available in Transparent mode. DHCP requests are passed through the FortiGate unit when it is in Transparent mode. If you enable virtual domains (VDOMs) on the FortiGate unit, DHCP is configured separately for each virtual domain. For details, see “Using virtual domains” on page 103. This section describes: •

FortiGate DHCP servers and relays

•

Configuring DHCP services

•

Viewing address leases

FortiGate DHCP servers and relays The DHCP protocol enables hosts to automatically obtain an IP address from a DHCP server. Optionally, they can also obtain default gateway and DNS server settings. A FortiGate interface or VLAN subinterface can provide the following DHCP services: •

Basic DHCP servers for non-IPSec IP networks

•

IPSec DHCP servers for IPSec (VPN) connections

•

DHCP relay for regular Ethernet or IPSec (VPN) connections

An interface cannot provide both a server and a relay for connections of the same type (regular or IPSec). Note: You can configure a Regular DHCP server on an interface only if the interface has a static IP address. You can configure an IPSec DHCP server on an interface that has either a static or a dynamic IP address.

You can configure one or more DHCP servers on any FortiGate interface. A DHCP server dynamically assigns IP addresses to hosts on the network connected to the interface. The host computers must be configured to obtain their IP addresses using DHCP. If an interface is connected to multiple networks via routers, you can add a DHCP server for each network. The IP range of each DHCP server must match the network address range. The routers must be configured for DHCP relay. To configure a DHCP server, see “Configuring a DHCP server” on page 173. You can configure a FortiGate interface as a DHCP relay. The interface forwards DHCP requests from DHCP clients to an external DHCP server and returns the responses to the DHCP clients. The DHCP server must have appropriate routing so that its response packets to the DHCP clients arrive at the FortiGate unit. To configure a DHCP relay see “Configuring an interface as a DHCP relay agent” on page 173. DHCP services can also be configured through the Command Line Interface (CLI). See the FortiGate CLI Reference for more information.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

171

Configuring DHCP services

System DHCP

Configuring DHCP services Go to System > DHCP > Service to configure DHCP services. On each FortiGate interface, you can configure a DHCP relay or add DHCP servers as needed. On FortiGate 50 and 60 series units, a DHCP server is configured, by default, on the Internal interface, as follows: IP Range

192.168.1.110 to 192.168.1.210

Netmask

255.255.255.0

Default gateway

192.168.1.99

Lease time

7 days

DNS Server 1

192.168.1.99

You can disable or change this default DHCP Server configuration. Note: You can not configure DHCP in Transparent mode. In Transparent mode DHCP requests pass through the FortiGate unit.

Note: An interface must have a static IP before you configure a DHCP server on it.

These settings are appropriate for the default Internal interface IP address of 192.168.1.99. If you change this address to a different network, you need to change the DHCP server settings to match. Figure 89: DHCP service list - FortiGate-200A shown

Edit Delete Add DHCP Server Interface

List of FortiGate interfaces. Expand each listed interface to view the Relay and Servers.

Server Name/ Relay IP

Name of FortiGate DHCP server or IP address of DHCP server accessed by relay.

Type

Type of DHCP relay or server: Regular or IPSec.

Enable

Green check mark icon indicates that server or relay is enabled.

Add DHCP Server Select to configure and add a DHCP server for this interface. icon

172

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System DHCP

Configuring DHCP services

Edit icon

Select to edit the DHCP relay or server configuration.

Delete icon

Select to delete the DHCP server.

Configuring an interface as a DHCP relay agent Go to System > DHCP > Service and select an edit icon to view or modify the DHCP relay configuration for an interface. Figure 90: Edit DHCP relay settings for an interface

Interface Name

The name of the interface.

DHCP Relay Agent Select to enable the DHCP relay agent on this interface. Type

Select the type of DHCP service required as either Regular or IPSEC.

DHCP Server IP

Enter the IP address of the DHCP server that will answer DHCP requests from computers on the network connected to the interface.

Configuring a DHCP server The System > DHCP > Service screen gives you access to existing DHCP servers. It is also where you configure new DHCP servers. To Configure a DHCP server 1 Go to System > DHCP > Service. 2 Select blue arrow for the interface. 3 Select the Add DHCP Server icon to create a new DHCP server, or select the Edit icon beside an existing DHCP server to change its settings. 4 Configure the DHCP server. 5 Select OK.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

173

Configuring DHCP services

System DHCP

Figure 91: DHCP Server options

174

Name

Enter a name for the DHCP server.

Enable

Enable the DHCP server.

Type

Select Regular or IPSEC DHCP server. You cannot configure a Regular DHCP server on an interface that has a dynamic IP address.

IP Range

Enter the start and end for the range of IP addresses that this DHCP server assigns to DHCP clients. These fields are greyed out when IP Assignment Mode is set to User-group defined method.

Network Mask

Enter the netmask of the addresses that the DHCP server assigns.

Default Gateway

Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.

Domain

Enter the domain that the DHCP server assigns to DHCP clients.

Lease Time

Select Unlimited for an unlimited lease time or enter the interval in days, hours, and minutes after which a DHCP client must ask the DHCP server for new settings. The lease time can range from 5 minutes to 100 days.

Advanced

Select to configure advanced options. The remaining options in this table are advanced options.

IP Assignment Mode

Determines how the IP addresses for DHCP are assigned. Select: • Server IP Range - The server will assign the IP addresses as specified in IP Range, and Exclude Ranges. • User-group defined method - The IP addresses will be assigned via RADIUS through the user group used to authenticate the user. See “Dynamically assigning VPN client IP addresses from a RADIUS record” on page 573. When User-group defined method is selected, the IP Range fields are greyed out, and the Exclude Ranges table and controls are not visible.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System DHCP

Viewing address leases

DNS Server 1 DNS Server 2 DNS Server 3

Enter the IP addresses of up to 3 DNS servers that the DHCP server assigns to DHCP clients.

WINS Server 1 WINS Server 2

Add the IP addresses of one or two WINS servers that the DHCP server assigns to DHCP clients.

Option 1 Option 2 Option 3

Enter up to three custom DHCP options that can be sent by the DHCP server. Code is the DHCP option code in the range 1 to 255. Option is an even number of hexadecimal characters and is not required for some option codes. For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.

Exclude Ranges Add

Add an range of IP addresses to exclude. You can add up to 16 exclude ranges of IP addresses that the DHCP server cannot assign to DHCP clients. No range can exceed 65536 IP addresses.

Starting IP

Enter the first IP address of the exclude range.

End IP

Enter the last IP address of the exclude range.

Delete icon

Delete the exclude range.

Viewing address leases Go to System > DHCP > Address Leases to view the IP addresses that the DHCP servers have assigned and the corresponding client MAC addresses. Figure 92: Address leases list

Interface

Select interface for which to list leases.

Refresh

Select Refresh to update Address leases list.

IP

The assigned IP address.

MAC

The MAC address of the device to which the IP address is assigned.

Expire

Expiry date and time of the DHCP lease.

Reserving IP addresses for specific clients You can reserve an IP address for a specific client identified by the client device MAC address and the connection type, regular Ethernet or IPSec. The DHCP server always assigns the reserved address to that client. You can assign up to 200 IP addresses as reserved. For more information see the FortiGate Maximum Values for FortiOS 3.0 article on the Fortinet Knowledge Center. Use the CLI config system dhcp reserved-address command. For more information, see the FortiGate CLI Reference.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

175

Viewing address leases

176

System DHCP

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Config

HA

System Config This section describes the configuration of several non-network features, such as HA, SNMP, custom replacement messages, and Operation mode. If you enable virtual domains (VDOMs) on the FortiGate unit, HA, SNMP, and replacement messages are configured globally for the entire FortiGate unit. Changing operation mode is configured for each individual VDOM. For details, see “Using virtual domains” on page 103. This section describes: •

HA

•

SNMP

•

Replacement messages

•

Operation mode and VDOM management access

HA FortiGate high availability (HA) provides a solution for two key requirements of critical enterprise networking components: enhanced reliability and increased performance. This section contains a brief description of HA web-based manager configuration options, the HA cluster members list, HA statistics, and disconnecting cluster members. If you enable virtual domains (VDOMs) on the FortiGate unit, HA is configured globally for the entire FortiGate unit. For details, see “Using virtual domains” on page 103. For complete information about how to configure and operate FortiGate HA clusters see the FortiGate HA Overview, the FortiGate HA Guide, and the Fortinet Knowledge Center. HA is not available on FortiGate models 50A and 50AM. HA is available on all other FortiGate models, including the FortiGate-50B. The following topics are included in this section: •

HA options

•

Cluster members list

•

Viewing HA statistics

•

Changing subordinate unit host name and device priority

•

Disconnecting a cluster unit from a cluster

HA options Configure HA options so that a FortiGate unit can join a cluster or to change the configuration of an operating cluster or cluster member. To configure HA options so that a FortiGate unit can join an HA cluster, go to System > Config > HA.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

177

HA

System Config

Note: FortiGate HA is not compatible with PPP protocols such as PPPoE. FortiGate HA is also not compatible with DHCP. If one or more FortiGate unit interfaces is dynamically configured using DHCP or PPPoE you cannot switch to operate in HA mode. Also, you cannot switch to operate in HA mode if one or more FortiGate unit interfaces is configured as a PPTP or L2TP client or if the FortiGate unit is configured for standalone session synchronization.

If HA is already enabled, go to System > Config > HA to display the cluster members list. Select Edit for the FortiGate unit with Role of master (also called the primary unit). When you edit the HA configuration of the primary unit, all changes are synchronized to the other cluster units. Figure 93: FortiGate-3810A unit HA configuration

You can configure HA options for a FortiGate unit with virtual domains (VDOMs) enabled by logging into the web-based manager as the global admin administrator and then going to System > Config > HA. Note: If your FortiGate cluster uses virtual domains, you are configuring HA virtual clustering. Most virtual cluster HA options are the same as normal HA options. However, virtual clusters include VDOM partitioning options. Other differences between configuration options for regular HA and for virtual clustering HA are described below and in the FortiGate HA Overview and the FortiGate HA Guide.

178

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Config

HA

Figure 94: FortiGate-5001SX HA virtual cluster configuration

Mode

Select an HA mode for the cluster or return the FortiGate units in the cluster to standalone mode. When configuring a cluster, you must set all members of the HA cluster to the same HA mode. You can select Standalone (to disable HA), Active-Passive, or Active-Active. If virtual domains are enabled you can select Active-Passive or Standalone.

Device Priority

Optionally set the device priority of the cluster unit. Each cluster unit can have a different device priority. During HA negotiation, the unit with the highest device priority usually becomes the primary unit. In a virtual cluster configuration, each cluster unit can have two device priorities, one for each virtual cluster. During HA negotiation, the unit with the highest device priority in a virtual cluster becomes the primary unit for that virtual cluster. Changes to the device priority are not synchronized. You can accept the default device priority when first configuring a cluster. When the cluster is operating you can change the device priority for different cluster units as required.

Group Name

Enter a name to identify the cluster. The maximum length of the group name is 32 characters. The group name must be the same for all cluster units before the cluster units can form a cluster. After a cluster is operating, you can change the group name. The group name change is synchronized to all cluster units. The default group name is FGT-HA. You can accept the default group name when first configuring a cluster. When the cluster is operating you can change the group name, if required. Two clusters on the same network cannot have the same group name.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

179

HA

System Config

Password

Enter a password to identify the cluster. The maximum password length is 15 characters. The password must be the same for all cluster units before the cluster units can form a cluster. The default is no password. You can accept the default password when first configuring a cluster. When the cluster is operating, you can add a password, if required. Two clusters on the same network must have different passwords.

Enable Session Select to enable session pickup so that if the primary unit fails, all sessions are picked up by the cluster unit that becomes the new primary unit. pickup Session pickup is disabled by default. You can accept the default setting for session pickup and then chose to enable session pickup after the cluster is operating. Port Monitor

Select to enable or disable monitoring FortiGate interfaces to verify that the monitored interfaces are functioning properly and connected to their networks. If a monitored interface fails or is disconnected from its network, the interface leaves the cluster and a link failover occurs. The link failover causes the cluster to reroute the traffic being processed by that interface to the same interface of another cluster unit that still has a connection to the network. This other cluster unit becomes the new primary unit. Port monitoring (also called interface monitoring) is disabled by default. Leave port monitoring disabled until the cluster is operating and then only enable port monitoring for connected interfaces. You can monitor up to 16 interfaces. This limit only applies to FortiGate units with more than 16 physical interfaces.

Heartbeat Interface

Select to enable or disable HA heartbeat communication for each interface in the cluster and set the heartbeat interface priority. The heartbeat interface with the highest priority processes all heartbeat traffic. If two or more heartbeat interfaces have the same priority, the heartbeat interface with the lowest hash map order value processes all heartbeat traffic. The web-based manager lists interfaces in alphanumeric order: • port1 • port2 through 9 • port10 Hash map order sorts interfaces in the following order: • port1 • port10 • port2 through port9 The default heartbeat interface configuration is different for each FortiGate unit. This default configuration usually sets the priority of two heartbeat interfaces to 50. You can accept the default heartbeat interface configuration if you connect one or both of the default heartbeat interfaces together. The heartbeat interface priority range is 0 to 512. The default priority when you select a new heartbeat interface is 0. You must select at least one heartbeat interface. If heartbeat communication is interrupted, the cluster stops processing traffic. For more information about configuring heartbeat interfaces, see the FortiGate HA Overview. You can select up to 8 heartbeat interfaces. This limit only applies to FortiGate units with more than 8 physical interfaces.

VDOM partitioning

If you are configuring virtual clustering, you can set the virtual domains to be in virtual cluster 1 and the virtual domains to be in virtual cluster 2. The root virtual domain must always be in virtual cluster 1. For more information about configuring VDOM partitioning, see the FortiGate HA Overview.

Cluster members list You can display the cluster members list to view the status of an operating cluster and the status of the FortiGate units in the cluster. The cluster members list shows the FortiGate units in the cluster and for each FortiGate unit shows interface connections, the cluster unit and the device priority of the cluster unit. From the cluster members list you can disconnect a unit from the cluster, edit the HA configuration of primary unit, change the device priority and host name of subordinate units, and download a debug log for any cluster unit. You can also view HA statistics for the cluster.

180

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Config

HA

To display the cluster members list, log into an operating cluster and go to System > Config > HA. Figure 95: Example FortiGate-5001SX cluster members list

Up and Down Arrows

Download Debug Log Edit Disconnect from Cluster

If virtual domains are enabled, you can display the cluster members list to view the status of the operating virtual clusters. The virtual cluster members list shows the status of both virtual clusters including the virtual domains added to each virtual cluster. To display the virtual cluster members list for an operating cluster log in as the global admin administrator and go to System > Config > HA. Figure 96: Example FortiGate-5001SX virtual cluster members list

Up and Down Arrows

View HA Statistics

Download Debug Log Edit Disconnect from Cluster

Displays the serial number, status, and monitor information for each cluster unit. See “Viewing HA statistics” on page 182.

Up and down arrows Changes the order of cluster members in the list. The operation of the cluster or of the units in the cluster are not affected. All that changes is the order of the units on the cluster members list.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

181

HA

System Config

Cluster member

Illustrations of the front panels of the cluster units. If the network jack for an interface is shaded green, the interface is connected. Pause the mouse pointer over each illustration to view the cluster unit host name, serial number, how long the unit has been operating (up time), and the interfaces that are configured for port monitoring.

Hostname

The host name of the FortiGate unit. The default host name of the FortiGate unit is the FortiGate unit serial number. • To change the primary unit host name, go to System > Status and select Change beside the current host name. • To change a subordinate unit host name, from the cluster members list select the Edit icon for a subordinate unit.

Role

The status or role of the cluster unit in the cluster. • Role is MASTER for the primary (or master) unit • Role is SLAVE for all subordinate (or backup) cluster units

Priority

The device priority of the cluster unit. Each cluster unit can have a different device priority. During HA negotiation, the unit with the highest device priority becomes the primary unit. The device priority range is 0 to 255.

Disconnect from cluster

Select to disconnect a selected cluster unit from the cluster. See “Disconnecting a cluster unit from a cluster” on page 184.

Edit

Select to change a cluster unit HA configuration. • For a primary unit, select Edit to change the cluster HA configuration (including the device priority) of the primary unit. • For a primary unit in a virtual cluster, select Edit to change the virtual cluster HA configuration; including the virtual cluster 1 and virtual cluster 2 device priority of this cluster unit. • For a subordinate unit, select Edit to change the subordinate unit host name and device priority. See “Changing subordinate unit host name and device priority” on page 183. • For a subordinate unit in a virtual cluster, select Edit to change the subordinate unit host name and the device priority of the subordinate unit for the selected virtual cluster. See “Changing subordinate unit host name and device priority” on page 183.

Download debug log Select to download an encrypted debug log to a file. You can send this debug log file to Fortinet Technical Support (http://support.fortinet.com) to help diagnose problems with the cluster or with individual cluster units.

Viewing HA statistics From the cluster members list, you can select View HA Statistics to display the serial number, status, and monitor information for each cluster unit. To view HA statistics, go to System > Config > HA and select View HA Statistics.

182

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Config

HA

Figure 97: Example HA statistics (active-passive cluster)

Refresh every

Select to control how often the web-based manager updates the HA statistics display.

Back to HA monitor Select to close the HA statistics list and return to the cluster members list. Unit

The host name and serial number of the cluster unit.

Status

Indicates the status of each cluster unit. A green check mark indicates that the cluster unit is operating normally. A red X indicates that the cluster unit cannot communicate with the primary unit.

Up Time

The time in days, hours, minutes, and seconds since the cluster unit was last started.

Monitor

Displays system status information for each cluster unit.

CPU Usage

The current CPU status of each cluster unit. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.

Memory Usage

The current memory status of each cluster unit. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.

Active Sessions

The number of communications sessions being processed by the cluster unit.

Total Packets

The number of packets that have been processed by the cluster unit since it last started up.

Virus Detected

The number of viruses detected by the cluster unit.

Network Utilization

The total network bandwidth being used by all of the cluster unit interfaces.

Total Bytes

The number of bytes that have been processed by the cluster unit since it last started up.

Intrusion Detected

The number of intrusions or attacks detected by Intrusion Protection running on the cluster unit.

Changing subordinate unit host name and device priority To change the host name and device priority of a subordinate unit in an operating cluster, go to System > Config > HA to display the cluster members list. Select Edit for any slave (subordinate) unit in the cluster members list.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

183

HA

System Config

To change the host name and device priority of a subordinate unit in an operating cluster with virtual domains enabled, log in as the global admin administrator and go to System > Config > HA to display the cluster members list. Select Edit for any slave (subordinate) unit in the cluster members list. You can change the host name (Peer) and device priority (Priority) of this subordinate unit. These changes only affect the configuration of the subordinate unit. Figure 98: Changing the subordinate unit host name and device priority

Peer

View and optionally change the subordinate unit host name.

Priority

View and optionally change the subordinate unit device priority. The device priority is not synchronized among cluster members. In a functioning cluster you can change device priority to change the priority of any unit in the cluster. The next time the cluster negotiates, the cluster unit with the highest device priority becomes the primary unit. The device priority range is 0 to 255. The default device priority is 128.

Disconnecting a cluster unit from a cluster You can disconnect a cluster unit if you need to use the disconnected FortiGate unit for another purpose, such as to act as a standalone firewall. You can go to System > Config > HA and select a Disconnect from cluster icon to disconnect a cluster unit from a functioning cluster without disrupting the operation of the cluster. Figure 99: Disconnect a cluster member

184

Serial Number

Displays the serial number of the cluster unit to be disconnected from the cluster.

Interface

Select the interface that you want to configure. You also specify the IP address and netmask for this interface. When the FortiGate unit is disconnected, all management access options are enabled for this interface.

IP/Netmask

Specify an IP address and netmask for the interface. You can use this IP address to connect to this interface to configure the disconnected FortiGate unit.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Config

SNMP

SNMP Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can configure the hardware, such as the FortiGate SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager is a typically a computer running an application that can read the incoming trap and event messages from the agent and send out SNMP queries to the SNMP agents. Another name for an SNMP manager is a host. A FortiManager unit can act as an SNMP manager, or host, to a FortiGate unit. Using an SNMP manager, you can access SNMP traps and data from any FortiGate interface or VLAN subinterface configured for SNMP management access. Note: Part of configuring an SNMP manager is to list it as a host in a community on the FortiGate unit it will be monitoring. Otherwise the SNMP monitor will not receive any traps from that FortiGate unit, or be able to query it.

The FortiGate SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to FortiGate system information through queries and can receive trap messages from the FortiGate unit. To monitor FortiGate system information and receive FortiGate traps, you must first compile the proprietary Fortinet and FortiGate Management Information Base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager. These MIBs provide the information the SNMP manager needs to interpret the SNMP trap, event, and query messages of the FortiGate unit SNMP agent. The Fortinet implementation of SNMP includes support for most of RFC 2665 (Ethernetlike MIB) and most of RFC 1213 (MIB II). For more information, see “Fortinet MIBs” on page 188. RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial support of User-based Security Model (RFC 3414). SNMP traps alert you to events that happen, such as an a log disk being full or a virus being detected. For more information about SNMP traps, see “Fortinet and FortiGate traps” on page 189. SNMP fields contain information about your FortiGate unit. This information is useful to monitor the condition of the unit, both on an ongoing basis and to provide more information when a trap occurs. For more information about SNMP fields, see “Fortinet and FortiGate MIB fields” on page 192.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

185

SNMP

System Config

Configuring SNMP Go to System > Config > SNMP v1/v2c to configure the SNMP agent. Figure 100: Configuring SNMP

SNMP Agent

Enable the FortiGate SNMP agent.

Description

Enter descriptive information about the FortiGate unit. The description can be up to 35 characters long.

Location

Enter the physical location of the FortiGate unit. The system location description can be up to 35 characters long.

Contact

Enter the contact information for the person responsible for this FortiGate unit. The contact information can be up to 35 characters.

Apply

Save changes made to the description, location, and contact information.

Create New

Select Create New to add a new SNMP community. See “Configuring an SNMP community” on page 186.

Communities

The list of SNMP communities added to the FortiGate configuration. You can add up to 3 communities.

Name

The name of the SNMP community.

Queries

The status of SNMP queries for each SNMP community. The query status can be enabled or disabled.

Traps

The status of SNMP traps for each SNMP community. The trap status can be enabled or disabled.

Enable

Select Enable to activate an SNMP community.

Delete icon

Select Delete to remove an SNMP community.

Edit/View icon

Select to view or modify an SNMP community.

Configuring an SNMP community An SNMP community is a grouping of devices for network administration purposes. Within that SNMP community, devices can communicate by sending and receiving traps and other information. One device can belong to multiple communities, such as one administrator terminal monitoring both a firewall SNMP community and a printer SNMP community. Add SNMP communities to your FortiGate unit so that SNMP managers can connect to view system information and receive SNMP traps. You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the FortiGate unit for a different set of events. You can also add the IP addresses of up to 8 SNMP managers to each community.

186

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Config

SNMP

Note: When the FortiGate unit is in virtual domain mode, SNMP traps can only be sent on interfaces in the management virtual domain. Traps cannot be sent over other interfaces. Figure 101: SNMP community options (part 1)

Figure 102: SNMP community options (part 2)

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

187

SNMP

System Config

Community Name

Enter a name to identify the SNMP community.

Hosts

Enter the IP address and Identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit.

IP Address

The IP address of an SNMP manager than can use the settings in this SNMP community to monitor the FortiGate unit. You can also set the IP address to 0.0.0.0 to so that any SNMP manager can use this SNMP community.

Interface

Optionally select the name of the interface that this SNMP manager uses to connect to the FortiGate unit. You only have to select the interface if the SNMP manager is not on the same subnet as the FortiGate unit. This can occur if the SNMP manager is on the Internet or behind a router. In virtual domain mode, the interface must belong to the management VDOM to be able to pass SNMP traps.

Delete

Select a Delete icon to remove an SNMP manager.

Add

Add a blank line to the Hosts list. You can add up to 8 SNMP managers to a single community.

Queries

Enter the Port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiGate unit. Select the Enable check box to activate queries for each SNMP version.

Traps

Enter the Local and Remote port numbers (port 162 for each by default) that the FortiGate unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community. Select the Enable check box to activate traps for each SNMP version.

SNMP Event

Enable each SNMP event for which the FortiGate unit should send traps to the SNMP managers in this community. “CPU overusage” traps sensitivity is slightly reduced, by spreading values out over 8 polling cycles. This prevents sharp spikes due to CPU intensive shortterm events such as changing a policy. “Power Supply Failure” event trap is available only on FortiGate-3810A, and FortiGate-3016B units. “AMC interfaces enter bypass mode” event trap is available only on FortiGate models that support AMC modules.

To configure SNMP access (NAT/Route mode) Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections. 1 Go to System > Network > Interface. 2 Choose an interface that an SNMP manager connects to and select Edit. 3 In Administrative Access, select SNMP. 4 Select OK. To configure SNMP access (Transparent mode) 1 Go to System > Config > Operation Mode. 2 Enter the IP address that you want to use for management access and the netmask in the Management IP/Netmask field. 3 Select Apply.

Fortinet MIBs The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiGate unit configuration.

188

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Config

SNMP

There are two MIB files for FortiGate units - the Fortinet MIB, and the FortiGate MIB. The Fortinet MIB contains traps, fields and information that is common to all Fortinet products. The FortiGate MIB contains traps, fields and information that is specific to FortiGate units. The Fortinet MIB and FortiGate MIB along with the two RFC MIBs are listed in tables in this section. You can obtain these MIB files from Fortinet technical support. To be able to communicate with the FortiGate SNMP agent, you must compile all of these MIBs into your SNMP manager. Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIB to this database. You need to obtain and compile the two MIBs for this release. Table 13: Fortinet MIBs MIB file name or RFC

Description

FORTINET-CORE-MIB.mib

The proprietary Fortinet MIB includes all system configuration information and trap information that is common to all Fortinet products. Your SNMP manager requires this information to monitor FortiGate unit configuration settings and receive traps from the FortiGate SNMP agent. For more information, see “Fortinet and FortiGate traps” on page 189 and “Fortinet and FortiGate MIB fields” on page 192.

FORTINET-FORTIGATE-MIB.mib

The proprietary FortiGate MIB includes all system configuration information and trap information that is specific to FortiGate units. Your SNMP manager requires this information to monitor FortiGate configuration settings and receive traps from the FortiGate SNMP agent. FortiManager systems require this MIB to monitor FortiGate units. For more information, see “Fortinet and FortiGate traps” on page 189 and “Fortinet and FortiGate MIB fields” on page 192.

RFC-1213 (MIB II)

The FortiGate SNMP agent supports MIB II groups with the following exceptions. • No support for the EGP group from MIB II (RFC 1213, section 3.11 and 6.10). • Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do not accurately capture all FortiGate traffic activity. More accurate information can be obtained from the information reported by the Fortinet MIB.

RFC-2665 (Ethernet-like MIB)

The FortiGate SNMP agent supports Ethernet-like MIB information with the following exception. No support for the dot3Tests and dot3Errors groups.

Fortinet and FortiGate traps An SNMP manager can request information from the Fortinet device’s SNMP agent, or that agent can send traps when an event occurs. Traps are a method used to inform the SNMP manager that something has happened or changed on the Fortinet device. Traps sent include the trap message as well as the FortiGate unit serial number (fnSysSerial) and hostname (sysName). FortiManager related traps are only sent if a FortiManager unit is configured to manage this FortiGate unit. To receive Fortinet device SNMP traps, you must load and compile the FORTINETCORE-MIB into your SNMP manager. The name of the table indicates if it is found in the Fortinet MIB or the FortiGate MIB. The Trap Message column includes the message included with the trap as well as the SNMP MIB field name to help locate the information about the trap. FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

189

SNMP

System Config

Table 14: Generic FortiGate traps (OID1.3.6.1.4.1.12356.1.3.0) Trap message

Description

ColdStart WarmStart LinkUp LinkDown

Standard traps as described in RFC 1215.

Table 15: FortiGate system traps (OID1.3.6.1.4.1.12356.1.3.0) Trap message

Description

CPU usage high (fnTrapCpuThreshold)

CPU usage exceeds 80%. This threshold can be set in the CLI using config system global.

Memory low (fnTrapMemThreshold)

Memory usage exceeds 90%. This threshold can be set in the CLI using config system global.

Log disk too full (fnTrapLogDiskThreshold)

Log disk usage has exceeded the configured threshold. Only available on devices with log disks.

Temperature too high (fnTrapTempHigh)

A temperature sensor on the device has exceeded its threshold. Not all devices have thermal sensors. See manual for specifications.

Voltage outside acceptable Power levels have fluctuated outside of normal levels. Not all range devices have voltage monitoring instrumentation. (fnTrapVoltageOutOfRange) Power supply failure (fnTrapPowerSupplyFailure)

Power supply failure detected. Not available on all models. Available on some devices which support redundant power supplies.

Interface IP change (fnTrapIpChange)

The IP address for an interface has changed. The trap message includes the name of the interface, the new IP address and the serial number of the Fortinet unit. You can use this trap to track interface IP address changes for interfaces with dynamic IP addresses set using DHCP or PPPoE.

Diagnostic trap (fnTrapTest)

This trap is sent for diagnostic purposes. It has an OID index of.999.

Table 16: FortiGate VPN traps Trap message

Description

VPN tunnel is up (fgTrapVpnTunUp)

An IPSec VPN tunnel has started.

VPN tunnel down (fgTrapVpnTunDown)

An IPSec VPN tunnel has shut down.

Local gateway address (fnVpnTrapLocalGateway)

Address of the local side of the VPN tunnel. This information is associated with both of the VPN tunnel traps.

Remote gateway address Address of remote side of the VPN tunnel. (fnVpnTrapRemoteGateway) This information is associated with both of the VPN tunnel traps. Table 17: FortiGate IPS traps

190

Trap message

Description

IPS Signature (fgTrapIpsSignature)

IPS signature detected.

IPS Anomaly (fgTrapIpsAnomaly)

IPS anomaly detected.

IPS Package Update (fgTrapIpsPkgUpdate)

The IPS signature database has been updated.

(fgIpsTrapSigId)

ID of IPS signature identified in trap.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Config

SNMP

Table 17: FortiGate IPS traps Trap message

Description

(fgIpsTrapSrcIp)

IP Address of the IPS signature trigger.

(fgIpsTrapSigMsg)

Message associated with IPS event.

Table 18: FortiGate antivirus traps Trap message

Description

Virus detected (fgTrapAvVirus)

The antivirus engine detected a virus in an infected file from an HTTP or FTP download or from an email message.

Oversize file/email detected The FortiGate unit antivirus scanner detected an oversized file. (fgTrapAvOversize) Filename block detected (fgTrapAvPattern)

The FortiGate unit antivirus scanner blocked a file that matched a known virus pattern.

Fragmented file detected (fgTrapAvFragmented)

The FortiGate unit antivirus scanner detected a fragmented file or attachment.

(fgTrapAvEnterConserve)

The AV engine entered conservation mode due to low memory conditions.

(fgTrapAvBypass)

The AV scanner has been bypassed due to conservation mode.

(fgTrapAvOversizePass)

An oversized file has been detected, but has been passed due to configuration.

(fgTrapAvOversizeBlock)

An oversized file has been detected, and has been blocked.

(fgAvTrapVirName)

The virus name that triggered the event.

Table 19: FortiGate HA traps Trap message

Description

HA switch (fgTrapHaSwitch)

The specified cluster member has transitioned from a slave role to a master role.

HA Heartbeat Failure (fgTrapHaHBFail)

The heartbeat failure count has exceeded the configured threshold.

(fgTrapHaMemberDown)

An HA member becomes unavailable to the cluster.

(fgTrapHaMemberUp)

An HA member becomes available to the cluster.

(fgTrapHaStateChange)

The trap sent when the HA cluster member changes its state. .

(fgHaTrapMemberSerial)

Serial number of an HA cluster member. Used to identify the origin of a trap when a cluster is configured.

Table 20: FortiGate MIB FortiManager related traps Trap message

Description

(fgFmTrapDeployComplete)

Indicates when deployment of a new configuration has been completed. Used for verification by FortiManager.

(fgFmTrapDeployInProgress)

Indicates that a configuration change was not immediate and that the change is currently in progress. Used for verification by FortiManager.

(fgFmTrapConfChange)

The FortiGate unit configuration has been changed by something other than the managing FortiManager device.

(fgFmTrapIfChange)

No message. Sent to monitoring FortiManager when an interface changes IP address.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

191

SNMP

System Config

Fortinet and FortiGate MIB fields The FortiGate MIB contains fields reporting current FortiGate unit status information. The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet and FortiGate MIB fields by compiling the FORTINET-CORE-MIB.mib and FORTINETFORTIGATE-MIB.mib files into your SNMP manager and browsing the MIB fields on your computer. Table 21: FortiGate HA MIB fields MIB field

Description

fgHaGroupId

HA cluster group ID.

fgHaPriority

HA clustering priority (default - 127).

fgHaOverride

Status of a master override flag.

fgHaAutoSync

Status of an automatic configuration synchronization.

fgHaSchedule

Load balancing schedule for cluster in Active-Active mode.

fgHaGroupName HA cluster group name. fgHaTrapMember Serial number of an HA cluster member. Serial fgHaStatsTable

Statistics for the individual FortiGate unit in the HA cluster. fgHaStatsIndex

The index number of the unit in the cluster.

fgHaStatsSerial

The FortiGate unit serial number.

fgHaStatsCpuUsage

The current FortiGate unit CPU usage (%).

fgHaStatsMemUsage

The current unit memory usage (%).

fgHaStatsNetUsage

The current unit network utilization (Kbps).

fgHaStatsSesCount

The number of active sessions.

fgHaStatsPktCount

The number of packets processed.

fgHaStatsByteCount

The number of bytes processed by the FortiGate unit

fgHaStatsIdsCount

The number of attacks that the IPS detected in the last 20 hours.

fgHaStatsAvCount

The number of viruses that the antivirus system detected in the last 20 hours.

fgHaStatsHostname

Hostname of HA Cluster's unit.

Table 22: FortiGate Administrator accounts MIB field

Description

fgAdminIdelTimeout

Idle period after which an administrator is automatically logged out of the system.

fgAdminLcdProtection Status of the LCD protection, either enabled or disabled. fgAdminTable

Table of administrators on this FortiGate unit. fgAdminVdom

192

The virtual domain the administrator belongs to.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Config

SNMP

Table 23: FortiGate Virtual domains MIB field

Description

fgVdInfo

FortiGate unit Virtual Domain related information. fgVdNumber

The number of virtual domains configured on this FortiGate unit.

fgVdMaxVdoms

The maximum number of virtual domains allowed on the FortiGate unit as allowed by hardware or licensing.

fgVdEnabled

Whether virtual domains are enabled on this FortiGate unit.

fgVdTable.fgV Table of information about each virtual domain—each virtual domain has an fgVdEntry. Each entry has the following fields. dEntry fgVdEntIndex Internal virtual domain index used to uniquely identify entries in this table. This index is also used by other tables referencing a virtual domain. fgVdEntName

The name of the virtual domain.

fgVdEntOpMode Operation mode of this virtual domain - either NAT or Transparent. Table 24: FortiGate Active IP sessions table MIB field

Description

fgIpSessIndex

The index number of the IP session within the table

fgIpSessProto

The IP protocol the session is using (IP, TCP, UDP, etc.).

fgIpSessFromAddr The source IPv4 address of the active IP session. fgIpSessFromPort

The source port of the active IP session (UDP and TCP only).

fgIpSessToAddr

The destination IPv4 address of the active IP session.

fgIpSessToPort

The destination port of the active IP session (UDP and TCP only).

fgIpSessExp

The number of seconds remaining until the sessions expires (if idle).

fgIpSessVdom

Virtual domain the session is part of. Corresponds to the index in fgVdTable.

fgIpSessStatsTable IP Session statistics table for the virtual domain. fgIpSessNumber

Total sessions on this virtual domain.

Table 25: FortiGate Firewall policy statistics table MIB field

Description

fgFwPolicyStatsVdomIndex Index that identifies the virtual domain. This is the same index used by fgVdTable. fgFwPolicyID

Firewall policy ID. Only enabled policies are available for querying. Policy IDs are only unique within a virtual domain.

fgFwPolicyPktCount

Number of packets matched to policy (passed or blocked, depending on policy action). Count is from the time the policy became active.

fgFwPolicyByteCount

Number of bytes matched to policy (passed or blocked, depending on policy action). Count is from the time the policy became active.

Table 26: FortiGate Dialup VPNs MIB field

Description

fgVpnDialupIndex

An index value that uniquely identifies an VPN dial-up peer in the table.

fgVpnDialupGateway

The remote gateway IP address on the tunnel.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

193

Replacement messages

System Config

Table 26: FortiGate Dialup VPNs MIB field

Description

fgVpnDialupLifetime

VPN tunnel lifetime in seconds.

fgVpnDialupTimeout

Time remaining until the next key exchange (seconds) for this tunnel.

fgVpnDialupSrcBegin

Remote subnet address of the tunnel.

fgVpnDialupSrcEnd

Remote subnet mask of the tunnel.

fgVpnDialupDstAddr

Local subnet address of the tunnel.

fgVpnDialupVdom

The virtual domain this tunnel is part of. This index corresponds to the index in fgVdTable.

Table 27: VPN Tunnel table MIB field

Description

fgVpnTunEntIndex

An index value that uniquely identifies a VPN tunnel within the VPN tunnel table.

fgVpnTunEntPhase1Name

The descriptive name of the Phase1 configuration for the tunnel.

fgVpnTunEntPhase2Name

The descriptive name of the Phase2 configuration for the tunnel.

fgVpnTunEntRemGwyIp

The IP of the remote gateway used by the tunnel.

fgVpnTunEntRemGwyPort

The port of the remote gateway used by the tunnel, if it is UDP.

fgVpnTunEntLocGwyIp

The IP of the local gateway used by the tunnel.

fgVpnTunEntLocGwyPort

The port of the local gateway used by the tunnel, if it is UDP.

fgVpnTunEntSelectorSrcBeginIp

Beginning of the address range of the source selector.

fgVpnTunEntSelectorSrcEndIp

Ending of the address range of the source selector.

fgVpnTunEntSelectorSrcPort

Source selector port.

fgVpnTunEntSelectorDstBeginIp

Beginning of the address range of the destination selector.

fgVpnTunEntSelectorDstEndIp

Ending of the address range of the destination selector.

fgVpnTunEntSelectorDstPort

Destination selector port.

fgVpnTunEntSelectorProto

Protocol number for the selector.

fgVpnTunEntLifeSecs

Lifetime of the tunnel in seconds, if time based lifetime is used.

fgVpnTunEntLifeBytes

Lifetime of the tunnel in bytes, if byte transfer based lifetime is used.

fgVpnTunEntTimeout

Timeout of the tunnel in seconds.

fgVpnTunEntInOctets

Number of bytes received on the tunnel.

fgVpnTunEntOutOctets

Number of bytes sent out on the tunnel.

fgVpnTunEntStatus

Current status of the tunnel - either up or down.

fgVpnTunEntVdom

Virtual domain the tunnel belongs to. This index corresponds to the index used in fgVdTable.

Replacement messages Go to System > Config > Replacement Messages to change replacement messages and customize alert email and information that the FortiGate unit adds to content streams such as email messages, web pages, and FTP sessions.

194

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Config

Replacement messages

The FortiGate unit adds replacement messages to a variety of content streams. For example, if a virus is found in an email message, the file is removed from the email and replaced with a replacement message. The same applies to pages blocked by web filtering and email blocked by spam filtering.

Note: Disclaimer replacement messages provided by Fortinet are examples only.

Replacement messages list To view the replacement messages list go to System > Config > Replacement Messages. You use the replacement messages list to view and customize replacement messages to your requirements. The list organizes replacement message into an number of types (for example, Mail, HTTP, and so on). Use the expand arrow beside each type to display the replacement messages for that category. Select the Edit icon beside each replacement message to customize that message for your requirements. Figure 103: Replacement messages list

Name

The replacement message category. Select the expand arrow to expand or collapse the category. Each category contains several replacement messages that are used by different FortiGate features. The replacement messages are described below.

Description

A description of the replacement message.

Edit or view icon

Select to change or view a replacement message.

Note: FortiOS uses HTTP to send the Authentication Disclaimer page for the user to accept before the firewall policy is in effect. Therefore, the user must initiate an HTTP traffic first in order to trigger the Authentication Disclaimer page. Once the Disclaimer is accepted, the user can send whatever traffic is allowed by the firewall policy.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

195

Replacement messages

System Config

Changing replacement messages To change a replacement message list go to System > Config > Replacement Messages. Use the expand arrows to view the replacement message that you want to change. You can change the content of the replacement message by editing the text and HTML codes and by working with replacement message tags. For descriptions of the replacement message tags, see Table 38 on page 205. Figure 104: Sample HTTP virus replacement message

Replacement messages can be text or HTML messages. You can add HTML code to HTML messages. Allowed Formats shows you which format to use in the replacement message. There is a limit of 8192 characters for each replacement message. The following fields and options are available when editing a replacement message. Different replacement messages have different sets of fields and options. Message Setup

The name of the replacement message.

Allowed Formats

The type of content that can be included in the replacement message. Allowed formats can be Text or HTML. You should not use HTML code in Text messages. You can include replacement message tags in text and HTML messages.

Size

The number of characters allowed in the replacement message. Usually size is 8192 characters.

Message Text

The editable text of the replacement message. The message text can include text, HTML codes (if HTML is the allowed format) and replacement message tags.

You can customize the following categories of replacement messages:

196

•

Mail replacement messages

•

HTTP replacement messages

•

FTP replacement messages

•

NNTP replacement messages

•

Alert Mail replacement messages

•

Spam replacement messages

•

Administration replacement message

•

Authentication replacement messages

•

FortiGuard Web Filtering replacement messages

•

IM and P2P replacement messages

•

Endpoint control replacement message FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Config

Replacement messages

•

NAC quarantine replacement messages

•

SSL VPN replacement message

Mail replacement messages The FortiGate unit sends the mail replacement messages listed in Table 28 to email clients and servers using IMAP, POP3, or SMTP when an event occurs such as antivirus blocking a file attached to an email that contains a virus. Email replacement messages are text messages. If the FortiGate unit supports SSL content scanning and inspection these replacement messages can also be added to IMAPS, POP3S, and SMTPS email messages. Table 28: Mail replacement messages Message name Description Virus message

Antivirus Virus Scan enabled for an email protocol in a protection profile deletes a infected file from an email message and replaces the file with this message.

File block message

When the antivirus File Filter enabled for an email protocol in a protection profile deletes a file that matches an entry in the selected file filter list, the file is blocked and the email is replaced with this message.

Oversized file message

When the antivirus Oversized File/Email is set to Block for an email protocol in a protection profile and removes an oversized file from an email message, the file is replaced with this message.

Fragmented email

In a protection profile, antivirus Pass Fragmented Emails is not enabled so a fragmented email is blocked. This message replaces the first fragment of the fragmented email.

Data leak prevention message

In a DLP sensor, a rule with action set to Block replaces a blocked email message with this message.

Subject of data leak prevention message

This message is added to the subject field of all email messages replaced by the DLP sensor Block, Ban, Ban Sender, Quarantine IP address, and Quarantine interface actions.

Banned by data In a DLP sensor, a rule with action set to Ban replaces a blocked email message leak prevention with this message. This message also replaces any additional email messages message that the banned user sends until they are removed from the banned user list. Sender banned by data leak prevention message

In a DLP sensor, a rule with action set to Ban Sender replaces a blocked email message with this message. This message also replaces any additional email messages that the banned user sends until the user is removed from the banned user list.

Virus message (splice mode)

Splice mode is enabled and the antivirus system detects a virus in an SMTP email message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes this replacement message.

File block Splice mode is enabled and the antivirus file filter deleted a file from an SMTP message (splice email message. The FortiGate unit aborts the SMTP session and returns a 554 mode) SMTP error message to the sender that includes this replacement message. Oversized file Splice mode is enabled and antivirus Oversized File/Email set to Block and the message (splice FortiGate unit blocks an oversize SMTP email message. The FortiGate unit mode) aborts the SMTP session and returns a 554 SMTP error message to the sender that includes this replacement message.

HTTP replacement messages The FortiGate unit sends the HTTP replacement messages listed in Table 29 to web browsers using the HTTP protocol when an event occurs such as antivirus blocking a file that contains a virus in an HTTP session. HTTP replacement messages are HTML pages.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

197

Replacement messages

System Config

If the FortiGate unit supports SSL content scanning and inspection and if Protocol Recognition > HTTPS Content Filtering Mode is set to Deep Scan in the protection profile, these replacement messages can also replace web pages downloaded using the HTTPS protocol. Table 29: HTTP replacement messages Message name Description Virus message

Antivirus Virus Scan enabled for HTTP or HTTPS in a protection profile deletes an infected file being downloaded using an HTTP GET and replaces the file with this web page that is displayed by the client browser.

Infection cache message

Client comforting is enabled in a protection profile and the FortiGate unit blocks a URL added to the client comforting URL cache and replaces the blocked URL with this web page. For more information about the client comforting URL cache, see “HTTP and FTP client comforting” on page 410.

File block message

Antivirus File Filter enabled for HTTP or HTTPS in a protection profile blocks a file being downloaded using an HTTP GET that matches an entry in the selected file filter list and replaces it with this web page that is displayed by the client browser.

Oversized file message

Antivirus Oversized File/Email set to Block for HTTP or HTTPS in a protection profile blocks an oversized file being downloaded using an HTTP GET and replaces the file with this web page that is displayed by the client browser.

Data leak prevention message

In a DLP sensor, a rule with action set to Block replaces a blocked web page or file with this web page.

Banned by data In a DLP sensor, a rule with action set to Ban replaces a blocked web page or file leak prevention with this web page. This web page also replaces any additional web pages or message files that the banned user attempts to access until the user is removed from the banned user list. Banned word message

Web content blocking enabled in a protection profile blocks a web page being downloaded with an HTTP GET that contains content that matches an entry in the selected Web Content Block list. The blocked page is replaced with this web page.

URL block message

Web URL filtering enabled in a protection profile blocks a web page with a URL that matches an entry in the selected URL Filter list. The blocked page is replaced with this web page.

Client block

Antivirus File Filter enabled for HTTP or HTTPS in a protection profile blocks a file being uploaded by an HTTP POST that matches an entry in the selected file filter list and replaces it with this web page that is displayed by the client browser.

Client anti-virus

Antivirus Virus Scan enabled for HTTP or HTTPS in a protection profile deletes an infected file being uploaded using an HTTP PUT and replaces the file with this a web page that is displayed by the client browser.

Client filesize

In a protection profile, antivirus Oversized File/Email set to Block for HTTP or HTTPS and an oversized file that is being uploaded with an HTTP PUT is blocked and replaced with this web page.

Client banned word

Web content blocking enabled in a protection profile blocks a web page being uploaded with an HTTP PUT that contains content that matches an entry in the selected Web Content Block list. The client browser displays this web page.

POST block

HTTP POST Action is set to Block in a protection profile and the FortiGate unit blocks an HTTP POST and displays this web page.

FTP replacement messages The FortiGate unit sends the FTP replacement messages listed in Table 30 to FTP clients when an event occurs such as antivirus blocking a file that contains a virus in an FTP session. FTP replacement messages are text messages.

198

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Config

Replacement messages

Table 30: FTP replacement messages Message name Description Virus message

Antivirus Virus Scan enabled for FTP in a protection profile deletes an infected file being downloaded using FTP and sends this message to the FTP client.

Blocked message

Antivirus File Filter enabled for FTP in a protection profile blocks a file being downloaded using FTP that matches an entry in the selected file filter list and sends this message to the FTP client.

Oversized message

Antivirus Oversized File/Email set to Block for FTP in a protection profile blocks an oversize file from being downloaded using FTP and sends this message to the FTP client.

DLP message

In a DLP sensor, a rule with action set to Block replaces a blocked FTP download with this message.

DLP ban message

In a DLP sensor, a rule with action set to Ban blocks an FTP session and displays this message. This message is displayed whenever the banned user attempts to access until the user is removed from the banned user list.

NNTP replacement messages The FortiGate unit sends the NNTP replacement messages listed in Table 31 to NNTP clients when an event occurs such as antivirus blocking a file attached to an NNTP message that contains a virus. NNTP replacement messages are text messages. Table 31: FTP replacement messages Message name Description Virus message

Antivirus Virus Scan enabled for NTTP in a protection profile deletes an infected file attached to an NNTP message and sends this message to the FTP client.

Blocked message

Antivirus File Filter enabled for NNTP in a protection profile blocks a file attached to an NNTP message that matches an entry in the selected file filter list and sends this message to the FTP client.

Oversized message

Antivirus Oversized File/Email set to Block for NNTP in a protection profile removes an oversized file from an NNTP message and replaces the file with this message.

Data Leak prevention message

In a DLP sensor, a rule with action set to Block replaces a blocked NNTP message with this message.

Subject of data leak prevention message

This message is added to the subject field of all NNTP messages replaced by the DLP sensor Block, Ban, Quarantine IP address, and Quarantine interface actions.

Banned by data In a DLP sensor, a rule with action set to Ban replaces a blocked NNTP leak prevention message with this message. This message also replaces any additional NNTP message messages that the banned user sends until they are removed from the banned user list.

Alert Mail replacement messages The FortiGate unit adds the alert mail replacement messages listed in Table 32 to alert email messages sent to administrators. For more information about alert email, see “Alert Email” on page 670. Alert mail replacement messages are text messages. Table 32: Alert mail replacement messages Message name Description Virus message

Virus detected must be enabled for alert email. Antivirus Virus Scan must be enabled in a protection profile and detect a virus.

If you enable Send alert email for logs based on severity for alert email, whether or not replacement messages are sent by alert email depends on how you set the alert email Minimum log level.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

199

Replacement messages

System Config

Table 32: Alert mail replacement messages Message name Description Block message

Virus detected must be enabled for alert email. Antivirus File Filter must be enabled in a protection profile, and block a file that matches an entry in a selected file filter list.

Intrusion message

Intrusion detected enabled for alert email. An IPS Sensor or a DoS Sensor detects and attack.

Critical event message

Whenever a critical level event log message is generated, this replacement message is sent unless you configure alert email to enable Send alert email for logs based on severity and set the Minimum log level to Alert or Emergency.

Disk full message

Disk usage enabled and disk usage reaches the % configured for alert email.

If you enable Send alert email for logs based on severity for alert email, whether or not replacement messages are sent by alert email depends on how you set the alert email Minimum log level.

Spam replacement messages The FortiGate unit adds the Spam replacement messages listed in Table 33 to SMTP server responses if the email message is identified as spam and the spam action is discard. If the FortiGate unit supports SSL content scanning and inspection these replacement messages can also be added to SMTPS server responses. Table 33: Spam replacement messages Message name Description Email IP

Spam Filtering IP address BWL check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.

DNSBL/ORDBL From the CLI, spamrbl enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message. HELO/EHLO domain

Spam Filtering HELO DNS lookup enabled for SMTP in a protection profile identifies an email message as spam and adds this replacement message. HELO DNS lookup is not available for SMTPS.

Email address

Spam Filtering E-mail address BWL check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.

Mime header

From the CLI, spamhdrcheck enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.

Returned email domain

Spam Filtering Return e-mail DNS check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.

Banned word

Spam Filtering Banned word check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.

Spam submission message

Any Spam Filtering option enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message. Spam Filtering adds this message to all email tagged as spam. The message describes a button that the recipient of the message can select to submit the email signatures to the FortiGuard Antispam service if the email was incorrectly tagged as spam (a false positive).

Administration replacement message If you enter the following CLI command the FortiGate unit displays the Administration Login disclaimer whenever an administrator logs into the FortiGate unit web-based manager or CLI.

200

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Config

Replacement messages

config system global set access-banner enable end The web-based manager administrator login disclaimer contains the text of the Login Disclaimer replacement message as well as Accept and Decline buttons. The administrator must select accept to login.

Authentication replacement messages The FortiGate unit uses the text of the authentication replacement messages listed in Table 34 for various user authentication HTML pages that are displayed when a user is required to authenticate because a firewall policy includes at least one identity-based policy that requires firewall users to authenticate. For more information about identitybased policies, see “Identity-based firewall policy options (non-SSL-VPN)” on page 328 and “Configuring SSL VPN identity-based firewall policies” on page 331. These pages are used for authentication using HTTP and HTTPS. Authentication replacement messages are HTML messages. You cannot customize the firewall authentication messages for FTP and Telnet. The authentication login page and the authentication disclaimer include replacement tags and controls not found on other replacement messages. Users see the authentication login page when they use a VPN or a firewall policy that requires authentication. You can customize this page in the same way as you modify other replacement messages, Administrators see the authentication disclaimer page when logging into the FortiGate web-based manager or CLI. The disclaimer page makes a statement about usage policy to which the user must agree before the FortiGate unit permits access. You should change only the disclaimer text itself, not the HTML form code. There are some unique requirements for these replacement messages: •

The login page must be an HTML page containing a form with ACTION="/" and METHOD="POST"

•

The form must contain the following hidden controls: • • •

•

The form must contain the following visible controls: • •

Example The following is an example of a simple authentication page that meets the requirements listed above. Firewall Authentication

You must authenticate to use this service.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

201

Replacement messages

System Config

Username:
Password:

Table 34: Authentication replacement messages Message name Description Disclaimer page User Authentication Disclaimer enabled in a firewall policy that also includes at least one identity-based policy. When a firewall user attempts to browse a network through the FortiGate unit using HTTP or HTTPS this disclaimer page is displayed. The CLI includes auth-disclaimer-page-1, authdisclaimer-page-3, and auth-disclaimer-page-3 that you can use to increase the size of the authentication disclaimer page replacement message. For more information, see the FortiGate CLI Reference. Declined The Disclaimer page replacement message does not re-direct the user to a disclaimer page redirect URL or the firewall policy does not include a redirect URL. When a firewall user selects the button on the disclaimer page to decline access through the FortiGate unit, the Declined disclaimer page is displayed. Login page

The authentication HTML page displayed when firewall users who are required to authenticate connect through the FortiGate unit using HTTP or HTTPS.

Login failed page

The HTML page displayed if firewall users enter an incorrect user name and password combination.

Login challenge The HTML page displayed if firewall users are required to answer a question to page complete authentication. The page displays the question and includes a field in which to type the answer. This feature is supported by RADIUS and uses the generic RADIUS challenge-access auth response. Usually, challenge-access responses contain a Reply-Message attribute that contains a message for the user (for example, “Please enter new PIN”). This message is displayed on the login challenge page. The user enters a response that is sent back to the RADIUS server to be verified. The Login challenge page is most often used with RSA RADIUS server for RSA SecurID authentication. The login challenge appears when the server needs the user to enter a new PIN. You can customize the replacement message to ask the user for a SecurID PIN. Keepalive page

The HTML page displayed with firewall authentication keepalive is enabled using the following command: config system global set auth-keepalive enable end Authentication keepalive keeps authenticated firewall sessions from ending when the authentication timeout ends. Go to User > Options to set the Authentication Timeout.

FortiGuard Web Filtering replacement messages The FortiGate unit sends the FortiGuard Web Filtering replacement messages listed in Table 35 to web browsers using the HTTP protocol when FortiGuard web filtering blocks a URL, provides details about blocked HTTP 4xx and 5xx errors, and for FortiGuard overrides. FortiGuard Web Filtering replacement messages are HTTP pages.

202

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Config

Replacement messages

If the FortiGate unit supports SSL content scanning and inspection and if Protocol Recognition > HTTPS Content Filtering Mode is set to Deep Scan in the protection profile, these replacement messages can also replace web pages downloaded using the HTTPS protocol. Table 35: FortiGuard Web Filtering replacement messages Message name Description URL block message

Enable FortiGuard Web Filtering enabled in a protection profile for HTTP or HTTPS blocks a web page. The blocked page is replaced with this web page.

HTTP error message

Provide details for blocked HTTP 4xx and 5xx errors enabled in a protection profile for HTTP or HTTPS blocks a web page. The blocked page is replaced with this web page.

FortiGuard Web Override selected for a FortiGuard Web Filtering category and FortiGuard Web Filtering Filtering blocks a web page in this category and displays this web page. Using override form this web page users can authenticate to get access to the page. Go to UTM > Web Filter > Override to add override rules. For more information, see “Configuring administrative override rules” on page 489. The %%OVRD_FORM%% tag provides the form used to initiate an override if FortiGuard Web Filtering blocks access to a web page. Do not remove this tag from the replacement message.

IM and P2P replacement messages The FortiGate unit sends the IM and P2P replacement messages listed in Table 36 to IM and P2P clients using AIM, ICQ, MSN, or Yahoo! Messenger when an event occurs such as antivirus blocking a file attached to an email that contains a virus. IM and P2P replacement messages are text messages. Table 36: IM and P2P replacement messages Message name Description File block message

Antivirus File Filter enabled for IM in a protection profile deletes a file that matches an entry in the selected file filter list and replaces it with this message.

File name block Antivirus File Filter enabled for IM in a protection profile deletes a file with a message name that matches an entry in the selected file filter list and replaces it with this message. Virus message

Antivirus Virus Scan enabled for IM in a protection profile deletes a infected file from and replaces the file with this message.

Oversized file message

Antivirus Oversized File/Email set to Block for IM in a protection profile removes an oversized file and replaces the file with this message.

Data leak prevention message

In a DLP sensor, a rule with action set to Block replaces a blocked IM or P2P message with this message.

Banned by data In a DLP sensor, a rule with action set to Ban replaces a blocked IM or P2P leak prevention message with this message. This message also replaces any additional message messages that the banned user sends until they are removed from the banned user list. Voice chat block In an Application Control list, the Block Audio option is selected for AIM, ICQ, message MSN, or Yahoo! and the application control list is added to a protection profile. Photo share block message

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

In an Application Control list, the block-photo CLI keyword is enabled for MSN, or Yahoo and the application control list is added to a protection profile. You enable photo blocking from the CLI.

203

Replacement messages

System Config

Endpoint control replacement message The endpoint control download portal replacement message formats the FortiClient download portal page that appears if you enable endpoint control in a firewall policy and select Redirect Non-conforming Clients to Download Portal. The portal provides links to download a FortiClient application installer. The endpoint control replacement message is an HTML message. You can modify the appearance of the FortiClient Download Portal from System > Config > Replacement Messages > Endpoint Control by editing the Endpoint Control Download Portal. Be sure to retain the %%LINK%% tag which provides the download URL for the FortiClient installer. For more information about Endpoint control, see “Endpoint control” on page 641.

NAC quarantine replacement messages When a user is blocked by NAC quarantine or a DLP sensor with action set to Quarantine IP address or Quarantine Interface, if they attempt to start an HTTP session through the FortiGate unit using TCP port 80, the FortiGate unit connects them to one of the four NAC Quarantine HTML pages listed in Table 37. The page that is displayed for the user depends on whether NAC quarantine blocked the user because a virus was found, a DoS sensor detected an attack, an IPS sensor detected an attack, or a DLP rule with action set to Quarantine IP address or Quarantine Interface matched a session from the user. The default messages inform the user of why they are seeing this page and recommend they contact the system administrator. You can customize the pages as required, for example to include an email address or other contact information or if applicable a note about how long the user can expect to be blocked. For more information about NAC quarantine see “NAC quarantine and the Banned User list” on page 595. Table 37: NAC quarantine replacement messages Message name Description

204

Virus Message

Antivirus Quarantine Virus Sender enabled in a protection profile adds a source IP address or FortiGate interface to the banned user list. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80.

DoS Message

For a DoS Sensor the CLI quarantine option set to attacker or interface and the DoS Sensor added to a DoS firewall policy adds a source IP, a destination IP, or FortiGate interface to the banned user list. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80. This replacement message is not displayed if quarantine is set to both.

IPS Message

Quarantine Attackers enabled in an IPS sensor filter or override and the IPS sensor added to a protection profile adds a source IP address, a destination IP address, or a FortiGate interface to the banned user list. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80. This replacement message is not displayed if method is set to Attacker and Victim IP Address.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Config

Replacement messages

Table 37: NAC quarantine replacement messages Message name Description DLP Message

Action set to Quarantine IP address or Quarantine Interface in a DLP sensor and the DLP sensor added to a protection profile adds a source IP address or a FortiGate interface to the banned user list. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80.

SSL VPN replacement message The SSL VPN login replacement message is an HTML replacement message that formats the FortiGate SSL VPN portal login page. You can customize this replacement message according to your organization’s needs. The page is linked to FortiGate functionality and you must construct it according to the following guidelines to ensure that it will work. •

The login page must be an HTML page containing a form with ACTION="%%SSL_ACT%%" and METHOD="%%SSL_METHOD%%"

•

The form must contain the %%SSL_LOGIN%% tag to provide the login form.

•

The form must contain the %%SSL_HIDDEN%% tag.

Replacement message tags Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message. Table 38 lists the replacement message tags that you can add. Table 38: Replacement message tags Tag

Description

%%AUTH_LOGOUT%%

The URL that will immediately delete the current policy and close the session. Used on the auth-keepalive page.

%%AUTH_REDIR_URL%% The auth-keepalive page can prompt the user to open a new window which links to this tag. %%CATEGORY%%

The name of the content category of the web site.

%%DEST_IP%%

The IP address of the request destination from which a virus was received. For email this is the IP address of the email server that sent the email containing the virus. For HTTP this is the IP address of web page that sent the virus.

%%EMAIL_FROM%%

The email address of the sender of the message from which the file was removed.

%%EMAIL_TO%%

The email address of the intended receiver of the message from which the file was removed.

%%FAILED_MESSAGE%% The failed to login message displayed on the auth-login-failed page. %%FILE%%

The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.

%%FORTIGUARD_WF%%

The FortiGuard - Web Filtering logo.

%%FORTINET%%

The Fortinet logo.

%%LINK%%

The link to the FortiClient Host Security installs download for the Endpoint Control feature.

%%HTTP_ERR_CODE%%

The HTTP error code. “404” for example.

%%HTTP_ERR_DESC%%

The HTTP error description.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

205

Operation mode and VDOM management access

System Config

Table 38: Replacement message tags (Continued) Tag

Description

%%NIDSEVENT%%

The IPS attack message. %%NIDSEVENT%% is added to alert email intrusion messages.

%%OVERRIDE%%

The link to the FortiGuard Web Filtering override form. This is visible only if the user belongs to a group that is permitted to create FortiGuard web filtering overrides.

%%OVRD_FORM%%

The FortiGuard web filter block override form. This tag must be present in the FortiGuard Web Filtering override form and should not be used in other replacement messages.

%%PROTOCOL%%

The protocol (http, ftp, pop3, imap, or smtp) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.

%%QUARFILENAME%%

The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages. Quarantining is only available on FortiGate units with a local disk.

%%QUESTION%%

Authentication challenge question on auth-challenge page. Prompt to enter username and password on auth-login page.

%%SERVICE%%

The name of the web filtering service.

%%SOURCE_IP%%

The IP address of the request originator who would have received the blocked file. For email this is the IP address of the user’s computer that attempted to download the message from which the file was removed.

%%TIMEOUT%%

Configured number of seconds between authentication keepalive connections. Used on the auth-keepalive page.

%%URL%%

The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.

%%VIRUS%%

The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages

Operation mode and VDOM management access You can change the operation mode of each VDOM independently of other VDOMs. This allows any combination of NAT/Route and Transparent operating modes on the FortiGate unit VDOMs. Management access to a VDOM can be restricted based on which interfaces and protocols can be used to connect to the FortiGate unit.

Changing operation mode You can set the operating mode for your VDOM and perform sufficient network configuration to ensure that you can connect to the web-based manager in the new mode. To switch from NAT/Route to Transparent mode 1 Go to System > Config > Operation Mode or select Change beside Operation Mode on the System Status page for the virtual domain.

206

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Config

Operation mode and VDOM management access

2 From the Operation Mode list, select Transparent.

3 Enter the following information and select Apply. Management IP/Netmask

Enter the management IP address and netmask. This must be a valid IP address for the network from which you want to manage the FortiGate unit.

Default Gateway

Enter the default gateway required to reach other networks from the FortiGate unit.

To switch from Transparent to NAT/Route mode 1 Go to System > Config > Operation Mode or select Change beside Operation Mode on the System Status page for the virtual domain. 2 From the Operation Mode list, select NAT.

3 Enter the following information and select Apply. Interface IP/Netmask

Enter a valid IP address and netmask for the network from which you want to manage the FortiGate unit.

Device

Select the interface to which the Interface IP/Netmask settings apply.

Default Gateway

Enter the default gateway required to reach other networks from the FortiGate unit.

Gateway Device

Select the interface to which the default gateway is connected.

Management access You can configure management access on any interface in your VDOM. See “Administrative access to an interface” on page 135. In NAT/Route mode, the interface IP address is used for management access. In Transparent mode, you configure a single management IP address that applies to all interfaces in your VDOM that permit management access. The FortiGate also uses this IP address to connect to the FDN for virus and attack updates (see “Configuring FortiGuard Services” on page 264).

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

207

Operation mode and VDOM management access

System Config

The system administrator (admin) can access all VDOMs, and create regular administrator accounts. A regular administrator account can access only the VDOM to which it belongs. The management computer must connect to an interface in that VDOM. It does not matter to which VDOM the interface belongs. In both cases, the management computer must connect to an interface that permits management access and its IP address must be on the same network. Management access can be via HTTP, HTTPS, telnet, or SSH sessions if those services are enabled on the interface. HTTPS and SSH are preferred as they are more secure. You can allow remote administration of the FortiGate unit. However, allowing remote administration from the Internet could compromise the security of the FortiGate unit. You should avoid this unless it is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet:

208

•

Use secure administrative user passwords.

•

Change these passwords regularly.

•

Enable secure administrative access to this interface using only HTTPS or SSH.

•

Use Trusted Hosts to limit where the remote access can originate from.

•

Do not change the system idle timeout from the default value of 5 minutes (see “Settings” on page 228).

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Admin

Administrators

System Admin This section describes how to configure administrator accounts on your FortiGate unit. Administrators access the FortiGate unit to configure its operation. The factory default configuration has one administrator, admin. After connecting to the web-based manager or the CLI, you can configure additional administrators with various levels of access to different parts of the FortiGate unit configuration. If you enable virtual domains (VDOMs) on the FortiGate unit, system administrators are configured globally for the entire FortiGate unit. For details, see “Using virtual domains” on page 103. Note: Always end your FortiGate session by logging out, in the CLI or the web-based manager. If you do not, the session remains open.

This section describes: •

Administrators

•

Admin profiles

•

Central Management

•

Settings

•

Monitoring administrators

•

FortiGate IPv6 support

•

Customizable web-based manager

Administrators There are two levels of administrator accounts: Regular administrators

An administrator with any admin profile other than super_admin. A regular administrator account has access to configuration options as determined by its Admin Profile. If virtual domains are enabled, the regular administrator is assigned to one VDOM and cannot access global configuration options or the configuration for any other VDOM. For information about which options are global and which are per VDOM, see “VDOM configuration settings” on page 104 and “Global configuration settings” on page 107.

System administrators

Includes the factory default system administrator admin, any other administrators assigned to the super_admin profile, and any administrator that is assigned to the super_admin_readonly profile. Any administrator assigned to the super_admin admin profile, including the default administrator account admin, has full access to the FortiGate unit configuration and general system settings that includes the ability to: • enable VDOM configuration • create VDOMs • configure VDOMs • assign regular administrators to VDOMs • configure global options • customize the FortiGate web-based manager. The super_admin admin profile cannot be changed; it does not appear in the list of profiles in System > Admin > Admin Profile, but it is one of the selections in the Admin Profile drop-down list in System > Admin New/Edit Administrator dialog box.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

209

Administrators

System Admin

Figure 105: New Administrator dialog box displaying super_admin readonly option

Users assigned to the super_admin profile: •

cannot delete logged-in users who are also assigned the super_admin profile

•

can delete other users assigned the super_admin profile and/or change the configured authentication method, password, or admin profile, only if the other users are not logged in

•

can delete the default “admin” account only if the default admin user is not logged in.

By default, admin has no password. The password should be 32 characters or less. Note: The password of users with the super_admin admin profile can be reset in the CLI. If the password of a user who is logged in is changed, the user will be logged out and prompted to re-authenticate with the new password. Example: For a user ITAdmin with the admin profile super_admin, to set the password to 123456: config sys admin edit ITAdmin set password 123456 end Example: For a user ITAdmin with the admin profile super_admin, to reset the password from 123456 to the default ‘empty’: config sys admin edit ITAdmin unset password 123456 end

There is also an admin profile that allows read-only super admin privileges, super_admin_readonly. This profile cannot be deleted or changed, similar to the super_admin. The read-only super_admin profile is suitable in a situation where it is necessary for a system administrator to troubleshoot a customer configuration without being able to make changes. Other than being read-only, the super_admin_readonly profile can view all the FortiGate configuration tools.

210

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Admin

Administrators

You can authenticate an administrator by using a password stored on the FortiGate unit, an LDAP, RADIUS, or TACACS+ server, or by using PKI certificate-based authentication. To authenticate an administrator with an LDAP or TACACS+ server, you must add the server to an authentication list, include the server in a user group, and associate the administrator with the user group.The RADIUS server authenticates users and authorizes access to internal network resources based on the admin profile of the user. Users authenticated with the PKI-based certificate are permitted access to internal network resources based on the user group they belong to and the associated admin profile. A VDOM/admin profile override feature supports authentication of administrators via RADIUS. The admin user will have access depending on which VDOM and associated admin profile he or she is restricted to. This feature is available only to wildcard administrators, and can be set only through the FortiGate CLI. There can only be one VDOM override user per system. For more information, see the FortiGate CLI Reference.

Viewing the administrators list You need to use the default ”admin” account, an account with the super_admin admin profile, or an administrator with read-write access control to add new administrator accounts and control their permission levels. If you log in with an administrator account that does not have the super_admin admin profile, the administrators list will show only the administrators for the current virtual domain. To view the list of administrators, go to System > Admin > Administrators. Figure 106: Administrators list Change password Delete

Edit Create New

Add an administrator account.

Name

The login name for an administrator account.

Trusted Hosts The IP address and netmask of trusted hosts from which the administrator can log in. For more information, see “Using trusted hosts” on page 221. Profile

The admin profile for the administrator.

Type

The type of authentication for this administrator, one of:

Local

Authentication of an account with a local password stored on the FortiGate unit.

Remote

Authentication of a specific account on a RADIUS, LDAP, or TACACS+ server.

Remote+ Authentication of any account on an LDAP, RADIUS, or TACACS+ server. Wildcard PKI

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

PKI-based certificate authentication of an account.

211

Administrators

System Admin

Delete icon

Delete the administrator account. You cannot delete the original “admin” account until you create another user with the super_admin profile, log out of the “admin” account, and log in with the alternate user that has the super_admin profile.

Edit or View icon

Edit or view the administrator account.

Change Password icon

Change the password for the administrator account.

To change an administrator password, go to System > Admin > Administrators, and select the Change Password icon next to the administrator account you want to change the password for. Enter and confirm the new password, and select OK to save the changes.

Configuring an administrator account You need to use the default “admin” account, an account with the super_admin admin profile, or an administrator with read-write access control to create a new administrator. To create a new administrator, go to System > Admin > Administrators and select Create New. To configure the settings for an existing administrator, select the Edit icon beside the administrator. Figure 107: Administrator account configuration - Regular (local) authentication

Figure 108: Administrator account configuration - Remote authentication

212

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Admin

Administrators

Figure 109: Administrator account configuration - PKI authentication

Administrator

Enter the login name for the administrator account. The name of the administrator should not contain the characters ()#"'. Using these characters in the administrator account name can result in a cross site scripting (XSS) vulnerability.

Type

Select the type of administrator account:

Regular

Select to create a Local administrator account. For more information, see “Configuring regular (password) authentication for administrators” on page 214.

Remote

Select to authenticate the administrator using a RADIUS, LDAP, or TACACS+ server. Server authentication for administrators must be configured first. For more information, see “Configuring remote authentication for administrators” on page 214.

PKI

Select to enable certificate-based authentication for the administrator. Only one administrator can be logged in with PKI authentication enabled. For more information, see “Configuring PKI certificate authentication for administrators” on page 220.

User Group

Select the administrator user group that includes the Remote server/PKI (peer) users as members of the User Group. The administrator user group cannot be deleted once the group is selected for authentication. This is available only if Type is Remote or PKI.

Wildcard

Select to allow all accounts on the RADIUS, LDAP, or TACACS+ server to be administrators. This is available only if Type is Remote. Only one wildcard user is permitted per VDOM.

Password

Enter a password for the administrator account. For improved security, the password should be at least 6 characters long. This is not available if Wildcard is selected or when Type is PKI. See the Fortinet Knowledge Center article Recovering lost administrator account passwords if you forget or lose an administrator account password and cannot log in to your FortiGate unit.

Confirm Password Type the password for the administrator account a second time to confirm that you have typed it correctly. This is not available if Wildcard is selected or when PKI authentication is selected. Trusted Host #1 Trusted Host #2 Trusted Host #3

Enter the trusted host IP address and netmask that administrator login is restricted to on the FortiGate unit. You can specify up to three trusted hosts. These addresses all default to 0.0.0.0/0 or 0.0.0.0/0.0.0.0. For more information, see “Using trusted hosts” on page 221.

Admin Profile

Select the admin profile for the administrator. You can also select Create New to create a new admin profile. For more information on admin profiles, see “Configuring an admin profile” on page 225.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

213

Administrators

System Admin

Configuring regular (password) authentication for administrators You can use a password stored on the local FortiGate unit to authenticate an administrator. To configure an administrator to authenticate with a password stored on the FortiGate unit 1 Go to System > Admin. 2 Select Create New, or select the Edit icon beside an existing administrator. 3 Enter the following information: Administrator

A name for the administrator.

Type

Regular.

Password

A password for the administrator to use to authenticate.

Confirm Password

The password entered in Password.

Admin Profile

The admin profile to apply to the administrator.

4 Configure additional features as required. For more information, see “Configuring an administrator account” on page 212. 5 Select OK. When you select Type > Regular, you will see Local as the entry in the Type column when you view the list of administrators. For more information, see “Viewing the administrators list” on page 211. Note: If you forget or lose an administrator account password and cannot log in to your FortiGate unit, see the Fortinet Knowledge Center article Recovering lost administrator account passwords.

Configuring remote authentication for administrators You can authenticate administrators using RADIUS, LDAP, or TACACS+ servers. In order to do this, you must configure the server, include the server as a user in a user group, and create the administrator account to include in the user group.

Configuring RADIUS authentication for administrators Remote Authentication and Dial-in User Service (RADIUS) servers provide authentication, authorization, and accounting functions. FortiGate units use the authentication and authorization functions of the RADIUS server. To use the RADIUS server for authentication, you must configure the server before you configure the FortiGate users or user groups that will need it. If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit sends the user’s credentials to the RADIUS server for authentication. If the RADIUS server can authenticate the user, the user is successfully authenticated with the FortiGate unit. If the RADIUS server cannot authenticate the user, the FortiGate unit refuses the connection. If you want to use a RADIUS server to authenticate administrators in your VDOM, you must configure the authentication before you create the administrator accounts. To do this you need to:

214

•

configure the FortiGate unit to access the RADIUS server

•

create a user group with the RADIUS server as its only member.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Admin

Administrators

Note: Access to the FortiGate unit depends on the VDOM associated with the administrator account.

The following instructions assume that there is a RADIUS server on your network populated with the names and passwords of your administrators. For information on how to set up a RADIUS server, see the documentation for your RADIUS server. To view the RADIUS server list, go to User > Remote > RADIUS. Figure 110: Example RADIUS server list Delete

Edit Create New

Add a new RADIUS server.

Name

The name that identifies the RADIUS server on the FortiGate unit.

Server Name/IP

The domain name or IP address of the RADIUS server.

Delete icon

Delete a RADIUS server configuration. You cannot delete a RADIUS server that has been added to a user group.

Edit icon

Edit a RADIUS server configuration.

To configure the FortiGate unit to access the RADIUS server 1 Go to User > Remote > RADIUS. 2 Select Create New, or select the Edit icon beside an existing RADIUS server. 3 Enter a name that identifies the RADIUS server. Use this name when you create the user group. 4 For Primary Server Name/IP, enter the domain name or IP address of the RADIUS server. 5 For Primary Server Secret, enter the RADIUS server secret. The RADIUS server administrator can provide this information. 6 Optionally, provide information regarding a secondary RADIUS server, custom authentication scheme, and a NAS IP/Called Station ID. 7 Optionally, configure the RADIUS server to be included in every user group in the associated VDOM. 8 Select OK. For further information about RADIUS authentication, see “Configuring a RADIUS server” on page 572. To create the user group (RADIUS) 1 Go to User > User Group. 2 Select Create New or select the Edit icon beside an existing RADIUS group. 3 Enter the name that identifies the user group. FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

215

Administrators

System Admin

4 For Type, enter Firewall. 5 In the Available Users/Groups list, select the RADIUS server name and move it to the Members list. 6 Select OK. To configure an administrator to authenticate with a RADIUS server 1 Go to System > Admin. 2 Select Create New, or select the Edit icon beside an existing administrator. 3 Enter the following information: Name

A name that identifies the administrator.

Type

Remote.

User Group

The user group that includes the RADIUS server as a member.

Password

The password the administrator uses to authenticate.

Confirm Password

The re-entered password that confirms the original entry in Password.

Admin Profile

The admin profile to apply to the administrator.

4 Configure additional features as required. For more information, see “Configuring an administrator account” on page 212. 5 Select OK. For more information about using a RADIUS server to authenticate system administrators, see Fortinet Knowledge Centre article #3849 Using RADIUS for Admin Access and Authorization. •

Admin profiles

•

Configuring a RADIUS server

•

Configuring a user group

Configuring LDAP authentication for administrators Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, printers, etc. If you have configured LDAP support and an administrator is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. If the LDAP server cannot authenticate the administrator, the FortiGate unit refuses the connection. If you want to use an LDAP server to authenticate administrators in your VDOM, you must configure the authentication before you create the administrator accounts. To do this you need to: •

configure the LDAP server

•

configure the FortiGate unit to access the LDAP server

•

create a user group with the LDAP server as a member.

To view the LDAP server list, go to User > Remote > LDAP.

216

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Admin

Administrators

Figure 111: Example LDAP server list Delete

Edit Create New

Add a new LDAP server.

Name

The name that identifies the LDAP server on the FortiGate unit.

Server Name/IP

The domain name or IP address of the LDAP server.

Port

The TCP port used to communicate with the LDAP server.

Common Name Identifier The common name identifier for the LDAP server. Distinguished Name

The distinguished name used to look up entries on the LDAP server.

Delete icon

Delete the LDAP server configuration.

Edit icon

Edit the LDAP server configuration.

To configure an LDAP server 1 Go to User > Remote > LDAP. 2 Select Create New or select the Edit icon beside an existing LDAP server. 3 Enter or select the following and select OK. Name

The name that identifies the LDAP server on the FortiGate unit.

Server Name/IP

The domain name or IP address of the LDAP server.

Server Port

The TCP port used to communicate with the LDAP server.

Common Name Identifier

The common name identifier for the LDAP server.

Distinguished Name

The base distinguished name for the server in the correct X.500 or LDAP format.

Query icon

View the LDAP server Distinguished Name Query tree for the LDAP server that you are configuring so that you can cross-reference to the Distinguished Name. For more information, see “Using Query” on page 577.

Bind Type

The type of binding for LDAP authentication.

Anonymous

Bind using anonymous user search.

Regular

Bind using a user name/password and then search.

Simple

Bind using a simple password authentication without a search.

Filter

Filter used for group searching. Available only if Bind Type is Anonymous or Regular.

User DN

Distinguished name of user to be authenticated. Available only if Bind Type is Regular.

Password

Password of user to be authenticated. Available only if Bind Type is Regular.

Secure Connection

A check box that enables a secure LDAP server connection for authentication.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

217

Administrators

System Admin

Protocol

The secure LDAP protocol to use for authentication. Available only if Secure Connection is selected.

Certificate

The certificate to use for authentication. Available only if Secure Connection is selected.

For further information about LDAP authentication, see “Configuring an LDAP server” on page 575. To create the user group (LDAP) 1 Go to User > User Group. 2 Select Create New or select the Edit icon beside an existing user group. 3 Enter a Name that identifies the user group. 4 For Type, enter Firewall. 5 In the Available Users/Groups list, select the LDAP server name and move it to the Members list. 6 Select OK. To configure an administrator to authenticate with an LDAP server 1 Go to System > Admin. 2 Select Create New or select the Edit icon beside an existing administrator account. 3 Enter or select the following: Administrator

A name that identifies the administrator.

Type

Remote.

User Group

The user group that includes the LDAP server as a member.

Wildcard

A check box that allows all accounts on the LDAP server to be administrators.

Password

The password the administrator uses to authenticate. Not available if Wildcard is enabled.

Confirm Password

The re-entered password that confirms the original entry in Password. Not available if Wildcard is enabled.

Admin Profile

The admin profile to apply to the administrator.

4 Configure additional features as required. For more information, see “Configuring an administrator account” on page 212. 5 Select OK.

Configuring TACACS+ authentication for administrators Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol that provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. If you have configured TACACS+ support and an administrator is required to authenticate using a TACACS+ server, the FortiGate unit contacts the TACACS+ server for authentication. If the TACACS+ server cannot authenticate the administrator, the connection is refused by the FortiGate unit. If you want to use an TACACS+ server to authenticate administrators in your VDOM, you must configure the authentication before you create the administrator accounts. To do this you need to:

218

•

configure the TACACS+ server

•

configure the FortiGate unit to access the TACACS+ server FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Admin

Administrators

•

create a user group with the TACACS+ server as a member.

To view the TACACS+ server list, go to User > Remote > TACACS+. Figure 112: Example TACACS+ server list Delete

Edit

Create New

Add a new TACACS+ server.

Server

The server domain name or IP address of the TACACS+ server.

Authentication Type

The supported authentication method. TACACS+ authentication methods include: Auto, ASCII, PAP, CHAP, and MSCHAP.

Delete icon

Delete this TACACS+ server

Edit icon

Edit this TACACS+ server.

To configure the FortiGate unit to access the TACACS+ server 1 Go to User > Remote > TACACS+. 2 Select Create New, or select the Edit icon beside an existing TACACS+ server. 3 Enter the Name that identifies the TACACS+ server. 4 For Server Name/IP, enter the server domain name or IP address of the TACACS+ server. 5 For Server Key, enter the key to access the TACACS+ server. The maximum number is 16. 6 For Authentication Type, enter one of Auto, ASCII, PAP, CHAP, and MSCHAP. Auto authenticates using PAP, MSCHAP, and CHAP (in that order). 7 Select OK. For further information about TACACS+ authentication, see “Configuring TACACS+ servers” on page 578. To create the user group (TACACS+) 1 Go to User > User Group. 2 Select Create New, or select the Edit icon beside an existing user group. 3 Enter a Name that identifies the user group. 4 For Type, select Firewall. 5 In the Available Users/Groups list, select the TACACS+ server name and move it to the Members list. 6 Select OK. To configure an administrator to authenticate with a TACACS+ server 1 Go to System > Admin. 2 Select Create New, or select the Edit icon beside an existing administrator. FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

219

Administrators

System Admin

3 Enter or select the following: Administrator

A name that identifies the administrator.

Type

Remote.

User Group

The user group that includes the TACACS+ server as a member.

Wildcard

Select to allow all accounts on the TACACS+ server to be administrators.

Password

The password the administrator uses to authenticate. Not available if Wildcard is enabled.

Confirm Password

The re-entered password that confirms the original entry in Password. Not available if Wildcard is enabled.

Admin Profile

The admin profile to apply to the administrator.

4 Configure additional features as required. For more information, see “Configuring an administrator account” on page 212. 5 Select OK.

Configuring PKI certificate authentication for administrators Public Key Infrastructure (PKI) authentication uses a certificate authentication library that takes a list of peers, peer groups, and user groups and returns authentication successful or denied notifications. Users only need a valid certificate for successful authentication; no username or password is necessary. If you want to use PKI authentication for an administrator, you must configure the authentication before you create the administrator accounts. To do this you need to: •

configure a PKI administrator to be included in the user group

•

create a user group.

To view the PKI user list, go to User > PKI. Figure 113: Example PKI user list Delete

Edit

Create New

Add a new PKI user.

Name

The name of the PKI user.

Subject

The text string that appears in the subject field of the certificate of the authenticating user.

CA

The CA certificate that is used to authenticate this user.

Delete icon

Delete this PKI user.

Edit icon

Edit this PKI user.

To configure a PKI user 1 Go to User > PKI. 2 Select Create New, or select the Edit icon beside an existing PKI user.

220

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Admin

Administrators

3 Enter the Name of the PKI user. 4 For Subject, enter the text string that appears in the subject field of the certificate of the authenticating user. 5 Select the CA certificate used to authenticate this user. 6 Select OK. To create the user group (PKI) 1 Go to User > User Group. 2 Select Create New, or select the Edit icon beside an existing user group. 3 Enter the Name that identifies the user group. 4 For Type, enter Firewall. 5 In the Available Users/Groups list, select the PKI user name and move it to the Members list. 6 Select OK. To configure an administrator to authenticate with a PKI certificate 1 Go to System > Admin. 2 Select Create New, or select the Edit icon beside an existing administrator. 3 Enter or select the following: Administrator

A name that identifies the administrator.

Type

PKI.

User Group

The user group that includes the PKI user as a member.

Admin Profile

The admin profile to apply to the administrator.

4 Configure additional features as required. For more information, see “Configuring an administrator account” on page 212. 5 Select OK.

Using trusted hosts Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator must connect only through the subnet or subnets you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255. When you set trusted hosts for all administrators, the FortiGate unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access. The trusted hosts you define apply both to the web-based manager and to the CLI when accessed through Telnet or SSH. CLI access through the console connector is not affected. The trusted host addresses all default to 0.0.0.0/0.0.0.0. If you set one of the 0.0.0.0/0.0.0.0 addresses to a non-zero address, the other 0.0.0.0/0.0.0.0 will be ignored. The only way to use a wildcard entry is to leave the trusted hosts at 0.0.0.0/0.0.0.0. However, this configuration is less secure.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

221

Admin profiles

System Admin

Admin profiles Each administrator account belongs to an admin profile. The admin profile separates FortiGate features into access control categories for which an administrator with read/write access can enable none (deny), read only, or read/write access. The following table lists the web-based manager pages to which each category provides access: Table 39: Admin profile control of access to Web-based manager pages Access control

Affected web-based manager pages

Admin Users

System > Admin System > Admin > Central Management System > Admin > Settings

Antivirus Configuration

UTM > AntiVirus

Auth Users

User

Firewall Configuration

Firewall

FortiGuard Update

System > Maintenance > FortiGuard

IM, P2P & VoIP Configuration

IM, P2P & VoIP > Statistics IM, P2P & VoIP > User > Current Users IM, P2P & VoIP > User > User List IM, P2P & VoIP > User > Config

IPS Configuration

UTM > Intrusion Protection

Log&Report

Log&Report

Maintenance

System > Maintenance

Network Configuration

System > Network > Interface System > Network > Zone System > DHCP

Router Configuration

Router

Spamfilter Configuration

UTM > AntiSpam

System Configuration

System > Status, including Session info System > Config System > Hostname System > Network > Options System > Admin > Central Management System > Admin > Settings System > Status > System Time

VPN Configuration

VPN

Webfilter Configuration

UTM > Web Filter

Read-only access enables the administrator to view the web-based manager page. The administrator needs write access to change the settings on the page. You can expand the firewall configuration access control to enable more granular control of access to the firewall functionality. You can control administrator access to policy, address, service, schedule, profile, and other virtual IP (VIP) configurations. Note: When Virtual Domain Configuration is enabled (see “Settings” on page 228), only the administrators with the admin profile super_admin have access to global settings. Other administrator accounts are assigned to one VDOM and cannot access global configuration options or the configuration for any other VDOM. For information about which settings are global, see “VDOM configuration settings” on page 104.

222

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Admin

Admin profiles

The admin profile has a similar effect on administrator access to CLI commands. The following table shows which command types are available in each Access Control category. You can access “get” and “show” commands with Read Only access. Access to “config” commands requires Read-Write access. Table 40: Admin profile control of access to CLI commands Access control

Available CLI commands

Admin Users (admingrp)

system admin system accprofile

Antivirus Configuration (avgrp)

antivirus

Auth Users (authgrp)

user

Firewall Configuration (fwgrp)

firewall Use the set fwgrp custom and config fwgrppermission commands to set some firewall permissions individually. You can make selections for policy, address, service, schedule, profile, and other (VIP) configurations. For more information, see FortiGate CLI Reference.

FortiProtect Update (updategrp)

system autoupdate execute update-av execute update-ips execute update-now

IPS Configuration (ipsgrp)

ips

Log & Report (loggrp)

alertemail log system fortianalyzer execute log

Maintenance (mntgrp)

execute execute execute execute execute

Network Configuration (netgrp)

system arp-table system dhcp system interface system zone execute dhcp lease-clear execute dhcp lease-list execute clear system arp table execute interface

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

formatlogdisk restore backup batch usb-disk

223

Admin profiles

System Admin

Table 40: Admin profile control of access to CLI commands (Continued) Access control

Available CLI commands

Router Configuration (routegrp)

router execute router execute mrouter

Spamfilter Configuration (spamgrp)

spamfilter

System Configuration (sysgrp)

system except accprofile, admin, arp-table, autoupdate, fortianalyzer, interface, and zone. execute date execute ha execute ping execute ping-options execute ping6 execute time execute traceroute execute cfg execute factoryreset execute reboot execute shutdown execute deploy execute set-next-reboot execute ssh execute telnet execute disconnect-admin-session execute usb

VPN Configuration (vpngrp)

vpn execute vpn

Webfilter Configuration (webgrp)

webfilter

To add admin profiles for FortiGate administrators, go to System > Admin > Admin Profile. Each administrator account belongs to an admin profile. An administrator with read/write access can create admin profiles that deny access to, allow read-only, or allow both readand write-access to FortiGate features. When an administrator has read-only access to a feature, the administrator can access the web-based manager page for that feature but cannot make changes to the configuration. There are no Create or Apply buttons and lists display only the View ( ) icon instead of icons for Edit, Delete or other modification commands.

Viewing the admin profiles list You need to use the admin account or an account with Admin Users read/write access to create or edit admin profiles. To view the admin profiles list, go to System > Admin > Admin Profile. Figure 114: Admin profile list Delete

Edit

224

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Admin

Admin profiles

Create New

Add a new admin profile.

Profile Name

The name of the admin profile.

Delete icon

Select to delete the admin profile. You cannot delete an admin profile that has administrators assigned to it.

Edit icon

Select to modify the admin profile.

Configuring an admin profile You need to use the admin account or an account with Admin Users read/write access to edit an admin profile. To configure an admin profile, go to System > Admin > Admin Profile. Select Create New or select the Edit icon beside an existing profile. Enter or select the following, and select OK. Figure 115: Admin profile options

Profile Name

Enter the name of the admin profile.

Access Control

List of the items that can customize access control settings if configured.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

225

Central Management

System Admin

None

Deny access to all Access Control categories.

Read Only

Enable Read access in all Access Control categories.

Read-Write

Select to allow read/write access in all Access Control categories.

Access Control (categories)

Make specific control selections as required. For detailed information about the Access Control categories, see “Admin profiles” on page 222.

GUI Control

Select Standard to use the default FortiGate web-based manager. Select Customize to create a custom web-based manager configuration for the administrators who login with this admin profile. For more information, see “Customizable web-based manager” on page 231.

Central Management The Central Management tab provides the option of remotely managing your FortiGate unit by either a FortiManager unit or the FortiGuard Analysis and Management Service. From System > Admin > Central Management, you can configure your FortiGate unit to back up or restore configuration settings automatically to the specified central management server. The central management server is the type of service you enable, either a FortiManager unit or the FortiGuard Analysis and Management Service. If you have a subscription for FortiGuard Analysis and Management Service, you can also remotely upgrade the firmware on the FortiGate unit. Figure 116: Central Management using FortiManager

Figure 117: Central Management using the FortiGuard Analysis and Management Service

226

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Admin

Central Management

Enable Central Management

Enables the Central Management feature on the FortiGate unit.

Type

Select the type of central management for this FortiGate unit. You can select FortiManager or the FortiGuard Analysis and Management Service.

FortiManager

Select to use FortiManager as the central management service for the FortiGate unit. Enter the IP address or name of the FortiManager unit in the IP/Name field. If your organization is operating a FortiManager cluster, add the IP address or name of the primary FortiManager unit to the IP/Name field and add the IP address or name of the backup FortiManager units to the Trusted FortiManager list. Status indicates whether or not the FortiGate unit can communicate wit the FortiManager unit added to the IP/Name field. Select Register to include the FortiManager unit in the Trusted FortiManager List. A red arrow-down indicates that there is no connection enabled; a green arrow-up indicates that there is a connection. A yellow caution symbol appears when your FortiGate unit is considered an unregistered device by the FortiManager unit.

FortiGuard Analysis and Management Service

Select to use the FortiGuard Analysis Management Service as the central management service for the FortiGate unit. Enter the Account ID in the Account ID field. If you do not have an account ID, register for the FortiGuard Analysis and Management Service on the FortiGuard Analysis and Management Service website. Select Change to go directly to System > Maintenance > FortiGuard. Under Analysis and Management Service Options, enter the account ID in the Account ID field.

When you are configuring your FortiGate unit to connect to and communicate with a FortiManager unit, the following steps must be taken because of the two different deployment scenarios. •

•

FortiGate is directly reachable from FortiManager: •

In the FortiManager GUI, add the FortiGate unit to the FortiManager database in the Device Manager module

•

Change the FortiManager IP address

•

Change the FortiGate IP address

FortiGate behind NAT •

In System > Admin > Central Management, choose FortiManager

•

Add the FortiManager unit to the Trusted FortiManager List, if applicable

•

Change the FortiManager IP address

•

Change the FortiGate IP address

•

Contact the FortiManager administrator to verify the FortiGate unit displays in the Device list in the Device Manager module

Revision control The Revision Control tab displays a list of the backed up configuration files. The list displays only when your FortiGate unit is managed by a central management server. For more information, see “Managing configuration revisions” on page 261.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

227

Settings

System Admin

Settings The Settings tab includes the following features that you can configure: •

ports for HTTP/HTTPS administrative access and SSL VPN login

•

the idle timeout setting

•

settings for the language of the web-based manager and the number of lines displayed in generated reports

•

PIN protection for LCD and control buttons (LCD-equipped models only)

•

SCP capability for users logged in via SSH

•

IPv6 support on the web based manager.

To configure settings, go to System > Admin > Settings, enter or select the following and select OK. Figure 118: Administrators Settings

Web Administration Ports

228

HTTP

TCP port to be used for administrative HTTP access. The default is 80.

HTTPS

TCP port to be used for administrative HTTPS access. The default is 443.

SSLVPN Login Port

An alternative HTTPS port number for remote client web browsers to connect to the FortiGate unit. The default port number is 10443.

Telnet Port

TCP port to be used for administrative telnet access. The default is 23.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Admin

Monitoring administrators

SSH Port

TCP port to be used for administrative SSH access. The default is 22.

Enable SSH v1 compatibility

Enable compatibility with SSH v1 in addition to v2. (Optional)

Timeout Settings Idle Timeout

The number of minutes that an administrative connection can be idle before the administrator must log in again. The maximum is 480 minutes (8 hours). To improve security, keep the idle timeout at the default value of 5 minutes.

Display Settings Language

The language the web-based manager uses. Choose from English, Simplified Chinese, Japanese, Korean, Spanish, Traditional Chinese or French. You should select the language that the management computer operating system uses.

Lines per Page

Number of lines per page to display in table lists. The default is 50. Range is from 20 - 1000.

IPv6 Support on GUI Enable to configure IPv6 options from the GUI (Firewall policy, route, address and address group). Default allows configuration from CLI only. Note: IPv6 is not supported in Transparent mode. LCD Panel (LCD-equipped models only) PIN Protection Enable SCP

Select and enter a 6-digit PIN. Administrators must enter the PIN to use the control buttons and LCD. Enable users logged in through the SSH to be able to use the SCP to copy the configuration file.

Note: If you make a change to the default port number for HTTP, HTTPS, Telnet, or SSH, ensure that the port number is unique.

Monitoring administrators To see the number of logged-in administrators, go to System > Status. Under System Information, you will see Current Administrators. Select Details to view information about the administrators currently logged in to the FortiGate unit. Figure 119: System Information displaying current administrators

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

229

FortiGate IPv6 support

System Admin

Figure 120: Detailed view of Administrators logged in monitor window

Disconnect

Select to disconnect the selected administrators. This is available only if your admin profile gives you System Configuration write permission.

Refresh

Select to update the list.

Close

Select to close the window. Select and then select Disconnect to log off this administrator. This is available only if your admin profile gives you System Configuration write access. You cannot log off the default “admin” user.

User Name

The administrator account name.

Type

The type of access: http, https, jsconsole, sshv2.

From

If Type is jsconsole, the value in From is N/A. Otherwise, Type contains the administrator’s IP address.

Time

The date and time that the administrator logged on.

See also

FortiGate IPv6 support IPv6 is version 6 of the Internet Protocol. It can provide billions more unique IP addresses than the previous standard, IPv4. The internet is currently in transition from IPv4 to IPv6 addressing. IPv6 hosts and routers maintain interoperability with the existing IPv4 infrastructure in two ways: •

implementing dual IP layers to support both IPv6 and IPv4

•

using IPv6 over IPv4 tunneling to encapsulate IPv6 packets within IPv4 headers to carry them over IPv4 infrastructure.

FortiGate units are dual IP layer IPv6/IPv4 nodes. They support IPv6 overIPv4 tunneling, routing, firewall policies and IPSec VPN. You can assign both an IPv4 and an IPv6 address to any interface on a FortiGate unit—the interface functions as two interfaces, one for IPv4-addressed packets and another for IPv6-addressed packets. For more information, see the FortiGate IPv6 Support Technical Note available from the Fortinet Knowledge Center. Before you can work with IPv6 on the web-based manager, you must enable IPv6 support.

Note: IPv6 is not supported in Transparent mode.

To enable IPv6 support, go to System > Admin > Settings, then under Display Settings, select IPv6 Support on GUI. After you enable IPv6 support in the web-based manager, you can:

230

•

create IPv6 static routes (see Router Static)

•

monitor IPv6 routes (see Router Monitor)

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Admin

Customizable web-based manager

•

create IPv6 firewall addresses (see Firewall Address)

•

create IPv6 firewall address groups (see Firewall Address)

•

create IPv6 firewall policies (see Firewall Policy)

•

create VPNs that use IPv6 addressing (see IPSec VPN)

Once IPv6 support is enabled, you can configure the IPv6 options using the web-based manager or the CLI. See the FortiGate CLI Reference for information on configuring IPv6 support using the CLI.

Customizable web-based manager In addition to configuring administrators with varying levels of access to different parts of the FortiGate unit configuration, you can customize the FortiGate web-based manager (or GUI) to show, hide, and arrange widgets/menus/items according to your specific requirements. In standard operation mode, the display is static. Customizing the display allows you to vary or limit the GUI layout—to fulfill different administrator roles. There are also several configuration widgets which you can enable for CLI-only options that are not displayed by default. Only administrators with the super_admin admin profile may create and edit GUI layouts. The customized GUI layouts are stored as part of the administrator admin profile. New admin profiles are based on the default layout. The FortiGate default layout cannot be modified. Terms used in this section include: •

Dialog box - HTML-layer pop-up window. Displayed via HTML with grayed-out background (see Figure 124).

•

GUI layout - web-based manager layout configured for a specific Admin Profile (see Figure 135).

•

Page layout - arrangement of widgets on a screen of the web-based manager (see Figure 132).

•

Tier 1 menu item - top-level menu item in web-based manager layout (see “To create Tier-1 and Tier-2 menu items” on page 235).

•

Tier 2 menu item - submenu item in web-based manager layout (see “To create Tier-1 and Tier-2 menu items” on page 235). Tip: Increase the timeout settings before creating or editing a GUI layout. See “Settings” on page 228.

GUI layout customization example The following example illustrates the basic steps to customize the display. The example assumes that you are an administrator with a super_admin profile performing the customization. The super_admin will create a profile called Report Profile for a regular admin user. This protection profile will allow the regular admin user read-only access to logs and reports produced by the FortiGate unit, and also prevent him or her from viewing additional FortiGate features. Before customizing the GUI layout, you need to configure the administrative admin profile. To configure the profile, go to System > Admin > Admin Profile and select Create New.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

231

Customizable web-based manager

System Admin

Figure 121: Admin profile dialog box (default settings)

Note: The current administrator Access Control settings apply only to the fixed components of the layout (default), not to the customized items. If you want to create a completely customized layout profile, you must set access for all fixed components to None and also set all the standard menu items to Hide from within the GUI layout dialog box (see Figure 124).

The following configuration will set up read-only administrative access to Log&Report items for the Report Profile profile, and prevent access to the default layout.

232

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Admin

Customizable web-based manager

Figure 122: Admin Profile dialog box - Log & Report access

Access denied to other layout items

Read-only access selected for Log & Report Standard GUI Control Menu Layout selection

To configure the admin profile 1 Enter the name Report Profile (see Figure 122). 2 To prevent access to the default layout items, set Access Control to None for all items except Log & Report. 3 Under GUI Control > Menu Layout, select Standard. 4 Select OK to save the settings. The admin profiles list reappears. 5 From the list, select the Edit icon beside Report Profile. 6 Under GUI Control > Menu Layout, select Customize, and then select OK. (see Figure 123 and Figure 124).

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

233

Customizable web-based manager

System Admin

Figure 123: Selection of Customize GUI Control option for Report Profile ]

Select Customize to access the layout dialog box Figure 124: Customize GUI layout dialog box for Report Profile Customization drop-down menu icon

Edit Layout

Show Preview Add Content

Customization drop-down menu

Save layout Cancel layout changes

Layout preview icon Create new Tier-1 menu item Reset menu to default layout configuration

In the GUI layout dialog box, select the customization drop-down menu icon beside System and select hide (see Figure 124). Repeat for each menu item except Log&Report.

234

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Admin

Customizable web-based manager

To start the configuration of customized menu items, select the Create New (Tier-1 menu item) icon in the FortiGate menu. You will need to: •

configure Tier-1 and Tier-2 menu items

•

add tabs to each of these items as required

•

add content to the page layout.

To create Tier-1 and Tier-2 menu items 1 Select the Create New Tier-1 icon. The first Tier-1 menu item with the default name custom menu will appear, with an additional Create New Tier-1 icon below it (1). 2 Select and rename the default name to Custom Log Report (2). 3 Press Enter to save your change. The Create New Tier-2 icon will appear, with the default name custom menu. 4 Select the Create New Tier-2 icon (3). 5 The first Tier-2 menu item with the default name custom menu will appear, with an additional Create New Tier-2 icon below it (4). 6 Select and rename the default name to Custom Log Menu1 (5). 7 Press Enter to save your change. 8 Repeat steps 4 to 7 to create a second Tier-2 menu item called Custom Log Menu2 (5) and (6). Figure 125: Creating Tier-1 and Tier-2 menu items in FortiGate menu 1

Creation of new Tier-1 menu item Custom Log Report

3

2

4 Creation of new Tier-2 menu item Custom Log Menu1

5

6 Creation of new Tier-2 menu item Custom Log Menu2

After you create Tier-1 and Tier-2 menu items, you need to create the subset of tab items across the page layout. The Create New tab icon is not available until you have created the Tier-1 and Tier-2 menu items. To create a new tab 1 Select the Create New tab item icon (see Figure 5). A tab is created with the default name custom menu, and an additional Create New icon appears beside it.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

235

Customizable web-based manager

System Admin

2 Select and rename the default name to Custom Log Report Tab1 (see Figure 127). 3 Press Enter to save your change. 4 Repeat steps 1 to 3 to create a second tab called Custom Log Report Tab2. 5 To save your customized layout, select Save in the GUI layout dialog box (see Figure 124). Figure 126: Create New tab

Create New tab item icon

Figure 127: Creating tabs in page layout Creation of tab Custom Log Report Tab1

Creation of tab Custom Log Report Tab2 To modify the configuration of the current page 1 Select the required tab, then select Edit Layout. The Edit this tab dialog box appears (see Figure 128). You may configure the page layout to display only one widget (Full page), a page layout with one column that displays up to 8 widgets (1 column), or a page layout with two columns (2 columns) that displays up to 8 widgets. 2 For the Custom Log Report Tab1, select 2 columns. 3 To save your modified configuration, select Save in the Edit this tab dialog box.

236

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Admin

Customizable web-based manager

Figure 128: Edit this tab dialog box

To add content to the page layout, select Add Content (see Figure 124). The Add content to the Custom Log Report Tab1 dialog box appears (see Figure 129). Figure 129: Add content dialog box

Search text box

The Add content dialog box includes a search feature that you can use to find widgets. This search employs a real-time filtering mechanism with a “contains” type search on the widget names. For example, if you search on “use”, you will be shown User Group, IM User Monitor, Firewall User Monitor, Banned User, and Top Viruses (see Figure 130).

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

237

Customizable web-based manager

System Admin

Figure 130: Search mechanism - results for “use” Search on “use”

Search results

For Custom Log Report Tab1, select the Log&Report category. All the items related to the Log&Report menu item are listed (see Figure 131). Select Add next to an item that you want to include in the tab. The item is placed in the page layout behind the Custom Log Report Tab1 dialog box. You will see the configured layout when you close the Add content to the Custom Log Report Tab1 dialog box. The maximum number of items that can be placed in a page layout is 8. For the Custom Log Report Tab1, select the following items for inclusion in the layout: •

Alert E-mail

•

Schedule.

Close the Edit Layout dialog box. Figure 131: Log&Report category selection for Custom Log Report Tab1

238

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Admin

Customizable web-based manager

Figure 132: Custom Log Report Tab1 page layout preview

For the Custom Log Report Tab2, select the following items for inclusion in the layout: •

Event Log

•

Log Setting.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

239

Customizable web-based manager

System Admin

Figure 133: Log&Report category selection for Custom Log Report Tab2

Figure 134: Custom Log Report Tab2 page layout preview

To preview a customized layout in the custom GUI layout dialog box, select Show Preview (see Figure 135). When you have completed the configuration selections for the page layout, select Save to close the custom GUI layout dialog box (see Figure 135). To abandon the configuration, select Reset menus (see Figure 135). To exit the GUI layout dialog box without saving your changes, select Cancel (see Figure 135).

240

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Admin

Customizable web-based manager

Figure 135: Report Profile customized GUI layout dialog box - complete Cancel Show Preview Save

Reset menus

When you complete the customization, close the dialog box to return to the Admin Profile dialog box in which you configured the custom GUI. To save the configuration, select OK to close the Admin Profile dialog box (see Figure 121). To view the web-based manager configuration created in Report Profile, you must log out of the FortiGate unit, then log back in using the name and password of an administrator assigned the Report Profile administrative profile. The FortiGate web-based manager reflects the customized configuration of Report Profile (see Figure 136). Figure 136: Customized FortiGate web-based manager page

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

241

Customizable web-based manager

242

System Admin

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Certificates

System Certificates This section explains how to manage X.509 security certificates using the FortiGate webbased manager. Certificate authentication allows administrators to generate certificate requests, install signed certificates, import CA root certificates and certificate revocation lists, and back up and restore installed certificates and private keys. Authentication is the process of determining if a remote host can be trusted with access to network resources. To establish its trustworthiness, the remote host must provide an acceptable authentication certificate by obtaining a certificate from a certification authority (CA). The FortiGate unit can then use certificate authentication to reject or allow administrative access via HTTPS, and to authenticate IPSec VPN peers or clients, as well as SSL VPN user groups or clients. If you enable virtual domains (VDOMs) on the FortiGate unit, system certificates are configured globally for the entire FortiGate unit. For details, see “Using virtual domains” on page 103. There are several certificates on the FortiGate unit that have been automatically generated: Table 41: Automatically generated FortiGate certificates Fortinet_Firmware

Embedded inside the firmware. Signed by Fortinet_CA. Same on all FortiGate units. Used so FortiGate units without Fortinet_Factory2 certificates have a built-in certificate signed by a FortiGate CA. Listed under Certificates > Local, or in FortiGate CLI under vpn certificate local.

Fortinet_Factory

Embedded inside BIOS. Signed by Fortinet_CA. Unique to each FortiGate unit. Used for FortiGate/FortiManager tunnel, HTTPS administrative access if Fortinet_Factory2 is not available. Listed under Certificates > Local, or in FortiGate CLI under vpn certificate local.

Fortinet_Factory2

Embedded inside BIOS. Signed by Fortinet_CA2. Unique to each FortiGate unit. Used for FortiGate/FortiManager tunnel and HTTPS administrative access. Listed under Certificates > Local, or in FortiGate CLI under vpn certificate local. Found only on units shipped at the end of 2008 onward.

Fortinet_CA

Embedded inside firmware and BIOS. Fortinet’s CA certificate. Used to verify certificates that claim to be signed by Fortinet, for example with a FortiGate/FortiManager tunnel or an SSL connection to a FortiGuard server. Listed under Certificates > CA, or in FortiGate CLI under vpn certificate ca or vpn certificate ocsp.

Fortinet_CA2

Embedded inside BIOS. Fortinet’s CA certificate. Will eventually replace Fortinet_CA, as Fortinet_CA will expire in 2020. Listed under Certificates > CA, or in FortiGate CLI under vpn certificate ca or vpn certificate ocsp. Found only on units shipped at the end of 2008 onward.

System administrators can use these certificates wherever they may be required, for example, with SSL VPN, IPSec, LDAP, and PKI. For additional background information on certificates, see the FortiGate Certificate Management User Guide.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

243

Local Certificates

System Certificates

This section describes: •

Local Certificates

•

Remote Certificates

•

CA Certificates

•

CRL

Local Certificates Certificate requests and installed server certificates are displayed in the Local Certificates list. After you submit the request to a CA, the CA will verify the information and register the contact information on a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA will then sign the certificate and send it to you to install on the FortiGate unit. To view certificate requests and/or import signed server certificates, go to System > Certificates > Local Certificates. To view certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate. Figure 137: Local Certificates list Download View Certificate Detail

Delete

244

Generate

Generate a local certificate request. For more information, see “Generating a certificate request” on page 245.

Import

Import a signed local certificate. For more information, see “Importing a signed server certificate” on page 247.

Name

The names of existing local certificates and pending certificate requests.

Subject

The Distinguished Names (DNs) of local signed certificates.

Comments

A description of the certificate.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Certificates

Local Certificates

Status

The status of the local certificate. PENDING designates a certificate request that needs to be downloaded and signed.

View Certificate Detail icon

Display certificate details such as the certificate name, issuer, subject, and valid certificate dates.

Delete icon

Delete the selected certificate request or installed server certificate from the FortiGate configuration. This is available only if the certificate has PENDING status.

Download icon

Save a copy of the certificate request to a local computer. You can send the request to your CA to obtain a signed server certificate for the FortiGate unit (SCEP-based certificates only).

For detailed information and step-by-step procedures related to obtaining and installing digital certificates, see the FortiGate Certificate Management User Guide.

Generating a certificate request The FortiGate unit generates a certificate request based on the information you enter to identify the FortiGate unit. Generated requests are displayed in the Local Certificates list with a status of PENDING. After you generate a certificate request, you can download the request to a computer that has management access to the FortiGate unit and then forward the request to a CA. To fill out a certificate request, go to System > Certificates > Local Certificates, select Generate, and complete the fields in the table below. To download and send the certificate request to a CA, see “Downloading and submitting a certificate request” on page 246. Figure 138: Generate Certificate Signing Request

Remove/Add OU

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

245

Local Certificates

System Certificates

Certification Name

Enter a certificate name. Typically, this would be the name of the FortiGate unit. To enable the export of a signed certificate as a PKCS12 file later on if required, do not include spaces in the name.

Subject Information

Enter the information needed to identify the FortiGate unit:

Host IP

If the FortiGate unit has a static IP address, select Host IP and enter the public IP address of the FortiGate unit. If the FortiGate unit does not have a public IP address, use an email address (or domain name if available) instead.

Domain Name

If the FortiGate unit has a static IP address and subscribes to a dynamic DNS service, use a domain name if available to identify the FortiGate unit. If you select Domain Name, enter the fully qualified domain name of the FortiGate unit. Do not include the protocol specification (http://) or any port number or path names. If a domain name is not available and the FortiGate unit subscribes to a dynamic DNS service, an “unable to verify certificate” message may be displayed in the user’s browser whenever the public IP address of the FortiGate unit changes.

E-Mail

If you select E-mail, enter the email address of the owner of the FortiGate unit.

Optional Information

Complete as described or leave blank.

Organization Unit

Enter the name of your department or departments. You can enter a maximum of 5 Organization Units. To add or remove a unit, use the plus (+) or minus (-) icon.

Organization

Enter the legal name of your company or organization.

Locality (City)

Enter the name of the city or town where the FortiGate unit is installed.

State/Province

Enter the name of the state or province where the FortiGate unit is installed.

Country

Select the country where the FortiGate unit is installed.

e-mail

Enter the contact email address.

Key Type

Only RSA is supported.

Key Size

Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but they provide better security.

Enrollment Method

Select one of the following methods:

File Based

Select to generate the certificate request.

Online SCEP

Select to obtain a signed SCEP-based certificate automatically over the network. CA Server URL: Enter the URL of the SCEP server from which to retrieve the CA certificate. Challenge Password: Enter the CA server challenge password.

Downloading and submitting a certificate request You have to fill out a certificate request and generate the request before you can submit the results to a CA. For more information, see “Generating a certificate request” on page 245. To download and submit a certificate request 1 Go to System > Certificates > Local Certificates. 2 In the Local Certificates list, select the Download icon in the row that corresponds to the generated certificate request. 3 In the File Download dialog box, select Save to Disk. 4 Name the file and save it to the local file system.

246

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Certificates

Local Certificates

5 Submit the request to your CA as follows: • Using the web browser on the management computer, browse to the CA web site. • Follow the CA instructions to place a base-64 encoded PKCS#12 certificate request and upload your certificate request. • Follow the CA instructions to download their root certificate and Certificate Revocation List (CRL), and then install the root certificate and CRL on each remote client (refer to the browser documentation). 6 When you receive the signed certificate from the CA, install the certificate on the FortiGate unit. See “Importing a signed server certificate” on page 247.

Importing a signed server certificate Your CA will provide you with a signed server certificate to install on the FortiGate unit. When you receive the signed certificate from the CA, save the certificate on a computer that has management access to the FortiGate unit. To install the signed server certificate, go to System > Certificates > Local Certificates and select Import. The certificate file can be in either PEM or DER format. The other dialog boxes are for importing previously exported certificates and private keys. Figure 139: Upload Local Certificate

Certificate File

Enter the full path to and file name of the signed server certificate.

Browse

Alternatively, browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.

Importing an exported server certificate and private key . The file is associated with a password, which you will need to know in order to import the file. Before you begin, save a copy of the file on a computer that has management access to the FortiGate unit. For more information, see the FortiGate Certificate Management User Guide. To import the PKCS12 file, go to System > Certificates > Local Certificates and select Import. Figure 140: Upload PKCS12 Certificate

Certificate with key Enter the full path to and file name of the previously exported PKCS12 file. file

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

247

Remote Certificates

System Certificates

Browse

Alternatively, browse to the location on the management computer where the PKCS12 file has been saved, select the file, and then select OK.

Password

Type the password needed to upload the PKCS12 file.

Importing separate server certificate and private key files You need to use the Upload Certificate dialog box to import a server certificate and the associated private key file when the server certificate request and private key were not generated by the FortiGate unit. The two files to import must be available on the management computer. Figure 141: Upload Certificate

Certificate file

Enter the full path to and file name of the previously exported certificate file.

Browse

Alternatively, browse to the location of the previously exported certificate file, select the file, and then select OK.

Key file

Enter the full path to and file name of the previously exported key file.

Browse

Alternatively, browse to the location of the previously exported key file, select the file, and then select OK.

Password

If a password is required to upload and open the files, type the password.

Remote Certificates Note: The certificate file must not use 40-bit RC2-CBC encryption.

For dynamic certificate revocation, you need to use an Online Certificate Status Protocol (OCSP) server. Remote certificates are public certificates without a private key. The OCSP is configured in the CLI only. For more information, see the FortiGate CLI Reference. Installed Remote (OCSP) certificates are displayed in the Remote Certificates list. To view installed Remote (OCSP) certificates or import a Remote (OCSP) certificate, go to System > Certificates > Remote. To view certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.

Note: There is one OCSP per VDOM.

248

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Certificates

CA Certificates

Figure 142: Remote certificate list

Import

Import a public OCSP certificate. See “Importing CA certificates” on page 250.

Name

The names of existing Remote (OCSP) certificates. The FortiGate unit assigns unique names (REMOTE_Cert_1, REMOTE_Cert_2, REMOTE_Cert_3, and so on) to the Remote (OCSP) certificates when they are imported.

Subject

Information about the Remote (OCSP) certificate.

Delete icon

Delete a Remote (OCSP) certificate from the FortiGate configuration.

View Certificate Detail icon

Display certificate details.

Download icon

Save a copy of the Remote (OCSP) certificate to a local computer.

Importing Remote (OCSP) certificates To import a Remote (OCSP) certificate, go to System > Certificates > Remote and select Import. Figure 143: Upload Remote Certificate

Local PC

Enter the location in a management PC to upload a public certificate.

Browse

Alternatively, browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.

The system assigns a unique name to each Remote (OCSP) certificate. The names are numbered consecutively (REMOTE_Cert_1, REMOTE_Cert_2, REMOTE_Cert_3, and so on).

CA Certificates When you apply for a signed personal or group certificate to install on remote clients, you must obtain the corresponding root certificate and CRL from the issuing CA. When you receive the certificate, install it on the remote clients according to the browser documentation. Install the corresponding root certificate and CRL from the issuing CA on the FortiGate unit. Installed CA certificates are displayed in the CA Certificates list. You cannot delete the Fortinet_CA certificate. To view installed CA root certificates or import a CA root certificate, go to System > Certificates > CA Certificates. To view root certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

249

CA Certificates

System Certificates

Figure 144: CA Certificates list

View Certificate Detail Download

Import

Import a CA root certificate. See “Importing CA certificates” on page 250.

Name

The names of existing CA root certificates. The FortiGate unit assigns unique names (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on) to the CA certificates when they are imported.

Subject

Information about the issuing CA.

Delete icon

Delete a CA root certificate from the FortiGate configuration.

View Certificate Detail icon

Display certificate details.

Download icon

Save a copy of the CA root certificate to a local computer.

For detailed information and step-by-step procedures related to obtaining and installing digital certificates, see the FortiGate Certificate Management User Guide.

Importing CA certificates After you download the root certificate of the CA, save the certificate on a PC that has management access to the FortiGate unit. To import a CA root certificate, go to System > Certificates > CA Certificates and select Import. Figure 145: Import CA Certificate

SCEP

Select to use an SCEP server to access CA certificate for user authentication. Enter the URL of the SCEP server from which to retrieve the CA certificate. Optionally, enter identifying information of the CA, such as the file name. Select OK.

Local PC

Select to use a local administrator’s PC to upload a public certificate. Enter the location, or browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.

If you choose SCEP, the system starts the retrieval process as soon as you select OK. The system assigns a unique name to each CA certificate. The names are numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).

250

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Certificates

CRL

CRL A Certificate Revocation List (CRL) is a list of CA certificate subscribers paired with certificate status information. Installed CRLs are displayed in the CRL list. The FortiGate unit uses CRLs to ensure that the certificates belonging to CAs and remote clients are valid. To view installed CRLs, go to System > Certificates > CRL. Figure 146: Certificate revocation list View Certificate Detail

Download

Import

Import a CRL. For more information, see “Importing a certificate revocation list” on page 251.

Name

The names of existing certificate revocation lists. The FortiGate unit assigns unique names (CRL_1, CRL_2, CRL_3, and so on) to certificate revocation lists when they are imported.

Subject

Information about the certificate revocation lists.

Delete icon

Delete the selected CRL from the FortiGate configuration.

View Certificate Detail icon

Display CRL details such as the issuer name and CRL update dates.

Download icon

Save a copy of the CRL to a local computer.

Importing a certificate revocation list Certificate revocation lists from CA web sites must be kept updated on a regular basis to ensure that clients having revoked certificates cannot establish a connection with the FortiGate unit. After you download a CRL from the CA web site, save the CRL on a computer that has management access to the FortiGate unit. Note: When the CRL is configured with an LDAP, HTTP, and/or SCEP server, the latest version of the CRL is retrieved automatically from the server when the FortiGate unit does not have a copy of it or when the current copy expires.

To import a certificate revocation list, go to System > Certificates > CRL and select Import.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

251

CRL

System Certificates

Figure 147: Import CRL

HTTP

Select to use an HTTP server to retrieve the CRL. Enter the URL of the HTTP server.

LDAP

Select to use an LDAP server to retrieve the CRL, then select the LDAP server from the list.

SCEP

Select to use an SCEP server to retrieve the CRL, then select the Local Certificate from the list. Enter the URL of the SCEP server from which the CRL can be retrieved.

Local PC

Select to use a local administrator’s PC to upload a public certificate. Enter the location, or browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.

The system assigns a unique name to each CRL. The names are numbered consecutively (CRL_1, CRL_2, CRL_3, and so on).

252

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Maintenance

About the Maintenance menu

System Maintenance This section describes how to maintain your system configuration as well as how to enable and update FDN services. This section also explains the types of FDN services that are available for your FortiGate unit. If you enable virtual domains (VDOMs) on the FortiGate unit, system maintenance is configured globally for the entire FortiGate unit. For more information, see “Using virtual domains” on page 103. This section includes the following topics: •

About the Maintenance menu

•

Managing configuration revisions

•

Using script files

•

Configuring FortiGuard Services

•

Troubleshooting FDN connectivity

•

Updating antivirus and attack definitions

•

Enabling push updates

•

Adding VDOM Licenses

About the Maintenance menu The maintenance menu provides help with maintaining and managing firmware, configuration revisions, script files, and FortiGuard subscription-based services. From this menu, you can upgrade or downgrade the firmware, view historical backups of configuration files, or update FortiGuard services. The maintenance menu has the following tabs: •

Backup & Restore - allows you to back up and restore your system configuration file, remotely upgrade firmware, and import CLI commands.

•

Revision Control - displays all system configuration backups with the date and time of when they were backed up. Before you can use revision control, a Central Management server must be configured and enabled.

•

Scripts - displays script history execution and provides a way to upload script files to the FortiGuard Analysis and Management Service portal web site

•

FortiGuard - displays all FDN subscription services, such as antivirus and IPS definitions as well as the FortiGuard Analysis and Management Service. This tab also provides configuration options for antivirus, IPS, web filtering, and antispam services.

•

License - allows you to increase the maximum number of VDOMs (on some FortiGate models).

When backing up the system configuration, web content files and spam filtering files are also included. You can save the configuration to the management computer or to a USB disk if your FortiGate unit includes a USB port (see “Formatting USB Disks” on page 261). You can also restore the system configuration from previously downloaded backup files in the Backup & Restore menu.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

253

Backing up and restoring

System Maintenance

When virtual domain configuration is enabled, the content of the backup file depends on the administrator account that created it. A backup of the system configuration from the super_admin account contains global settings and the settings included in each VDOM. Only the super_admin can restore the configuration from this file. When you back up the system configuration from a regular administrator account, the backup file contains the global settings and the settings for the VDOM that the regular administrator belongs to. A regular administrator is the only user account that can restore the configuration from this file. Some FortiGate models support FortiClient by storing a FortiClient image that users can download. The FortiClient section of Backup & Restore is available if your FortiGate model supports FortiClient. This feature is currently available on FortiGate-1000A, 3600A, and 5005FA2 models.

For

Tip: For simplified procedures on managing firmware, including backup and restore options, and on uploading and downloading firmware for your FortiGate unit, see “Managing firmware versions” on page 91. Note: The Firmware section is available only on FortiGate-100A units and higher. If you have a FortiGate-60B unit or lower, you can upgrade or downgrade the firmware by going to System > Status and selecting the Update link that appears beside Firmware Version.

Backing up and restoring The Backup & Restore tab allows you to back up and restore your FortiGate configuration to your management PC, a central management server, or a USB disk. You can back up and restore your configuration to a USB disk if the FortiGate unit includes a USB port and if you have connected a USB disk to the USB port. FortiGate units support most USB disks including USB keys and external USB hard disks (see “Formatting USB Disks” on page 261). The central management server is whatever remote management service the FortiGate unit is connected to. For example, if the current configuration on a FortiGate-60 is backed up to a FortiManager unit, the central management server is the FortiManager unit. You must configure central management in System > Admin > Central Management before these options are available in the Backup & Restore section. For more information, see “Central Management” on page 226. To view the backup and restore options, go to System > Maintenance > Backup and Restore.

254

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Maintenance

Backing up and restoring

Figure 148: Backup and restore page on a FortiGate-1000A unit

Basic backup and restore options This section of the Backup & Restore page provides the option of backing up the current configuration file to several different locations, including encryption for added security. You can also restore a backed-up configuration file. To view the backup and restore options, go to System > Maintenance > Backup & Restore. Figure 149: Backup & Restore options with FortiGuard services option enabled

Backup Backup configuration to: The options available for backing up your current configuration. Select one of the displayed options: Local PC

Back up the configuration to the management computer the FortiGate unit is connected to. Local PC is always displayed regardless of whether a USB disk is available, FortiGuard Analysis and Management Service is enabled, or the FortiGate unit is connected to a FortiManager unit.

FortiGuard | Management Station

Back up the configuration to the FortiGuard Analysis and Management Service. If the service is not enabled, Management Station is displayed.

USB Disk

Back up the configuration file to the USB disk connected to the FortiGate unit. USB Disk is displayed only if the FortiGate unit includes a USB port. If you do not connect a USB disk, this option is grayed out. For more information, see “Formatting USB Disks” on page 261.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

255

Backing up and restoring

System Maintenance

FortiManager

Back up the configuration to the configured FortiManager unit. If the FortiGate unit is not connected to a FortiManager unit, this option is not displayed.

Encrypt configuration Select to encrypt the backup file. file Encryption must be enabled to save VPN certificates with the configuration. This option is not available for configurations backed up to a FortiManager unit. Password

Enter a password to encrypt the configuration file. You will need this password to restore the configuration file.

Confirm

Enter the password again to confirm the password.

Filename

Enter the name of the backup file or select Browse to locate the file. The Filename field is available only when you choose to back up the configuration to a USB disk.

Backup

Select to back up the configuration. If you are backing up to a FortiManager device, a confirmation message is displayed after successfully completion of the backup.

Restore Restore configuration from:

The options available for restoring the configuration from a specific file. Select one of the displayed options:

Local PC

Restore a configuration file from the management computer the FortiGate unit is connected to. Local PC is always displayed regardless of whether a USB disk is available, FortiGuard Analysis and Management Service is enabled, or the FortiGate unit is connected to a FortiManager unit.

USB disk

Restore a configuration file from the USB disk connected to the FortiGate unit. USB Disk is displayed only if the FortiGate unit includes a USB port. If you do not connect a USB disk, this option is grayed out. See “Formatting USB Disks” on page 261.

FortiGuard

Restore a configuration from the FortiGuard Analysis and Management Service. If the FortiGuard Analysis and Management Service is not enabled, this option is not displayed and instead displays Management Station.

FortiManager

Restore a configuration from the configured FortiManager unit. If the FortiGate unit is not connected to a FortiManager unit, this option is not displayed.

Filename

Select the configuration file name from the Browse list if you are restoring the configuration from a USB disk. Enter the configuration file name or select Browse if you are restoring the configuration from a file on the management computer.

Password

Enter the password you entered when backing up the configuration file.

Restore

Select to restore the configuration.

Note: When central management is disabled, Management Station appears. FortiGuard appears when the FortiGuard Analysis and Management Service is enabled.

Remote FortiManager backup and restore options Your FortiGate unit can be remotely managed by a FortiManager unit. The FortiGate unit connects using the FortiGuard-FortiManager protocol. This protocol provides communication between a FortiGate unit and a FortiManager unit, and runs over SSL using IPv4/TCP port 541. For detailed instructions on how to install a FortiManager unit, see the FortiManager Install Guide.

256

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Maintenance

Backing up and restoring

After successfully connecting to the FortiManager unit from your FortiGate unit, you can back up your configuration to the FortiManager unit. You can also restore your configuration. The automatic configuration backup is available only in local mode on the FortiManager unit. A list of revisions is displayed when restoring the configuration from a remote location. The list allows you to choose the configuration to restore. To view the basic backup and restore options, go to System > Maintenance > Backup & Restore. Figure 150: Backup & Restore options with FortiManager option enabled \

Backup

The options available for backing up your current configuration to a FortiManager unit.

Backup configuration Select FortiManager to upload the configuration to the FortiManager unit. to: The Local PC option is always available. Comments:

Enter a description or information about the file in the Comments field. This is optional.

Backup

Select to back up the configuration file to the FortiManager unit. A confirmation message appears after successful completion of the backup.

Restore

The options for restoring a configuration file.

Restore configuration Select the FortiManager option to download and restore the configuration from the FortiManager unit. from: Please Select:

Select the configuration file you want to restore from the list. This list includes the comments you included in the Comment field before it was uploaded to the FortiManager unit. The list is in numerical order, with the recent uploaded configuration first.

Restore

Select to restore the configuration from the FortiManager unit.

Remote FortiGuard backup and restore options Your FortiGate unit can be remotely managed by a central management server, which is available when you register for the FortiGuard Analysis and Management Service. The FortiGuard Analysis and Management Service is a subscription-based service and is purchased by contacting support. Additional information, including how to register you FortiGate unit for the FortiGuard Analysis and Management Service, is available in the FortiGuard Analysis and Management Service Users Guide.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

257

Backing up and restoring

System Maintenance

After registering, you can back up or restore your configuration. The FortiGuard Analysis and Management Service is useful when administering multiple FortiGate units without having a FortiManager unit. You can also upgrade the firmware on your FortiGate unit using the FortiGuard Analysis and Management Service. Upgrading the firmware is available in the Firmware Upgrade section of the backup and restore menu. See “Upgrading and downgrading firmware through FortiGuard” on page 259 for more information about upgrading firmware from the backup and restore menu. Tip: For simplified procedures on managing firmware, including backup and restore options, and on uploading and downloading firmware for your FortiGate unit, see “Managing firmware versions” on page 91.

For

When restoring the configuration from a remote location, a list of revisions is displayed so that you can choose the configuration file to restore. To view the basic backup and restore options, go to System > Maintenance > Backup & Restore. Figure 151: Backup & Restore Central Management options

Backup

The options available for backing up your current configuration to the FortiGuard Analysis and Management Service.

Backup configuration Select the FortiGuard option to upload the configuration to the FortiGuard Analysis and Management Service. to: The Local PC option is always available. Comments:

Enter a description or information about the file in the Comments field. This is optional.

Backup

Select to back up the configuration file to the FortiGuard Analysis and Management Service. A confirmation message appears after successful completion of the backup.

Restore

The options for restoring a configuration file.

Restore configuration Select the FortiGuard option to download the configuration file from the FortiGuard Analysis and Management Service. from:

258

Please Select:

Select the configuration file you want to restore from the list. This list includes the comments you included in the Comment field before it was uploaded to the FortiGuard Analysis and Management Service. The list is in numerical order, with the recent uploaded configuration first.

Restore

Select to restore the configuration from the FortiGuard Analysis and Management Service.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Maintenance

Backing up and restoring

Note: The FortiGuard-FortiManager protocol is used when connecting to the FortiGuard Analysis and Management Service. This protocol runs over SSL using IPv4/TCP port 541 and includes the following functions: • • •

detects FortiGate unit dead or alive status detects management service dead or alive status notifies the FortiGate units about configuration changes, AV/IPS database update and firewall changes.

Upgrading and downgrading firmware The firmware section displays the current version of firmware installed on your FortiGate unit, as well as the firmware version currently in use if there is more than one firmware image saved on the FortiGate unit. To view the firmware options, go to System > Maintenance > Backup & Restore. Figure 152: Two firmware images displayed on a FortiGate-1000A unit

Partition

A partition can contain one version of the firmware and the system configuration. FortiGate-100A units and higher have two partitions. One partition is active and the other is used as a backup.

Active

A green check mark indicates the partition currently in use.

Last upgrade

The date and time of the last update to this partition.

Firmware Version

The version and build number of the FortiGate firmware. If your FortiGate model has a backup partition, you can: • Select Upload to replace with firmware from the management computer or a USB disk. The USB disk must be connected to the FortiGate unit USB port. See “Formatting USB Disks” on page 261. • Select Upload and Reboot to replace the existing firmware and make this the active partition.

Boot alternate firmware

Restart the FortiGate unit using the backup firmware. This is available only for FortiGate-100 units or higher.

Upgrading and downgrading firmware through FortiGuard The Firmware Upgrade section of the backup and restore page displays options for upgrading to a new version using the FortiGuard Analysis and Management Service if that option is available to you. Using the FortiGuard Analysis and Management Service to upgrade the firmware on your FortiGate unit is only available on certain FortiGate units. You must register for the service by contacting customer support. Detailed firmware version information is provided if you have subscribed for the FortiGuard Analysis and Management Service. To view the firmware options, go to System > Maintenance > Backup & Restore.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

259

Backing up and restoring

System Maintenance

Figure 153: Firmware Upgrade section of the Backup & Restore page

Upgrade from FortiGuard Select one of the available firmware versions. The list contains the following information for each available firmware release: network to firmware • continent (for example, North America) version: [Please Select] • maintenance release number • patch release number • build number. For example, if you are upgrading to FortiOS 3.0 MR6 and the FortiGate unit is located in North America, the firmware version available is v3.0 MR6-NA (build 0700). Allow firmware downgrade

Select to allow installation of older versions than the one currently installed. This is useful if the current version changed functionality you need and you have to revert to an older firmware image.

Upgrade by File

Select Browse to locate a file on your local PC to upload to the FortiGate unit.

OK

Select OK to enable your selection.

Configuring advanced options The Advanced section on the backup and restore page includes the USB Auto Install feature and the debug log. The USB settings are available only if the FortiGate unit includes a USB port. You must connect a USB disk to the FortiGate unit USB port to use the USB auto-install feature. See “Formatting USB Disks” on page 261. To view the advanced options, go to System > Maintenance > Backup & Restore. Figure 154: Options available in the Advanced section

260

On system restart, automatically update FortiGate configuration...

Automatically update the configuration on restart. Ensure that the default configuration file name matches the configuration file name on the USB disk. If the configuration file on the disk matches the currently installed configuration, the FortiGate unit skips the configuration update process.

On system restart, automatically update FortiGate firmware...

Automatically update the firmware on restart. Ensure that the default image name matches the firmware file name on the USB disk. If the firmware image on the disk matches the currently installed firmware, the FortiGate unit skips the firmware update process.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Maintenance

Managing configuration revisions

Apply Download Debug Log

Select to apply the selected settings. Download an encrypted debug log to a file. You can send this debug log to Fortinet Technical Support to help diagnose problems with your FortiGate unit.

Formatting USB Disks FortiGate units with USB ports support USB disks for backing up and restoring configurations. FortiUSB and generic USB disks are supported, but the generic USB disk must be formatted as a FAT16 disk. No other partition type is supported. Caution: Formatting the USB disk deletes all information on the disk. Back up the information on the USB disk before formatting to ensure all information on the disk is recoverable.

There are two ways that you can format the USB disk, either by using the CLI or a Windows system. You can format the USB disk in the CLI using the command syntax, exe usb-disk format. When using a Windows system to format the disk, at the command prompt type, “format : /FS:FAT /V:” where is the letter of the connected USB drive you want to format, and is the name you want to give the USB drive for identification.

Managing configuration revisions The Revision Control tab enables you to manage multiple versions of configuration files. Revision control requires a configured central management server. This server can either be a FortiManager unit or the FortiGuard Analysis and Management Service. If central management is not configured on your FortiGate unit, a message appears to tell you to do one of the following: •

enable central management (see “Central Management” on page 226)

•

obtain a valid license.

When revision control is enabled on your FortiGate unit, and configurations have been backed up, a list of saved revisions of those backed-up configurations appears. To view the configuration revisions, go to System > Maintenance > Revision Control. Figure 155: Revision Control page displaying system configuration backups

Current Page

Diff Revert Download

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

261

Using script files

System Maintenance

Current Page

The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of system configuration backups. For more information, see “Using page controls on web-based manager lists” on page 57.

Revision

An incremental number indicating the order in which the configurations were saved. These may not be consecutive numbers if configurations are deleted. The most recent, and highest, number is first in the list.

Date/Time

The date and time this configuration was saved on the FortiGate unit.

Administrator

The administrator account that was used to back up this revision.

Comments

Any relevant information saved with the revision, such as why the revision was saved, who saved it, and if there is a date when it can be deleted to free up space.

Diff icon

Select to compare two revisions. A window will appear, from which you can view and compare the selected revision to one of: • the current configuration • a selected revision from the displayed list including revision history and templates • a specified revision number.

Download icon

Download this revision to your local PC.

Revert icon

Restore the previous selected revision. You will be prompted to confirm this action.

Using script files Scripts are text files containing CLI command sequences. These can be uploaded and executed to run complex command sequences easily. Scripts can be used to deploy identical configurations to many devices. For example, if all of your devices use identical administrator admin profiles, you can enter the commands required to create the admin profiles in a script, and then deploy the script to all the devices which should use those same settings. If you are using a FortiGate unit without a FortiManager unit or the FortiGuard Analysis and Management Service, the scripts you upload are executed and discarded. If you want to execute a script more than once, you must keep a copy on your management PC. If your FortiGate unit is configured to use a FortiManager unit, you can upload your scripts to the FortiManager unit, and run them from any FortiGate unit configured to use the FortiManager unit. If you upload a script directly to a FortiGate unit, it is executed and discarded. If your FortiGate unit is configured to use the FortiGuard Analysis and Management Service, scripts you upload are executed and stored. You can run uploaded scripts from any FortiGate unit configured with your FortiGuard Analysis and Management Service account. The uploaded script files appear on the FortiGuard Analysis and Management Service portal web site. After executing scripts, you can view the script execution history on the script page. The list displays the last 10 executed scripts. To view the script options, go to System > Maintenance > Scripts.

262

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Maintenance

Using script files

Figure 156: Script execution history

Execute Script from

Scripts can be uploaded directly to the FortiGate unit from the management PC. If you have configured either a FortiManager unit or the FortiGuard Analysis and Management Service, scripts that have been stored remotely can also be run on the FortiGate unit.

Upload Bulk CLI Command File

Select Browse to locate the script file and then select Apply to upload and execute the file. If the FortiGate unit is configured to use the FortiGuard Analysis and Management Service, the script will be saved on the server for later use.

Select From remote management station

Select to execute a script from the FortiManager unit or the FortiGuard Analysis and Management Service. Choose the script you want to run from the list of all scripts stored remotely.

Script Execution History (past 10 scripts)

A list of the 10 most recently executed scripts.

Name

The name of the script file.

Type

The source of the script file. A local file is uploaded directly to the FortiGate unit from the management PC and executed. A remote file is executed on the FortiGate unit after being sent from a FortiManager unit or the FortiGuard Analysis and Management Service.

Time

The date and time the script file was executed.

Status

The status of the script file, if its execution succeeded or failed.

Delete icon

Delete the script entry from the list.

Creating script files Script files are text files with CLI command sequences. When a script file is uploaded to a FortiGate unit, the commands are executed in sequence. To create a script file 1 Open a text editor application. Notepad on Windows, GEdit on Linux, Textedit on the Mac, or any editor that will save plain text can create a script file. 2 Enter the CLI commands you want to run. The commands must be entered in sequence, with one command per line. 3 Save the file to your maintenance PC. Tip: An unencrypted configuration file uses the same structure and syntax as a script file. You can save a configuration file and copy the required parts to a new file, making any edits you require. You can generate script files more quickly this way.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

263

Configuring FortiGuard Services

System Maintenance

Uploading script files After you have created a script file, you can then upload it through System > Maintenance > Scripts. When a script is uploaded, it is automatically executed. Caution: Commands that require the FortiGate unit to reboot when entered on the command line will also force a reboot if included in a script.

To execute a script 1 Go to System > Maintenance > Scripts. 2 Verify that Upload Bulk CLI Command File is selected. 3 Select Browse to locate the script file. 4 Select Apply. If the FortiGate unit is not configured for remote management, or if it is configured to use a FortiManager unit, uploaded scripts are discarded after execution. Save script files to your management PC if you want to execute them again later. If the FortiGate unit is configured to use the FortiGuard Analysis and Management Service, the script file is saved to the remote server for later reuse. You can view the script or run it from the FortiGuard Analysis and Management Service portal web site. For more information about viewing or running an uploaded script on the portal web site, see the FortiGuard Analysis and Management Service Users Guide.

Configuring FortiGuard Services Go to System > Maintenance > FortiGuard to configure your FortiGate unit to use the FortiGuard Distribution Network (FDN) and FortiGuard Services. The FDN provides updates to antivirus definitions, IPS definitions, and the Antispam rule set. FortiGuard Services include FortiGuard web filtering and the FortiGuard Analysis and Management Service.

FortiGuard Distribution Network The FDN is a world-wide network of FortiGuard Distribution Servers (FDS). The FDN provides updates to antivirus (including grayware) definitions, IPS definitions, and the antispam rule set. When the FortiGate unit contacts the FDN, it connects to the nearest FDS based on the current time zone setting. The FortiGate unit supports the following update options: •

user-initiated updates from the FDN

•

hourly, daily, or weekly scheduled antivirus definition, IPS definition, and antispam rule set updates from the FDN

•

push updates from the FDN

•

update status including version numbers, expiry dates, and update dates and times

•

push updates through a NAT device.

Registering your FortiGate unit on the Fortinet Support web page provides a valid license contract and connection to the FDN. On the Fortinet Support web page, go to Product Registration and follow the instructions.

264

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Maintenance

Configuring FortiGuard Services

The FortiGate unit must be able to connect to the FDN using HTTPS on port 443 to receive scheduled updates. For more information, see “To enable scheduled updates” on page 272. You can also configure the FortiGate unit to receive push updates. When the FortiGate unit is receiving push updates, the FDN must be able to route packets to the FortiGate unit using UDP port 9443. For more information, see “Enabling push updates” on page 273. If the FortiGate unit is behind a NAT device, see “Enabling push updates through a NAT device” on page 274.

FortiGuard services Worldwide coverage of FortiGuard services is provided by FortiGuard service points. When the FortiGate unit is connecting to the FDN, it is connecting to the closest FortiGuard service point. Fortinet adds new service points as required. If the closest service point becomes unreachable for any reason, the FortiGate unit contacts another service point and information is available within seconds. By default, the FortiGate unit communicates with the service point via UDP on port 53. Alternately, you can switch the UDP port used for service point communication to port 8888 by going to System > Maintenance > FortiGuard. If you need to change the default FortiGuard service point host name, use the hostname keyword in the system fortiguard CLI command. You cannot change the FortiGuard service point name using the web-based manager. For more information about FortiGuard services, see the FortiGuard Center web page.

FortiGuard Antispam service FortiGuard Antispam is an antispam system from Fortinet that includes an IP address black list, a URL black list, spam filtering tools, contained in an antispam rule set that is downloaded to the FortiGate unit. The IP address black list contains IP addresses of email servers known to generate spam. The URL black list contains URLs that are found in spam email. FortiGuard Antispam processes are completely automated and configured by Fortinet. With constant monitoring and dynamic updates, FortiGuard Antispam is always current. You can either enable or disable FortiGuard Antispam in the Firewall menu in a protection profile. For more information, see “Spam Filtering options” on page 416. Every FortiGate unit comes with a free 30-day FortiGuard Antispam trial license. FortiGuard Antispam license management is performed by Fortinet servers; there is no need to enter a license number. The FortiGate unit automatically contacts a FortiGuard Antispam service point when enabling FortiGuard Antispam. Contact Fortinet Technical support to renew the FortiGuard Antispam license after the free trial expires. You can globally enable FortiGuard Antispam in System > Maintenance > FortiGuard and then configure Spam Filtering options in each firewall protection profile in Firewall > Protection Profile. For more information, see “Spam Filtering options” on page 416.

FortiGuard Web Filtering service FortiGuard Web Filtering is a managed web filtering solution provided by Fortinet. FortiGuard Web Filtering sorts hundreds of millions of web pages into a wide range of categories users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard Web Filtering service point to determine the category of a requested web page, then follows the firewall policy configured for that user or interface.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

265

Configuring FortiGuard Services

System Maintenance

Every FortiGate unit comes with a free 30-day FortiGuard Web Filtering trial license. FortiGuard license management is performed by Fortinet servers. There is no need to enter a license number. The FortiGate unit automatically contacts a FortiGuard service point when enabling FortiGuard category blocking. Contact Fortinet Technical Support to renew a FortiGuard license after the free trial. You can globally enable FortiGuard Web Filtering in System > Maintenance > FortiGuard and then configure FortiGuard Web Filtering options for each profile in Firewall > Protection Profiles. For more information, see “FortiGuard Web Filtering options” on page 413.

FortiGuard Analysis and Management Service FortiGuard Analysis and Management Service is a subscription-based service that provides remote management services, including logging and reporting capabilities for all FortiGate units. These services were previously available only on FortiAnalyzer and FortiManager units. The subscription-based service is available from the FortiGuard Analysis and Management Service portal web site, which provides a central location for configuring logging and reporting and remote management, and for viewing subscription contract information, such as daily quota and the expiry date of the service.

Configuring the FortiGate unit for FDN and FortiGuard subscription services FDN updates, as well as FortiGuard services, are configured in System > Maintenance > FortiGuard. The FDN page contains four sections of FortiGuard services: •

Support Contract and FortiGuard Subscription Services

•

Downloading antivirus and IPS updates

•

Configuring Web Filtering and AntiSpam Options

•

Configuring Analysis and Management Service Options

Support Contract and FortiGuard Subscription Services The Support Contract and FortiGuard Subscription Services sections are displayed in abbreviated form on the System Status page. See “Viewing system status” on page 63. To view the FortiGuard options, go to System > Maintenance > FortiGuard.

266

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Maintenance

Configuring FortiGuard Services

Figure 157: Support Contract and FortiGuard Subscription Services section

License status icon License expiry Valid license Support Contract

[Register]

FortiGuard Subscription Services

The availability or status of your FortiGate unit support contract. The status displays can be one of the following: Unreachable, Not Registered or Valid Contract. If Valid Contract is shown, the FortiOS firmware version and contract expiry date appear. A green checkmark also appears. Select to register your FortiGate unit support contract. This option is available only when the support contract is not registered. Availability and status information for each of the FortiGuard subscription services including: • AntiVirus • Intrusion Protection • Web Filtering • AntiSpam • Analysis and Management Service

[Availability]

The availability of this service on this FortiGate unit, dependent on your service subscription. The status can be Unreachable, Not Registered, Valid License, or Valid Contract. The option Subscribe appears if Availability is Not Registered. The option Renew appears if Availability has expired.

[Update]

Select to manually update this service on your FortiGate unit. This will prompt you to download the update file from your local computer. Select Update Now to immediately download current updates from FDN directly.

[Register]

Select to register the service. This is displayed in Analysis and Management Service.

Status Icon

Indicates the status of the subscription service. The icon corresponds to the availability description. Gray (Unreachable) – FortiGate unit is not able to connect to service. Orange (Not Registered) – FortiGate unit can connect, but is not subscribed to this service. Yellow (Expired) – FortiGate unit had a valid license that has expired. Green (Valid license) – FortiGate unit can connect to FDN and has a registered support contract. If the Status icon is green, the expiry date is displayed.

[Version]

The version number of the definition file currently installed on the FortiGate unit for this service.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

267

Configuring FortiGuard Services

System Maintenance

[Last update date and The date of the last update and method used for last attempt to download definition updates for this service. method] [Date]

Local system date when the FortiGate unit last checked for updates for this service.

Downloading antivirus and IPS updates In the Antivirus and IPS Options section, you can schedule antivirus and IPS updates, configure an override server, or allow push updates. You can access these options by selecting the expand arrow. The SETUP message that the FortiGate unit sends when you enable push updates includes the IP address of the FortiGate interface that the FDN connects to. Use the Use override push IP option when your FortiGate unit is behind a NAT device. The FortiGate unit sends the FDS the IP and port numbers of the NAT device to the FDS. The NAT device must also be configured to forward the FDS traffic to the FortiGate unit on port 9443. For more information, see “Enabling push updates through a NAT device” on page 274. Figure 158: AntiVirus and IPS Options section

Expand arrow

Allow Push Update Status

Use override server address

Select to configure an override server if you cannot connect to the FDN or if your organization provides updates using their own FortiGuard server. When selected, enter the IP address or domain name of a FortiGuard server and select Apply. If the FDN Status still indicates no connection to the FDN, see “Troubleshooting FDN connectivity” on page 271.

Allow Push Update

Select to allow push updates. Updates are then sent automatically to your FortiGate unit when they are available, eliminating any need for you to check if they are available.

Allow Push Update status icon

268

The status of the FortiGate unit for receiving push updates: Gray (Unreachable) - theFortiGate unit is not able to connect to push update service Yellow (Not Available) - the push update service is not available with current support license Green (Available) - the push update service is allowed. See “Enabling push updates” on page 273. If the icon is gray or yellow, see “Troubleshooting FDN connectivity” on page 271.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Maintenance

Configuring FortiGuard Services

Use override push IP

Available only if both Use override server address and Allow Push Update are enabled. Select to allow you to create a forwarding policy that redirects incoming FDS push updates to your FortiGate unit. Enter the IP address of the NAT device in front of your FortiGate unit. FDS will connect to this device when attempting to reach the FortiGate unit. The NAT device must be configured to forward the FDS traffic to the FortiGate unit on UDP port 9443. See “Enabling push updates through a NAT device” on page 274.

Port

Select the port on the NAT device that will receive the FDS push updates. This port must be forwarded to UDP port 9443 on the FortiGate unit. Available only if Use override push is enabled.

Schedule Updates

Select this check box to enable scheduled updates.

Every

Attempt to update once every 1 to 23 hours. Select the number of hours between each update request.

Daily

Attempt to update once a day. You can specify the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.

Weekly

Attempt to update once a week. You can specify the day of the week and the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.

Update Now

Select to manually initiate an FDN update.

Submit attack characteristics… (recommended)

Fortinet recommends that you select this check box. It helps to improve the quality of IPS signature.

Configuring Web Filtering and AntiSpam Options You can access this section by selecting the expand arrow to view Web Filtering and AntiSpam Options. Figure 159: Web Filtering and AntiSpam Options section

Enable Web Filter

Select to enable the FortiGuard Web Filter service.

Enable Cache

Select to enable caching of web filter queries. This improves performance by reducing FortiGate unit requests to the FortiGuard server. The cache uses 6 percent of the FortiGate memory. When the cache is full, the least recently used IP address or URL is deleted. Available if Enable Web Filter is selected.

TTL

Time to live. The number of seconds to store blocked IP addresses and URLs in the cache before contacting the server again.TTL must be between 300 and 86400 seconds. Available only if both Enable Web Filter and Enable Cache are selected.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

269

Configuring FortiGuard Services

System Maintenance

Enable AntiSpam

Select to enable the FortiGuard AntiSpam service.

Enable Cache

Select to enable caching of antispam queries. This improves performance by reducing FortiGate unit requests to the FortiGuard server. The cache uses 6 percent of the FortiGate memory. When the cache is full, the least recently used IP address or URL is deleted. Available only if Enable AntiSpam is selected.

TTL

Time to live. The number of seconds to store blocked IP addresses and URLs in the cache before contacting the server again.TTL must be between 300 and 86400 seconds.

Port Section

Select one of the following ports for your web filtering and antispam requirements:

Use Default Port (53)

Select to use port 53 for transmitting with FortiGuard Antispam servers.

Use Alternate Port (8888)

Select to use port 8888 for transmitting with FortiGuard Antispam servers.

Test Availability

Select to test the connection to the servers. Results are shown below the button and on the Status indicators.

To have a URL's category Select to re-evaluate a URL’s category rating on the FortiGuard Web rating re-evaluated, please Filter service. click here. Account ID:

Enter your FortiGuard Analysis and Management Service account ID.

To launch the service portal, please click here.

Select to log into the FortiGuard Analysis and Management Service web portal.

Configuring Analysis and Management Service Options The Analysis and Management Service Options section contains the Account ID and other options regarding the FortiGuard Analysis and Management Service. You can access this section by selecting the expand arrow. Figure 160: FortiGuard Analysis and Management Service options

270

Account ID

Enter the name for the Analysis and Management Service that identifies the account. The account ID that you entered in the Account ID field when registering is used in this field.

To launch the service portal, please click here

Select to go directly to the FortiGuard Analysis and Management Service portal web site to view logs or configuration. You can also select this to register your FortiGate unit with the FortiGuard Analysis and Management Service.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Maintenance

Troubleshooting FDN connectivity

To configure FortiGuard Select the link please click here to configure and enable logging to the Analysis Service options, FortiGuard Analysis & Management server. The link redirects you to Log&Report > Log Config > Log Setting. please click here This appears only after registering for the service. To purge logs older than n Select the number of months from the list that will remove those logs months, please click here from the FortiGuard Analysis & Management server and select the link please click here. For example, if you select 2 months, the logs from the past two months will be removed from the server. You can also use this option to remove logs that may appear on a current report. This appears only after logging is enabled and log messages are sent to the FortiGuard Analysis server.

Troubleshooting FDN connectivity If your FortiGate unit is unable to connect to the FDN, check your configuration. For example, you may need to add routes to the FortiGate routing table or configure your network to allow the FortiGate unit to use HTTPS on port 443 to connect to the Internet. You might have to connect to an override FortiGuard server to receive updates. For more information, see “To add an override server” on page 272. If this is not successful, check your configuration to make sure you can connect to the override FortiGuard server from the FortiGate unit. Push updates might be unavailable if: •

you have not registered the FortiGate unit (go to Product Registration and follow the instructions on the web site if you have not already registered your FortiGate unit)

•

there is a NAT device installed between the FortiGate unit and the FDN (see “Enabling push updates through a NAT device” on page 274)

•

your FortiGate unit connects to the Internet using a proxy server (see “To enable scheduled updates through a proxy server” on page 273).

Updating antivirus and attack definitions Use the following procedures to configure the FortiGate unit to connect to the FDN to update the antivirus (including grayware) definitions and IPS attack definitions. Note: Updating antivirus and IPS attack definitions can cause a very short disruption in traffic scanning while the FortiGate unit applies the new signature definitions. Fortinet recommends scheduling updates when traffic is light to minimize disruption. To make sure the FortiGate unit can connect to the FDN 1 Go to System > Status and select Change on the System Time line in the System Information section. Verify that the time zone is set correctly, corresponding to the region where your FortiGate unit is located. 2 Go to System > Maintenance > FortiGuard. 3 Select the expand arrow beside Web Filtering and AntiSpam Options to reveal the available options.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

271

Updating antivirus and attack definitions

System Maintenance

4 Select Test Availability. The FortiGate unit tests its connection to the FDN. The test results displays at the top of the FortiGuard page. To update antivirus and attack definitions 1 Go to System > Maintenance > FortiGuard. 2 Select the expand arrow beside Antivirus and IPS Options to reveal the available options. 3 Select Update Now to update the antivirus and attack definitions. If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following: Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update. After a few minutes, if an update is available, the FortiGuard page lists new version information for antivirus definitions and IPS attack definitions. The page also displays new dates and version numbers for the updated definitions and engines. Messages are recorded to the event log, indicating whether the update was successful or not. To enable scheduled updates 1 Go to System > Maintenance > FortiGuard. 2 Select the expand arrow beside AntiVirus and IPS Options to reveal the available options. 3 Select the Scheduled Update check box. 4 Select one of the following: Every

Once every 1 to 23 hours. Select the number of hours and minutes between each update request.

Daily

Once a day. You can specify the time of day to check for updates.

Weekly

Once a week. You can specify the day of the week and the time of day to check for updates.

5 Select Apply. The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log. If you cannot connect to the FDN, or if your organization provides antivirus and IPS attack updates using its own FortiGuard server, you can use the following procedure to add the IP address of an override FortiGuard server. To add an override server 1 Go to System > Maintenance > FortiGuard. 2 Select the Use override server address check box. 3 Type the fully qualified domain name or IP address of the FortiGuard server.

272

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Maintenance

Enabling push updates

4 Select Apply. The FortiGate unit tests the connection to the override server. If the FortiGuard Distribution Network availability icon changes from gray to green, the FortiGate unit has successfully connected to the override server. If the FortiGuard Distribution Network availability icon stays gray, the FortiGate unit cannot connect to the override server. Check the FortiGate configuration and network configuration for settings that may prevent the FortiGate unit from connecting to the override FortiGuard server. To enable scheduled updates through a proxy server If your FortiGate unit must connect to the Internet through a proxy server, you can use the config system autoupdate tunneling command syntax to allow the FortiGate unit to connect (or tunnel) to the FDN using the proxy server. For more information, see the FortiGate CLI Reference.

Enabling push updates The FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push updates. Register your FortiGate unit by going to the Fortinet Support web site, Product Registration, and following the instructions. When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN. The next time new antivirus or IPS attack definitions are released, the FDN notifies all FortiGate units that are configured for push updates, that a new update is available. Within 60 seconds of receiving a push notification, the FortiGate unit requests the update from the FDN. When the network configuration permits, configuring push updates is recommended in addition to scheduled updates. Scheduled updates ensure that the FortiGate unit receives current updates, but if push updates are also enabled, the FortiGate unit will usually receive new updates sooner. Fortinet does not recommend enabling push updates as the only method for obtaining updates. The FortiGate unit might not receive the push notification. When the FortiGate unit receives a push notification, it makes only one attempt to connect to the FDN and download updates.

Enabling push updates when a FortiGate unit IP address changes The SETUP message that the FortiGate unit sends when you enable push updates includes the IP address of the FortiGate interface that the FDN connects to. The interface used for push updates is the interface configured in the default route of the static routing table. The FortiGate unit sends the SETUP message if you: •

change the IP address of this interface manually

•

have set the interface addressing mode to DHCP or PPPoE and your DHCP or PPPoE server changes the IP address.

The FDN must be able to connect to this IP address so that your FortiGate unit can receive push update messages. If your FortiGate unit is behind a NAT device, see “Enabling push updates through a NAT device” on page 274.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

273

Enabling push updates

System Maintenance

If you have redundant connections to the Internet, the FortiGate unit also sends the SETUP message when one Internet connection goes down and the FortiGate unit fails over to another Internet connection. In transparent mode, if you change the management IP address, the FortiGate unit also sends the SETUP message to notify the FDN of the address change.

Enabling push updates through a NAT device If the FDN connects only to the FortiGate unit through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update configuration. Port forwarding enables the FDN to connect to the FortiGate unit using UDP on either port 9443 or an override push port that you specify. If the external IP address of the NAT device is dynamic (PPPoE or DHCP), the FortiGate unit is unable to receive push updates through a NAT device. The following procedures configure the FortiGate unit to push updates through a NAT device. These procedures also include adding port forwarding virtual IP and a firewall policy to the NAT device. Figure 161: Example network: Push updates through a NAT device Internal network

172.16.35.144 (external interface)

Virtual IP 10.20.6.135 (external interface)

Internet NAT Device

FDN Server

The overall process is: 1 Register the FortiGate unit on the internal network so that it has a current support license and can receive push updates. For more information, see “Registering your Fortinet product” on page 25. 2 Configure the following FortiGuard options on the FortiGate unit on the internal network. • Enable Allow push updates. • Enable Use override push IP and enter the IP address. Usually this is the IP address of the external interface of the NAT device. • If required, change the override push update port. 3 Add a port forwarding virtual IP to the NAT device. • Set the external IP address of the virtual IP to match the override push update IP. Usually this is the IP address of the external interface of the NAT device. Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual IP. Note: Push updates are not supported if the FortiGate unit must use a proxy server to connect to the FDN. See “To enable scheduled updates through a proxy server” on page 273 for more information.

274

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

System Maintenance

Enabling push updates

To configure FortiGuard options on the FortiGate unit on the internal network 1 Go to System > Maintenance > FortiGuard. 2 Select the expand arrow beside AntiVirus and IPS Options to reveal the available options. 3 Select the Allow Push Update check box. 4 Select the Use override push IP check box. 5 Enter the IP address of the external interface of the NAT device. UDP port 9943 is changed only if it is blocked or in use. 6 Select Apply. You can change to the push override configuration if the external IP address of the external service port changes; select Apply to have the FortiGate unit send the updated push information to the FDN. When the FortiGate unit sends the override push IP address and port to the FDN, the FDN uses this IP address and port for push updates to the FortiGate unit. However, push updates will not actually work until a virtual IP is added to the NAT device so that the NAT device accepts push update packets and forwards them to the FortiGate unit on the internal network. If the NAT device is also a FortiGate unit, the following procedure, To add a port forwarding virtual IP to the FortiGate NAT device, allows you to configure the NAT device to use port forwarding to push update connections from the FDN to the FortiGate unit on the internal network. To add a port forwarding virtual IP to the FortiGate NAT device 1 Go to Firewall > Virtual IP. 2 Select Create New. 3 Enter the appropriate information for the following: Name

Enter a name for the Virtual IP.

External Interface

Select an external interface from the list. This is the interface that connects to the Internet.

External IP Address/Range

Enter the IP address and/or range. This is the IP address to which the FDN sends the push updates. This is usually the IP address of the external interface of the NAT device. This IP address must be the same as the IP address in User override push update for the FortiGate unit on the internal network.

Mapped IP Address/Range

Enter the IP address and/or range of the FortiGate unit on the internal network.

Port Forwarding

Select Port Forwarding. When you select Port Forwarding, the options Protocol, External Services Port and Map to Port appear.

Protocol

Select UDP.

External Service Port

Enter the external service port. The external service port is the port that the FDN connects to. The external service port for push updates is usually 9443. If you changed the push update port in the FortiGuard configuration of the FortiGate unit on the internal network, you must set the external service port to the changed push update port.

Map to Port

Enter 9443. This is the port number to which the NAT FortiGate unit will send the push update after it comes through the virtual IP. FortiGate units expect push update notifications on port 9443.

4 Select OK.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

275

Adding VDOM Licenses

System Maintenance

To add a firewall policy to the FortiGate NAT device 1 Go to Firewall > Policy. 2 Select Create New. 3 Configure the external to internal firewall policy. Source Interface/Zone

Select the name of the interface that connects to the Internet.

Source Address

Select All

Destination Interface/Zone

Select the name of the interface of the NAT device that connects to the internal network.

Destination Address

Select the virtual IP added to the NAT device.

Schedule

Select Always.

Service

Select ANY.

Action

Select Accept.

NAT

Select NAT.

4 Select OK. Verify that push updates to the FortiGate unit on the internal network are working by going to System > Maintenance > FortiGuard and selecting Test Availability under Web Filtering and AntiSpam Options. The Push Update indicator should change to green.

Adding VDOM Licenses If you have you can increase the maximum number of VDOMs on your FortiGate unit you can purchase a license key from Fortinet to increase the maximum number of VDOMs to 25, 50, 100 or 250. By default, FortiGate units support a maximum of 10 VDOMs. The license key is a 32-character string supplied by Fortinet. Fortinet requires the serial number of the FortiGate unit to generate the license key. The license key is entered in System > Maintenance > License in the Input License Key field. This appears only on high-end FortiGate models. Figure 162: License key for additional VDOMs

Current License

The current maximum number of virtual domains.

Input License key

Enter the license key supplied by Fortinet and select Apply.

Note: VDOMs created on a registered FortiGate unit are recognized as real devices by any connected FortiAnalyzer unit. The FortiAnalyzer unit includes VDOMs in its total number of registered devices. For example, if three FortiGate units are registered on the FortiAnalyzer unit and they contain a total of four VDOMs, the total number of registered FortiGate units on the FortiAnalyzer unit is seven. For more information, see the FortiAnalyzer Administration Guide.

276

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Static

Routing concepts

Router Static This section explains some general routing concepts, and how to define static routes and route policies. A route provides the FortiGate unit with the information it needs to forward a packet to a particular destination on the network. A static route causes packets to be forwarded to a destination other than the factory configured default gateway. The factory configured static default route provides you with a starting point to configure the default gateway. You must either edit the factory configured static default route to specify a different default gateway for the FortiGate unit, or delete the factory configured route and specify your own static default route that points to the default gateway for the FortiGate unit. For more information, see “Default route and default gateway” on page 281. You define static routes manually. Static routes control traffic exiting the FortiGate unit— you can specify through which interface the packet will leave and to which device the packet should be routed. As an option, you can define route policies. Route policies specify additional criteria for examining the properties of incoming packets. Using route policies, you can configure the FortiGate unit to route packets based on the IP source and destination addresses in packet headers and other criteria such as on which interface the packet was received and which protocol (service) and port are being used to transport the packet. If you enable virtual domains (VDOMs) on the FortiGate unit, static routing is configured separately for each virtual domain. For more information, see “Using virtual domains” on page 103. This section describes: •

Routing concepts

•

Static Route

•

Policy Route

Routing concepts The FortiGate unit works as a security device on a network and packets must pass through it. You need to understand a number of basic routing concepts in order to configure the FortiGate unit appropriately. Whether you administer a small or large network, this module will help you understand how the FortiGate unit performs routing functions. The following topics are covered in this section: •

How the routing table is built

•

How routing decisions are made

•

Multipath routing and determining the best routeRoute priority

•

Route priority

•

Blackhole Route

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

277

Routing concepts

Router Static

How the routing table is built In the factory default configuration, the FortiGate routing table contains a single static default route. You can add routing information to the routing table by defining additional static routes. The table may include several different routes to the same destination—the IP addresses of the next-hop router specified in those routes or the FortiGate interfaces associated with those routes may vary. The FortiGate unit selects the “best” route for a packet by evaluating the information in the routing table. The best route to a destination is typically associated with the shortest distance between the FortiGate unit and the closest next-hop router. In some cases, the next best route may be selected if the best route is unavailable. The FortiGate unit installs the best available routes in the unit’s forwarding table, which is a subset of the unit’s routing table. Packets are forwarded according to the information in the forwarding table.

How routing decisions are made Whenever a packet arrives at one of the FortiGate unit’s interfaces, the unit determines whether the packet was received on a legitimate interface by doing a reverse lookup using the source IP address in the packet header. If the FortiGate unit cannot communicate with the computer at the source IP address through the interface on which the packet was received, the FortiGate unit drops the packet as it is likely a hacking attempt. If the destination address can be matched to a local address (and the local configuration permits delivery), the FortiGate unit delivers the packet to the local network. If the packet is destined for another network, the FortiGate unit forwards the packet to a next-hop router according to a policy route and the information stored in the FortiGate forwarding table. For more information, see “Policy Route” on page 285.

Multipath routing and determining the best route Multipath routing occurs when more than one entry to the same destination is present in the routing table. When multipath routing happens, the FortiGate unit may have several possible destinations for an incoming packet, forcing the FortiGate unit to decide which next-hop is the best one. Two methods to manually resolve multiple routes to the same destination are to lower the administrative distance of one route or to set the priority of both routes. For the FortiGate unit to select a primary (preferred) route, manually lower the administrative distance associated with one of the possible routes. Administrative distance is based on the expected reliability of a given route. It is determined through a combination of the number of hops from the source and the protocol used. More hops from the source means more possible points of failure. The administrative distance can be from 1 to 255, with lower numbers being preferred. A distance of 255 is seen as infinite and will not be installed in the routing table. Here is an example to illustrate how administration distance works—if there are two possible routes traffic can take between 2 destinations with administration distances of 5 (always up) and 31 (sometimes not available), the traffic will use the route with an administrative distance of 5. Different routing protocols have different default administrative distances. The default administrative distances for any of these routing protocols are configurable.

278

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Static

Routing concepts

Table 42: Default administrative distances for routing protocols Routing protocol

Default administrative distance

Direct physical connection

1

Static

10

EBGP

20

OSPF

110

RIP

120

IBGP

200

Another method is to manually change the priority of both of the routes. If the next-hop administrative distances of two routes on the FortiGate unit are equal, it may not be clear which route the packet will take. Configuring the priority for each of those routes will make it clear which next-hop will be used in the case of a tie. You can set the priority for a route only from the CLI. Lower priorities are preferred. For more information, see the FortiGate CLI Reference. All entries in the routing table are associated with an administrative distance. If the routing table contains several entries that point to the same destination (the entries may have different gateways or interface associations), the FortiGate unit compares the administrative distances of those entries, selects the entries having the lowest distances, and installs them as routes in the FortiGate forwarding table. As a result, the FortiGate forwarding table contains only those routes having the lowest distances to every possible destination. For information about how to change the administrative distance associated with a static route, see “Adding a static route to the routing table” on page 284.

Route priority After the FortiGate unit selects static routes for the forwarding table based on their administrative distances, the priority field of those routes determines routing preference. You configure the priority field through the CLI. The route with the lowest value in the priority field is considered the best route, and it is also the primary route. The command to set the priority field is: set priority under the config route static command. For more information, see the FortiGate CLI Reference. In summary, because you can use the CLI to specify which sequence numbers or priority field settings to use when defining static routes, you can prioritize routes to the same destination according to their priority field settings. For a static route to be the preferred route, you must create the route using the config router static CLI command and specify a low priority for the route. If two routes have the same administrative distance and the same priority, then they are equal cost multipath (ECMP) routes. Since this means there is more than one route to the same destination, it can be confusing which route or routes to install and use. However, if you have enabled load balancing with ECMP routes, then different sessions will resolve this problem by using different routes to the same address. For more information, see load balancing in “Configuring virtual IPs” on page 370.

Blackhole Route A blackhole route is a route that drops all traffic sent to it. It is very much like /dev/null in Linux programming. Blackhole routes are used to dispose of packets instead of responding to suspicious inquiries. This provides added security since the originator will not discover any information from the target network.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

279

Static Route

Router Static

Blackhole routes can also limit traffic on a subnet. If some subnet addresses are not in use, traffic to those addresses (traffic which may be valid or malicious) can be directed to a blackhole for added security and to reduce traffic on the subnet. The loopback interface, a virtual interface that does not forward traffic, was added to enable easier configuration of blackhole routing. Similar to a normal interface, this loopback interface has fewer parameters to configure, and all traffic sent to it stops there. Since it cannot have hardware connection or link status problems, it is always available, making it useful for other dynamic routing roles. Once configured, you can use a loopback interface in firewall policies, routing, and other places that refer to interfaces. You configure this feature only from the CLI. For more information, see the system chapter of the FortiGate CLI Reference.

Static Route You configure static routes by defining the destination IP address and netmask of packets that you intend the FortiGate unit to intercept, and by specifying a (gateway) IP address for those packets. The gateway address specifies the next-hop router to which traffic will be routed. Note: You can use the config router static6 CLI command to add, edit, or delete static routes for IPv6 traffic. For more information, see the “router” chapter of the FortiGate CLI Reference.

Working with static routes The Static Route list displays information that the FortiGate unit compares to packet headers in order to route packets. Initially, the list contains the factory configured static default route. For more information, see “Default route and default gateway” on page 281. You can add new entries manually. When you add a static route to the Static Route list, the FortiGate unit performs a check to determine whether a matching route and destination already exist in the FortiGate routing table. If no match is found, the FortiGate unit adds the route to the routing table. When IPv6 is enabled in the GUI, IPv6 routes are visible on the Static Route list. Otherwise, IPv6 routes are not displayed. For more information on IPv6, see “FortiGate IPv6 support” on page 230. Note: Unless otherwise specified, static route examples and procedures are for IPv4 static routes.

To view the static route list, go to Router > Static > Static Route. Figure 163 shows the static route list belonging to a FortiGate unit that has interfaces named “port1” and “port2”. The names of the interfaces on your FortiGate unit may be different.

280

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Static

Static Route

Figure 163: Static Route list when IPv6 is enabled in the GUI

Expand Arrow

Delete Edit

Create New

Add a static route to the Static Route list. For more information, see “Adding a static route to the routing table” on page 284. Select the down arrow to create an IPv6 static Route.

Route

Select the Expand Arrow to display or hide the IPv4 static routes. By default these routes are displayed. This is displayed only when IPv6 is enabled in the GUI.

IPv6 Route

Select the Expand Arrow to display or hide the IPv6 static routes. By default these routes are hidden. This is displayed only when IPv6 is enabled in the GUI.

IP/Mask

The destination IP addresses and network masks of packets that the FortiGate unit intercepts.

Gateway

The IP addresses of the next-hop routers to which intercepted packets are forwarded.

Device

The names of the FortiGate interfaces through which intercepted packets are received and sent.

Distance

The administrative distances associated with each route. The values represent distances to next-hop routers.

Delete and Edit icons

Delete or edit an entry in the list.

Default route and default gateway In the factory default configuration, entry number 1 in the Static Route list is associated with a destination address of 0.0.0.0/0.0.0.0, which means any/all destinations. This route is called the “static default route”. If no other routes are present in the routing table and a packet needs to be forwarded beyond the FortiGate unit, the factory configured static default route causes the FortiGate unit to forward the packet to the default gateway. To prevent this you must either edit the factory configured static default route to specify a different default gateway for the FortiGate unit, or delete the factory configured route and specify your own static default route that points to the default gateway for the FortiGate unit. Note: For network traffic to pass, even with the correct routes configured, you must have the appropriate firewall policies. For details, see “Configuring firewall policies” on page 323.

For example, Figure 164 shows a FortiGate unit connected to a router. To ensure that all outbound packets destined to any network beyond the router are routed to the correct destination, you must edit the factory default configuration and make the router the default gateway for the FortiGate unit.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

281

Static Route

Router Static

Figure 164: Making a router the default gateway

Internet

Gateway Router 192.168.10.1 external

FortiGate_1 internal

Internal network 192.168.20.0/24

To route outbound packets from the internal network to destinations that are not on network 192.168.20.0/24, you would edit the default route and include the following settings: •

Destination IP/mask: 0.0.0.0/0.0.0.0

•

Gateway: 192.168.10.1

•

Device: Name of the interface connected to network 192.168.10.0/24 (for example “external”).

•

Distance: 10

The Gateway setting specifies the IP address of the next-hop router interface to the FortiGate external interface. The interface behind the router (192.168.10.1) is the default gateway for FortiGate_1. In some cases, there may be routers behind the FortiGate unit. If the destination IP address of a packet is not on the local network but is on a network behind one of those routers, the FortiGate routing table must include a static route to that network. For example, in Figure 165, the FortiGate unit must be configured with static routes to interfaces 192.168.10.1 and 192.168.11.1 in order to forward packets to Network_1 and Network_2 respectively.

282

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Static

Static Route

Figure 165: Destinations on networks behind internal routers

Internet

FortiGate_1 internal 192.168.10.1

dmz 192.168.11.1 Gateway Router_2

Gateway Router_1

Network_1 192.168.20.0/24

Network_2 192.168.30.0/24

To route packets from Network_1 to Network_2, Router_1 must be configured to use the FortiGate internal interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings: Destination IP/mask: 192.168.30.0/24 Gateway: 192.168.11.1 Device: dmz Distance: 10 To route packets from Network_2 to Network_1, Router_2 must be configured to use the FortiGate dmz interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings: Destination IP/mask: 192.168.20.0/24 Gateway: 192.168.10.1 Device: internal Distance: 10

Changing the gateway for the default route The default gateway determines where packets matching the default route will be forwarded. Note: If you are using DHCP or PPPoE FortiGate over a modem interface on your FortiGate unit, you may have problems configuring a static route. After trying to either Renew your DHCP license, or Reconnect the PPPoE connection, go to the CLI and enable dynamic-gateway under config system interface for the modem interface. Doing this will remove the need to specify a gateway for this interface’s route. For more information see FortiGate CLI Reference.

To change the gateway for the default route 1 Go to Router > Static > Static Route. FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

283

Static Route

Router Static

2 Select the Edit icon in row 1. 3 If the FortiGate unit reaches the next-hop router through an interface other than the interface that is currently selected in the Device field, select the name of the interface from the Device field. 4 In the Gateway field, type the IP address of the next-hop router to which outbound traffic may be directed. 5 In the Distance field, optionally adjust the administrative distance value. 6 Select OK.

Adding a static route to the routing table A route provides the FortiGate unit with the information it needs to forward a packet to a particular destination. A static route causes packets to be forwarded to a destination other than the default gateway. You define static routes manually. Static routes control traffic exiting the FortiGate unit— you can specify through which interface the packet will leave and to which device the packet should be routed. To add a static route entry 1 Go to Router > Static > Static Route. 2 Select Create New. 3 Enter the IP address and netmask. For example, 172.1.2.0/255.255.255.0 would be a route for all addresses on the subnet 172.1.2.x. 4 Enter the FortiGate unit interface closest to this subnet, or connected to it. 5 Enter the gateway IP address. Continuing with the example, 172.1.2.3 would be a valid address. 6 Enter the administrative distance of this route. The administrative distance allows you to weight one route to be preferred over another. This is useful when one route is unreliable. For example, if route A has an administrative distance of 30 and route B has an administrative distance of 10, the preferred route is route A with the smaller administrative distance of 10. If you discover that route A is unreliable, you can change the administrative distance for route A from 10 to 40, which will make the route B the preferred route. 7 Select OK to confirm and save your new static route. When you add a static route through the web-based manager, the FortiGate unit assigns the next unassigned sequence number to the route automatically and adds the entry to the Static Route list. Figure 166 shows the Edit Static Route dialog box belonging to a FortiGate unit that has an interface named “internal”. The names of the interfaces on your FortiGate unit may be different.

284

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Static

Policy Route

Figure 166: Edit Static Route

Destination IP/Mask

Type the destination IP address and network mask of packets that the FortiGate unit has to intercept. The value 0.0.0.0/0.0.0.0 is reserved for the default route.

Gateway

Type the IP address of the next-hop router to which the FortiGate unit will forward intercepted packets.

Device

Select the name of the FortiGate interface through which the intercepted packets may be routed to the next-hop router.

Distance

Type an administrative distance from 1 to 255 for the route. The distance value is arbitrary and should reflect the distance to the next-hop router. A lower value indicates a more preferred route.

Policy Route A routing policy allows you to redirect traffic away from a static route. This can be useful if you want to route certain types of network traffic differently. You can use incoming traffic’s protocol, source address or interface, destination address, or port number to determine where to send the traffic. For example, generally network traffic would go to the router of a subnet, but you might want to direct SMTP or POP3 traffic addressed to that subnet directly to the mail server. If you have configured the FortiGate unit with routing policies and a packet arrives at the FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and attempts to match the packet with a policy. If a match is found and the policy contains enough information to route the packet (a minimum of the IP address of the next-hop router and the FortiGate interface for forwarding packets to it), the FortiGate unit routes the packet using the information in the policy. If no policy route matches the packet, the FortiGate unit routes the packet using the routing table. Note: Most policy settings are optional, so a matching policy alone might not provide enough information for forwarding the packet. The FortiGate unit may refer to the routing table in an attempt to match the information in the packet header with a route in the routing table. For example, if the outgoing interface is the only item in the policy, the FortiGate unit looks up the IP address of the next-hop router in the routing table. This situation could happen when the interfaces are dynamic (such as DHCP or PPPoE) and you do not want or are unable to specify the IP address of the next-hop router.

Policy route options define which attributes of a incoming packet cause policy routing to occur. If the attributes of a packet match all the specified conditions, the FortiGate unit routes the packet through the specified interface to the specified gateway. Figure 167 shows the policy route list belonging to a FortiGate unit that has interfaces named “external” and “internal”. The names of the interfaces on your FortiGate unit may be different. To edit an existing policy route, see “Adding a policy route” on page 286.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

285

Policy Route

Router Static

Figure 167: Policy Route list

Delete Edit Move To Create New

Add a policy route. See “Adding a policy route” on page 286.

#

The ID numbers of configured route policies. These numbers are sequential unless policies have been moved within the table.

Incoming

The interfaces on which packets subjected to route policies are received.

Outgoing

The interfaces through which policy routed packets are routed.

Source

The IP source addresses and network masks that cause policy routing to occur.

Destination

The IP destination addresses and network masks that cause policy routing to occur.

Delete icon

Delete a policy route.

Edit icon

Edit a policy route.

Move To icon

After selecting this icon, enter the destination position in the window that appears, and select OK. For more information, see “Moving a policy route” on page 287.

Adding a policy route To add a policy route, go to Router > Static > Policy Route and select Create New. Figure 168 shows the New Routing Policy dialog box belonging to a FortiGate unit that has interfaces named “external” and “internal”. The names of the interfaces on your FortiGate unit may be different. Figure 168: New Routing Policy

Protocol

To perform policy routing based on the value in the protocol field of the packet, enter the protocol number to match. The Internet Protocol Number is found in the IP packet header, and RFC 5237 includes a list of the assigned protocol numbers. The range is from 0 to 255. A value of 0 disables the feature.

Incoming Interface Select the name of the interface through which incoming packets subjected to the policy are received.

286

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Static

Policy Route

Source Address / Mask

To perform policy routing based on the IP source address of the packet, type the source address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the feature.

Destination Address / Mask

To perform policy routing based on the IP destination address of the packet, type the destination address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the feature.

Destination Ports

To perform policy routing based on the port on which the packet is received, type the same port number in the From and To fields. To apply policy routing to a range of ports, type the starting port number in the From field and the ending port number in the To field. A value of 0 disables this feature. The Destination Ports fields are only used for TCP and UDP protocols. The ports are skipped over for all other protocols.

Type of Service

Use a two digit hexadecimal bit pattern to match to define the service, or use a two digit hexadecimal bit mask to mask out. For example if you want the policy to apply to service 14 you would use a bit pattern of 0E. If you wanted to ignore all odd numbered services you would use a bit mask of 01.

Outgoing Interface Select the name of the interface through which packets affected by the policy will be routed. Gateway Address

Type the IP address of the next-hop router that the FortiGate unit can access through the specified interface. A value of 0.0.0.0 is not valid.

Moving a policy route A routing policy is added to the bottom of the routing table when it is created. If you prefer to use one policy over another, you may want to move it to a different location in the routing policy table. The option to use one of two routes happens when both routes are a match, for example 172.20.0.0/255.255.0.0 and 172.20.120.0/255.255.255.0. If both of these routes are in the policy table, both can match a route to 172.20.120.112 but you consider the second one as a better match. In that case the best match route should be positioned before the other route in the policy table. In the case of two matches in the routing table, alternating sessions will use both routes in a load balancing configuration. You can also manually assign priorities to routes. For two matches in the routing table, the priority will determine which route is used. This feature is available only through the CLI. For details, see FortiGate CLI Reference. To change the position of a policy route in the table, go to Router > Static > Policy Route and select Move To for the policy route you want to move. Figure 169: Moving a policy route

Before/After

Select Before to place the selected Policy Route before the indicated route. Select After to place it following the indicated route.

Policy route ID

Enter the Policy route ID of the route in the Policy route table to move the selected route before or after.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

287

Policy Route

288

Router Static

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Dynamic

RIP

Router Dynamic This section explains how to configure dynamic protocols to route traffic through large or complex networks. Dynamic routing protocols enable the FortiGate unit to automatically share information about routes with neighboring routers and learn about routes and networks advertised by them. The FortiGate unit supports these dynamic routing protocols: •

Routing Information Protocol (RIP)

•

Open Shortest Path First (OSPF)

•

Border Gateway Protocol (BGP).

The FortiGate unit selects routes and updates its routing table dynamically based on the rules you specify. Given a set of rules, the unit can determine the best route or path for sending packets to a destination. You can also define rules to suppress the advertising of routes to neighboring routers and change FortiGate routing information before it is advertised. If you enable virtual domains (VDOMs) on the FortiGate unit, dynamic routing is configured separately for each virtual domain. For details, see “Using virtual domains” on page 103. Note: A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root virtual domain. FortiGate units support PIM sparse mode and dense mode and can service multicast servers or receivers on the network segment to which a FortiGate interface is connected. PIM can use static routes, RIP, OSPF, or BGP to forward multicast packets to their destinations.

Bi-Directional Forwarding (BFD) is a protocol that works with BGP and OSPF to quickly discover routers on the network that cannot be contacted, and to re-route traffic accordingly until those routers can be contacted. A useful part of the FortiOS web-based management interface is the customizable menus and widgets. These widgets include the following routing widgets: access list, distribute list, key chain, offset list, prefix list, and route map. For more information on these routing widgets, see “Customizable routing widgets” on page 309. This section describes: •

RIP

•

OSPF

•

BGP

•

Multicast

•

Bi-directional Forwarding Detection (BFD)

•

Customizable routing widgets

RIP Routing Information Protocol (RIP) is a distance-vector routing protocol intended for small, relatively homogeneous networks. The FortiGate implementation of RIP supports RIP version 1 (see RFC 1058) and RIP version 2 (see RFC 2453). FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

289

RIP

Router Dynamic

How RIP works When RIP is enabled, the FortiGate unit broadcasts requests for RIP updates from each of its RIP-enabled interfaces. Neighboring routers respond with information from their routing tables. The FortiGate unit adds routes from neighbors to its own routing table only if those routes are not already recorded in the routing table. When a route already exists in the routing table, the unit compares the advertised route to the recorded route and chooses the shortest route for the routing table. RIP uses hop count as the metric for choosing the best route. A hop count of 1 represents a network that is connected directly to the unit, while a hop count of 16 represents a network that the FortiGate unit cannot reach. Each network that a packet travels through to reach its destination usually counts as one hop. When the FortiGate unit compares two routes to the same destination, it adds the route having the lowest hop count to the routing table. Similarly, when RIP is enabled on an interface, the FortiGate unit sends RIP responses to neighboring routers on a regular basis. The updates provide information about the routes in the FortiGate routing table, subject to the rules that you specify for advertising those routes. You can specify how often the FortiGate unit sends updates, how long a route can be kept in the routing table without being updated, and, for routes that are not updated regularly, how long the unit advertises the route as unreachable before it is removed from the routing table.

Viewing and editing basic RIP settings When you configure RIP settings, you have to specify the networks that are running RIP and specify any additional settings needed to adjust RIP operation on the FortiGate interfaces that are connected to the RIP-enabled network. To view and edit RIP settings go to Router > Dynamic > RIP. Figure 170 shows the basic RIP settings on a FortiGate unit that has interfaces named “dmz” and “external”. The names of the interfaces on your FortiGate unit may be different.

290

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Dynamic

RIP

Figure 170: Basic RIP settings

Expand Arrow

Delete Edit RIP Version

Select the level of RIP compatibility needed at the FortiGate unit. You can enable global RIP settings on all FortiGate interfaces connected to RIP-enabled networks: 1 — send and receive RIP version 1 packets. 2 — send and receive RIP version 2 packets. You can override the global settings for a specific FortiGate interface if required. For more information, see “Configuring a RIP-enabled interface” on page 293.

Advanced Options

Select the Expand Arrow to view or hide advanced RIP options. For more information, see “Selecting advanced RIP options” on page 292.

Networks

The IP addresses and network masks of the major networks (connected to the FortiGate unit) that run RIP. When you add a network to the Networks list, the FortiGate interfaces that are part of the network are advertised in RIP updates. You can enable RIP on all FortiGate interfaces whose IP addresses match the RIP network address space.

IP/Netmask

Enter the IP address and netmask that defines the RIP-enabled network.

Add

Select to add the network information to the Networks list.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

291

RIP

Router Dynamic

Interfaces

Any additional settings needed to adjust RIP operation on a FortiGate interface.

Create New

Add new RIP operating parameters for an interface. These parameters will override the global RIP settings for that interface. For more information, see “Configuring a RIP-enabled interface” on page 293.

Interface

The name of the unit RIP interface.

Send Version

The version of RIP used to send updates through each interface: 1, 2, or both.

Receive Version

The versions of RIP used to listen for updates on each interface: 1, 2, or both.

Authentication

The type of authentication used on this interface: None, Text or MD5.

Passive

Permissions for RIP broadcasts on this interface. A green checkmark means the RIP broadcasts are blocked.

Delete and Edit icons

Delete or edit a RIP network entry or a RIP interface definition.

Selecting advanced RIP options With advanced RIP options, you can specify settings for RIP timers and define metrics for redistributing routes that the FortiGate unit learns through some means other than RIP updates. For example, if the unit is connected to an OSPF or BGP network or you add a static route to the FortiGate routing table manually, you can configure the unit to advertise those routes on RIP-enabled interfaces. To select advanced RIP options, go to Router > Dynamic > RIP and expand Advanced Options. After you select the options, select Apply. Note: You can configure additional advanced options through customizable GUI widgets, and the CLI. For example, you can filter incoming or outgoing updates by using a route map, an access list, or a prefix list. The FortiGate unit also supports offset lists, which add the specified offset to the metric of a route. For more information on customizable GUI widgets, see “Customizable routing widgets” on page 309. For more information on CLI routing commands, see the “router” chapter of the FortiGate CLI Reference. Figure 171: Advanced Options (RIP)

Expand Arrow

292

Rip Version

Select the version of RIP packets to send and receive.

Advanced Options

Select the Expand Arrow to view or hide advanced options.

Default Metric

Enter the default hop count that the FortiGate unit should assign to routes that are added to the FortiGate routing table. The range is from 1 to 16. This metric is the hop count, with 1 being best or shortest. This value also applies to Redistribute unless otherwise specified.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Dynamic

RIP

Default-information- Select to generate and advertise a default route into the FortiGate unit’s RIPenabled networks. The generated route may be based on routes learned originate through a dynamic routing protocol, routes in the routing table, or both. RIP Timers

Enter new values to override the default RIP timer settings. The default settings are effective in most configurations — if you change these settings, ensure that the new settings are compatible with local routers and access servers. If the Update timer is smaller than Timeout or Garbage timers, you will get an error.

Update

Enter the amount of time (in seconds) that the FortiGate unit will wait between sending RIP updates.

Timeout

Enter the maximum amount of time (in seconds) that a route is considered reachable while no updates are received for the route. This is the maximum time the FortiGate unit will keep a reachable route in the routing table while no updates for that route are received. If the FortiGate unit receives an update for the route before the timeout period expires, the timer is restarted. The Timeout period should be at least three times longer than the Update period.

Garbage

Enter the amount of time (in seconds) that the FortiGate unit will advertise a route as being unreachable before deleting the route from the routing table. The value determines how long an unreachable route is kept in the routing table.

Redistribute

Select one or more of the options to redistribute RIP updates about routes that were not learned through RIP. The FortiGate unit can use RIP to redistribute routes learned from directly connected networks, static routes, OSPF, and BGP.

Connected

Select to redistribute routes learned from directly connected networks. To specify a hop count for those routes, select Metric, and enter the hop count in the Metric field. The valid hop count range is from 1 to 16.

Static

Select to redistribute routes learned from static routes. To specify a hop count for those routes, select Metric, and enter the hop count in the Metric field. The range is from 1 to 16.

OSPF

Select to redistribute routes learned through OSPF. To specify a hop count for those routes, select Metric, and enter the hop count in the Metric field. The range is from 1 to 16.

BGP

Select to redistribute routes learned through BGP. To specify a hop count for those routes, select Metric, and enter the hop count in the Metric field. The range is from 1 to 16.

Configuring a RIP-enabled interface You can use RIP interface options to override the global RIP settings that apply to all FortiGate unit interfaces connected to RIP-enabled networks. For example, if you want to suppress RIP advertising on an interface that is connected to a subnet of a RIP-enabled network, you can set the interface to operate passively. Passive interfaces listen for RIP updates but do not respond to RIP requests. If RIP version 2 is enabled on the interface, you can optionally choose password authentication to ensure that the FortiGate unit authenticates a neighboring router before accepting updates from that router. The unit and the neighboring router must both be configured with the same password. Authentication guarantees the authenticity of the update packet, not the confidentiality of the routing information in the packet. To set specific RIP operating parameters for a RIP-enabled interface, go to Router > Dynamic > RIP and select Create New. Note: Additional options such as split-horizon and key-chains can be configured per interface through the CLI. For more information, see the “router” chapter of the FortiGate CLI Reference or the Fortinet Knowledge Center.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

293

OSPF

Router Dynamic

Figure 172 shows the New/Edit RIP Interface dialog box belonging to a FortiGate unit that has an interface named “internal”. The names of the interfaces on your FortiGate unit may be different. Figure 172: New/Edit RIP Interface

Interface

Select the name of the FortiGate interface to which these settings apply. The interface must be connected to a RIP-enabled network. The interface can be a virtual IPSec or GRE interface.

Send Version, Receive Version

Select to override the default RIP-compatibility setting for sending and receiving updates through the interface: RIP version 1, version 2 or Both.

Authentication

Select an authentication method for RIP exchanges on the specified interface: None — Disable authentication. Text — Select if the interface is connected to a network that runs RIP version 2. Type a password (up to 35 characters) in the Password field. The FortiGate unit and the RIP updates router must both be configured with the same password. The password is sent in clear text over the network. MD5 — Authenticate the exchange using MD5.

Passive Interface

Select to suppress the advertising of FortiGate unit routing information over the specified interface. Clear the check box to allow the interface to respond normally to RIP requests.

OSPF Open Shortest Path First (OSPF) is a link-state routing protocol that is most often used in large heterogeneous networks to share routing information among routers in the same Autonomous System (AS). FortiGate units support OSPF version 2 (see RFC 2328). The main benefit of OSPF is that it advertises routes only when neighbors change state instead of at timed intervals, so routing overhead is reduced.

How OSPF works An OSPF network consists of one or more Autonomous Systems (ASes). An OSPF AS is typically divided into logical areas linked by Area Border Routers. A group of contiguous networks form an area. An Area Border Router (ABR) links one or more ASes to the OSPF network backbone (area ID 0). For information on configuring an OSPF AS, see “Defining an OSPF AS—Overview” on page 295. When a FortiGate unit interface is connected to an OSPF area, that unit can participate in OSPF communications. FortiGate units use the OSPF Hello protocol to acquire neighbors in an area. A neighbor is any router that directly connected to the same area as the FortiGate unit. After initial contact, the FortiGate unit exchanges Hello packets with its OSPF neighbors regularly to confirm that the neighbors can be reached.

294

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Dynamic

OSPF

OSPF-enabled routers generate Link-State Advertisements (LSA) and send them to their neighbors whenever the status of a neighbor changes or a new neighbor comes online. As long as the OSPF network is stable, LSAs between OSPF neighbors do not occur. An LSA identifies the interfaces of all OSPF-enabled routers in an area, and provides information that enables OSPF-enabled routers to select the shortest path to a destination. All LSA exchanges between OSPF-enabled routers are authenticated. The FortiGate unit maintains a database of link-state information based on the advertisements that it receives from OSPF-enabled routers. To calculate the best route (shortest path) to a destination, the FortiGate unit applies the Shortest Path First (SPF) algorithm to the accumulated link-state information. OSPF uses relative path cost metric for choosing the best route. The path cost can be any metric, but is typically the speed of the path—how fast traffic will get from one point to another. The path cost, similar to “distance” for RIP, imposes a penalty on the outgoing direction of a FortiGate interface. The path cost of a route is calculated by adding together all of the costs associated with the outgoing interfaces along the path to a destination. The lowest overall path cost indicates the best route, and generally the fastest route. Note: The inter-area routes may not be calculated when a Cisco type ABR has no fully adjacent neighbor in the backbone area. In this situation, the router considers summaryLSAs from all Actively summary-LSAs from all Actively Attached areas (RFC 3509).

The FortiGate unit dynamically updates its routing table based on the results of the SPF calculation to ensure that an OSPF packet will be routed using the shortest path to its destination. Depending on the network topology, the entries in the FortiGate routing table may include: •

the addresses of networks in the local OSPF area (to which packets are sent directly)

•

routes to OSPF area border routers (to which packets destined for another area are sent)

•

if the network contains OSPF areas and non-OSPF domains, routes to AS boundary routers, which reside on the OSPF network backbone and are configured to forward packets to destinations outside the OSPF AS.

The number of routes that a FortiGate unit can learn through OSPF depends on the network topology. A single unit can support tens of thousands of routes if the OSPF network is configured properly.

Defining an OSPF AS—Overview Defining an OSPF Autonomous System (AS), involves: •

defining the characteristics of one or more OSPF areas

•

creating associations between the OSPF areas that you defined and the local networks to include in the OSPF AS

•

if required, adjusting the settings of OSPF-enabled interfaces.

If you are using the web-based manager to perform these tasks, follow the procedures summarized below. To define an OSPF AS 1 Go to Router > Dynamic > OSPF. 2 Under Areas, select Create New. 3 Define the characteristics of one or more OSPF areas. See “Defining OSPF areas” on page 299. 4 Under Networks, select Create New. FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

295

OSPF

Router Dynamic

5 Create associations between the OSPF areas that you defined and the local networks to include in the OSPF AS. See “Specifying OSPF networks” on page 300. 6 If you need to adjust the default settings of an OSPF-enabled interface, select Create New under Interfaces. 7 Select the OSPF operating parameters for the interface. See “Selecting operating parameters for an OSPF interface” on page 301. Repeat steps 6 and 7 for any additional OSPF-enabled interfaces. 8 Optionally select advanced OSPF options for the OSPF AS. See “Selecting advanced OSPF options” on page 298. 9 Select Apply.

Configuring basic OSPF settings When you configure OSPF settings, you have to define the AS in which OSPF is enabled and specify which of the FortiGate interfaces participate in the AS. As part of the AS definition, you specify the AS areas and specify which networks to include those areas. You may optionally adjust the settings associated with OSPF operation on the FortiGate interfaces. To view and edit OSPF settings, go to Router > Dynamic > OSPF. Figure 173 shows the basic OSPF settings on a FortiGate unit that has an interface named “port1”. The names of the interfaces on your FortiGate unit may be different. Figure 173: Basic OSPF settings

Expand Arrow

Router ID

Enter a unique router ID to identify the FortiGate unit to other OSPF routers. By convention, the router ID is the numerically highest IP address assigned to any of the FortiGate interfaces in the OSPF AS. If you change the router ID while OSPF is configured on an interface, all connections to OSPF neighbors will be broken temporarily. The connections will re-establish themselves. If Router ID is not explicitly set, the highest IP address of the VDOM or unit will be used.

Advanced Options Select the Expand Arrow to view or hide advanced OSPF settings. For more information, see “Selecting advanced OSPF options” on page 298.

296

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Dynamic

OSPF

Areas

Information about the areas making up an OSPF AS. The header of an OSPF packet contains an area ID, which helps to identify the origination of a packet inside the AS.

Create New

Define and add a new OSPF area to the Areas list. For more information, see “Defining OSPF areas” on page 299.

Area

The unique 32-bit identifiers of areas in the AS, in dotted-decimal notation. Area ID 0.0.0.0 references the backbone of the AS and cannot be changed or deleted.

Type

The types of areas in the AS: • Regular - a normal OSPF area • NSSA - a not so stubby area • Stub - a stub area. For more information, see “Defining OSPF areas” on page 299.

Authentication

The methods for authenticating OSPF packets sent and received through all FortiGate interfaces linked to each area: None — authentication is disabled Text — text-based authentication is enabled MD5 — MD5 authentication is enabled. A different authentication setting may apply to some of the interfaces in an area, as displayed under Interfaces. For example, if an area employs simple passwords for authentication, you can configure a different password for one or more of the networks in that area.

Networks

The networks in the OSPF AS and their area IDs. When you add a network to the Networks list, all FortiGate interfaces that are part of the network are advertised in OSPF link-state advertisements. You can enable OSPF on all FortiGate interfaces whose IP addresses match the OSPF network address space. For more information, see “Specifying OSPF networks” on page 300.

Create New

Add a network to the AS, specify its area ID, and add the definition to the Networks list.

Network

The IP addresses and network masks of networks in the AS on which OSPF runs. The FortiGate unit may have physical or VLAN interfaces connected to the network.

Area

The area IDs that have been assigned to the OSPF network address space.

Interfaces

Any additional settings needed to adjust OSPF operation on a FortiGate interface. For more information, see “Selecting operating parameters for an OSPF interface” on page 301.

Create New

Create additional/different OSPF operating parameters for a unit interface and add the configuration to the Interfaces list.

Name

The names of OSPF interface definitions.

Interface

The names of FortiGate physical or VLAN interfaces having OSPF settings that differ from the default values assigned to all other interfaces in the same area.

IP

The IP addresses of the OSPF-enabled interfaces having additional/different settings.

Authentication

The methods for authenticating LSA exchanges sent and received on specific OSPF-enabled interfaces. These settings override the area Authentication settings.

Delete and Edit icons

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Delete or edit an OSPF area entry, network entry, or interface definition. Icons are visible only when there are entries in Areas, Networks, and Interfaces sections.

297

OSPF

Router Dynamic

Selecting advanced OSPF options By selecting advanced OSPF options, you can specify metrics for redistributing routes that the FortiGate unit learns through some means other than OSPF link-state advertisements. For example, if the FortiGate unit is connected to a RIP or BGP network or you add a static route to the FortiGate routing table manually, you can configure the unit to advertise those routes on OSPF-enabled interfaces. To select advanced RIP options, go to Router > Dynamic > RIP and expand Advanced Options. After you select the options, select Apply. Figure 174: Advanced Options (OSPF)

Expand Arrow

Router ID

Enter a unique router ID to identify the FortiGate unit to other OSPF routers.

Expand Arrow

Select to view or hide Advanced Options.

Default Information Generate and advertise a default (external) route to the OSPF AS. You may base the generated route on routes learned through a dynamic routing protocol, routes in the routing table, or both. None

Prevent the generation of a default route.

Regular

Generate a default route into the OSPF AS and advertise the route to neighboring autonomous systems only if the route is stored in the FortiGate routing table.

Always

Generate a default route into the OSPF AS and advertise the route to neighboring autonomous systems unconditionally, even if the route is not stored in the FortiGate routing table.

Redistribute

298

Select one or more of the options listed to redistribute OSPF link-state advertisements about routes that were not learned through OSPF. The FortiGate unit can use OSPF to redistribute routes learned from directly connected networks, static routes, RIP, and BGP.

Connected

Select to redistribute routes learned from directly connected networks. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.

Static

Select to redistribute routes learned from static routes. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.

RIP

Select to redistribute routes learned through RIP. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.

BGP

Select to redistribute routes learned through BGP. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Dynamic

OSPF

Note: You can configure additional advanced options through customizable GUI widgets, and the CLI. For example, you can filter incoming or outgoing updates by using a route map, an access list, or a prefix list. The FortiGate unit also supports offset lists, which add the specified offset to the metric of a route. For more information on customizable GUI widgets, see “Customizable routing widgets” on page 309. For more information on CLI routing commands, see the “router” chapter of the FortiGate CLI Reference.

Defining OSPF areas An area logically defines part of the OSPF AS. Each area is identified by a 32-bit area ID expressed in dotted-decimal notation, for example 192.168.0.1. Area ID 0.0.0.0 is reserved for the OSPF network backbone. You can classify the remaining areas of an AS as regular, stub, or NSSA. A regular area contains more than one router, each having at least one OSPF-enabled interface to the area. To reach the OSPF backbone, the routers in a stub area must send packets to an area border router. Routes leading to non-OSPF domains are not advertised to the routers in stub areas. The area border router advertises to the OSPF AS a single default route (destination 0.0.0.0) into the stub area, which ensures that any OSPF packet that cannot be matched to a specific route will match the default route. Any router connected to a stub area is considered part of the stub area. In a Not-So-Stubby Area (NSSA), routes that lead out of the area into a non-OSPF domain are made known to OSPF AS. However, the area itself continues to be treated like a stub area by the rest of the AS. Regular areas and stub areas (including not-so-stubby areas) are connected to the OSPF backbone through area border routers. To define an OSPF area, go to Router > Dynamic > OSPF, and then under Areas, select Create New. To edit the attributes of an OSPF area, go to Router > Dynamic > OSPF and select the Edit icon in the row that corresponds to the area. Note: If required, you can define a virtual link to an area that has lost its physical connection to the OSPF backbone. Virtual links can be set up only between two FortiGate units that act as area border routers. For more information on virtual links, see the FortiGate CLI Reference. Figure 175: New/Edit OSPF Area

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

299

OSPF

Router Dynamic

Area

Type a 32-bit identifier for the area. The value must resemble an IP address in dotted-decimal notation. Once you have created the OSPF area, the area IP value cannot be changed; you must delete the area and restart.

Type

Select an area type to classify the characteristics of the network that will be assigned to the area: Regular — If the area contains more than one router, each having at least one OSPF-enabled interface to the area. NSSA — If you want routes to external non-OSPF domains made known to OSPF AS and you want the area to be treated like a stub area by the rest of the AS. STUB — If the routers in the area must send packets to an area border router in order to reach the backbone and you do not want routes to non-OSPF domains to be advertised to the routers in the area.

Authentication Select the method for authenticating OSPF packets sent and received through all interfaces in the area: None — Disable authentication. Text — Enables text-based password authentication. to authenticate LSA exchanges using a plain-text password. The password is sent in clear text over the network. MD5 — Enable MD5-based authentication using an MD5 cryptographic hash (RFC 1321). If required, you can override this setting for one or more of the interfaces in the area. For more information, see “Selecting operating parameters for an OSPF interface” on page 301.

Note: To assign a network to the area, see “Specifying OSPF networks” on page 300.

Specifying OSPF networks OSPF areas group a number of contiguous networks together. When you assign an area ID to a network address space, the attributes of the area are associated with the network. To assign an OSPF area ID to a network, go to Router > Dynamic > OSPF, and then under Networks, select Create New. To change the OSPF area ID assigned to a network, go to Router > Dynamic > OSPF and select the Edit icon in the row that corresponds to the network. Figure 176: New/Edit OSPF Network

300

IP/Netmask

Enter the IP address and network mask of the local network that you want to assign to an OSPF area.

Area

Select an area ID for the network. The attributes of the area must match the characteristics and topology of the specified network. You must define the area before you can select the area ID. For more information, see “Defining OSPF areas” on page 299.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Dynamic

OSPF

Selecting operating parameters for an OSPF interface An OSPF interface definition contains specific operating parameters for a FortiGate OSPF-enabled interface. The definition includes the name of the interface (for example, external or VLAN_1), the IP address assigned to the interface, the method for authenticating LSA exchanges through the interface, and timer settings for sending and receiving OSPF Hello and dead-interval packets. You can enable OSPF on all FortiGate interfaces whose IP addresses match the OSPFenabled network space. For example, define an area of 0.0.0.0 and the OSPF network as 10.0.0.0/16. Then define vlan1 as 10.0.1.1/24, vlan2 as 10.0.2.1/24 and vlan3 as 10.0.3.1/24. All three VLANs can run OSPF in area 0.0.0.0. To enable all interfaces, you would create an OSPF network 0.0.0.0/0 You can configure different OSPF parameters for the same FortiGate interface when more than one IP address has been assigned to the interface. For example, the same FortiGate interface could be connected to two neighbors through different subnets. You could configure an OSPF interface definition containing one set of Hello and dead-interval parameters for compatibility with one neighbor’s settings, and a second OSPF interface definition for the same interface to ensure compatibility with the second neighbor’s settings. To select OSPF operating parameters for a FortiGate interface, go to Router > Dynamic > OSPF, and then under Interfaces, select Create New. To edit the operating parameters of an OSPF-enabled interface, go to Router > Dynamic > OSPF and select the Edit icon in the row that corresponds to the OSPF-enabled interface. Figure 177 shows the New/Edit OSPF Interface dialog box belonging to a FortiGate unit that has an interface named “port1”. The interface names on your FortiGate unit may differ. Figure 177: New/Edit OSPF Interface

Add

Name

Enter a name to identify the OSPF interface definition. For example, the name could indicate to which OSPF area the interface will be linked.

Interface

Select the name of the FortiGate interface to associate with this OSPF interface definition (for example, port1, external, or VLAN_1). The FortiGate unit can have physical, VLAN, virtual IPSec or GRE interfaces connected to the OSPF-enabled network.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

301

BGP

Router Dynamic

IP

Enter the IP address that has been assigned to the OSPF-enabled interface. The interface becomes OSPF-enabled because its IP address matches the OSPF network address space. For example, if you defined an OSPF network of 172.20.120.0/24 and port1 has been assigned the IP address 172.20.120.140, type 172.20.120.140.

Authentication Select an authentication method for LSA exchanges on the specified interface: None — Disable authentication. Text — Authenticate LSA exchanges using a plain-text password. The password can be up to 35 characters, and is sent in clear text over the network. MD5 — Use one or more keys to generate an MD5 cryptographic hash. Password

Enter the plain-text password. Enter an alphanumeric value of up to 15 characters. The OSPF neighbors that send link-state advertisements to this FortiGate interface must be configured with an identical password. This field is available only if you selected plain-text authentication.

MD5 Keys

Enter the key identifier for the (first) password in the ID field (the range is from 1 to 255) and then type the associated password in the Key field. The password is a 128-bit hash, represented by an alphanumeric string of up to 16 characters. The OSPF neighbors that send link-state advertisements to this FortiGate interface must be configured with an identical MD5 key. If the OSPF neighbor uses more than one password to generate MD5 hash, select the Add icon to add additional MD5 keys to the list. This field is available only if you selected MD5 authentication.

Hello Interval

Optionally, set the Hello Interval to be compatible with Hello Interval settings on all OSPF neighbors. This setting defines the period of time (in seconds) that the FortiGate unit waits between sending Hello packets through this interface.

Dead Interval

Optionally, set the Dead Interval to be compatible with Dead Interval settings on all OSPF neighbors. This setting defines the period of time (in seconds) that the FortiGate unit waits to receive a Hello packet from an OSPF neighbor through the interface. If the FortiGate unit does not receive a Hello packet within the specified amount of time, the FortiGate unit declares the neighbor inaccessible. By convention, the Dead Interval value is usually four times greater than the Hello Interval value.

BGP Border Gateway Protocol (BGP) is an Internet routing protocol typically used by ISPs to exchange routing information between different ISP networks. For example, BGP enables the sharing of network paths between the ISP network and an autonomous system (AS) that uses RIP, OSPF, or both to route packets within the AS. The FortiGate implementation of BGP supports BGP-4 and complies with RFC 1771 and RFC 2385.

How BGP works When BGP is enabled on an interface, the FortiGate unit sends routing table updates to neighboring autonomous systems connected to that interface whenever any part of the FortiGate routing table changes. Each AS to which the unit belongs is associated with an AS number. The AS number references a particular destination network. BGP updates advertise the best path to a destination network. When the FortiGate unit receives a BGP update, the FortiGate unit examines the Multi-Exit Discriminator (MED) attributes of potential routes to determine the best path to a destination network before recording the path in the FortiGate unit routing table.

302

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Dynamic

BGP

BGP has the capability to gracefully restart. This capability limits the effects of software problems by allowing forwarding to continue when the control plane of the router fails. It also reduces routing flaps by stabilizing the network. Note: You can configure graceful restarting and other advanced settings only through CLI commands. For more information on advanced BGP settings, see the “router” chapter of the FortiGate CLI Reference.

Viewing and editing BGP settings When you configure BGP settings, you need to specify the AS to which the FortiGate unit belongs and enter a router ID to identify this unit to other BGP routers. You must also identify the FortiGate unit’s BGP neighbors and specify which of the networks local to the FortiGate unit should be advertised to BGP neighbors. To view and edit BGP settings, go to Router > Dynamic > BGP. The web-based manager offers a simplified user interface to configure basic BGP options. You can also configure many advanced BGP options through the CLI. For more information, see the “router” chapter of the FortiGate CLI Reference. Figure 178: Basic BGP options

Delete

Local AS

Enter the number of the local AS to which the FortiGate unit belongs.

Router ID

Enter a unique router ID to identify the FortiGate unit to other BGP routers. The router ID is an IP address written in dotted-decimal format, for example 192.168.0.1. If you change the router ID while BGP is configured on an interface, all connections to BGP peers will be broken temporarily. The connections will reestablish themselves. If Router ID is not explicitly set, the highest IP address of the VDOM will be used.

Neighbors

The IP addresses and AS numbers of BGP peers in neighboring autonomous systems.

IP

Enter the IP address of the neighbor interface to the BGP-enabled network.

Remote AS

Enter the number of the AS that the neighbor belongs to.

Add/Edit

Add the neighbor information to the Neighbors list, or edit an entry in the list.

Neighbor

The IP addresses of BGP peers.

Remote AS

The numbers of the autonomous systems associated with the BGP peers.

Delete icon

Delete a BGP neighbor entry.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

303

Multicast

Router Dynamic

Networks

The IP addresses and network masks of networks to advertise to BGP peers. The FortiGate unit may have a physical or VLAN interface connected to those networks.

IP/Netmask

Enter the IP address and netmask of the network to be advertised.

Add

Add the network information to the Networks list.

Network

The IP addresses and network masks of major networks that are advertised to BGP peers.

Delete icon

Delete a BGP network definition.

Note: The get router info bgp CLI command provides detailed information about configured BGP settings. For a complete list of the command options, see the “router” chapter of the FortiGate CLI Reference.

Multicast A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root virtual domain. FortiGate units support PIM sparse mode (RFC 2362) and PIM dense mode (RFC 3973) and can service multicast servers or receivers on the network segment to which a FortiGate interface is connected.

How multicast works Multicast server applications use a (Class D) multicast address to send one copy of a packet to a group of receivers. The PIM routers throughout the network ensure that only one copy of the packet is forwarded through the network until it reaches an end-point destination. At the end-point destination, copies of the packet are made only when required to deliver the information to multicast client applications that request traffic destined for the multicast address. Note: To support PIM communications, the sending/receiving applications and all connecting PIM routers in between must be enabled with PIM version 2. PIM can use static routes, RIP, OSPF, or BGP to forward multicast packets to their destinations. To support source-to-destination packet delivery, either sparse mode or dense mode must be enabled on all the PIM-router interfaces. Sparse mode routers cannot send multicast messages to dense mode routers. In addition, if a FortiGate unit is located between a source and a PIM router, or between two PIM routers, or is connected directly to a receiver, you must create a firewall policy manually to pass encapsulated (multicast) packets or decapsulated data (IP traffic) between the source and destination.

A PIM domain is a logical area comprising a number of contiguous networks. The domain contains at least one Boot Strap Router (BSR). If sparse mode is enabled, the domain also contains a number of Rendezvous Points (RPs) and Designated Routers (DRs). When you enable PIM on a FortiGate unit, the FortiGate unit can perform any of these functions at any time as configured. If required for sparse mode operation, you can define static RPs. Note: You can configure basic options through the web-based manager. Many additional options are available, but only through the CLI. For complete descriptions and examples of how to use CLI commands to configure PIM settings, see multicast in the “router” chapter of the FortiGate CLI Reference.

Note: For more information about FortiGate multicast support, see the FortiGate Multicast Technical Note.

304

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Dynamic

Multicast

Viewing and editing multicast settings When multicast (PIM) routing is enabled, you can configure sparse mode or dense mode operation on any FortiGate interface. To view and edit PIM settings, go to Router > Dynamic > Multicast. The web-based manager offers a simplified user interface to configure basic PIM options. You can also configure advanced PIM options through the CLI. For more information, see the “router” chapter of the FortiGate CLI Reference. Figure 179: Basic Multicast options Add Static RP

Delete Edit

Enable Multicast Routing

Select to enable PIM version 2 routing. A firewall policy must be created on PIM-enabled interfaces to pass encapsulated packets and decapsulated data between the source and destination,

Add Static RP

If required for sparse mode operation, enter the IP address of a Rendezvous Point (RP) that may be used as the root of a packet distribution tree for a multicast group. Join messages from the multicast group are sent to the RP, and data from the source is sent to the RP. If an RP for the specified IP’s multicast group is already known to the Boot Strap Router (BSR), the RP known to the BSR is used and the static RP address that you specify is ignored.

Apply

Save the specified static RP addresses.

Create New

Create a new multicast entry for an interface. You can use the new entry to fine-tune PIM operation on a specific FortiGate interface or override the global PIM settings on a particular interface. For more information, see “Overriding the multicast settings on an interface” on page 306.

Interface

The names of FortiGate interfaces having specific PIM settings.

Mode

The mode of PIM operation (Sparse or Dense) on that interface.

Status

The status of parse-mode RP candidacy on the interface. To change the status of RP candidacy on an interface, select the Edit icon in the row that corresponds to the interface.

Priority

The priority number assigned to RP candidacy on that interface. Available only when RP candidacy is enabled.

DR Priority

The priority number assigned to Designated Router (DR) candidacy on the interface. Available only when sparse mode is enabled.

Delete and Edit icons

Delete or edit the PIM settings on the interface.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

305

Multicast

Router Dynamic

Overriding the multicast settings on an interface You use multicast (PIM) interface options to set operating parameters for FortiGate interfaces connected to PIM domains. For example, you can enable dense mode on an interface that is connected to a PIM-enabled network segment. When sparse mode is enabled, you can adjust the priority number that is used to advertise Rendezvous Point (RP) and/or Designated Router (DR) candidacy on the interface. Figure 180: Multicast interface settings

Interface

Select the name of the root VDOM FortiGate interface to which these settings apply. The interface must be connected to a PIM version 2 enabled network segment.

PIM Mode

Select the mode of operation: Sparse Mode or Dense Mode. All PIM routers connected to the same network segment must be running the same mode of operation. If you select Sparse Mode, adjust the remaining options as described below.

DR Priority

Enter the priority number for advertising DR candidacy on the FortiGate unit’s interface. The range is from 1 to 4 294 967 295. The unit compares this value to the DR interfaces of all other PIM routers on the same network segment, and selects the router having the highest DR priority to be the DR.

RP Candidate

Enable RP candidacy on the interface.

RP Candidate Priority Enter the priority number for advertising RP candidacy on the FortiGate interface. The range is from 1 to 255.

Multicast destination NAT Multicast destination NAT (DNAT) allows you translate externally received multicast destination addresses to addresses that conform to an organization's internal addressing policy. By using this feature that is available only in the CLI, you can avoid redistributing routes at the translation boundary into their network infrastructure for Reverse Path Forwarding (RPF) to work properly. They can also receive identical feeds from two ingress points in the network and route them independently. Configure multicast DNAT in the CLI by using the following command: config firewall multicast-policy edit p1 set dnat set ... next end For more information, see the “firewall” chapter of the FortiGate CLI Reference.

306

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Dynamic

Bi-directional Forwarding Detection (BFD)

Bi-directional Forwarding Detection (BFD) The bi-directional Forwarding Detection (BFD) protocol is designed to deal with dynamic routing protocols' lack of a fine granularity for detecting device failures on the network and re-routing around those failures. BFD can more quickly react to these failures, since it detects them on a millisecond timer, where other dynamic routing protocols can only detect them on a second timer. Your unit supports BFD as part of OSPF and BGP dynamic networking.

Note: You can configure BFD only from the CLI.

How BFD works When you enable BFD on your FortiGate unit, BFD starts trying to connect to other routers on the network. You can limit where BFD looks for routers by enabling one interface only, and by enabling BFD for specific neighboring routers on the network. Once the connection has been made, BFD will continue to send periodic packets to the router to make sure it is still operational. These small packets are sent frequently. If there is no response from the neighboring router within the set period of time, BFD on your unit reports that router down and changes routing accordingly. BFD continues to try to reestablish a connection with the non-responsive router. Once that connection is reestablished, routes are reset to include the router once again.

Configuring BFD BFD is intended for networks that use BGP or OSPF routing protocols. This generally excludes smaller networks. BFD configuration on your FortiGate unit is very flexible. You can enable BFD for the whole unit, and turn it off for one or two interfaces. Alternatively you can specifically enable BFD for each neighbor router, or interface. Which method you choose will be determined by the amount of configuring required for your network The timeout period determines how long the unit waits before labeling a connection as down. The length of the timeout period is important—if it is too short connections will be labeled down prematurely, and if it is too long time will be wasted waiting for a reply from a connection that is down. There is no easy number, as it varies for each network and unit. High end FortiGate models will respond very quickly unless loaded down with traffic. Also the size of the network will slow down the response time—packets need to make more hops than on a smaller network. Those two factors (CPU load and network traversal time) affect how long the timeout you select should be. With too short a timeout period, BFD will not connect to the network device but it will keep trying. This state generates unnecessary network traffic, and leaves the device unmonitored. If this happens, you should try setting a longer timeout period to allow BFD more time to discover the device on the network. Configuring BFD on your FortiGate unit For this example, BFD is enabled on the FortiGate unit using the default values. This means that once a connection is established, your unit will wait for up to 150 milliseconds for a reply from a BFD router before declaring that router down and rerouting traffic—a 50 millisecond minimum transmit interval multiplied by a detection multiplier of 3. The port that BFD traffic originates from will be checked for security purposes as indicated by disabling bfd-dont-enforce-src-port. config system settings FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

307

Bi-directional Forwarding Detection (BFD)

set set set set set end

Router Dynamic

bfd enable bfd-desired-min-tx 50 bfd-required-min-rx 50 bfd-detect-mult 3 bfd-dont-enforce-src-port disable Note: The minimum receive interval (bfd-required-min-rx) and the detection multiplier (bfd-detect-mult) combine to determine how long a period your unit will wait for a reply before declaring the neighbor down. The correct value for your situation will vary based on the size of your network and the speed of your unit’s CPU. The numbers used in this example may not work for your network.

Disabling BFD for a specific interface The previous example enables BFD for your entire FortiGate unit. If an interface is not connected to any BFD enabled routers, you can reduce network traffic by disabling BFD for that interface. For this example, BFD is disabled for the internal interface using CLI commands. config system interface edit set bfd disable end Configuring BFD on BGP Configuring BFD on a BGP network involves only one step— enable BFD globally and then disable it for each neighbor that is running the protocol. config system settings set bfd enable end config router bgp config neighbor edit set bfd disable end end Configuring BFD on OSPF Configuring BFD on an OSPF network is very much like enabling BFD on your unit—you can enable it globally for OSPF, and you can override the global settings at the interface level. To enable BFD on OSPF: configure routing OSPF set bfd enable end To override BFD on an interface: configure routing OSPF configure ospf-interface edit set bfd disable end end

308

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Dynamic

Customizable routing widgets

Customizable routing widgets You can customize the FortiGate web-based manager (or GUI) to show, hide, and arrange widgets/menus/items according to your specific requirements. Customizing the display allows you to vary or limit the GUI layout to address different administrator needs such as advanced routing. Only administrators with the super_admin admin profile may create and edit GUI layouts. For more information on GUI layouts, see “Customizable web-based manager” on page 231. Each of the customizable GUI widgets can be minimized or maximized using the arrow next to the widget title. Customizable routing widgets include: •

Access List

•

Distribute List

•

Key Chain

•

Offset List

•

Prefix List

•

Route Map

Access List Access lists are filters used by FortiGate unit routing processes to limit access to the network based on IP addresses. For an access list to take effect, it must be called by a FortiGate unit routing process (for example, a process that supports RIP or OSPF). The offset list is part of the RIP and OSPF routing protocols. For more information about RIP, see “RIP” on page 289. For more information about OSPF, see “OSPF” on page 294. Each rule in an access list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and any more specific prefix. Note: If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route, 0.0.0.0/0 can not be exactly matched with an access-list. A prefix-list must be used for this purpose. For more information, see “Prefix List” on page 312.

The FortiGate unit attempts to match a packet against the rules in an access list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found the default action is deny. Figure 181: Access List GUI widget

Access-list

Enter the name of a new access list. Select Add to save the new access list.

Name

The name of the access list.

Action

The action to take when the prefix of this access list is matched. Actions can be either permit or deny.

Prefix

The IP address prefix for this access-list. When this prefix is matched, the action is taken. The prefix can match any address, or a specific address.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

309

Customizable routing widgets

Router Dynamic

Delete Icon

Select delete to remove this access-list.

Add Icon

Select to add a rule to this access-list. Rules include actions and prefixes. Rules are processed from smallest to highest number.

For more information on access list, see the “router” chapter of the FortiGate CLI Reference.

Distribute List The distribute list is a subcommand of OSPF. It filters the networks in routing updates using an access or prefix list. Routes not matched by any of the distribution lists will not be advertised. The offset list is part of the RIP and OSPF routing protocols. For more information about OSPF, see “OSPF” on page 294. Note: You must configure the access list that you want the distribution list to use before you configure the distribution list. To configure an access list, see “Access List” on page 309. Figure 182: Distribute List GUI widget

Create New

Select to create a new distribute list. This includes setting the direction, selecting either the prefix-list or access-list, and interface.

Direction

The name of the access list.

Filter

The prefix-list or access-list to apply to this interface.

Interface

The interface to apply the filter on.

Enable

A green check indicates this distribute list is enabled.

Delete Icon

Select to remove a distribution list rule.

Edit Icon

Select to change the direction, filter, or interface of the distribute list.

For more information on the distribute list, see the “router” chapter of the FortiGate CLI Reference.

Key Chain A key chain is a list of one or more keys and the send and receive lifetimes for each key. Keys are used for authenticating routing packets only during the specified lifetimes. The FortiGate unit migrates from one key to the next according to the scheduled send and receive lifetimes. The sending and receiving routers should have their system dates and times synchronized, but overlapping the key lifetimes ensures that a key is always available even if there is some difference in the system times. RIP version 2 uses authentication keys to ensure that the routing information exchanged between routers is reliable. For authentication to work both the sending and receiving routers must be set to use authentication, and must be configured with the same keys. The offset list is part of the RIP and OSPF routing protocols. For more information about RIP, see “RIP” on page 289.

310

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Dynamic

Customizable routing widgets

Figure 183: Key Chain GUI widget

Key-chain

Enter the name for a new key-chain. Select Add to save the new key-chain.

Name

The name of the key-chain, or the number of the key on that chain.

Accept Lifetime

The start and end time that this key can accept routing packets.

Start

The start time for this key. The format is H:M:S M/D/YYYY.

End

The end time for this key. The end can be infinite, a set duration in seconds, or a set time as with the start time.

Send Lifetime

The start and end time that this key can send routing packets.

Start

The start time for this key. The format is H:M:S M/D/YYYY.

End

The end time for this key. The end can be infinite, a set duration in seconds, or a set time as with the start time.

Delete Icon

Select to remove a key or key-chain

Add Icon

Select to add keys to the key-chain.

Edit Icon

Select to edit an existing key.

For more information on key-chains, see the “router” chapter of the FortiGate CLI Reference.

Offset List Use the offset list to change the weighting of the metric (hop count) for a route from the offset list. The offset list is part of the RIP and OSPF routing protocols. For more information about RIP, see “RIP” on page 289. For more information about OSPF, see “OSPF” on page 294. Figure 184: Offset List GUI widget

Create New

Select to add a new offset to the list.

Direction

The direction can be In or Out.

Access-list

The access-list to use to match the traffic.

Offset

The adjustment to the hop count metric.

Interface

The interface this offset list applies to.

Delete Icon

Select to remove a offset entry.

Edit Icon

Select to edit an existing offset entry.

For more information on the offset list, see the “router” chapter of the FortiGate CLI Reference.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

311

Customizable routing widgets

Router Dynamic

Prefix List A prefix list is an enhanced version of an access list that allows you to control the length of the prefix netmask. Each rule in a prefix list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and maximum and minimum prefix length settings. The FortiGate unit attempts to match a packet against the rules in a prefix list starting at the top of the list. If it finds a match for the prefix it takes the action specified for that prefix. If no match is found the default action is deny. A prefix-list should be used to match the default route 0.0.0.0/0. For a prefix list to take effect, it must be called by another FortiGate unit routing feature such as RIP or OSPF. For more information about RIP, see “RIP” on page 289. For more information about OSPF, see “OSPF” on page 294. Figure 185: Prefix List GUI widget

Prefix-list

Enter the name of a new prefix-list. Select Add to save the new prefix list entry.

Name

The name of the prefix list, or the number of the prefix entry.

Action

The action of the prefix entry. Actions can be permit or deny.

Prefix

The IP address and netmask associated with this prefix. Optionally this can be set to match any address.

GE

Select the number of bits to match in the address. This number or greater will be matched for there to be a match.

LE

Select the number of bits to match in the address. This number or less will be matched for there to be a match

Delete Icon

Select to remove a prefix entry or list.

Add Icon

Select to add a prefix entry to a list.

Edit Icon

Select to edit an existing prefix entry.

For more information on the prefix list, see the “router” chapter of the FortiGate CLI Reference.

Route Map Route maps provide a way for the FortiGate unit to evaluate optimum routes for forwarding packets or suppressing the routing of packets to particular destinations using the BGP routing protocol. Compared to access lists, route maps support enhanced packet-matching criteria. In addition, route maps can be configured to permit or deny the addition of routes to the FortiGate unit routing table and make changes to routing information dynamically as defined through route-map rules. The FortiGate unit compares the rules in a route map to the attributes of a route. The rules are examined in ascending order until one or more of the rules in the route map are found to match one or more of the route attributes: •

312

When a single matching match-* rule is found, changes to the routing information are made as defined through the rule’s set-ip-nexthop, set-metric, set-metric-type, and/or set-tag settings. FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Dynamic

Customizable routing widgets

•

If no matching rule is found, no changes are made to the routing information.

•

When more than one match-* rule is defined, all of the defined match-* rules must evaluate to TRUE or the routing information is not changed.

•

If no match-* rules are defined, the FortiGate unit makes changes to the routing information only when all of the default match-* rules happen to match the attributes of the route.

The default rule in the route map (which the FortiGate unit applies last) denies all routes. For a route map to take effect, it must be called by a FortiGate unit routing process. Figure 186: Route Map GUI widget

Route-map

Enter the name of a new route-map. Select Add to save the new routemap.

Name

The name of the route map, or the number of the prefix entry.

Action

The action of the route map. Actions can be permit or deny.

Rules

The rules include the criteria to match and a value to set. The criteria to match can be an interface, address from access or prefix list, the next-hop to match from access or prefix list, a metrics, or other information. The value to set can be the next-hop IP address, the metric, metric type, and a tag number.

Delete Icon

Select to remove a route map or entry.

Add Icon

Select to add a route map entry to a route map.

Edit Icon

Select to edit an existing route map entry.

For more information on the route map, see the “router” chapter of the FortiGate CLI Reference.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

313

Customizable routing widgets

314

Router Dynamic

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Monitor

Viewing routing information

Router Monitor This section explains how to interpret the Routing Monitor list. The list displays the entries in the FortiGate routing table. If you enable virtual domains (VDOMs) on the FortiGate unit, router monitoring is available separately for each virtual domain. For more information, see “Using virtual domains” on page 103. This section describes: •

Viewing routing information

•

Searching the FortiGate routing table

Viewing routing information By default, all routes are displayed in the Routing Monitor list. The default static route is defined as 0.0.0.0/0, which matches the destination IP address of “any/all” packets. To display the routes in the routing table, go to Router > Monitor. Figure 187 shows the Routing Monitor list belonging to a FortiGate unit that has interfaces named “port1”, “port4”, and “lan”. The names of the interfaces on your FortiGate unit may be different. Figure 187: Routing Monitor list

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

315

Viewing routing information

Router Monitor

IP version

Select IPv4 or IPv6 routes.

Type

Select one of the following route types to search the routing table and display routes of the selected type only: All — all routes recorded in the routing table. Connected — all routes associated with direct connections to FortiGate interfaces. Static — the static routes that have been added to the routing table manually. For more information see “Static Route” on page 280. RIP — all routes learned through RIP. For more information see “RIP” on page 289. OSPF — all routes learned through OSPF. For more information see “OSPF” on page 294. BGP — all routes learned through BGP. For more information see “BGP” on page 302 HA — RIP, OSPF, and BGP routes synchronized between the primary unit and the subordinate units of a high availability (HA) cluster. HA routes are maintained on subordinate units and are visible only if you are viewing the router monitor from a virtual domain that is configured as a subordinate virtual domain in a virtual cluster. For details about HA routing synchronization, see the FortiGate High Availability User Guide.

Network

Enter an IP address and netmask (for example, 172.16.14.0/24) to search the routing table and display routes that match the specified network.

Gateway

Enter an IP address and netmask (for example, 192.168.12.1/32) to search the routing table and display routes that match the specified gateway.

Apply Filter Select to search the entries in the routing table based on the specified search criteria and display any matching routes.

316

Type

The type values assigned to FortiGate routes (Static, Connected, RIP, OSPF, or BGP).

Subtype

If applicable, the subtype classification assigned to OSPF routes. • An empty string implies an intra-area route. The destination is in an area to which the FortiGate unit is connected. • OSPF inter area — the destination is in the OSPF AS, but the FortiGate unit is not connected to that area. • External 1 — the destination is outside the OSPF AS. The metric of a redistributed route is calculated by adding the external cost and the OSPF cost together. • External 2 — the destination is outside the OSPF AS. In this case, the metric of the redistributed route is equivalent to the external cost only, expressed as an OSPF cost. • OSPF NSSA 1 — same as External 1, but the route was received through a notso-stubby area (NSSA). • OSPF NSSA 2 — same as External 2, but the route was received through a notso-stubby area.

Network

The IP addresses and network masks of destination networks that the FortiGate unit can reach.

Distance

The administrative distance associated with the route. A value of 0 means the route is preferable compared to routes to the same destination. To modify the administrative distance assigned to static routes, see “Adding a static route to the routing table” on page 284. To modify this distance for dynamic routes, see FortiGate CLI Reference.

Metric

The metric associated with the route type. The metric of a route influences how the FortiGate unit dynamically adds it to the routing table. The following are types of metrics and when they are applied. • Hop count — routes learned through RIP. • Relative cost — routes learned through OSPF. • Multi-Exit Discriminator (MED) — routes learned through BGP. However, several attributes in addition to MED determine the best path to a destination network.

Gateway

The IP addresses of gateways to the destination networks.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Router Monitor

Searching the FortiGate routing table

Interface

The interface through which packets are forwarded to the gateway of the destination network.

Up Time

The total accumulated amount of time that a route learned through RIP, OSPF, or BGP has been reachable.

Searching the FortiGate routing table You can apply a filter to search the routing table and display certain routes only. For example, you can display one or more static routes, connected routes, routes learned through RIP, OSPF, or BGP, and routes associated with the network or gateway that you specify. If you want to search the routing table by route type and further limit the display according to network or gateway, all of the values that you specify as search criteria must match corresponding values in the same routing table entry in order for that entry to be displayed (an implicit AND condition is applied to all of the search parameters you specify). For example, if the FortiGate unit is connected to network 172.16.14.0/24 and you want to display all directly connected routes to network 172.16.14.0/24, you must select Connected from the Type list, type 172.16.14.0/24 in the Network field, and then select Apply Filter to display the associated routing table entry or entries. Any entry that contains the word “Connected” in its Type field and the specified value in the Gateway field will be displayed. To search the FortiGate routing table 1 Go to Router > Monitor > Routing Monitor. 2 From the Type list, select the type of route to display. For example, select Connected to display all connected routes, or select RIP to display all routes learned through RIP. 3 If you want to display routes to a specific network, type the IP address and netmask of the network in the Networks field. 4 If you want to display routes to a specific gateway, type the IP address of the gateway in the Gateway field. 5 Select Apply Filter. Note: All of the values that you specify as search criteria must match corresponding values in the same routing table entry in order for that entry to be displayed.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

317

Searching the FortiGate routing table

318

Router Monitor

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Policy

How list order affects policy matching

Firewall Policy Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN subinterfaces. Firewall policies are instructions the FortiGate unit uses to decide connection acceptance and packet processing for traffic attempting to pass through. When the firewall receives a connection packet, it analyzes the packet’s source address, destination address, and service (by port number), and attempts to locate a firewall policy matching the packet. Firewall policies can contain many instructions for the FortiGate unit to follow when it receives matching packets. Some instructions are required, such as whether to drop or accept and process the packets, while other instructions, such as logging and authentication, are optional. Policy instructions may include network address translation (NAT), or port address translation (PAT), by using virtual IPs or IP pools to translate source and destination IP addresses and port numbers. For details on using virtual IPs and IP pools, see “Firewall Virtual IP” on page 365. Policy instructions may also include protection profiles, which can specify application-layer inspection and other protocol-specific protection and logging. For details on using protection profiles, see “Firewall Protection Profile” on page 397. If you enable virtual domains (VDOMs) on the FortiGate unit, firewall policies are configured separately for each virtual domain, and you must first enter the virtual domain to configure its firewall policies. For details, see “Using virtual domains” on page 103. This section describes: •

How list order affects policy matching

•

Multicast policies

•

Viewing the firewall policy list

•

Configuring firewall policies

•

Firewall policy examples

How list order affects policy matching Each time a FortiGate unit receives a connection attempting to pass through one of its interfaces, the unit searches its firewall policy list for a matching firewall policy. The search begins at the top of the policy list and progresses in order towards the bottom. The FortiGate unit evaluates each policy in the firewall policy list for a match until a match is found. When the FortiGate unit finds the first matching policy, it applies the matching policy’s specified actions to the packet, and disregards subsequent firewall policies. Matching firewall policies are determined by comparing the firewall policy and the packet’s: •

source and destination interfaces

•

source and destination firewall addresses

•

services

•

time/schedule.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

319

How list order affects policy matching

Firewall Policy

If no policy matches, the connection is dropped. As a general rule, you should order the firewall policy list from most specific to most general because of the order in which policies are evaluated for a match, and because only the first matching firewall policy is applied to a connection. Subsequent possible matches are not considered or applied. Ordering policies from most specific to most general prevents policies that match a wide range of traffic from superseding and effectively masking policies that match exceptions. For example, you might have a general policy that allows all connections from the internal network to the Internet, but want to make an exception that blocks FTP. In this case, you would add a policy that denies FTP connections above the general policy. Figure 188: Example: Blocking FTP — Correct policy order

}Exception

}General FTP connections would immediately match the deny policy, blocking the connection. Other kinds of services do not match the FTP policy, and so policy evaluation would continue until reaching the matching general policy. This policy order has the intended effect. But if you reversed the order of the two policies, positioning the general policy before the policy to block FTP, all connections, including FTP, would immediately match the general policy, and the policy to block FTP would never be applied. This policy order would not have the intended effect. Figure 189: Example: Blocking FTP — Incorrect policy order

}General }Exception

Similarly, if specific traffic requires authentication, IPSec VPN, or SSL VPN, you would position those policies above other potential matches in the policy list. Otherwise, the other matching policies could always take precedence, and the required authentication, IPSec VPN, or SSL VPN might never occur. Note: A default firewall policy may exist which accepts all connections. You can move, disable or delete it. If you move the default policy to the bottom of the firewall policy list and no other policy matches the packet, the connection will be accepted. If you disable or delete the default policy and no other policy matches the packet, the connection will be dropped.

Moving a policy to a different position in the policy list You can arrange the firewall policy list to influence the order in which policies are evaluated for matches with incoming traffic. When more than one policy has been defined for the same interface pair, the first matching firewall policy will be applied to the traffic session. For more information, see “How list order affects policy matching” on page 319. Moving a policy in the firewall policy list does not change its ID, which only indicates the order in which the policy was created. Figure 190: Move Policy

320

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Policy

Multicast policies

To move a firewall policy in the firewall policy list 1 Go to Firewall > Policy. 2 In the firewall policy list, note the ID of a firewall policy that is before or after your intended destination. 3 In the row corresponding to the firewall policy that you want to move, select the Move To icon. 4 Select Before or After, and enter the ID of the firewall policy that is before or after your intended destination. This specifies the policy’s new position in the firewall policy list. 5 Select OK.

Multicast policies FortiGate units support multicast policies. You can configure and create multicast policies using the following CLI command: config firewall multicast-policy For more information, see the FortiOS CLI Reference and the FortiGate Multicast Technical Note.

Viewing the firewall policy list The firewall policy list displays firewall policies in their order of matching precedence for each source and destination interface pair. If virtual domains are enabled on the FortiGate unit, firewall policies are configured separately for each virtual domain; you must access the VDOM before you can configure its policies. To access a VDOM, go to System > VDOM, and in the row corresponding to the VDOM whose policies you want to configure, select Enter. You can add, delete, edit, and re-order policies in the policy list. Firewall policy order affects policy matching. For details about arranging policies in a policy list, see “How list order affects policy matching” on page 319 and “Moving a policy to a different position in the policy list” on page 320. To view the policy list, go to Firewall > Policy. Figure 191: Firewall policy list

Filter

Delete Edit Insert Policy before Move To

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

321

Viewing the firewall policy list

Firewall Policy

Create New

Add a firewall policy. Select the down arrow beside Create New to add a firewall policy or firewall policy section. A firewall policy section visually groups firewall policies. For more information, see “Configuring firewall policies” on page 323.

Column Settings Customize the table view. You can select the columns to hide or display and specify the column displaying order in the table. For more information, see “Using column settings to control the columns displayed” on page 58 and “Web-based manager icons” on page 60.

322

Section View

Select to display firewall policies organized by source and destination interfaces. Note: Section View is not available if any policy selects Any as the source or destination interface.

Global View

Select to list all firewall policies in order according to a sequence number.

Filter icons

Edit the column filters to filter or sort the policy list according to the criteria you specify. For more information, see “Adding filters to web-based manager lists” on page 53.

ID

The policy identifier. Policies are numbered in the order they are added to the policy list.

From

The source interface of the policy. Global view only.

To

The destination interface of the policy. Global view only.

Source

The source address or address group to which the policy applies. For more information, see “Firewall Address” on page 345.

Destination

The destination address or address group to which the policy applies. For more information, see “Firewall Address” on page 345.

Schedule

The schedule that controls when the policy should be active. For more information, see “Firewall Schedule” on page 361.

Service

The service to which the policy applies. For more information, see “Firewall Service” on page 351.

Profile

The protection profile that is associated with the policy.

Action

The response to make when the policy matches a connection attempt.

Status

Select the checkbox to enable a policy or deselect it to disable a policy.

From

The source interface.

To

The destination interface.

VPN Tunnel

The VPN tunnel the VPN policy uses.

Authentication

The user authentication method the policy uses.

Comments

Comments entered when creating or editing the policy.

Log

A green check mark indicates traffic logging is enabled for the policy; a grey cross mark indicates traffic logging is disabled for the policy.

Count

The FortiGate unit counts the number of packets and bytes that hit the firewall policy. For example, 5/50B means that five packets and 50 bytes in total have hit the policy. The counter is reset when the FortiGate unit is restarted or the policy is deleted and re-configured.

Delete icon

Delete the policy from the list.

Edit icon

Edit the policy.

Insert Policy Before icon

Add a new policy above the corresponding policy (the New Policy screen appears).

Move To icon

Move the corresponding policy before or after another policy in the list. For more information, see “Moving a policy to a different position in the policy list” on page 320.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Policy

Configuring firewall policies

Configuring firewall policies You can configure firewall policies to define which sessions will match the policy and what actions the FortiGate unit will perform with packets from matching sessions. Sessions are matched to a firewall policy by considering these features of both the packet and policy: •

Source Interface/Zone

•

Source Address

•

Destination Interface/Zone

•

Destination Address

•

schedule and time of the session’s initiation

•

service and the packet’s port numbers.

If the initial packet matches the firewall policy, the FortiGate unit performs the configured Action and any other configured options on all packets in the session. Packet handling actions can be ACCEPT, DENY, IPSEC or SSL-VPN. •

ACCEPT policy actions permit communication sessions, and may optionally include other packet processing instructions, such as requiring authentication to use the policy, or specifying a protection profile to apply features such as virus scanning to packets in the session. An ACCEPT policy can also apply interface-mode IPSec VPN traffic if either the selected source or destination interface is an IPSec virtual interface. For more information, see “Overview of IPSec VPN configuration” on page 531.

•

DENY policy actions block communication sessions, and may optionally log the denied traffic.

•

IPSEC and SSL-VPN policy actions apply a tunnel mode IPSec VPN or SSL VPN tunnel, respectively, and may optionally apply NAT and allow traffic for one or both directions. If permitted by the firewall encryption policy, a tunnel may be initiated automatically whenever a packet matching the policy arrives on the specified network interface, destined for the local private network. For more information, see “IPSec firewall policy options” on page 330 and “Configuring SSL VPN identity-based firewall policies” on page 331.

To add or edit a firewall policy, go to Firewall > Policy. Select Create New to add a policy or select the edit icon beside an existing firewall policy. Configure the settings as described in the following table and in the references to specific features for IPSec, SSL VPN and other specialized settings, and then select OK. If you want to create a DoS policy, go to Firewall > Policy > DoS Policy, and configure the settings according to the following table. For more information, see “DoS policies” on page 337. If you want to use IPv6 firewall addresses in your firewall policy, first go to System > Admin > Settings. Select “IPv6 Support on GUI”. Then go to Firewall > Policy > IPv6 Policy, and configure the settings according to the following table. Firewall policy order affects policy matching. Each time that you create or edit a policy, make sure that you position it in the correct location in the list. You can create a new policy and position it right away before an existing one in the firewall policy list, by selecting Insert Policy before (see “Viewing the firewall policy list” on page 321). Note: You can configure differentiated services (DSCP) firewall policy options through the CLI. See the “firewall” chapter of the FortiGate CLI Reference.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

323

Configuring firewall policies

Firewall Policy

Figure 192: Firewall Policy options

Source Interface/Zone

Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone on which IP packets are received. Interfaces and zones are configured on the System Network page. For more information, see “Interfaces” on page 119 and “Configuring zones” on page 138. If you select Any as the source interface, the policy matches all interfaces as source. If Action is set to IPSEC, the interface is associated with the local private network. If Action is set to SSL-VPN, the interface is associated with connections from remote SSL VPN clients.

Source Address Select the name of a firewall address to associate with the Source Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see “Configuring addresses” on page 347. If you want to associate multiple firewall addresses or address groups with the Source Interface/Zone, from Source Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK. If Action is set to IPSEC, the address is the private IP address of the host, server, or network behind the FortiGate unit. If Action is set to SSL-VPN and the policy is for web-only mode clients, select all. If Action is set to SSL-VPN and the policy is for tunnel mode clients, select the name of the address that you reserved for tunnel mode clients.

324

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Policy

Configuring firewall policies

Destination Interface/Zone

Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone to which IP packets are forwarded. Interfaces and zones are configured on the System Network page. For more information, see “Interfaces” on page 119 and “Configuring zones” on page 138. If you select Any as the destination interface, the policy matches all interfaces as destination. If Action is set to IPSEC, the interface is associated with the entrance to the VPN tunnel. If Action is set to SSL-VPN, the interface is associated with the local private network.

Destination Address

Select the name of a firewall address to associate with the Destination Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see “Configuring addresses” on page 347. If you want to associate multiple firewall addresses or address groups with the Destination Interface/Zone, from Destination Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK. If you select a virtual IP, the FortiGate unit applies NAT or PAT. The applied translation varies by the settings specified in the virtual IP, and whether you select NAT (below). For more information on using virtual IPs, see “Firewall Virtual IP” on page 365. If Action is set to IPSEC, the address is the private IP address to which packets may be delivered at the remote end of the VPN tunnel. If Action is set to SSL-VPN, select the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.

Schedule

Select a one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see “Firewall Schedule” on page 361.

Service

Select the name of a firewall service or service group that packets must match to trigger this policy. You can select from a wide range of predefined firewall services, or you can create a custom service or service group by selecting Create New from this list. For more information, see “Configuring custom services” on page 357 and “Configuring service groups” on page 359. By selecting the Multiple button beside Service, you can select multiple services or service groups.

Action

Select how you want the firewall to respond when a packet matches the conditions of the policy. The options available will vary widely depending on this selection.

ACCEPT

Accept traffic matched by the policy. You can configure NAT, protection profiles, log traffic, shape traffic, set authentication options, or add a comment to the policy.

DENY

Reject traffic matched by the policy. The only other configurable policy options are Log Violation Traffic to log the connections denied by this policy and adding a Comment.

IPSEC

You can configure an IPSec firewall encryption policy to process IPSec VPN packets, as well as configure protection profiles, log traffic, shape traffic or add a comment to the policy. See “IPSec firewall policy options” on page 330.

SSL-VPN

You can configure an SSL-VPN firewall encryption policy to accept SSL VPN traffic. This option is available only after you have added a SSL-VPN user group. You can also configure NAT and protection profiles, log traffic, shape traffic or add a comment to the policy. See “Configuring SSL VPN identity-based firewall policies” on page 331.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

325

Configuring firewall policies

Firewall Policy

NAT

Available only if Action is set to ACCEPT or SSL-VPN. Enable or disable Network Address Translation (NAT) of the source address and port of packets accepted by the policy. When NAT is enabled, you can also configure Dynamic IP Pool and Fixed Port. If you select a virtual IP as the Destination Address, but do not select the NAT option, the FortiGate unit performs destination NAT (DNAT) rather than full NAT. Source NAT (SNAT) is not performed.

Dynamic IP Pool Select the check box, then select an IP pool to translate the source address to an IP address randomly selected from addresses in the IP Pool. IP Pool cannot be selected if the destination interface, VLAN subinterface, or one of the interfaces or VLAN subinterfaces in the destination zone is configured using DHCP or PPPoE, or if you have selected a Destination Interface to which no IP Pools are bound. You cannot use IP pools when using zones. An IP pool can only be associated with an interface. For details, see “IP pools” on page 381. Fixed Port

Select Fixed Port to prevent NAT from translating the source port. Some applications do not function correctly if the source port is translated. In most cases, if Fixed Port is selected, Dynamic IP pool is also selected. If Dynamic IP pool is not selected, a policy with Fixed Port selected can allow only one connection to that service at a time.

Enable Identity Based Policy

Select to configure firewall policies that require authentication. For more information, see “Adding authentication to firewall policies” on page 327.

Enable Endpoint Firewall policies can deny access for hosts that do not have FortiClient Endpoint Security software installed and operating. For more information, see “Endpoint Compliance Compliance Check options” on page 336. Check You cannot enable Endpoint Compliance Check in firewall policies if Redirect HTTP Challenge to a Secure Channel (HTTPS) is enabled in User > Options > Authentication.

326

User Authentication Disclaimer

Available only on some models and only if Action is set to ACCEPT. Select this option to display the Authentication Disclaimer page (a replacement message) to the user. The user must accept the disclaimer to connect to the destination. You can use the disclaimer together with authentication or a protection profile.

Redirect URL

Available only on some models and only if Action is set to ACCEPT. If you enter a URL, the user is redirected to the URL after authenticating and/or accepting the user authentication disclaimer.

Protection Profile

Select a protection profile to apply antivirus, web filtering, web category filtering, spam filtering, IPS, content archiving, and logging to a firewall policy. You can also create a protection profile by selecting Create New from this list. For more information, see “Firewall Protection Profile” on page 397. If you intend to apply authentication to this policy, do not make a Protection Profile selection. The user group you choose for authentication is already linked to a protection profile. For more information, see “Adding authentication to firewall policies” on page 327.

Traffic Shaping

Select a traffic shaper for the policy. You can also select to create a new traffic shaper. Traffic Shaping controls the bandwidth available to, and sets the priority of the traffic processed by, the policy. For information about traffic shaping, see “Traffic Shaping” on page 423. Note: To ensure that traffic shaping is working at its best, make sure that the interface ethernet statistics show no errors, collisions, or buffer overruns. If any of these problems do appear, then FortiGate and switch settings may require adjusting. Also, do not set both Guaranteed Bandwidth and Maximum Bandwidth to 0 (zero), or the policy will not allow any traffic.

Guaranteed Bandwidth

Select a value to ensure there is enough bandwidth available for a high-priority service. Be sure that the sum of all Guaranteed Bandwidth in all firewall policies is significantly less than the bandwidth capacity of the interface.

Maximum Bandwidth

Select to limit bandwidth in order to keep less important services from using bandwidth needed for more important ones.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Policy

Configuring firewall policies

Traffic Priority Select High, Medium, or Low. Select Traffic Priority so the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections. Be sure to enable traffic shaping on all firewall policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default. Distribute firewall policies over all three priority queues. Reverse Direction Traffic Shaping

Select to enable the reverse traffic shaping. For example, if the traffic direction that a policy controls is from port1 to port2, select this option will also apply the policy shaping configuration to traffic from port2 to port1.

Log Allowed Traffic

Select to record messages to the traffic log whenever the policy processes a connection. You must also enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower using the Log and Report screen. For more information see “Log&Report” on page 647.

Log Violation Traffic

Available only if Action is set to DENY. Select Log Violation Traffic, for Deny policies, to record messages to the traffic log whenever the policy processes a connection. You must also enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower using the Log and Report screen. For more information, see “Log&Report” on page 647.

Comments

Add information about the policy. The maximum length is 63 characters.

Adding authentication to firewall policies If you enable Enable Identity Based Policy in a firewall policy, network users must send traffic involving a supported firewall authentication protocol to trigger the firewall authentication challenge, and successfully authenticate, before the FortiGate unit will allow any other traffic matching the firewall policy. User authentication can occur through any of the following supported protocols: •

HTTP

•

HTTPS

•

FTP

•

Telnet

The authentication style depends on which of these supported protocols you have included in the selected firewall services group and which of those enabled protocols the network user applies to trigger the authentication challenge. The authentication style will be one of two types. For certificate-based (HTTPS or HTTP redirected to HTTPS only) authentication, you must install customized certificates on the FortiGate unit and on the browsers of network users, which the FortiGate unit matches. For user name and password-based (HTTP, FTP, and Telnet) authentication, the FortiGate unit prompts network users to input their firewall user name and password. For example, if you want to require HTTPS certificate-based authentication before allowing SMTP and POP3 traffic, you must select a firewall service (in the firewall policy) that includes SMTP, POP3 and HTTPS services. Prior to using either POP3 or SMTP, the network user would send traffic using the HTTPS service, which the FortiGate unit would use to verify the network user’s certificate; upon successful certificate-based authentication, the network user would then be able to access his or her email.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

327

Configuring firewall policies

Firewall Policy

In most cases, you should ensure that users can use DNS through the FortiGate unit without authentication. If DNS is not available, users will not be able to use a domain name when using a supported authentication protocol to trigger the FortiGate unit’s authentication challenge. Note: If you do not install certificates on the network user’s web browser, the network users may see an SSL certificate warning message and have to manually accept the default FortiGate certificate, which the network users’ web browsers may then deem as invalid. For information on installing certificates, see “System Certificates” on page 243. Note: When you use certificate authentication, if you do not specify any certificate when you create a firewall policy, the FortiGate unit will use the default certificate from the global settings will be used. If you specify a certificate, the per-policy setting will override the global setting. For information on global authentication settings, see “Options” on

page 590. Authentication requires that Action is ACCEPT or SSL-VPN, and that you first create users, assign them to a firewall user group, and assign a protection profile to that user group. For information on configuring user groups, see “User Group” on page 583. For information on configuring authentication settings, see “Identity-based firewall policy options (non-SSL-VPN)” on page 328 and “Configuring SSL VPN identity-based firewall policies” on page 331.

Identity-based firewall policy options (non-SSL-VPN) For network users to use non-SSL-VPN identity-based policies, you need to add user groups to the policy. For information about configuring user groups, see “User Group” on page 583. To configure identity-based policies, go to Firewall > Policy, select Create New to add a firewall policy, or, in the row corresponding to an existing firewall policy, select Edit. Make sure that Action is set to ACCEPT. Select Enable Identity Based Policy. Figure 193: Selecting user groups for authentication

Edit Delete Enable Identity Select to enable identity-based policy authentication. Based Policy When the Action is set to ACCEPT, you can select one or more authentication server types. When a network user attempts to authenticate, the server types selected indicate which local or remote authentication servers the FortiGate unit will consult to verify the user’s credentials.

328

Add

Select to create an identity-based firewall policy. For more information, see “To create an identity-based firewall policy (non-SSL-VPN)” on page 329.

User Group

The selected user groups that must authenticate to be allowed to use this policy.

Schedule

The one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see “Firewall Schedule” on page 361.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Policy

Configuring firewall policies

Service

The firewall service or service group that packets must match to trigger this policy.

Profile

The protection profile to apply antivirus, web filtering, web category filtering, spam filtering, IPS, content archiving, and logging to this policy. You can also create a protection profile by selecting Create New from this list. For more information, see “Firewall Protection Profile” on page 397.

Traffic Shaping The traffic shaping configuration for this policy. For more information, see “Firewall Policy” on page 319. Reverse Direction Traffic Shaping

Select to enable the reverse traffic shaping. For example, if the traffic direction that a policy controls is from port1 to port2, select this option will also apply the policy shaping configuration to traffic from port2 to port1.

Log Traffic

If the Log Allowed Traffic option is selected when adding an identity-based policy, a green check mark appears. Otherwise, a white cross mark appears.

Delete icon

Select to remove this policy.

Edit icon

Select to modify this policy.

Firewall

Include firewall user groups defined locally on the FortiGate unit, as well as on any connected LDAP and RADIUS servers. This option is selected by default.

Directory Include Directory Service groups defined in User > User Group. The groups are Service (FSAE) authenticated through a domain controller using Fortinet Server Authentication Extensions (FSAE). If you select this option, you must install the FSAE on the Directory Service domain controller. For information about FSAE, see the FSAE Technical Note. For information about configuring user groups, see “User Group” on page 583. NTLM Include Directory Service groups defined in User > User Group. If you select this Authentication option, you must use Directory Service groups as the members of the authentication group for NTLM. For information about configuring user groups, see “User Group” on page 583. Certificate

Certificate-based authentication only. Select the protection profile that guest accounts will use. Note: In order to implement certificate-based authentication, you must select a firewall service group that includes one of the supported authentication protocols that use certificate-based authentication. You should also install the certificate on the network user’s web browser. For more information, see “Adding authentication to firewall policies” on page 327.

To create an identity-based firewall policy (non-SSL-VPN) 1 Go to Firewall > Policy > Policy and select Create New. 2 Configure Source Interface/Zone, Source Address, Destination Interface/Zone, Destination Address, Schedule, and Service. For more information, see “Configuring firewall policies” on page 323. 3 In the Action field, select ACCEPT. 4 Select the Enable Identity Based Policy check box. A table opens below the check box. 5 Select Add.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

329

Configuring firewall policies

Firewall Policy

Figure 194: Creating identity-based firewall policies

Right Arrow Left Arrow

6 From the Available User Groups list, select one or more user groups that must authenticate to be allowed to use this policy. Select the right arrow to move the selected user groups to the Selected User Groups list. 7 Select services in the Available Services list and then select the right arrow to move them to the Selected Services list. 8 Select a schedule from the Schedule drop-down list. There is no default. 9 Optionally, select a Protection Profile, enable User Authentication Disclaimer or Log Allowed Traffic. 10 Optionally, select Traffic Shaping and choose a traffic shaper. 11 Select OK.

IPSec firewall policy options In a firewall policy (see “Configuring firewall policies” on page 323), the following encryption options are available for IPSec. To configure these options, go to Firewall > Policy, select Create New to add a firewall policy, or in the row corresponding to an existing firewall policy, select Edit. Make sure that Action is set to IPSEC. Enter the information in the following table and select OK. Figure 195: IPSEC encryption policy

330

VPN Tunnel

Select the VPN tunnel name defined in the phase 1 configuration. The specified tunnel will be subject to this firewall encryption policy.

Allow Inbound

Select to enable traffic from a dialup client or computers on the remote private network to initiate the tunnel.

Allow outbound

Select to enable traffic from computers on the local private network to initiate the tunnel.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Policy

Configuring firewall policies

Inbound NAT

Select to translate the source IP addresses of inbound decrypted packets into the IP address of the FortiGate interface to the local private network.

Outbound NAT

Select only in combination with a natip CLI value to translate the source addresses of outbound cleartext packets into the IP address that you specify. When a natip value is specified, the source addresses of outbound IP packets are replaced before the packets are sent through the tunnel. For more information, see the “firewall” chapter of the FortiGate CLI Reference.

Note: For a route-based (interface mode) VPN, you do not configure an IPSec firewall policy. Instead, you configure two regular ACCEPT firewall policies, one for each direction of communication, with the IPSec virtual interface as the source or destination interface as appropriate.

For more information, see the “Defining firewall policies” chapter of the FortiGate IPSec VPN User Guide.

Configuring SSL VPN identity-based firewall policies For network users to use SSL-VPN identity-based policies, you must configure users, add them to user groups, and then configure the policy. To create an identity-based firewall policy (SSL-VPN), go to Firewall > Policy > Policy and select Create New and enter the information in the following table. Select Action > SSL VPN. Note: The SSL-VPN option is only available from the Action list after you have added SSL VPN user groups. To add SSL VPN user groups, see “SSL VPN user groups” on page 585.

For more information, see “Configuring firewall policies” on page 323.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

331

Configuring firewall policies

Firewall Policy

Figure 196: Configuring a new SSL VPN firewall policy

Source Interface/Zone

Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone on which IP packets are received.

Source Address

Select the name of a firewall address to associate with the Source Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see “Configuring addresses” on page 347. If Action is set to SSL-VPN and the policy is for web-only mode clients, select all. If Action is set to SSL-VPN and the policy is for tunnel mode clients, select the name of the address that you reserved for tunnel mode clients.

Destination Interface/Zone Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone to which IP packets are forwarded. If Action is set to SSL-VPN, the interface is associated with the local private network.

332

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Policy

Configuring firewall policies

Destination Address

Select the name of a firewall address to associate with the Destination Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see “Configuring addresses” on page 347. If you want to associate multiple firewall addresses or address groups with the Destination Interface/Zone, from Destination Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK. If you select a virtual IP, the FortiGate unit applies NAT or PAT. The applied translation varies by the settings specified in the virtual IP, and whether you select NAT (below). For more information on using virtual IPs, see “Firewall Virtual IP” on page 365. If Action is set to IPSEC, the address is the private IP address to which packets may be delivered at the remote end of the VPN tunnel. If Action is set to SSL-VPN, select the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.

Action

Select SSL-VPN to configure the firewall encryption policy to accept SSL VPN traffic. This option is available only after you have added a SSL-VPN user group.

SSL Client Certificate Restrictive

Allow traffic generated by holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field.

Cipher Strength

Select the bit level of SSL encryption. The web browser on the remote client must be capable of matching the level that you select: Any, High >= 164, or Medium >= 128.

User Authentication Method

Select the authentication server type by which the user will be authenticated:

Any

For all of the above authentication methods. Local is attempted first, then RADIUS, then LDAP.

Local

For a local user group that will be bound to this firewall policy.

RADIUS

For remote clients that will be authenticated by an external RADIUS server.

LDAP

For remote clients that will be authenticated by an external LDAP server.

TACACS+

For remote clients that will be authenticated by an external TACACS+ server.

NAT

Enable or disable Network Address Translation (NAT) of the source address and port of packets accepted by the policy. When NAT is enabled, you can also configure Dynamic IP Pool and Fixed Port. If you select a virtual IP as the Destination Address, but do not select the NAT option, the FortiGate unit performs destination NAT (DNAT) rather than full NAT. Source NAT (SNAT) is not performed.

Fixed Port

Select Fixed Port to prevent NAT from translating the source port.

Enable Identity Based Policy

Select to configure a SSL-VPN firewall policy that requires authentication.

Add

Select to configure the valid authentication methods, user group names, and services. For more information, see “User Group” on page 583.

Comments

Add information about the policy. The maximum length is 63 characters.

To create an identity based firewall policy, select the Enable Identity Based Policy check box. A table opens below the check box. Select Add. The New Authentication Rule dialog opens (see Figure 197).

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

333

Configuring firewall policies

Firewall Policy

Figure 197: New Authentication Rule

User Group Available User Groups List of user groups available for inclusion in the firewall policy. To add a user group to the list, select the name and then select the Right Arrow. Selected User Groups List of user groups that are included in the firewall policy. To remove a user group from the list, select the name and then select the Left Arrow. Service

334

Available Services

List of available services to include in the firewall policy. To add a service to the list, select the name and then select the Right Arrow.

Selected Services

List of services that are included in the firewall policy. To remove a service from the list, select the name and then select the Left Arrow.

Schedule

Select a one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see “Firewall Schedule” on page 361.

Protection Profile

Select a protection profile to apply antivirus, web filtering, web category filtering, spam filtering, IPS, content archiving, and logging to a firewall policy. You can also create a protection profile by selecting Create New from this list. For more information, see “Firewall Protection Profile” on page 397.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Policy

Configuring firewall policies

Traffic Shaping

Select a traffic shaper for the policy. You can also select to create a new traffic shaper. Traffic Shaping controls the bandwidth available to, and sets the priority of the traffic processed by, the policy. For information about traffic shaping, see “Traffic Shaping” on page 423.

Reverse Direction Traffic Shaping

Select to enable the reverse traffic shaping. For example, if the traffic direction that a policy controls is from port1 to port2, select this option will also apply the policy shaping configuration to traffic from port2 to port1.

Reverse Direction Traffic Shaping

Select to enable the reverse traffic shaping. For example, if the traffic direction that a policy controls is from port1 to port2, select this option will also apply the policy shaping configuration to traffic from port2 to port1.

Log Allowed Traffic

Select to record messages to the traffic log whenever the policy processes a connection. You must also enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower using the Log and Report screen. For more information see “Log&Report” on page 647.

For information about how to create a firewall encryption policy for SSL VPN users, see the “SSL VPN administration tasks” chapter of the FortiGate SSL VPN User Guide. Figure 198: Selecting user groups for authentication

Move Up or Move Down

Delete Edit Enable Identity Based Policy

Select to enable identity-based policy authentication.

Add

Select to create an identity-based firewall policy.

Rule ID

The ID number of the policy.

User Group

The selected user groups that must authenticate to be allowed to use this policy.

Schedule

The one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see “Firewall Schedule” on page 361.

Service

The firewall service or service group that packets must match to trigger this policy.

Profile

The protection profile to apply antivirus, web filtering, web category filtering, spam filtering, IPS, content archiving, and logging to this policy. You can also create a protection profile by selecting Create New from this list. For more information, see “Firewall Protection Profile” on page 397.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

335

Configuring firewall policies

Firewall Policy

Traffic Shaping

The traffic shaping configuration for this policy. For more information, see “Traffic Shaping” on page 423.

Log Traffic

If the Log Allowed Traffic option is selected when adding an identitybased policy, a green check mark appears. Otherwise, a white cross mark appears.

Delete icon

Select to delete this policy.

Edit icon

Select to edit this policy.

Move Up or Move Down

Select to move the policy in the list. Firewall policy order affects policy matching. You can arrange the firewall policy list to influence the order in which policies are evaluated for matches with user groups.

Tip: If you select NAT, the IP address of the outgoing interface of the FortiGate unit is used as the source address for new sessions started by SSL VPN.

Note: The traffic shaping option can be used to traffic shape tunnel-mode SSL VPN traffic, but has no effect on web-mode SSL VPN traffic.

Endpoint Compliance Check options You can require users of a firewall policy to have FortiClient Endpoint Security software installed. Optionally, you can also require that the antivirus signatures are up-to-date and check for the presence of specific applications on the computer. You can quarantine noncompliant users to a web portal, from which they can download the FortiClient installer or update their antivirus signatures. For more information about configuring the Endpoint Control feature and monitoring endpoints, see “Endpoint control” on page 641. In a new or existing firewall policy, the following options configure the Endpoint Compliance Check: Figure 199: Endpoint Compliance firewall policy options

Enable Endpoint Compliance Check

Check that the source hosts of this firewall policy have FortiClient Endpoint Security software installed. Make sure that all of these hosts are capable of installing the software. You cannot enable Endpoint Compliance Check in firewall policies if Redirect HTTP Challenge to a Secure Channel (HTTPS) is enabled in User > Options > Authentication.

Enforce FortiClient AV Check that the FortiClient Endpoint Security application has the antivirus (real-time protection) feature enabled and is using the latest Up-to-date version of the antivirus signatures available from FortiGuard Services.

336

Collect System Information from the Endpoints

Collect information about the host computer, its operating system and specific installed applications. This information is displayed in the Endpoints list. See “Monitoring endpoints” on page 644.

Redirect Non-conforming Clients to Download Portal

The non-compliant user sees a web page that explains why they are non-compliant. The page also provides links to download a FortiClient application installer. To edit this web page go to System > Config > Replacement Messages and edit the Endpoint Control Download Portal replacement message. If the redirect is not enabled, the non-compliant user simply has no network access.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Policy

DoS policies

Note: If the firewall policy involves a load balancing virtual IP, the endpoint compliance check is not performed.

DoS policies DoS policies are primarily used to apply DoS sensors to network traffic based on the FortiGate interface it is leaving or entering as well as the source and destination addresses. DoS sensors are a traffic anomaly detection feature to identify network traffic that does not fit known or common traffic patterns and behavior. A common example of anomalous traffic is the denial of service attack. A denial of service occurs when an attacking system starts an abnormally large number of sessions with a target system. The large number of sessions slows down or disables the target system so legitimate users can no longer use it. DoS policies examine network traffic very early in the sequence of protective measures the FortiGate unit deploys to protect your network. Because of this, DoS policies are a very efficient defence, using few resources. The previously mention denial of service would be detected and its packets dropped before requiring firewall policy look-ups, antivirus scans, and other protective but resource-intensive operations.

Viewing the DoS policy list The DoS policy list displays the DoS policies in their order of matching precedence for each interface, source/destination address pair, and service. If virtual domains are enabled on the FortiGate unit, DoS policies are configured separately for each virtual domain; you must access the VDOM before you can configure its policies. To access a VDOM, go to System > VDOM, and in the row corresponding to the VDOM whose policies you want to configure, select Enter. You can add, delete, edit, and re-order policies in the DoS policy list. DoS policy order affects policy matching. As with firewall policies, DoS policies are checked against traffic in the order in which they appear in the DoS policy list, one at a time, from top to bottom. When a matching policy is discovered, it is used and further checking for DoS policy matches are stopped. To view the DoS policy list, go to Firewall > Policy > DoS Policy. Figure 200: The DoS policy list

Create New

Add a firewall policy. Select the down arrow beside Create New to add a firewall policy or firewall policy section. A firewall policy section visually groups firewall policies. For more information, see “Configuring DoS policies” on page 338.

Column Settings

Customize the table view. You can select the columns to hide or display and specify the column displaying order in the table.

Section View

Select to display firewall polices organized by interface.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

337

DoS policies

Firewall Policy

Global View

Select to list all firewall policies in order according to a sequence number.

Filter icon

Edit the column filters to filter or sort the policy list according to the criteria you specify. For more information, see “Adding filters to web-based manager lists” on page 53.

Status

When selected, the DoS policy is enabled. Clear the checkbox to disable the policy.

ID

A unique identifier for each policy. Policies are numbered in the order they are created.

Source

The source address or address group to which the policy applies. For more information, see “Firewall Address” on page 345.

Destination

The destination address or address group to which the policy applies. For more information, see “Firewall Address” on page 345.

Service

The service to which the policy applies. For more information, see “Firewall Service” on page 351.

DoS

The DoS sensor selected in this policy.

Interface

The interface to which this policy applies.

Delete icon

Delete the policy from the list.

Edit icon

Edit the policy.

Insert Policy Before icon

Add a new policy above the corresponding policy (the New Policy screen appears).

Move To icon

Move the corresponding policy before or after another policy in the list.

Configuring DoS policies The DoS policy configuration allows you to specify the interface, a source address, a destination address, and a service. All of the specified attributes must match network traffic to trigger the policy. You can also use the config firewall interface-policy CLI command to specify an IPS sensor to function as part of a DoS policy. For more information, see the FortiGate CLI Reference. For IPv6 operation, DoS sensors are not supported. Further, you must specify IPS sensors with the config firewall interface-policy CLI command. For more information on FortiGate IPv6 support, see “FortiGate IPv6 support” on page 230. Figure 201: Editing a DoS policy

338

Source Interface/Zone

The interface or zone to be monitored.

Source Address

Select an address or address range to limit traffic monitoring to network traffic sent from the specified address or range. Select Multiple to include multiple addresses or ranges.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Policy

Firewall policy examples

Destination Address

Select an address or address range to limit traffic monitoring to network traffic sent to the specified address or range. Select Multiple to include multiple addresses or ranges.

Service

Select a service to limit traffic monitoring to only the selected type.

DoS Sensor

Select and specify a DoS sensor to have the FortiGate apply the sensor to matching network traffic.

Firewall policy examples FortiGate units are capable of meeting various network requirements from home use to SOHO, large enterprises and ISPs. The following two scenarios demonstrate practical applications of firewall policies in the SOHO and large enterprise environments. This section describes: •

Scenario one: SOHO-sized business

•

Scenario two: enterprise-sized business

•

Viewing the firewall policy list

•

Configuring firewall policies

Scenario one: SOHO-sized business Company A is a small software company performing development and providing customer support. In addition to their internal network of 15 computers, they also have several employees who work from home all or some of the time. With their current network topography, all 15 of the internal computers are behind a router and must go to an external source to access the IPS mail and web servers. All homebased employees access the router through open/non-secured connections.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

339

Firewall policy examples

Firewall Policy

Figure 202: Example SOHO network before FortiGate installation

Internet

IPS Mail Server

Home-based Workers (no secure connection)

ISP Web Server 172.16.10.3

192.168.100.1

Finance Department

Help Desk

Engineering Department

Internal Network Company A requires secure connections for home-based workers. Like many companies, they rely heavily on email and Internet access to conduct business. They want a comprehensive security solution to detect and prevent network attacks, block viruses, and decrease spam. They want to apply different protection settings for different departments. They also want to integrate web and email servers into the security solution. To deal with their first requirement, Company A configures specific policies for each home-based worker to ensure secure communication between the home-based worker and the internal network. 1 Go to Firewall > Policy. 2 Select Create New and enter or select the following settings for Home_User_1:

340

Interface / Zone

Source: internal

Destination: wan1

Address

Source: CompanyA_Network

Destination: Home_User_1

Schedule

Always

Service

ANY

Action

IPSEC

VPN Tunnel

Home1

Allow Inbound

yes

Allow outbound

yes

Inbound NAT

yes

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Policy

Firewall policy examples

Outbound NAT

no

Protection Profile

Select the check mark and select standard_profile

3 Select OK. 4 Select Create New and enter or select the following settings for Home_User_2: Interface / Zone

Source: internal

Destination: wan1

Address

Source: CompanyA_network

Destination: All

Schedule

Always

Service

ANY

Action

IPSEC

VPN Tunnel

Home2_Tunnel

Allow Inbound

yes

Allow outbound

yes

Inbound NAT

yes

Outbound NAT

no

Protection Profile

Select the check mark and select standard_profile

5 Select OK. Figure 203: SOHO network topology with FortiGate-100

VPN Tunnel

Home User 1 172.20.100.6

Internet

External 172.30.120.8 FortiGate 100A

VPN Tunnel

Home User 2 172.25.106.99 DMZ 10.10.10.1 Email Server 10.10.10.2

Internal 192.168.100.1

Finance Users 192.168.100.10192.168.100.20

Engineering Users 192.168.100.51192.168.100.100

Web Server 10.10.10.3

Help Desk Users 192.168.100.21192.168.100.50

The proposed network is based around a ForitGate 100A unit. The 15 internal computers are behind the FortiGate unit. They now access the email and web servers in a DMZ, which is also behind the FortiGate unit. All home-based employees now access the office network through the FortiGate unit via VPN tunnels.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

341

Firewall policy examples

Firewall Policy

Scenario two: enterprise-sized business Located in a large city, the library system is anchored by a main downtown location serving most of the population, with more than a dozen branches spread throughout the city. Each branch is wired to the Internet but none are linked with each other by dedicated connections. The current network topography at the main location consists of three user groups. The main branch staff and public terminals access the servers in the DMZ behind the firewall. The catalog access terminals directly access the catalog server without first going through the firewall. The topography at the branch office has all three users accessing the servers at the main branch through non-secured internet connections. Figure 204: The library system’s current network topology

The library must be able to set different access levels for patrons and staff members. The first firewall policy for main office staff members allows full access to the Internet at all times. A second policy will allow direct access to the DMZ for staff members. A second pair of policies is required to allow branch staff members the same access. The staff firewall policies will all use a protection profile configured specifically for staff access. Enabled features include virus scanning, spam filtering, IPS, and blocking of all P2P traffic. FortiGuard web filtering is also used to block advertising, malware, and spyware sites.

342

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Policy

Firewall policy examples

A few users may need special web and catalog server access to update information on those servers, depending on how they are configured. Special access can be allowed based on IP address or user. The proposed topography has the main branch staff and the catalog access terminals going through a FortiGate HA cluster to the servers in a DMZ. The public access terminals first go through a FortiWiFi unit, where additional policies can be applied, to the HA Cluster and finally to the servers. The branch office has all three users routed through a FortiWiFi unit to the main branch via VPN tunnels. Figure 205: Proposed library system network topology

Policies are configured in Firewall > Policy. Protection Profiles are configured in Firewall > Protection Profile. Main office “staff to Internet” policy: Source Interface

Internal

Source Address

All

Destination Interface

External

Destination Address

All

Schedule

Always

Action

Accept

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

343

Firewall policy examples

Firewall Policy

Main office “staff to DMZ” policy: Source Interface

Internal

Source Address

All

Destination Interface

DMZ

Destination Address

Servers

Schedule

Always

Action

Accept

Branches “staff to Internet” policy: Source Interface

Branches

Source Address

Branch Staff

Destination Interface

External

Destination Address

All

Schedule

Always

Action

Accept

Branches “staff to DMZ” policy: Source Interface

Branches

Source Address

Branch Staff

Destination Interface

DMZ

Destination Address

Servers

Schedule

Always

Action

Accept

For more information about these examples, see:

344

•

SOHO and SMB Configuration Example Guide

•

FortiGate Enterprise Configuration Example

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Address

About firewall addresses

Firewall Address Firewall addresses and address groups define network addresses that you can use when configuring firewall policies’ source and destination address fields. The FortiGate unit compares the IP addresses contained in packet headers with firewall policy source and destination addresses to determine if the firewall policy matches the traffic. You can organize related addresses into address groups to simplify your firewall policy list. If you enable virtual domains (VDOMs) on the FortiGate unit, firewall addresses are configured separately for each virtual domain, and you must first enter the virtual domain to configure its firewall addresses. For details, see “Using virtual domains” on page 103. This section describes: •

About firewall addresses

•

Viewing the firewall address list

•

Configuring addresses

•

Viewing the address group list

•

Configuring address groups

About firewall addresses A firewall address can contain one or more network addresses. Network addresses can be represented by an IP address with a netmask, an IP address range, or a fully qualified domain name (FQDN). When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a firewall address can be: •

a single computer, such as 192.45.46.45

•

a subnetwork, such as 192.168.1.0 for a class C subnet

•

0.0.0.0, which matches any IP address

The netmask corresponds to the subnet class of the address being added, and can be represented in either dotted decimal or CIDR format. The FortiGate unit automatically converts CIDR formatted netmasks to dotted decimal format. Example formats: •

netmask for a single computer: 255.255.255.255, or /32

•

netmask for a class A subnet: 255.0.0.0, or /8

•

netmask for a class B subnet: 255.255.0.0, or /16

•

netmask for a class C subnet: 255.255.255.0, or /24

•

netmask including all IP addresses: 0.0.0.0

Valid IP address and netmask formats include: •

x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0

•

x.x.x.x/x, such as 192.168.1.0/24 Note: An IP address 0.0.0.0 with netmask 255.255.255.255 is not a valid firewall address.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

345

Viewing the firewall address list

Firewall Address

When representing hosts by an IP Range, the range indicates hosts with continuous IP addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.* to indicate the complete range of hosts on that subnet. Valid IP Range formats include: •

x.x.x.x-x.x.x.x, such as 192.168.110.100-192.168.110.120

•

x.x.x.[x-x], such as 192.168.110.[100-120]

•

x.x.x.*, such as 192.168.110.*

When representing hosts by a FQDN, the domain name can be a subdomain, such as mail.example.com. A single FQDN firewall address may be used to apply a firewall policy to multiple hosts, as in load balancing and high availability (HA) configurations. FortiGate units automatically resolve and maintain a record of all addresses to which the FQDN resolves. Valid FQDN formats include: •

.., such as mail.example.com

•

. Caution: Be cautious if employing FQDN firewall addresses. Using a fully qualified domain name in a firewall policy, while convenient, does present some security risks, because policy matching then relies on a trusted DNS server. Should the DNS server be compromised, firewall policies requiring domain name resolution may no longer function properly.

Note: By default, IPv6 firewall addresses can be configured only in the CLI. For information on enabling configuration of IPv6 firewall addresses in the web-based manager, see “Settings” on page 228.

Viewing the firewall address list Firewall addresses in the list are grouped by type: IP/Netmask, FQDN, or IPv6. FortiGate unit default configurations include the all address, which represents any IP address on any network. To view the address list, go to Firewall > Address. Figure 206: Firewall address list Create Options

Delete Edit

346

Create New

Add a firewall address. If IPv6 Support on GUI is enabled, you can alternatively select Create Options (the down arrow) located in the Create New button, then select IPv6 Address, to configure an IPv6 firewall address. For more information on enabling IPv6 support, see “Settings” on page 228.

Name

The name of the firewall address.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Address

Configuring addresses

Address / FQDN

The IP address and mask, IP address range, or fully qualified domain name.

Interface

The interface, zone, or virtual domain (VDOM) to which you bind the IP address.

Delete icon

Select to remove the address. The Delete icon appears only if a firewall policy or address group is not currently using the address.

Edit icon

Select to edit the address.

Configuring addresses You can use one of the following methods to represent hosts in firewall addresses: IP/Netmask, FQDN, or IPv6. Caution: Be cautious if employing FQDN firewall addresses. Using a fully qualified domain name in a firewall policy, while convenient, does present some security risks, because policy matching then relies on a trusted DNS server. Should the DNS server be compromised, firewall policies requiring domain name resolution may no longer function properly.

Note: By default, IPv6 firewall addresses can be configured only in the CLI. For information on enabling configuration of IPv6 firewall addresses in the web-based manager, see “Settings” on page 228.

To add a firewall address 1 Go to Firewall > Address. 2 Select Create New. If IPv6 Support on GUI is enabled, you can alternatively select the down arrow located in the Create New button, then select IPv6 Address to configure an IPv6 firewall address. For information on enabling configuration of IPv6 firewall addresses in the web-based manager, see “Settings” on page 228. 3 Complete the following: Figure 207: New address or IP range options

Address Name

Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must have unique names.

Type

Select the type of address: Subnet/IP Range or FQDN. You can enter either an IP range or an IP address with subnet mask.

Subnet / IP Range

Enter the firewall IP address, followed by a forward slash (/), then subnet mask, or enter an IP address range separated by a hyphen.

Interface

Select the interface, zone, or virtual domain (VDOM) link to which you want to bind the IP address. Select Any if you want to bind the IP address with the interface/zone when you create a firewall policy.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

347

Viewing the address group list

Firewall Address

4 Select OK. Tip: You can also create firewall addresses when configuring a firewall policy: Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Source Address list, select Address > Create New.

Viewing the address group list You can organize multiple firewall addresses into an address group to simplify your firewall policy list. For example, instead of having five identical policies for five different but related firewall addresses, you might combine the five addresses into a single address group, which is used by a single firewall policy. To view the address group list, go to Firewall > Address > Group. Figure 208: Firewall address group list Create Options

Delete Edit Create New

Add an address group. If IPv6 Support on GUI is enabled, you can alternatively select Create Options (the down arrow) located in the Create New button, then select IPv6 Address Group, to configure an IPv6 firewall address group. For more information on enabling IPv6 Support on GUI, see “Settings” on page 228.

Group Name

The name of the address group.

Members

The addresses in the address group.

Delete icon

Select to remove the address group. The Delete icon appears only if the address group is not currently being used by a firewall policy.

Edit icon

Select to edit the address group.

Configuring address groups Because firewall policies require addresses with homogenous network interfaces, address groups should contain only addresses bound to the same network interface, or to Any — addresses whose selected interface is Any are bound to a network interface during creation of a firewall policy, rather than during creation of the firewall address. For example, if address A1 is associated with port1, and address A2 is associated with port2, they cannot be grouped. However, if A1 and A2 have an interface of Any, they can be grouped, even if the addresses involve different networks. To organize addresses into an address group 1 Go to Firewall > Address > Group. 2 Select Create New. 3 Complete the following:

348

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Address

Configuring address groups

Figure 209: Address group options

Group Name

Enter a name to identify the address group. Addresses, address groups, and virtual IPs must have unique names.

Available Addresses

The list of all configured and default firewall addresses. Use the arrows to move selected addresses between the lists of available and member addresses.

Members

The list of addresses included in the address group. Use the arrows to move selected addresses between the lists of available and member addresses.

4 Select OK. Tip: You can also create firewall address groups when configuring a firewall policy: Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Source Address list, select Address Group > Create New.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

349

Configuring address groups

350

Firewall Address

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Service

Viewing the predefined service list

Firewall Service Firewall services define one or more protocols and port numbers associated with each service. Firewall policies use service definitions to match session types. You can organize related services into service groups to simplify your firewall policy list. If you enable virtual domains (VDOMs) on the FortiGate unit, you must configure firewall services separately for each virtual domain. For more information, see “Using virtual domains” on page 103. This section describes: •

Viewing the predefined service list

•

Viewing the custom service list

•

Configuring custom services

•

Viewing the service group list

•

Configuring service groups

Viewing the predefined service list Many well-known traffic types have been predefined in firewall services. These predefined services are defaults, and cannot be edited or removed. However, if you require different services, you can create custom services. For more information, see “Configuring custom services” on page 357. To view the predefined service list, go to Firewall > Service > Predefined. Figure 210: Predefined service list

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

351

Viewing the predefined service list

Firewall Service

Name

The name of the predefined service.

Detail

The protocol and port number of the predefined service.

Table 43: Predefined services Service name

Description

AFS3

Advanced File Security Encrypted File, version 3, of TCP the AFS distributed file system protocol. UDP

AH

Authentication Header. AH provides source host authentication and data integrity, but not secrecy. This protocol is used for authentication by IPSec remote gateways set to aggressive mode.

ANY

Matches connections using any protocol over IP.

all

all

AOL

America Online Instant Message protocol.

TCP

5190-5194

BGP

Border Gateway Protocol. BGP is an interior/exterior routing protocol.

TCP

179

CVSPSERVER

Concurrent Versions System Proxy Server.CSSPServer is very good for providing anonymous CVS access to a repository.

TCP

2401

UDP

2401

Distributed Computing Environment / Remote Procedure Calls. Applications using DCE-RPC can call procedures from another application without having to know on which host the other application is running.

TCP

135

UDP

135

DHCP

Dynamic Host Configuration Protocol. DHCP allocates network addresses and delivers configuration parameters from DHCP servers to hosts.

UDP

67 68

DHCP6

Dynamic Host Configuration Protocol for IPv6.

UDP

546, 547

DNS

Domain Name Service. DNS resolves domain names into IP addresses.

TCP

53

UDP

53

DCE-RPC

352

IP Protocol Port 7000-7009 7000-7009 51

ESP

Encapsulating Security Payload. ESP is used by manual key and AutoIKE IPSec VPN tunnels for communicating encrypted data. AutoIKE VPN tunnels use ESP after establishing the tunnel by IKE.

50

FINGER

A network service providing information about users.

TCP

79

FTP

File Transfer Protocol.

TCP

21

FTP_GET

File Transfer Protocol. FTP-GET is used for FTP connections which upload files.

TCP

21

FTP_PUT

File Transfer Protocol. FTP-PUT is used for FTP connections which download files.

TCP

21

GOPHER

Gopher organizes and displays Internet server contents as a hierarchically structured list of files.

TCP

70

GRE

Generic Routing Encapsulation. GRE allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets.

47

H323

H.323 multimedia protocol. H.323 is a standard TCP approved by the International Telecommunication Union (ITU) defining how audiovisual conferencing UDP data can be transmitted across networks. For more information, see the FortiGate Support for H.323 Technical Note.

1720, 1503 1719

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Service

Viewing the predefined service list

Table 43: Predefined services (Continued) Service name

Description

IP Protocol Port

HTTP

Hypertext Transfer Protocol. HTTP is used to browse web pages on the World Wide Web.

TCP

80

HTTPS

HTTP with secure socket layer (SSL). HTTPS is used for secure communication with web servers.

TCP

443

ICMP_ANY

Internet Control Message Protocol. ICMP allows control messages and error reporting between a host and gateway (Internet).

ICMP

Any

IKE

Internet Key Exchange. IKE obtains authenticated keying material for use with the Internet Security Association and Key Management Protocol (ISAKMP) for IPSEC.

UDP

500, 4500

IMAP

Internet Message Access Protocol. IMAP is used by TCP email clients to retrieves email messages from email servers.

143

IMAPS

IMAP with SSL. IMAPS is used for secure IMAP communication between email clients and servers. IMAPS is only available on FortiGate units that support SSL content scanning and inspection.

TCP

993

ICMP

17

INFO_REQUEST ICMP address mask request messages.

ICMP

15

IRC

Internet Relay Chat. IRC allows users to join chat channels.

TCP

6660-6669

InternetInternet Locator Service. ILS includes LDAP, User Locator-Service Locator Service, and LDAP over TLS/SSL.

TCP

389

L2TP

Layer 2 Tunneling Protocol. L2TP is a PPP-based tunnel protocol for remote access.

TCP

1701

UDP

1701

LDAP

Lightweight Directory Access Protocol. LDAP is used to access information directories.

TCP

389

MGCP

Media Gateway Control Protocol. MGCP is used by UDP call agents and media gateways in distributed Voice over IP (VoIP) systems.

2427, 2727

MS-SQL

Microsoft SQL Server is a relational database TCP management system (RDBMS) produced by Microsoft. Its primary query languages are MS-SQL and T-SQL.

1433, 1434

MYSQL

MySQL is a relational database management system (RDBMS) which runs as a server providing multi-user access to a number of databases.

TCP

3306

NFS

Network File System. NFS allows network users to mount shared files.

TCP

111, 2049

UDP

111, 2049

INFO_ADDRESS ICMP information request messages.

NNTP

Network News Transport Protocol. NNTP is used to TCP post, distribute, and retrieve Usenet messages.

119

NTP

Network Time Protocol. NTP synchronizes a host’s TCP time with a time server. UDP

123

NetMeeting

NetMeeting allows users to teleconference using the Internet as the transmission medium.

TCP

1720

ONC-RPC

Open Network Computing Remote Procedure Call. ONC-RPC is a widely deployed remote procedure call system.

TCP

111

UDP

111

OSPF

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Open Shortest Path First. OSPF is a common link state routing protocol.

123

89

353

Viewing the predefined service list

Firewall Service

Table 43: Predefined services (Continued)

354

Service name

Description

IP Protocol Port

PC-Anywhere

PC-Anywhere is a remote control and file transfer protocol.

TCP

5631

UDP

5632

PING

Ping sends ICMP echo request/replies to test connectivity to other hosts.

ICMP

8

PING6

Ping6 sends ICMPv6 echo request/replies to network hosts to test IPv6 connectivity to other hosts.

POP3

Post Office Protocol v3. POP retrieves email messages.

TCP

110

POP3S

Post Office Protocol v3 with secure socket layer (SSL). POP3S is used for secure retrieval of email messages. POP3S is only available on FortiGate units that support SSL content scanning and inspection.

TCP

995

PPTP

Point-to-Point Tunneling Protocol. PPTP is used to tunnel connections between private network hosts over the Internet. Note: Also requires IP protocol 47.

TCP

1723

QUAKE

Quake multi-player computer game traffic.

UDP

26000, 27000, 27910, 27960

RADIUS

Remote Authentication Dial In User Service. RADIUS is a networking protocol that provides centralized access, authorization and accounting management for people or computers to connect and use a network service.

TCP

1812, 1813

RAUDIO

RealAudio multimedia traffic.

UDP

7070

RDP

Remote Desktop Protocol is a multi-channel protocol that allows a user to connect to a networked computer.

TCP

3389

REXEC

Rexec traffic allows specified commands to be executed on a remote host running the rexecd service (daemon).

TCP

512

RIP

Routing Information Protocol. RIP is a common distance vector routing protocol. This service matches RIP v1.

UDP

520

RLOGIN

Remote login traffic.

TCP

513

RSH

Remote Shell traffic allows specified commands to be executed on a remote host running the rshd service (daemon).

TCP

514

RTSP

Real Time Streaming Protocol is a protocol for use TCP in streaming media systems which allows a client to remotely control a streaming media server, issuing VCR-like commands such as play and pause, and UDP allowing time-based access to files on a server.

58

47

SAMBA

Server Message Block. SMB allows clients to use file and print shares from enabled hosts. This is primarily used for Microsoft Windows hosts, but may be used with operating systems running the Samba daemon.

TCP

SCCP

Skinny Client Control Protocol. SCCP is a Cisco TCP proprietary standard for terminal control for use with voice over IP (VoIP).

554, 7070, 8554 554 139

2000

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Service

Viewing the predefined service list

Table 43: Predefined services (Continued) Service name

Description

IP Protocol Port

SIP

Session Initiation Protocol. SIP allows audiovisual conferencing data to be transmitted across networks. For more information, see the FortiGate SIP Support Technical Note.

UDP

5060

SIPMSNmessenger

Session Initiation Protocol used by Microsoft Messenger to initiate an interactive, possibly multimedia session.

TCP

1863

SMTP

Simple Mail Transfer Protocol. SMTP is used for TCP sending email messages between email clients and email servers, and between email servers.

25

SMTPS

SMTP with SSL. Used for sending email messages TCP between email clients and email servers, and between email servers securely. SMTPS is only available on FortiGate units that support SSL content scanning and inspection.

465

SNMP

Simple Network Management Protocol. SNMP can TCP be used to monitor and manage complex networks. UDP

161-162

SOCKS

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

SOCKetS. SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall.

161-162

TCP

1080

UDP

1080

355

Viewing the custom service list

Firewall Service

Table 43: Predefined services (Continued) Service name

Description

IP Protocol Port

SQUID

A proxy server and web cache daemon that has a wide variety of uses that includes speeding up a web server by caching repeated requests; caching web, DNS and other computer network lookups for a group of people sharing network resources; aiding security by filtering traffic.

TCP

3128

SSH

Secure Shell. SSH allows secure remote management and tunneling.

TCP

22

UDP

22

SYSLOG

Syslog service for remote logging.

UDP

514

TALK

Talk allows conversations between two or more users.

UDP

517-518

TCP

Matches connections using any TCP port.

TCP

0-65535

TELNET

Allows plain text remote management.

TCP

23

TFTP

Trivial File Transfer Protocol. TFTP is similar to FTP, but without security features such as authentication.

UDP

69

TIMESTAMP

ICMP timestamp request messages.

ICMP

13

TRACEROUTE

A computer network tool used to determine the route taken by packets across an IP network.

TCP

33434

UDP

33434

UDP

Matches connections using any UDP port.

UDP

0-65535

UUCP

Unix to Unix Copy Protocol. UUCP provides simple UDP file copying.

540

VDOLIVE

VDO Live streaming multimedia traffic.

TCP

7000-7010

VNC

Virtual Network Computing.VNC is a graphical desktop sharing system which uses the RFB protocol to remotely control another computer.

TCP

5900

WAIS

Wide Area Information Server. WAIS is an Internet search protocol which may be used in conjunction with Gopher.

TCP

210

WINFRAME

WinFrame provides communications between computers running Windows NT, or Citrix WinFrame/MetaFrame.

TCP

1494

WINS

Windows Internet Name Service is Microsoft's TCP implementation of NetBIOS Name Service (NBNS), UDP a name server and service for NetBIOS computer names.

1512

X-WINDOWS

X Window System (also known as X11) can forward TCP the graphical shell from an X Window server to X Window client.

1512 6000-6063

Viewing the custom service list If you need to create a firewall policy for a service that is not in the predefined service list, you can add a custom service. To view the custom service list, go to Firewall > Service > Custom.

356

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Service

Configuring custom services

Figure 211: Custom service list

Delete Edit Create New

Add a custom service.

Service Name

The name of the custom service.

Detail

The protocol and port numbers for each custom service.

Delete icon

Remove the custom service. The Delete icon appears only if the service is not currently being used by a firewall policy.

Edit icon

Edit the custom service.

Configuring custom services If you need to create a firewall policy for a service that is not in the predefined service list, you can add a custom service. Tip: You can also create custom services when you configure a firewall policy. Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Service list, select Service > Create New.

To add a custom TCP or UDP service 1 Go to Firewall > Service > Custom. 2 Select Create New. 3 Set Protocol Type to TCP/UDP. 4 Complete the fields in the following table and select OK. Figure 212: New Custom Service - TCP/UDP

Delete

Name

Enter a name for the custom service.

Protocol Type

Select TCP/UDP.

Protocol

Select TCP or UDP as the protocol of the port range being added.

Source Port

Specify the source port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the Low and High fields. The default values allow the use of any source port.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

357

Configuring custom services

Firewall Service

Destination Port Specify the destination port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the Low and High fields. Add

If your custom service requires more than one port range, select Add to allow more source and destination ranges.

Delete Icon

Remove the entry from the list.

To add a custom ICMP service 1 Go to Firewall > Service > Custom. 2 Select Create New. 3 Set Protocol Type to ICMP. 4 Complete the fields in the following table and select OK. Figure 213: New Custom Service - ICMP

Name

Enter a name for the ICMP custom service.

Protocol Type

Select ICMP.

Type

Enter the ICMP type number for the service.

Code

If required, enter the ICMP code number for the service.

To add a custom IP service 1 Go to Firewall > Service > Custom. 2 Select Create New. 3 Set Protocol Type to IP. 4 Complete the fields in the following table and select OK. Figure 214: New Custom Service - IP

Name

358

Enter a name for the IP custom service.

Protocol Type

Select IP.

Protocol Number

Enter the IP protocol number for the service.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Service

Viewing the service group list

Viewing the service group list You can organize multiple firewall services into a service group to simplify your firewall policy list. For example, instead of having five identical policies for five different but related firewall services, you might combine the five services into a single address group that is used by a single firewall policy. Service groups can contain both predefined and custom services. Service groups cannot contain other service groups. To view the service group list, go to Firewall > Service > Group. Figure 215: Sample service group list

Delete Edit Create New

Add a service group.

Group Name

The name to identify the service group.

Members

The services added to the service group.

Delete icon

Remove the entry from the list. The Delete icon appears only if the service group is not selected in a firewall policy.

Edit icon

Select to edit the Group Name and Members.

Configuring service groups You can organize multiple firewall services into a service group to simplify your firewall policy list. For example, instead of having five identical policies for five different but related firewall services, you might combine the five services into a single address group, which is used by a single firewall policy. Service groups can contain both predefined and custom services. Service groups cannot contain other service groups. To organize services into a service group, go to Firewall > Service > Group. Tip: You can also create custom service groups when you configure a firewall policy. Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Service list, select Service Group > Create New.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

359

Configuring service groups

Firewall Service

Figure 216: Service Group

360

Group Name

Enter a name to identify the service group.

Available Services

The list of configured and predefined services available for your group, with custom services at the bottom. Use the arrows to move selected services between this list and Members.

Members

The list of services in the group. Use the arrows to move selected services between this list and Available Services.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Schedule

Viewing the recurring schedule list

Firewall Schedule Firewall schedules control when policies are in effect. You can create one-time schedules or recurring schedules. One-time schedules are in effect only once for the period of time specified in the schedule. Recurring schedules are in effect repeatedly at specified times of specified days of the week. If you enable virtual domains (VDOMs) on the FortiGate unit, you must configure firewall schedules separately for each virtual domain. For more information, see “Using virtual domains” on page 103. This section describes: •

Viewing the recurring schedule list

•

Configuring recurring schedules

•

Viewing the one-time schedule list

•

Configuring one-time schedules

Viewing the recurring schedule list You can create a recurring schedule that activates a policy during a specified period of time. For example, you might prevent game playing during office hours by creating a recurring schedule that covers office hours. Note: If a recurring schedule has a stop time that is earlier than the start time, the schedule will take effect at the start time but end at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next. For example, to prevent game playing except at lunchtime, you might set the start time for a recurring schedule at 1:00 p.m. and the stop time at 12:00 noon. To create a recurring schedule that runs for 24 hours, set the start and stop times to 00.

To view the recurring schedule list, go to Firewall > Schedule > Recurring. Figure 217: Recurring schedule list

Delete

Edit Create New

Add a recurring schedule.

Name

The name of the recurring schedule.

Day

The initials of the days of the week on which the schedule is active.

Start

The start time of the recurring schedule.

Stop

The stop time of the recurring schedule.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

361

Configuring recurring schedules

Firewall Schedule

Delete icon

Remove the schedule from the list. The Delete icon appears only if the schedule is not being used in a firewall policy.

Edit icon

Edit the schedule.

Configuring recurring schedules To add a recurring schedule, go to Firewall > Schedule > Recurring. Complete the fields as described in the following table and select OK. To put a policy into effect for an entire day, set schedule start and stop times to 00. Figure 218: New Recurring Schedule

Name

Enter a name to identify the recurring schedule.

Select

Select the days of the week for the schedule to be active.

Start

Select the start time for the recurring schedule.

Stop

Select the stop time for the recurring schedule. Tip: You can also create recurring schedules when you configure a firewall policy. Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Schedule list, select Recurring > Create New.

Viewing the one-time schedule list You can create a one-time schedule that activates a policy during a specified period of time. For example, a firewall might be configured with a default policy that allows access to all services on the Internet at all times, but you could add a one-time schedule to block access to the Internet during a holiday. To view the one-time schedule list, go to Firewall > Schedule > One-time. Figure 219: One-time schedule list

Delete Edit

362

Create New

Add a one-time schedule.

Name

The name of the one-time schedule.

Start

The start date and time for the schedule.

Stop

The stop date and time for the schedule.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Schedule

Configuring one-time schedules

Delete icon

Remove the schedule from the list. The Delete icon appears only if the schedule is not being used in a firewall policy.

Edit icon

Edit the schedule.

Configuring one-time schedules To add a one-time schedule, go to Firewall > Schedule > One-time. Complete the fields as described in the following table and select OK. To put a policy into effect for an entire day, set schedule start and stop times to 00. Figure 220: New One-time Schedule

Name

Enter a name to identify the one-time schedule.

Start

Select the start date and time for the schedule.

Stop

Select the stop date and time for the schedule. Tip: You can also create one-time schedules when you configure a firewall policy. Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Schedule list, select One-time > Create New.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

363

Configuring one-time schedules

364

Firewall Schedule

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Virtual IP

How virtual IPs map connections through FortiGate units

Firewall Virtual IP Virtual IP addresses (VIPs) can be used when configuring firewall policies to translate IP addresses and ports of packets received by a network interface, including a modem interface. When the FortiGate unit receives inbound packets matching a firewall policy whose Destination Address field is a virtual IP, the FortiGate unit applies NAT, replacing packets’ IP addresses with the virtual IP’s mapped IP address. IP pools, similarly to virtual IPs, can be used to configure aspects of NAT; however, IP pools configure dynamic translation of packets’ IP addresses based on the Destination Interface/Zone, whereas virtual IPs configure dynamic or static translation of a packets’ IP addresses based upon the Source Interface/Zone. To implement the translation configured in the virtual IP or IP pool, you must add it to a NAT firewall policy. For details, see “Configuring virtual IPs” on page 370. Note: In Transparent mode from the FortiGate CLI you can configure NAT firewall policies that include Virtual IPs and IP pools. See “Adding NAT firewall policies in transparent mode” on page 386.

If you enable virtual domains (VDOMs) on the FortiGate unit, firewall virtual IPs are configured separately for each virtual domain. For details, see “Using virtual domains” on page 103. This section describes: •

How virtual IPs map connections through FortiGate units

•

Viewing the virtual IP list

•

Configuring virtual IPs

•

Virtual IP Groups

•

Viewing the VIP group list

•

Configuring VIP groups

•

IP pools

•

Viewing the IP pool list

•

Configuring IP Pools

•

Double NAT: combining IP pool with virtual IP

•

Adding NAT firewall policies in transparent mode

How virtual IPs map connections through FortiGate units Virtual IPs can specify translations of packets’ port numbers and/or IP addresses for both inbound and outbound connections. In Transparent mode, virtual IPs are available from the FortiGate CLI.

Inbound connections Virtual IPs can be used in conjunction with firewall policies whose Action is not DENY to apply bidirectional NAT, also known as inbound NAT. FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

365

How virtual IPs map connections through FortiGate units

Firewall Virtual IP

When comparing packets with the firewall policy list to locate a matching policy, if a firewall policy’s Destination Address is a virtual IP, FortiGate units compares packets’ destination address to the virtual IP’s external IP address. If they match, the FortiGate unit applies the virtual IP’s inbound NAT mapping, which specifies how the FortiGate unit translates network addresses and/or port numbers of packets from the receiving (external) network interface to the network interface connected to the destination (mapped) IP address or IP address range. In addition to specifying IP address and port mappings between interfaces, virtual IP configurations can optionally bind an additional IP address or IP address range to the receiving network interface. By binding an additional IP address, you can configure a separate set of mappings that the FortiGate unit can apply to packets whose destination matches that bound IP address, rather than the IP address already configured for the network interface. Depending on your configuration of the virtual IP, its mapping may involve port address translation (PAT), also known as port forwarding or network address port translation (NAPT), and/or network address translation (NAT) of IP addresses. If you configure NAT in the virtual IP and firewall policy, the NAT behavior varies by your selection of: •

static vs. dynamic NAT mapping

•

the dynamic NAT’s load balancing style, if using dynamic NAT mapping

•

full NAT vs. destination NAT (DNAT)

The following table describes combinations of PAT and/or NAT that are possible when configuring a firewall policy with a virtual IP. Static NAT

Static, one-to-one NAT mapping: an external IP address is always translated to the same mapped IP address. If using IP address ranges, the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses, and each IP address in the external range is always translated to the same IP address in the mapped range.

Static NAT with Static, one-to-one NAT mapping with port forwarding: an external IP address is Port Forwarding always translated to the same mapped IP address, and an external port number is always translated to the same mapped port number. If using IP address ranges, the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses, and each IP address in the external range is always translated to the same IP address in the mapped range. If using port number ranges, the external port number range corresponds to a mapped port number range containing an equal number of port numbers, and each port number in the external range is always translated to the same port number in the mapped range. Server Load Balancing

Dynamic, one-to-many NAT mapping: an external IP address is translated to one of the mapped IP addresses, as determined by the selected load balancing algorithm for more even traffic distribution. The external IP address is not always translated to the same mapped IP address. Server load balancing requires that you configure at least one “real” server, but can use up to eight. Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.

Server Load Dynamic, one-to-many NAT mapping with port forwarding: an external IP Balancing with address is translated to one of the mapped IP addresses, as determined by the Port Forwarding selected load balancing algorithm for more even traffic distribution. The external IP address is not always translated to the same mapped IP address. Server load balancing requires that you configure at least one “real” server, but can use up to eight. Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.

366

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Virtual IP

How virtual IPs map connections through FortiGate units

Note: If the NAT check box is not selected when building the firewall policy, the resulting policy does not perform full (source and destination) NAT; instead, it performs destination network address translation (DNAT). For inbound traffic, DNAT translates packets’ destination address to the mapped private IP address, but does not translate the source address. The private network is aware of the source’s public IP address. For reply traffic, the FortiGate unit translates packets’ private network source IP address to match the destination address of the originating packets, which is maintained in the session table.

A typical example of static NAT is to allow client access from a public network to a web server on a private network that is protected by a FortiGate unit. Reduced to its essence, this example involves only three hosts, as shown in Figure 221: the web server on a private network, the client computer on another network, such as the Internet, and the FortiGate unit connecting the two networks. When a client computer attempts to contact the web server, it uses the virtual IP on the FortiGate unit’s external interface. The FortiGate unit receives the packets. The addresses in the packets are translated to private network IP addresses, and the packet is forwarded to the web server on the private network. Figure 221: A simple static NAT virtual IP example

The packets sent from the client computer have a source IP of 192.168.37.55 and a destination IP of 192.168.37.4. The FortiGate unit receives these packets at its external interface, and matches them to a firewall policy for the virtual IP. The virtual IP settings map 192.168.37.4 to 10.10.10.42, so the FortiGate unit changes the packets’ addresses. The source address is changed to 10.10.10.2 and the destination is changed to 10.10.10.42. The FortiGate unit makes a note of this translation in the firewall session table it maintains internally. The packets are then sent on to the web server. Figure 222: Example of packet address remapping during NAT from client to server

Note that the client computer’s address does not appear in the packets the server receives. After the FortiGate unit translates the network addresses, there is no reference to the client computer’s IP address, except in its session table. The web server has no indication that another network exists. As far as the server can tell, all packets are sent by the FortiGate unit.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

367

How virtual IPs map connections through FortiGate units

Firewall Virtual IP

When the web server replies to the client computer, address translation works similarly, but in the opposite direction. The web server sends its response packets having a source IP address of 10.10.10.42 and a destination IP address of 10.10.10.2. The FortiGate unit receives these packets on its internal interface. This time, however, the session table is used to recall the client computer’s IP address as the destination address for the address translation. In the reply packets, the source address is changed to 192.168.37.4 and the destination is changed to 192.168.37.55. The packets are then sent on to the client computer. The web server’s private IP address does not appear in the packets the client receives. After the FortiGate unit translates the network addresses, there is no reference to the web server’s network. The client has no indication that the web server’s IP address is not the virtual IP. As far as the client is concerned, the FortiGate unit’s virtual IP is the web server. Figure 223: Example of packet address remapping during NAT from server to client

In the previous example, the NAT check box is checked when configuring the firewall policy. If the NAT check box is not selected when building the firewall policy, the resulting policy does not perform full NAT; instead, it performs destination network address translation (DNAT). For inbound traffic, DNAT translates packets’ destination address to the mapped private IP address, but does not translate the source address. The web server would be aware of the client’s IP address. For reply traffic, the FortiGate unit translates packets’ private network source IP address to match the destination address of the originating packets, which is maintained in the session table.

Outbound connections Virtual IPs can also affect outbound NAT, even though they are not selected in an outbound firewall policy. If no virtual IPs are configured, FortiGate units apply traditional outbound NAT to connections outbound from private network IP addresses to public network IP addresses. However, if virtual IP configurations exist, FortiGate units use virtual IPs’ inbound NAT mappings in reverse to apply outbound NAT, causing IP address mappings for both inbound and outbound traffic to be symmetric. For example, if a network interface’s IP address is 10.10.10.1, and its bound virtual IP’s external IP is 10.10.10.2, mapping inbound traffic to the private network IP address 192.168.2.1, traffic outbound from 192.168.2.1 will be translated to 10.10.10.2, not 10.10.10.1

368

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Virtual IP

Viewing the virtual IP list

VIP requirements Virtual IPs have the following requirements. •

The Mapped IP Address/Range cannot be 0.0.0.0 or 255.255.255.255.

•

The Mapped IP Address/Range must not include any interface IP addresses.

•

If the virtual IP is mapped to a range of IP addresses and its type is Static NAT, the External IP Address/Range cannot be 0.0.0.0.

•

When port forwarding, the External IP Address/Range cannot include any other interface IP addresses.

•

When port forwarding, the count of mapped port numbers and external port numbers must be the same, and the last port number in the range must not exceed 65535.

•

Virtual IP names must be different from address or address group names.

•

A physical external IP address can be used as the external VIP IP address.

•

Duplicate entries or overlapping ranges are not permitted.

Viewing the virtual IP list To view the virtual IP list, go to Firewall > Virtual IP > Virtual IP. Figure 224: Virtual IP list

Delete Edit Create New

Select to add a virtual IP.

Name

The name of the virtual IP.

IP

The bound network interface and external IP address or IP address, separated by a slash (/).

Service Port

The external port number or port number range. This field is empty if the virtual IP does not specify port forwarding.

Map to IP/IP Range

The mapped to IP address or address range on the destination network.

Map to Port

The mapped to port number or port number range. This field is empty if the virtual IP does not specify port forwarding.

Delete icon

Remove the virtual IP from the list. The Delete icon only appears if the virtual IP is not selected in a firewall policy.

Edit icon

Edit the virtual IP to change any virtual IP option including the virtual IP name.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

369

Configuring virtual IPs

Firewall Virtual IP

Configuring virtual IPs A virtual IP’s external IP address can be a single IP address or an IP address range, and is bound to a FortiGate unit interface. When you bind the virtual IP’s external IP address to a FortiGate unit interface, by default, the network interface responds to ARP requests for the bound IP address or IP address range. Virtual IPs use proxy ARP, as defined in RFC 1027, so that the FortiGate unit can respond to ARP requests on a network for a server that is actually installed on another network. To disable ARP replies, see the FortiGate CLI Reference. A virtual IP’s mapped IP address can be a single IP address, or an IP address range. When the FortiGate unit receives packets matching a firewall policy whose Destination Address field is a virtual IP, the FortiGate unit applies NAT, replacing the packet’s destination IP address with the virtual IP’s mapped IP address. To implement the translation configured in the virtual IP or IP pool, you must add it to a NAT firewall policy. For example, to add a firewall policy that maps public network addresses to a private network, add an external to internal firewall policy whose Destination Address field is a virtual IP. Figure 225: Creating a Virtual IP

Name

Enter or change the name to identify the virtual IP. To avoid confusion, addresses, address groups, and virtual IPs cannot have the same names.

External Interface Select the virtual IP external interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. You can select any FortiGate interface, VLAN subinterface, VPN interface, or modem interface.

370

Type

VIP type is Static NAT, read only.

External IP Address/Range

Enter the external IP address that you want to map to an address on the destination network. To configure a dynamic virtual IP that accepts connections for any IP address, set the external IP address to 0.0.0.0. For a static NAT dynamic virtual IP you can only add one mapped IP address. For a load balance dynamic virtual IP you can specify a single mapped address or a mapped address range.

Mapped IP Address/Range

Enter the real IP address on the destination network to which the external IP address is mapped. You can also enter an address range to forward packets to multiple IP addresses on the destination network. For a static NAT virtual IP, if you add a mapped IP address range the FortiGate unit calculates the external IP address range and adds the IP address range to the External IP Address/Range field. This option appears only if Type is Static NAT.

Port Forwarding

Select to perform port address translation (PAT).

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Virtual IP

Configuring virtual IPs

Protocol

Select the protocol of the forwarded packets. This option appears only if Port Forwarding is enabled.

External Service Port

Enter the external interface port number for which you want to configure port forwarding. This option appears only if Port Forwarding is enabled.

Map to Port

Enter the port number on the destination network to which the external port number is mapped. You can also enter a port number range to forward packets to multiple ports on the destination network. For a virtual IP with static NAT, if you add a map to port range the FortiGate unit calculates the external port number range and adds the port number range to the External Service port field. This option appears only if Port Forwarding is enabled.

SSL Offloading

Select to accelerate clients’ SSL connections to the server by using the FortiGate unit to perform SSL operations, then select which segments of the connection will receive SSL offloading. • Client FortiGate Select to apply hardware accelerated SSL only to the part of the connection between the client and the FortiGate unit. The segment between the FortiGate unit and the server will use clear text communications. This results in best performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator. • Client FortiGate Server Select to apply hardware accelerated SSL to both parts of the connection: the segment between client and the FortiGate unit, and the segment between the FortiGate unit and the server. The segment between the FortiGate unit and the server will use encrypted communications, but the handshakes will be abbreviated. This results in performance which is less than the other option, but still improved over communications without SSL acceleration, and can be used in failover configurations where the failover path does not have an SSL accelerator. If the server is already configured to use SSL, this also enables SSL acceleration without requiring changes to the server’s configuration. SSL 3.0, TLS 1.0, and TLS 1.1 are supported. This option appears only if Port Forwarding is selected, and only on FortiGate models whose hardware support SSL acceleration, such as FortiGate-3600A. Note: Additional SSL Offloading options are available in the CLI. For details, see the FortiGate CLI Reference.

Certificate

Select which SSL certificate to use with SSL Offloading. This option appears only if Port Forwarding is selected, and is available only if SSL Offloading is selected.

To configure a virtual IP 1 Go to Firewall > Virtual IP > Virtual IP. 2 Select Create New. 3 Configure the virtual IP by entering the virtual IP address, if any, that will be bound to the network interface, and selecting the mapping type and mapped IP address(es) and/or port(s). For configuration examples of each type, see: • “Adding a static NAT virtual IP for a single IP address” on page 372 • “Adding a static NAT virtual IP for an IP address range” on page 373 • “Adding static NAT port forwarding for a single IP address and a single port” on page 375 • “Adding static NAT port forwarding for an IP address range and a port range” on page 377 • “Adding dynamic virtual IPs” on page 378 • “Adding a virtual IP with port translation only” on page 379

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

371

Configuring virtual IPs

Firewall Virtual IP

4 Select OK. The virtual IP appears in the virtual IP list. 5 To implement the virtual IP, select the virtual IP in a firewall policy. For example, to add a firewall policy that maps public network addresses to a private network, you might add an external to internal firewall policy and select the Source Interface/Zone to which a virtual IP is bound, then select the virtual IP in the Destination Address field of the policy. For details, see “Configuring firewall policies” on page 323.

Adding a static NAT virtual IP for a single IP address The IP address 192.168.37.4 on the Internet is mapped to 10.10.10.42 on a private network. Attempts to communicate with 192.168.37.4 from the Internet are translated and sent to 10.10.10.42 by the FortiGate unit. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.4 rather than a FortiGate unit with a private network behind it. Figure 226: Static NAT virtual IP for a single IP address example

To add a static NAT virtual IP for a single IP address 1 Go to Firewall > Virtual IP > Virtual IP. 2 Select Create New. 3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In our example, the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network. Figure 227: Virtual IP options: static NAT virtual IP for a single IP address

Name

static_NAT

External Interface wan1 Type

372

Static NAT

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Virtual IP

Configuring virtual IPs

External IP Address/Range

The Internet IP address of the web server. The external IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.

Mapped IP Address/Range

The IP address of the server on the internal network. Since there is only one IP address, leave the second field blank.

4 Select OK. To add a static NAT virtual IP for a single IP address to a firewall policy Add a external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP address packets pass through the FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the external IP to the DMZ network IP address of the web server. 1 Go to Firewall > Policy and select Create New. 2 Configure the firewall policy: Source Interface/Zone

external

Source Address

All (or a more specific address)

Destination Interface/Zone

dmz1

Destination Address

simple_static_nat

Schedule

always

Service

HTTP

Action

ACCEPT

3 Select NAT. 4 Select OK.

Adding a static NAT virtual IP for an IP address range The IP address range 192.168.37.4-192.168.37.6 on the Internet is mapped to 10.10.10.42-10.10.123.44 on a private network. Packets from Internet computers communicating with 192.168.37.4 are translated and sent to 10.10.10.42 by the FortiGate unit. Similarly, packets destined for 192.168.37.5 are translated and sent to 10.10.10.43, and packets destined for 192.168.37.6 are translated and sent to 10.10.10.44. The computers on the Internet are unaware of this translation and see three computers with individual IP addresses rather than a FortiGate unit with a private network behind it.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

373

Configuring virtual IPs

Firewall Virtual IP

Figure 228: Static NAT virtual IP for an IP address range example

To add a static NAT virtual IP for an IP address range 1 Go to Firewall > Virtual IP > Virtual IP. 2 Select Create New. 3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to three individual web servers on the DMZ network. In this example, the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network. Figure 229: Virtual IP options: static NAT virtual IP with an IP address range

Name

static_NAT_range

External Interface

wan1

Type

Static NAT

External IP Address/Range

The Internet IP address range of the web servers. The external IP addresses are usually static IP addresses obtained from your ISP for your web server. These addresses must be unique IP addresses that are not used by another host and cannot be the same as the IP addresses of the external interface the virtual IP will be using. However, the external IP addresses must be routed to the selected interface. The virtual IP addresses and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP addresses.

Mapped IP Address/Range

The IP address range of the servers on the internal network. Define the range by entering the first address of the range in the first field and the last address of the range in the second field.

4 Select OK.

374

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Virtual IP

Configuring virtual IPs

To add a static NAT virtual IP with an IP address range to a firewall policy Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the server IP addresses, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination addresses of these packets from the wan1 IP to the DMZ network IP addresses of the servers. 1 Go to Firewall > Policy and select Create New. 2 Configure the firewall policy: Source Interface/Zone

wan1

Source Address

All (or a more specific address)

Destination Interface/Zone

dmz1

Destination Address

static_NAT_range

Schedule

always

Service

HTTP

Action

ACCEPT

3 Select NAT. 4 Select OK.

Adding static NAT port forwarding for a single IP address and a single port The IP address 192.168.37.4, port 80 on the Internet is mapped to 10.10.10.42, port 8000 on a private network. Attempts to communicate with 192.168.37.4, port 80 from the Internet are translated and sent to 10.10.10.42, port 8000 by the FortiGate unit. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.4, port 80 rather than a FortiGate unit with a private network behind it. Figure 230: Static NAT virtual IP port forwarding for a single IP address and a single port example

To add static NAT virtual IP port forwarding for a single IP address and a single port 1 Go to Firewall > Virtual IP > Virtual IP. 2 Select Create New.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

375

Configuring virtual IPs

Firewall Virtual IP

3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In our example, the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network. Figure 231: Virtual IP options: Static NAT port forwarding virtual IP for a single IP address and a single port

Name

Port_fwd_NAT_VIP

External Interface

wan1

Type

Static NAT

External IP Address/Range

The Internet IP address of the web server. The external IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.

Mapped IP Address/Range

The IP address of the server on the internal network. Since there is only one IP address, leave the second field blank.

Port Forwarding

Selected

Protocol

TCP

External Service Port

The port traffic from the Internet will use. For a web server, this will typically be port 80.

Map to Port

The port on which the server expects traffic. Since there is only one port, leave the second field blank.

4 Select OK. To add static NAT virtual IP port forwarding for a single IP address and a single port to a firewall policy Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP addresses, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination addresses and ports of these packets from the external IP to the dmz network IP addresses of the web servers. 1 Go to Firewall > Policy and select Create New. 2 Configure the firewall policy:

376

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Virtual IP

Configuring virtual IPs

Source Interface/Zone

wan1

Source Address

All (or a more specific address)

Destination Interface/Zone

dmz1

Destination Address

Port_fwd_NAT_VIP

Schedule

always

Service

HTTP

Action

ACCEPT

3 Select NAT. 4 Select OK.

Adding static NAT port forwarding for an IP address range and a port range Ports 80 to 83 of addresses 192.168.37.4 to 192.168.37.7 on the Internet are mapped to ports 8000 to 8003 of addresses 10.10.10.42 to 10.10.10.44 on a private network. Attempts to communicate with 192.168.37.5, port 82 from the Internet, for example, are translated and sent to 10.10.10.43, port 8002 by the FortiGate unit. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.5 rather than a FortiGate unit with a private network behind it. Figure 232: Static NAT virtual IP port forwarding for an IP address range and a port range example

To add static NAT virtual IP port forwarding for an IP address range and a port range 1 Go to Firewall > Virtual IP > Virtual IP. 2 Select Create New. 3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In this example, the external interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network. Name

Port_fwd_NAT_VIP_port_range

External Interface

external

Type

Static NAT

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

377

Configuring virtual IPs

Firewall Virtual IP

External IP Address/Range

The external IP addresses are usually static IP addresses obtained from your ISP. This addresses must be unique, not used by another host, and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP addresses must be routed to the selected interface. The virtual IP addresses and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP addresses.

Mapped IP Address/Range

The IP addresses of the server on the internal network. Define the range by entering the first address of the range in the first field and the last address of the range in the second field.

Port Forwarding

Selected

Protocol

TCP

External Service Port

The ports that traffic from the Internet will use. For a web server, this will typically be port 80.

Map to Port

The ports on which the server expects traffic. Define the range by entering the first port of the range in the first field and the last port of the range in the second field. If there is only one port, leave the second field blank.

4 Select OK. To add static NAT virtual IP port forwarding for an IP address range and a port range to a firewall policy Add a external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP addresses, packets pass through the FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates the destination addresses and ports of these packets from the external IP to the dmz network IP addresses of the web servers. 1 Go to Firewall > Policy and select Create New. 2 Configure the firewall policy: Source Interface/Zone

external

Source Address

All (or a more specific address)

Destination Interface/Zone

dmz1

Destination Address

Port_fwd_NAT_VIP_port_range

Schedule

always

Service

HTTP

Action

ACCEPT

3 Select NAT. 4 Select OK.

Adding dynamic virtual IPs Adding a dynamic virtual IP is similar to adding a virtual IP. The difference is that the External IP address must be set to 0.0.0.0 so the External IP address matches any IP address. To add a dynamic virtual IP 1 Go to Firewall > Virtual IP > Virtual IP. 2 Select Create New. 3 Enter a name for the dynamic virtual IP.

378

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Virtual IP

Configuring virtual IPs

4 Select the virtual IP External Interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. Select any firewall interface or a VLAN subinterface. 5 Set the External IP Address to 0.0.0.0. The 0.0.0.0 External IP Address matches any IP address. 6 Enter the Mapped IP Address to which to map the external IP address. For example, the IP address of a PPTP server on an internal network. 7 Select Port Forwarding. 8 For Protocol, select TCP. 9 Enter the External Service Port number for which to configure dynamic port forwarding. The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides PPTP passthrough access from the Internet to a PPTP server, the external service port number should be 1723 (the PPTP port). 10 Enter the Map to Port number to be added to packets when they are forwarded. Enter the same number as the External Service Port if the port is not to be translated. 11 Select OK.

Adding a virtual IP with port translation only When adding a virtual IP, if you enter a virtual IP address that is the same as the mapped IP address and apply port forwarding, the destination IP address will be unchanged, but the port number will be translated. Note: To apply port forwarding to the external interface without binding a virtual IP address to it, enter the IP address of the network interface instead of a virtual IP address, then configure port forwarding as usual.

To add a virtual IP with port translation only 1 Go to Firewall > Virtual IP > Virtual IP. 2 Select Create New. 3 Enter a name for the dynamic virtual IP. 4 Select the virtual IP External Interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. Select any firewall interface or a VLAN subinterface. 5 Set the External IP Address as the mapped IP address. 6 Enter the Mapped IP Address to which to map the external IP address. For example, the IP address of a PPTP server on an internal network. 7 Select Port Forwarding. 8 For Protocol, select TCP. 9 Enter the External Service Port number for which to configure dynamic port forwarding. The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides PPTP passthrough access from the Internet to a PPTP server, the external service port number should be 1723 (the PPTP port). FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

379

Virtual IP Groups

Firewall Virtual IP

10 Enter the Map to Port number to be added to packets when they are forwarded. 11 Select OK.

Virtual IP Groups You can organize multiple virtual IPs into a virtual IP group to simplify your firewall policy list. For example, instead of having five identical policies for five different but related virtual IPs located on the same network interface, you might combine the five virtual IPs into a single virtual IP group, which is used by a single firewall policy. Firewall policies using VIP Groups are matched by comparing both the member VIP IP address(es) and port number(s).

Viewing the VIP group list To view the virtual IP group list, go to Firewall > Virtual IP > VIP Group. Figure 233: VIP Group list

Delete Edit Create New

Select to add a new VIP group. See “Configuring VIP groups” on page 380.

Group Name

The name of the virtual IP group.

Members

Lists the group members.

Interface

Displays the interface that the VIP group belongs to.

Delete icon

Remove the VIP group from the list. The Delete icon only appears if the VIP group is not being used in a firewall policy.

Edit icon

Edit the VIP group information, including the group name and membership.

Configuring VIP groups To add a VIP group, go to Firewall > Virtual IP > VIP Group and select Create New. To edit a VIP group, go to Firewall > Virtual IP > VIP Group and select the Edit icon for the VIP group to edit. Enter the information as described below, and select OK.

380

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Virtual IP

IP pools

Figure 234: Editing a VIP group

Group Name

Enter or modify the group name.

Interface

Select the interface for which you want to create the VIP group. If you are editing the group, the Interface box is grayed out.

Available VIPs and Members

Select the up or down arrow to move virtual IPs between Available VIPs and Members. Members contains virtual IPs that are a part of this virtual IP group.

IP pools Use IP pools to add NAT policies that translate source addresses to addresses randomly selected from the IP pool, rather than the IP address assigned to that FortiGate unit interface. In Transparent mode, IP pools are available from the FortiGate CLI. An IP pool defines an address or a range of IP addresses, all of which respond to ARP requests on the interface to which the IP pool is added. Select Enable Dynamic IP Pool in a firewall policy to translate the source address of outgoing packets to an address randomly selected from the IP pool. An IP pool list appears when the policy destination interface is the same as the IP pool interface. With an IP pool added to the internal interface, you can select Dynamic IP pool for policies with the internal interface as the destination. Add multiple IP pools to any interface and select the IP pool to use when configuring a firewall policy. A single IP address is entered normally. For example, 192.168.110.100 is a valid IP pool address. If an IP address range is required, use either of the following formats. •

x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120

•

x.x.x.[x-x], for example 192.168.110.[100-120]

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

381

IP pools

Firewall Virtual IP

IP pools and dynamic NAT Use IP pools for dynamic NAT. For example, an organization might have purchased a range of Internet addresses but has only one Internet connection on the external interface of the FortiGate unit. Assign one of the organization’s Internet IP addresses to the external interface of the FortiGate unit. If the FortiGate unit is operating in NAT/Route mode, all connections from the network to the Internet appear to come from this IP address. For connections to originate from all the Internet IP addresses, add this address range to an IP pool for the external interface. Then select Dynamic IP Pool for all policies with the external interface as the destination. For each connection, the firewall dynamically selects an IP address from the IP pool to be the source address for the connection. As a result, connections to the Internet appear to be originating from any of the IP addresses in the IP pool.

IP Pools for firewall policies that use fixed ports Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service. Select fixed port for NAT policies to prevent source port translation. However, selecting fixed port means that only one connection can be supported through the firewall for this service. To be able to support multiple connections, add an IP pool to the destination interface, and then select dynamic IP pool in the policy. The firewall randomly selects an IP address from the IP pool and assigns it to each connection. In this case the number of connections that the firewall can support is limited by the number of IP addresses in the IP pool.

Source IP address and IP pool address matching When the source addresses are translated to the IP pool addresses, one of the following three cases may occur: Scenario 1: The number of source addresses equals that of IP pool addresses In this case, the FortiGate unit will always match the IP addressed one to one. If you use fixed port in such a case, the FortiGate unit will preserve the original source port. However, this may cause conflicts if more than one firewall policy uses the same IP pool, or the same IP addresses are used in more than one IP pool. Original address

Change to

192.168.1.1

172.16.30.1

192.168.1.2

172.16.30.2

......

......

192.168.1.254

172.16.30.254

Scenario 2: The number of source addresses is more than that of IP pool addresses In this case, the FortiGate unit translates IP addresses using a wrap-around mechanism. If you use fixed port in such a case, the FortiGate unit preserves the original source port. But conflicts may occur since users may have different sessions using the same TCP 5 tuples.

382

Original address

Change to

192.168.1.1

172.16.30.10

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Virtual IP

Viewing the IP pool list

192.168.1.2

172.16.30.11

......

......

192.168.1.10

172.16.30.19

192.168.1.11

172.16.30.10

192.168.1.12

172.16.30.11

192.168.1.13

172.16.30.12

......

......

Scenario 3: The number of source addresses is fewer than that of IP pool addresses In this case, some of the IP pool addresses will used and the rest of them will not be used. Original address

Change to

192.168.1.1

172.16.30.10

192.168.1.2

172.16.30.11

192.168.1.3

172.16.30.12

No more source addresses

172.16.30.13 and other addresses will not be used

Viewing the IP pool list If virtual domains are enabled on the FortiGate unit, IP pools are created separately for each virtual domain. To access IP pools, select a virtual domain from the list on the main menu. To view the IP pool list go to Firewall > Virtual IP > IP Pool. Figure 235: IP pool list

Delete Edit Create New

Select to add an IP pool.

Name

Enter the name of the IP pool.

Start IP

Enter the start IP defines the start of an address range.

End IP

Enter the end IP defines the end of an address range.

Delete icon

Select to remove the entry from the list. The Delete icon only appears if the IP pool is not being used in a firewall policy.

Edit icon

Select to edit the following information: Name, Interface, IP Range/Subnet.

Configuring IP Pools To add an IP pool, go to Firewall > Virtual IP > IP Pool.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

383

Double NAT: combining IP pool with virtual IP

Firewall Virtual IP

Figure 236: New Dynamic IP Pool

Name

Enter the name of the IP pool.

Interface

Select the interface to which to add an IP pool.

IP Range/Subnet Enter the IP address range for the IP pool. The IP range defines the start and end of an address range. The start of the range must be lower than the end of the range. The start and end of the IP range does not have to be on the same subnet as the IP address of the interface to which you are adding the IP pool.

Double NAT: combining IP pool with virtual IP When creating a firewall policy, you can use both IP pool and virtual IP for double IP and/or port translation. For example, in the following network topology: •

Users in the 10.1.1.0/24 subnet use port 8080 to access server 172.16.1.1.

•

The server’s listening port is 80.

•

Fixed ports must be used.

Figure 237: Double NAT

To allow the local users to access the server, you can use fixed port and IP pool to allow more than one user connection while using virtual IP to translate the destination port from 8080 to 80. To create an IP pool 1 Go to Firewall > Virtual IP > IP Pool.

384

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Virtual IP

Double NAT: combining IP pool with virtual IP

2 Select Create New. 3 Enter the following information and select OK. Name

pool-1

Interface

DMZ

IP Range/Subnet

10.1.3.1-10.1.3.254

To create a Virtual IP with port translation only 1 Go to Firewall > Virtual IP > Virtual IP. 2 Select Create New. 3 Enter the following information and select OK. Name

server-1

External Interface

Internal

Type

Static NAT

External IP 172.16.1.1 Address/Range Note this address is the same as the server address. Mapped IP 172.16.1.1. Address/Range Port Forwarding Enable Protocol

TCP

External Service 8080 Port Map to Port

80

To create a firewall policy Add an internal to dmz firewall policy that uses the virtual IP to translate the destination port number and the IP pool to translate the source addresses. 1 Go to Firewall > Policy. 2 Select Create New. 3 Configure the firewall policy: Source Interface/Zone

internal

Source Address

10.1.1.0/24

Destination Interface/Zone

dmz

Destination Address

server-1

Schedule

always

Service

HTTP

Action

ACCEPT

4 Select NAT. 5 Select OK.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

385

Adding NAT firewall policies in transparent mode

Firewall Virtual IP

Adding NAT firewall policies in transparent mode Similar to operating in NAT/Route mode, when operating a FortiGate unit in Transparent mode you can add firewall policies and: •

Enable NAT to translate the source addresses of packets as they pass through the FortiGate unit.

•

Add virtual IPs to translate destination addresses of packets as they pass through the FortiGate unit.

•

Add IP pools as required for source address translation

For NAT firewall policies to work in NAT/Route mode you must have two interfaces on two different networks with two different subnet addresses. Then you can create firewall policies to translate source or destination addresses for packets as they are relayed by the FortiGate unit from one interface to the other. A FortiGate unit operating in Transparent mode normally has only one IP address, the management IP. To support NAT in Transparent mode you can add a second management IP. These two management IPs must be on different subnets. When you add two management IP addresses, all FortiGate unit network interfaces will respond to connections to both of these IP addresses. In the example shown in Figure 238, all of the PCs on the internal network (subnet address 192.168.1.0/24) are configured with 192.168.1.99 as their default route. One of the management IPs of the FortiGate unit is set to 192.168.1.99. This configuration results in a typical NAT mode firewall. When a PC on the internal network attempts to connect to the Internet, the PC's default route sends packets destined for the Internet to the FortiGate unit internal interface. Similarly on the DMZ network (subnet address 10.1.1.0/24) all of the PCs have a default route of 10.1.1.99. The example describes adding an internal to wan1 firewall policy to relay these packets from the internal interface out the wan1 interface to the Internet. Because the wan1 interface does not have an IP address of its own, you must add an IP pool to the wan1 interface that translates the source addresses of the outgoing packets to an IP address on the network connected to the wan1 interface. The example describes adding an IP pool with a single IP address of 10.1.1.201. So all packets sent by a PC on the internal network that are accepted by the internal to wan1 policy leave the wan1 interface with their source address translated to 10.1.1.201. These packets can now travel across the Internet to their destination. Reply packets return to the wan1 interface because they have a destination address of 10.1.1.201. The internal to wan1 NAT policy translates the destination address of these return packets to the IP address of the originating PC and sends them out the internal interface to the originating PC. Use the following steps to configure NAT in Transparent mode

386

•

Adding two management IPs

•

Adding an IP pool to the wan1 interface

•

Adding an internal to wan1 firewall policy

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Virtual IP

Adding NAT firewall policies in transparent mode

Figure 238: Example NAT in Transparent mode configuration Internet

Router 10.1.1.0/24

Transparent mode Management IPs: 10.1.1.99 192.168.1.99 WAN 1

Internal network 192.168.1.0/24

Internal DMZ

DMZ network 10.1.1.0/24

To add a source address translation NAT policy in Transparent mode 1 Enter the following command to add two management IPs. The second management IP is the default gateway for the internal network. config system settings set manageip 10.1.1.99/24 192.168.1.99/24 end 2 Enter the following command to add an IP pool to the wan1 interface: config firewall ippool edit nat-out set interface "wan1" set startip 10.1.1.201 set endip 10.1.1.201 end 3 Enter the following command to add an internal to wan1 firewall policy with NAT enabled that also includes an IP pool: config firewall policy edit 1 set srcintf "internal" set dstintf "wan1" set scraddr "all" set dstaddr "all" set action accept set schedule "always" set service "ANY" set nat enable set ippool enable set poolname nat-out end

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

387

Adding NAT firewall policies in transparent mode

Firewall Virtual IP

Note: You can add the firewall policy from the web-based manager and then use the CLI to enable NAT and add the IP Pool.

388

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Load Balance

How load balancer works

Firewall Load Balance Use the FortiGate load balancing function to intercept the incoming traffic and share it across the available servers. By doing so, the FortiGate unit enables multiple servers to respond as if they were a single device or server. This in turn means that more simultaneous requests can be handled. There are additional benefits to server load balancing. Firstly, because the load is distributed across multiple servers, the service being provided can be highly available. If one of the servers breaks down, the load can still be handled by the other servers. Secondly, this increases scalability. If the load increases substantially, more servers can be added behind the FortiGate unit in order to cope with the increased load. This section describes: •

How load balancer works

•

Configuring virtual servers

•

Configuring real servers

•

Configuring health check monitors

•

Monitoring the servers

How load balancer works You can configure virtual servers on the FortiGate unit (load balancer) and bind them to a cluster of real servers. Up to 8 real servers can be bound to 1 virtual server. The topology of cluster is transparent to end users, and the users interact with the system as if it were only a single virtual server. The real servers may be interconnected by high-speed LAN or by geographically dispersed WAN. The FortiGate unit schedules requests to the different servers and makes parallel services of the cluster to appear as a virtual service on a single IP address. Figure 239: Virtual server and real servers setup

Internet/Intranet User

(Virtual Server/Load Balancer)

LAN/WAN Real Server

Real Server

Real Server

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

389

Configuring virtual servers

Firewall Load Balance

Configuring virtual servers Configure a virtual server’s external IP address and bind it to a FortiGate unit interface. When you bind the virtual server’s external IP address to a FortiGate unit interface, by default, the network interface responds to ARP requests for the bound IP address. Virtual servers use proxy ARP, as defined in RFC 1027, so that the FortiGate unit can respond to ARP requests on a network for a real server that is actually installed on another network. To disable ARP replies, see the FortiGate CLI Reference. To view the virtual server list, go to Firewall > Load Balance > Virtual Server. Figure 240: Virtual server list

Delete Edit

390

Create New

Select to add virtual servers. For more information, see “To create a virtual server” on page 391.

Name

Name of the virtual server. This name is not the hostname for the FortiGate unit.

Type

The communication protocol used by the virtual server.

Comments

Comments on the virtual server.

Virtual Server IP

The IP address of the virtual server.

Virtual server Port

The port number to which the virtual server communicates.

Load Balance Method

Load balancing methods include: • Static: The traffic load is spread evenly across all servers, no additional server is required. • Round Robin: Directs requests to the next server, and treats all servers as equals regardless of response time or number of connections. Dead servers or non responsive servers are avoided. A separate server is required. • Weighted: Servers with a higher weight value will receive a larger percentage of connections. Set the server weight when adding a server. • First Alive: Always directs requests to the first alive real server. • Least RTT: Directs requests to the server with the least round trip time. The round trip time is determined by a Ping monitor and is defaulted to 0 if no Ping monitors are defined. • Least Session: Directs requests to the server that has the least number of current connections. This method works best in environments where the servers or other equipment you are load balancing have similar capabilities.

Health Check

The health check monitor selected for this virtual server. For more information, see “Health Check” on page 392.

Persistence

Persistence is the process of ensuring that a user is connected to the same server every time they make a request within the boundaries of a single session. Depending on the type of protocol selected for the virtual server, the following persistence options are available: • None: No persistence option is selected. • HTTP Cookie: Persistence time is equal to the cookie age. Cookie ages are set in CLI under config firewall vip. • SSL Session ID: Persistence time is equal to the SSL sessions. SSL session states are set in CLI under config firewall vip.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Load Balance

Configuring virtual servers

Delete icon

Remove the virtual server from the list. The Delete icon only appears if the virtual server is not bound to a real server.

Edit icon

Edit the virtual server to change any virtual server option including the virtual server name.

To create a virtual server 1 Go to Firewall > Load Balance > Virtual Server > Create New. Figure 241: Creating a virtual server

2 Complete the following: Name

Enter the name for the virtual server. This name is not the hostname for the FortiGate unit.

Type

Enter the communication protocol used by the virtual server.

Interface

Select the virtual server external interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network.

Virtual Server IP

Enter the IP address of the virtual server.

Virtual server Port

The port number to which the virtual server communicates.

Load Balance Method

Select a load balancing method. For more information, see “Load Balance Method” on page 390.

Persistence

Select a persistence for the virtual server. For more information, see “Persistence” on page 390.

HTTP Multiplexing

Select to use the FortiGate unit’s HTTP proxy to multiplex multiple client connections destined for the web server into a few connections between the FortiGate unit and the web server. This can improve performance by reducing server overhead associated with establishing multiple connections. The server must be HTTP/1.1 compliant. This option appears only if HTTP or HTTS are selected for Type. Note: Additional HTTP Multiplexing options are available in the CLI. For more information, see the FortiGate CLI Reference.

Preserve Client IP

Select to preserve the IP address of the client in the X-Forwarded-For HTTP header. This can be useful if you require logging on the server of the client’s original IP address. If this option is not selected, the header will contain the IP address of the FortiGate unit. This option appears only if HTTP or HTTS are selected for Type, and is available only if HTTP Multiplexing is selected.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

391

Configuring real servers

Firewall Load Balance

SSL Offloading

Select to accelerate clients’ SSL connections to the server by using the FortiGate unit to perform SSL operations, then select which segments of the connection will receive SSL offloading. • Client FortiGate Select to apply hardware accelerated SSL only to the part of the connection between the client and the FortiGate unit. The segment between the FortiGate unit and the server will use clear text communications. This results in best performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator. • Client FortiGate Server Select to apply hardware accelerated SSL to both parts of the connection: the segment between client and the FortiGate unit, and the segment between the FortiGate unit and the server. The segment between the FortiGate unit and the server will use encrypted communications, but the handshakes will be abbreviated. This results in performance which is less than the other option, but still improved over communications without SSL acceleration, and can be used in failover configurations where the failover path does not have an SSL accelerator. If the server is already configured to use SSL, this also enables SSL acceleration without requiring changes to the server’s configuration. SSL 3.0, TLS 1.0, and TLS 1.1 are supported. SSL Offloading appears only if HTTPS or SSL are selected for Type, and only on FortiGate models with hardware that supports SSL acceleration. Note: Additional SSL Offloading options are available in the CLI. For more information, see the FortiGate CLI Reference.

Certificate

Select the certificate to use with SSL Offloading. The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported. This option appears only if HTTPS or SSL are selected for Type, and is available only if SSL Offloading is selected.

Health Check

Select which health check monitor configuration will be used to determine a server’s connectivity status. For information on configuring health check monitors, see “Configuring health check monitors” on page 393.

Comments

Any comments or notes about this virtual server.

3 Select OK.

Configuring real servers Configure a real server to bind it to a virtual server. To view the real server list, go to Firewall > Load Balance > Real Server. Figure 242: Real server list

Delete Edit

392

Create New

Select to add real servers. For more information, see “To create a real server” on page 393.

IP Address

Select the blue arrow beside a virtual server name to view the IP addresses of the real servers that are bound to it.

Port

The port number on the destination network to which the external port number is mapped.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Load Balance

Configuring health check monitors

Weight

The weight value of the real server. The higher the weight value, the higher the percentage of connections the server will handle.

Max Connection

The limit on the number of active connections directed to a real server. If the maximum number of connections is reached for the real server, the FortiGate unit will automatically switch all further connection requests to another server until the connection number drops below the specified limit.

Delete icon

Remove the real server from the list.

Edit icon

Edit the real server to change any virtual server option.

To create a real server 1 Go to Firewall > Load Balance > Real Server > Create New. Figure 243: Creating a real server

2 Complete the following: Virtual Server

Select the virtual server to which you want to bind this real server.

IP

Enter the IP address of the real server.

Port

Enter the port number on the destination network to which the external port number is mapped.

Weight

Enter the weight value of the real server. The higher the weight value, the higher the percentage of connections the server will handle. A range of 1-255 can be used. This option is available only if the associated virtual server’s load balance method is Weighted.

Max Connection

Enter the limit on the number of active connections directed to a real server. A range of 1-99999 can be used. If the maximum number of connections is reached for the real server, the FortiGate unit will automatically switch all further connection requests to another server until the connection number drops below the specified limit.

3 Select OK.

Configuring health check monitors You can specify which health check monitor configuration to use when polling to determine a virtual server’s connectivity status. Health check monitor configurations can specify TCP, HTTP or ICMP PING. A health check occurs every number of seconds indicated by the interval. If a reply is not received within the timeout period, and you have configured the health check to retry, it will attempt a health check again; otherwise, the virtual server is deemed unresponsive, and load balancing will compensate by disabling traffic to that server until it becomes responsive again.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

393

Configuring health check monitors

Firewall Load Balance

Figure 244: Health check monitor

Delete Edit Create New

Select to add a health check monitor configuration. For more information, see “To create a health check monitor configuration” on page 394.

Name

The name of the health check monitor configuration. The names are grouped by the health check monitor types.

Details

The details of the health check monitor configuration, which vary by the type of the health check monitor, and do not include the interval, timeout, or retry, which are settings common to all types. This field is empty if the type of the health check monitor is PING.

Delete

Select to remove the health check monitor configuration. This option appears only if the health check monitor configuration is not currently being used by a virtual server configuration.

Edit

Select to change the health check monitor configuration.

To create a health check monitor configuration 1 Go to Firewall > Virtual IP > Health Check Monitor > Create New. Figure 245: Creating a health check monitor

2 Complete the following: Name

Enter the name of the health check monitor configuration.

Type

Select the protocol used to perform the health check. • TCP • HTTP • PING

Port

Enter the port number used to perform the health check. This option does not appear if the Type is PING.

URL

Enter the URL that will receive the HTTP request. This option appears only if Type is HTTP.

Matched Content Enter the HTTP reply content that must be present to indicate proper server connectivity. This option appears only if Type is HTTP. Interval

394

Enter the number of seconds between each server health check.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ • Feedback

Firewall Load Balance

Monitoring the servers

Timeout

Enter the number of seconds which must pass after the server health check to indicate a failed health check.

Retry

Enter the number of times, if any, a failed health check will be retried before the server is determined to be inaccessible.

3 Select OK.

Monitoring the servers You can monitor the status of each virtual server and real server and start or stop the real servers. Figure 246: Server monitor

Virtual Server

The IP addresses of the existing virtual servers.

Real Server

The IP addresses of the existing real servers.

Health Status

Display the health status according to the health check results for each real server. A green arrow means the server is up. A red arrow means the server is down.

Monitor Events

Display each real server's up and down times.

Active Sessions

Display each real server's active sessions.

RTT (ms)

Display the Round Trip Time of each real server. By default, the RTT is “