Fortinet FortiGate 4000 Instrukcja Użytkownika

FortiGate – 4000User ManualPOWER ON/OFFLAN 1 LAN 2PWR/KVMSTATUSKVM/ACCESSPOWER ON/OFFLAN 1 LAN 2PWR/KVMSTATUSKVM/ACCESSPOWER ON/OFFLAN 1 LAN 2PWR/KVMS

Contents10 Fortinet Inc.Addresses ...

100 Fortinet Inc.Active-Active cluster packet flow High availability

FortiGate-4000 Installation and Configuration Guide Version 2.50FortiGate-4000 Installation and Configuration Guide 101System statusYou can connect t

102 Fortinet Inc.Changing the FortiGate host name System statusChanging the FortiGate host nameThe FortiGate host name appears on the Status page and

System status Changing the FortiGate firmwareFortiGate-4000 Installation and Configuration Guide 103Upgrading to a new firmware versionUse the follo

104 Fortinet Inc.Changing the FortiGate firmware System status4 Make sure the FortiGate unit can connect to the TFTP server.You can use the following

System status Changing the FortiGate firmwareFortiGate-4000 Installation and Configuration Guide 105If you are reverting to a previous FortiOS versi

106 Fortinet Inc.Changing the FortiGate firmware System statusIf you are reverting to a previous FortiOS version (for example, reverting from FortiOS

System status Changing the FortiGate firmwareFortiGate-4000 Installation and Configuration Guide 10711 Update antivirus and attack definitions. For

108 Fortinet Inc.Changing the FortiGate firmware System status5 To confirm that the FortiGate unit can connect to the TFTP server, use the following c

System status Changing the FortiGate firmwareFortiGate-4000 Installation and Configuration Guide 10911 Enter the firmware image filename and press E

ContentsFortiGate-4000 Installation and Configuration Guide 11Configuring LDAP support ...

110 Fortinet Inc.Changing the FortiGate firmware System statusTo run this procedure you:• access the CLI by connecting to the FortiGate console port u

System status Changing the FortiGate firmwareFortiGate-4000 Installation and Configuration Guide 1119 Type the address of the TFTP server and press

112 Fortinet Inc.Changing the FortiGate firmware System statusTo install a backup firmware image1 Connect to the CLI using the null-modem cable and Fo

System status Changing the FortiGate firmwareFortiGate-4000 Installation and Configuration Guide 113Switching to the backup firmware imageUse this p

114 Fortinet Inc.Manual virus definition updates System statusTo switch back to the default firmware image1 Connect to the CLI using the null-modem ca

System status Manual attack definition updatesFortiGate-4000 Installation and Configuration Guide 115Manual attack definition updatesThe Status page

116 Fortinet Inc.Restoring system settings System statusTo back up system settings1 Go to System > Status.2 Select System Settings Backup.3 Select

System status Changing to Transparent modeFortiGate-4000 Installation and Configuration Guide 117For information about restoring system settings, se

118 Fortinet Inc.Restarting the FortiGate unit System status4 Select OK.The FortiGate unit changes operation mode.5 To reconnect to the web-based mana

System status System statusFortiGate-4000 Installation and Configuration Guide 119Viewing CPU and memory statusCurrent CPU and memory status indicat

Contents12 Fortinet Inc.Network Intrusion Detection System (NIDS) ... 271Detecting attacks ...

120 Fortinet Inc.System status System statusViewing sessions and network statusUse the session and network status display to track how many network se

System status System statusFortiGate-4000 Installation and Configuration Guide 121Viewing virus and intrusions statusUse the virus and intrusions st

122 Fortinet Inc.Session list System statusSession listThe session list displays information about the communications sessions currently being process

FortiGate-4000 Installation and Configuration Guide Version 2.50FortiGate-4000 Installation and Configuration Guide 123Virus and attack definitions u

124 Fortinet Inc.Updating antivirus and attack definitions Virus and attack definitions updates and registrationThe Update page on the web-based manag

Virus and attack definitions updates and registration Updating antivirus and attack definitionsFortiGate-4000 Installation and Configuration Guide 1

126 Fortinet Inc.Scheduling updates Virus and attack definitions updates and registrationConfiguring update loggingUse the following procedure to conf

Virus and attack definitions updates and registration Scheduling updatesFortiGate-4000 Installation and Configuration Guide 1274 Select Apply.The Fo

128 Fortinet Inc.Enabling push updates Virus and attack definitions updates and registrationEnabling scheduled updates through a proxy serverIf your F

Virus and attack definitions updates and registration Enabling push updatesFortiGate-4000 Installation and Configuration Guide 129When the network c

ContentsFortiGate-4000 Installation and Configuration Guide 13Script filtering ...

130 Fortinet Inc.Enabling push updates Virus and attack definitions updates and registrationExample: push updates through a NAT deviceThis example des

Virus and attack definitions updates and registration Enabling push updatesFortiGate-4000 Installation and Configuration Guide 131General procedureU

132 Fortinet Inc.Enabling push updates Virus and attack definitions updates and registrationFigure 38: Push update port forwarding virtual IPAdding a

Virus and attack definitions updates and registration Registering FortiGate unitsFortiGate-4000 Installation and Configuration Guide 1334 Set IP to t

134 Fortinet Inc.Registering FortiGate units Virus and attack definitions updates and registrationAll registration information is stored in the Fortin

Virus and attack definitions updates and registration Registering FortiGate unitsFortiGate-4000 Installation and Configuration Guide 135• The product

136 Fortinet Inc.Updating registration information Virus and attack definitions updates and registration7 Select Finish.If you have not entered a Fort

Virus and attack definitions updates and registration Updating registration informationFortiGate-4000 Installation and Configuration Guide 1377 Sele

138 Fortinet Inc.Updating registration information Virus and attack definitions updates and registration7 Enter the serial number of the FortiGate uni

Virus and attack definitions updates and registration Updating registration informationFortiGate-4000 Installation and Configuration Guide 1393 Ente

Contents14 Fortinet Inc.

140 Fortinet Inc.Registering a FortiGate unit after an RMA Virus and attack definitions updates and registrationFor information about how to install t

FortiGate-4000 Installation and Configuration Guide Version 2.50FortiGate-4000 Installation and Configuration Guide 141Network configurationYou can u

142 Fortinet Inc.Configuring interfaces Network configurationAdding zonesThe new zone does not appear in the policy grid until you add an interface to

Network configuration Configuring interfacesFortiGate-4000 Installation and Configuration Guide 143Viewing the interface listTo view the interface l

144 Fortinet Inc.Configuring interfaces Network configurationTo add an interface to a zone1 Go to System > Network > Interface.2 Choose the inte

Network configuration Configuring interfacesFortiGate-4000 Installation and Configuration Guide 1454 Clear the Retrieve default gateway and DNS from

146 Fortinet Inc.Configuring interfaces Network configuration7 Select Apply. The FortiGate unit attempts to contact the PPPoE server from the interfac

Network configuration Configuring interfacesFortiGate-4000 Installation and Configuration Guide 147Controlling administrative access to an interface

148 Fortinet Inc.Configuring interfaces Network configurationChanging the MTU size to improve network performanceTo improve network performance, you c

Network configuration Out of band managementFortiGate-4000 Installation and Configuration Guide 149• Enable secure administrative access to this int

FortiGate-4000 Installation and Configuration Guide Version 2.50FortiGate-4000 Installation and Configuration Guide 15IntroductionFortiGate Antivirus

150 Fortinet Inc.VLAN overview Network configuration5 Select Log for the interface if you want to record log messages whenever and administrator conne

Network configuration VLANs in NAT/Route modeFortiGate-4000 Installation and Configuration Guide 151A VLAN segregates devices logically instead of p

152 Fortinet Inc.VLANs in NAT/Route mode Network configurationRules for VLAN IP addressesIP addresses of all FortiGate interfaces cannot overlap. That

Network configuration Virtual domains in Transparent modeFortiGate-4000 Installation and Configuration Guide 153Virtual domains in Transparent modeI

154 Fortinet Inc.Virtual domains in Transparent mode Network configurationFigure 44: FortiGate unit with two virtual domainsVirtual domain propertiesA

Network configuration Virtual domains in Transparent modeFortiGate-4000 Installation and Configuration Guide 155Adding a virtual domainUse the follo

156 Fortinet Inc.Virtual domains in Transparent mode Network configurationAdding zones to virtual domainsAdd zones to a virtual domain to group togeth

Network configuration Virtual domains in Transparent modeFortiGate-4000 Installation and Configuration Guide 1576 Select OK to save your changes.You

158 Fortinet Inc.Adding DNS server IP addresses Network configurationDeleting virtual domains You must remove all VLAN subinterfaces and zones that ha

Network configuration Configuring routingFortiGate-4000 Installation and Configuration Guide 159Adding a default routeYou can add a default route fo

16 Fortinet Inc.Antivirus protection IntroductionAntivirus protectionFortiGate ICSA-certified antivirus protection scans web (HTTP), file transfer (FT

160 Fortinet Inc.Configuring routing Network configuration6 Set Device #1 to the FortiGate interface or VLAN subinterface through which to route traff

Network configuration Configuring routingFortiGate-4000 Installation and Configuration Guide 1615 Select OK to save the new route.6 Repeat steps 1 t

162 Fortinet Inc.Configuring DHCP services Network configurationUsing policy routing you can build a routing policy database (RPDB) that selects the a

Network configuration Configuring DHCP servicesFortiGate-4000 Installation and Configuration Guide 163Configuring a DHCP relay agentIn a DHCP relay

164 Fortinet Inc.Configuring DHCP services Network configurationYou can add multiple scopes to an interface so that the DHCP server added to that inte

Network configuration Configuring DHCP servicesFortiGate-4000 Installation and Configuration Guide 165Adding a reserve IP to a DHCP serverIf you hav

166 Fortinet Inc.Configuring DHCP services Network configuration

FortiGate-4000 Installation and Configuration Guide Version 2.50FortiGate-4000 Installation and Configuration Guide 167RIP configurationThe FortiGate

168 Fortinet Inc.RIP settings RIP configuration5 Change the following RIP timer settings, as required.RIP timer defaults are effective in most configu

RIP configuration Configuring RIP for FortiGate interfacesFortiGate-4000 Installation and Configuration Guide 169Figure 47: Configuring RIP settings

Introduction Email filteringFortiGate-4000 Installation and Configuration Guide 17Email filteringFortiGate email filtering can scan all IMAP and POP

170 Fortinet Inc.Configuring RIP for FortiGate interfaces RIP configuration4 Select OK to save the RIP configuration for the selected interface.Figure

RIP configuration Adding RIP filtersFortiGate-4000 Installation and Configuration Guide 171Adding RIP filtersUse the Filter page to create RIP filte

172 Fortinet Inc.Adding RIP filters RIP configuration3 For Filter Name, type a name for the RIP filter list.The name can be 15 characters long and can

RIP configuration Adding RIP filtersFortiGate-4000 Installation and Configuration Guide 173Assigning a RIP filter list to the outgoing filterThe out

174 Fortinet Inc.Adding RIP filters RIP configuration

FortiGate-4000 Installation and Configuration Guide Version 2.50FortiGate-4000 Installation and Configuration Guide 175System configurationUse the Sy

176 Fortinet Inc.Changing system options System configuration9 Select Apply.Figure 49: Example date and time settingChanging system optionsOn the Syst

System configuration Changing system optionsFortiGate-4000 Installation and Configuration Guide 1773 Select Apply.Auth Timeout controls the amount o

178 Fortinet Inc.Adding and editing administrator accounts System configurationAdding and editing administrator accountsWhen the FortiGate unit is ini

System configuration Adding and editing administrator accountsFortiGate-4000 Installation and Configuration Guide 179Editing administrator accountsT

18 Fortinet Inc.VLANs and virtual domains IntroductionNAT/Route modeIn NAT/Route mode, you can create NAT mode policies and Route mode policies.• NAT

180 Fortinet Inc.Configuring SNMP System configurationConfiguring SNMPYou can configure the FortiGate SNMP agent to report system information and send

System configuration Configuring SNMPFortiGate-4000 Installation and Configuration Guide 181To configure SNMP access to an interface in Transparent

182 Fortinet Inc.Configuring SNMP System configurationFigure 50: Sample SNMP configurationFortiGate MIBsThe FortiGate SNMP agent supports FortiGate pr

System configuration Configuring SNMPFortiGate-4000 Installation and Configuration Guide 183FortiGate trapsThe FortiGate agent can send traps to up

184 Fortinet Inc.Configuring SNMP System configurationVPN trapsNIDS trapsAntivirus trapsLogging trapsTable 31: FortiGate VPN trapsTrap message Descrip

System configuration Configuring SNMPFortiGate-4000 Installation and Configuration Guide 185Fortinet MIB fieldsThe Fortinet MIB contains fields for

186 Fortinet Inc.Configuring SNMP System configurationUsers and authentication configurationVPN configuration and statusNIDS configurationAntivirus co

System configuration Replacement messagesFortiGate-4000 Installation and Configuration Guide 187Logging and reporting configurationReplacement messa

188 Fortinet Inc.Replacement messages System configurationCustomizing replacement messagesEach of the replacement messages in the replacement message

System configuration Replacement messagesFortiGate-4000 Installation and Configuration Guide 189Customizing alert emailsCustomize alert emails to co

Introduction VPNFortiGate-4000 Installation and Configuration Guide 19VPNUsing FortiGate virtual private networking (VPN), you can provide a secure

190 Fortinet Inc.Replacement messages System configuration%%SOURCE_IP%% The IP address from which the block file was received. For email this is the I

FortiGate-4000 Installation and Configuration Guide Version 2.50FortiGate-4000 Installation and Configuration Guide 191Firewall configurationFirewall

192 Fortinet Inc.Default firewall configuration Firewall configuration• IP/MAC binding• Content profilesDefault firewall configurationBy default, the

Firewall configuration Default firewall configurationFortiGate-4000 Installation and Configuration Guide 193VLAN subinterfacesYou can also add VLAN

194 Fortinet Inc.Adding firewall policies Firewall configurationYou can also add firewall policies that perform network address translation (NAT). To

Firewall configuration Adding firewall policiesFortiGate-4000 Installation and Configuration Guide 1953 Select New to add a new policy.You can also

196 Fortinet Inc.Adding firewall policies Firewall configurationFirewall policy optionsThis section describes the options that you can add to firewall

Firewall configuration Adding firewall policiesFortiGate-4000 Installation and Configuration Guide 197NATConfigure the policy for NAT. NAT translate

198 Fortinet Inc.Adding firewall policies Firewall configurationAuthenticationSelect Authentication and select a user group to require users to enter

Firewall configuration Adding firewall policiesFortiGate-4000 Installation and Configuration Guide 199Figure 54: Adding a Transparent mode policyLog

© Copyright 2004 Fortinet Inc. All rights reserved.No part of this publication including text, examples, diagrams or illustrations may be reproduced,t

20 Fortinet Inc.Secure installation, configuration, and management IntroductionSecure installation, configuration, and managementThe first time you po

200 Fortinet Inc.Configuring policy lists Firewall configurationConfiguring policy listsThe firewall matches policies by searching for a match startin

Firewall configuration Configuring policy listsFortiGate-4000 Installation and Configuration Guide 201Changing the order of policies in a policy lis

202 Fortinet Inc.Addresses Firewall configurationAddressesAll policies require source and destination addresses. To add addresses to a policy, you mus

Firewall configuration AddressesFortiGate-4000 Installation and Configuration Guide 2036 Enter the Netmask.The netmask corresponds to the type of ad

204 Fortinet Inc.Addresses Firewall configurationDeleting addressesDeleting an address removes it from an address list. To delete an address that has

Firewall configuration ServicesFortiGate-4000 Installation and Configuration Guide 205Figure 56: Adding an internal address groupServicesUse service

206 Fortinet Inc.Services Firewall configurationGRE Generic Routing Encapsulation. A protocol that allows an arbitrary network protocol to be transmit

Firewall configuration ServicesFortiGate-4000 Installation and Configuration Guide 207LDAP Lightweight Directory Access Protocol is a set of protoco

208 Fortinet Inc.Services Firewall configurationAdding custom TCP and UDP servicesAdd a custom TCP or UDP service if you need to create a policy for a

Firewall configuration ServicesFortiGate-4000 Installation and Configuration Guide 209Adding custom ICMP servicesAdd a custom ICMP service if you ne

Introduction Document conventionsFortiGate-4000 Installation and Configuration Guide 21Command line interfaceYou can access the FortiGate command li

210 Fortinet Inc.Schedules Firewall configuration3 Type a Group Name to identify the group. This name appears in the service list when you add a polic

Firewall configuration SchedulesFortiGate-4000 Installation and Configuration Guide 211Creating one-time schedulesYou can create a one-time schedule

212 Fortinet Inc.Schedules Firewall configurationCreating recurring schedulesYou can create a recurring schedule that activates or deactivates policie

Firewall configuration Virtual IPsFortiGate-4000 Installation and Configuration Guide 213Adding schedules to policiesAfter you create schedules, you

214 Fortinet Inc.Virtual IPs Firewall configurationThis section describes:• Adding static NAT virtual IPs• Adding port forwarding virtual IPs• Adding

Firewall configuration Virtual IPsFortiGate-4000 Installation and Configuration Guide 2157 In Map to IP, type the real IP address on the destination

216 Fortinet Inc.Virtual IPs Firewall configuration6 Enter the External IP Address that you want to map to an address on the destination zone.You can

Firewall configuration Virtual IPsFortiGate-4000 Installation and Configuration Guide 217Figure 61: Adding a port forwarding virtual IPAdding polici

218 Fortinet Inc.IP pools Firewall configuration4 Select OK to save the policy.IP poolsAn IP pool (also called a dynamic IP pool) is a range of IP add

Firewall configuration IP poolsFortiGate-4000 Installation and Configuration Guide 219Figure 62: Adding an IP PoolIP Pools for firewall policies tha

22 Fortinet Inc.Fortinet documentation Introductionexecute restore config <filename_str>You enter restore config myfile.bak<xxx_str> indic

220 Fortinet Inc.IP/MAC binding Firewall configurationIP/MAC bindingIP/MAC binding protects the FortiGate unit and your network from IP spoofing attac

Firewall configuration IP/MAC bindingFortiGate-4000 Installation and Configuration Guide 221For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:

222 Fortinet Inc.IP/MAC binding Firewall configuration3 Enter the IP Address and the MAC Address.You can bind multiple IP addresses to the same MAC ad

Firewall configuration Content profilesFortiGate-4000 Installation and Configuration Guide 223Figure 63: IP/MAC settingsContent profilesUse content

224 Fortinet Inc.Content profiles Firewall configurationDefault content profilesThe FortiGate unit has the following four default content profiles tha

Firewall configuration Content profilesFortiGate-4000 Installation and Configuration Guide 2256 Enable the email filter protection options that you

226 Fortinet Inc.Content profiles Firewall configurationAdding content profiles to policiesYou can add content profiles to policies with action set to

FortiGate-4000 Installation and Configuration Guide Version 2.50FortiGate-4000 Installation and Configuration Guide 227Users and authenticationFortiG

228 Fortinet Inc.Setting authentication timeout Users and authenticationThis chapter describes:• Setting authentication timeout• Adding user names and

Users and authentication Adding user names and configuring authenticationFortiGate-4000 Installation and Configuration Guide 2295 Select the Try oth

Introduction Customer service and technical supportFortiGate-4000 Installation and Configuration Guide 23• Volume 4: FortiGate NIDS GuideDescribes h

230 Fortinet Inc.Configuring RADIUS support Users and authenticationConfiguring RADIUS supportIf you have configured RADIUS support and a user is requ

Users and authentication Configuring LDAP supportFortiGate-4000 Installation and Configuration Guide 231Configuring LDAP supportIf you have configur

232 Fortinet Inc.Configuring user groups Users and authentication7 Enter the distinguished name used to look up entries on the LDAP server.Enter the b

Users and authentication Configuring user groupsFortiGate-4000 Installation and Configuration Guide 233• IPSec VPN Phase 1 configurations for dialup

234 Fortinet Inc.Configuring user groups Users and authentication3 Enter a Group Name to identify the user group.The name can contain numbers (0-9), u

FortiGate-4000 Installation and Configuration Guide Version 2.50FortiGate-4000 Installation and Configuration Guide 235IPSec VPNA Virtual Private Net

236 Fortinet Inc.Key management IPSec VPNKey managementThere are three basic elements in any encryption system:• an algorithm that changes information

IPSec VPN Manual key IPSec VPNsFortiGate-4000 Installation and Configuration Guide 237In some respects, certificates are simpler to manage than manu

238 Fortinet Inc.Manual key IPSec VPNs IPSec VPN5 Enter the Remote SPI. The Remote Security Parameter Index is a hexadecimal number of up to eight dig

IPSec VPN AutoIKE IPSec VPNsFortiGate-4000 Installation and Configuration Guide 239AutoIKE IPSec VPNsFortiGate units support two methods of Automati

24 Fortinet Inc.Customer service and technical support Introduction

240 Fortinet Inc.AutoIKE IPSec VPNs IPSec VPN3 Type a Gateway Name for the remote VPN peer.The remote VPN peer can be either a gateway to another netw

IPSec VPN AutoIKE IPSec VPNsFortiGate-4000 Installation and Configuration Guide 24110 Configure the Local ID the that the FortiGate unit sends to th

242 Fortinet Inc.AutoIKE IPSec VPNs IPSec VPN4 Optionally, configure NAT Traversal.5 Optionally, configure Dead Peer Detection.Use these settings to m

IPSec VPN AutoIKE IPSec VPNsFortiGate-4000 Installation and Configuration Guide 243Figure 69: Adding a phase 1 configuration (Standard options)Figur

244 Fortinet Inc.AutoIKE IPSec VPNs IPSec VPNAdding a phase 2 configuration for an AutoIKE VPNAdd a phase 2 configuration to specify the parameters us

IPSec VPN AutoIKE IPSec VPNsFortiGate-4000 Installation and Configuration Guide 24510 Enable Autokey Keep Alive if you want to keep the VPN tunnel r

246 Fortinet Inc.Managing digital certificates IPSec VPNManaging digital certificatesUse digital certificates to make sure that both participants in a

IPSec VPN Managing digital certificatesFortiGate-4000 Installation and Configuration Guide 2476 Configure the key.7 Select OK to generate the privat

248 Fortinet Inc.Managing digital certificates IPSec VPNDownloading the certificate requestUse the following procedure to download a certificate reque

IPSec VPN Configuring encrypt policiesFortiGate-4000 Installation and Configuration Guide 249Obtaining CA certificatesFor the VPN peers to authentic

FortiGate-4000 Installation and Configuration Guide Version 2.50FortiGate-4000 Installation and Configuration Guide 25Getting startedThis chapter des

250 Fortinet Inc.Configuring encrypt policies IPSec VPNIn addition to defining membership in the VPN by address, you can configure the encrypt policy

IPSec VPN Configuring encrypt policiesFortiGate-4000 Installation and Configuration Guide 251Adding a destination addressThe destination address can

252 Fortinet Inc.Configuring encrypt policies IPSec VPNFor information about configuring the remaining policy settings, see “Adding firewall policies”

IPSec VPN IPSec VPN concentratorsFortiGate-4000 Installation and Configuration Guide 253Figure 73: Adding an encrypt policyIPSec VPN concentrators I

254 Fortinet Inc.IPSec VPN concentrators IPSec VPNIf the VPN peer is one of the spokes, it requires a tunnel connecting it to the hub (but not to the

IPSec VPN IPSec VPN concentratorsFortiGate-4000 Installation and Configuration Guide 255See “Adding an encrypt policy” on page 251.5 Arrange the pol

256 Fortinet Inc.IPSec VPN concentrators IPSec VPNVPN spoke general configuration stepsA remote VPN peer that functions as a spoke requires the follow

IPSec VPN Monitoring and Troubleshooting VPNsFortiGate-4000 Installation and Configuration Guide 257See “Adding an encrypt policy” on page 251.6 Arr

258 Fortinet Inc.Monitoring and Troubleshooting VPNs IPSec VPNViewing dialup VPN connection statusYou can use the dialup monitor to view the status of

FortiGate-4000 Installation and Configuration Guide Version 2.50FortiGate-4000 Installation and Configuration Guide 259PPTP and L2TP VPNYou can use P

26 Fortinet Inc.Warnings and cautions Getting startedWarnings and cautionsYou should be aware of the following cautions and warnings before operating

260 Fortinet Inc.Configuring PPTP PPTP and L2TP VPNConfiguring the FortiGate unit as a PPTP gatewayUse the following procedures to configure the Forti

PPTP and L2TP VPN Configuring PPTPFortiGate-4000 Installation and Configuration Guide 2613 Select New to add an address.4 Enter the Address Name, IP

262 Fortinet Inc.Configuring PPTP PPTP and L2TP VPN6 Set Service to match the traffic type inside the PPTP VPN tunnel. For example, if PPTP users can

PPTP and L2TP VPN Configuring PPTPFortiGate-4000 Installation and Configuration Guide 263To connect to the PPTP VPN1 Start the dialup connection tha

264 Fortinet Inc.Configuring PPTP PPTP and L2TP VPN5 Name the connection and select Next. 6 If the Public Network dialog box appears, choose the appro

PPTP and L2TP VPN Configuring L2TPFortiGate-4000 Installation and Configuration Guide 265Configuring L2TPSome implementations of L2TP support elemen

266 Fortinet Inc.Configuring L2TP PPTP and L2TP VPNTo add source addressesAdd a source address for every address in the L2TP address range.1 Go to Fir

PPTP and L2TP VPN Configuring L2TPFortiGate-4000 Installation and Configuration Guide 2672 Select the policy list that you want to add the policy to

268 Fortinet Inc.Configuring L2TP PPTP and L2TP VPN4 Go to the Options tab and select IP security properties.5 Make sure that Do not use IPSEC is sele

PPTP and L2TP VPN Configuring L2TPFortiGate-4000 Installation and Configuration Guide 2697 In the VPN Server Selection dialog, enter the IP address

Getting started Physical descriptionFortiGate-4000 Installation and Configuration Guide 27Figure 2: FortiGate-4000 package contentsPhysical descript

270 Fortinet Inc.Configuring L2TP PPTP and L2TP VPN8 Add the following registry value to this key:Value Name: ProhibitIpSecData Type: REG_DWORDValue:

FortiGate-4000 Installation and Configuration Guide Version 2.50FortiGate-4000 Installation and Configuration Guide 271Network Intrusion Detection Sy

272 Fortinet Inc.Detecting attacks Network Intrusion Detection System (NIDS)Selecting the interfaces to monitorTo select the interfaces to monitor for

Network Intrusion Detection System (NIDS) Detecting attacksFortiGate-4000 Installation and Configuration Guide 273Viewing the signature listYou can

274 Fortinet Inc.Detecting attacks Network Intrusion Detection System (NIDS)Figure 80: Example signature group members listDisabling NIDS attack signa

Network Intrusion Detection System (NIDS) Detecting attacksFortiGate-4000 Installation and Configuration Guide 275To add user-defined signatures1 Go

276 Fortinet Inc.Preventing attacks Network Intrusion Detection System (NIDS)Preventing attacksNIDS attack prevention protects the FortiGate unit and

Network Intrusion Detection System (NIDS) Preventing attacksFortiGate-4000 Installation and Configuration Guide 277Setting signature threshold value

278 Fortinet Inc.Logging attacks Network Intrusion Detection System (NIDS)To set Prevention signature threshold values1 Go to NIDS > Prevention.2 S

Network Intrusion Detection System (NIDS) Logging attacksFortiGate-4000 Installation and Configuration Guide 279The FortiGate unit uses an alert ema

28 Fortinet Inc.Front panel features Getting startedFront panel featuresFigure 3 shows the location of the FortiGate-4000 chassis front panel componen

280 Fortinet Inc.Logging attacks Network Intrusion Detection System (NIDS)

FortiGate-4000 Installation and Configuration Guide Version 2.50FortiGate-4000 Installation and Configuration Guide 281Antivirus protectionYou can en

282 Fortinet Inc.Antivirus scanning Antivirus protectionAntivirus scanningVirus scanning intercepts most files (including files compressed with up to

Antivirus protection File blockingFortiGate-4000 Installation and Configuration Guide 283Figure 82: Example content profile for virus scanningFile b

284 Fortinet Inc.File blocking Antivirus protectionBy default, when blocking is enabled, the FortiGate unit blocks the following file patterns:• execu

Antivirus protection Blocking oversized files and emailsFortiGate-4000 Installation and Configuration Guide 285Blocking oversized files and emailsYo

286 Fortinet Inc.Viewing the virus list Antivirus protectionViewing the virus listYou can view the names of the viruses and worms in the current virus

FortiGate-4000 Installation and Configuration Guide Version 2.50FortiGate-4000 Installation and Configuration Guide 287Web filteringWhen you enable A

288 Fortinet Inc.Content blocking Web filtering3 Configure web filtering settings to control how the FortiGate unit applies web filtering to the HTTP

Web filtering Content blockingFortiGate-4000 Installation and Configuration Guide 2894 Type a banned word or phrase.If you type a single word (for e

Getting started Front panel featuresFortiGate-4000 Installation and Configuration Guide 29FortiBlade-4010 moduleEach FortiBlade-4010 module is an in

290 Fortinet Inc.Content blocking Web filteringBacking up the Banned Word listYou can back up the banned word list by downloading it to a text file on

Web filtering URL blockingFortiGate-4000 Installation and Configuration Guide 2915 Select Return to display the updated Banned Word List.6 You can c

292 Fortinet Inc.URL blocking Web filtering4 Ensure that the Enable checkbox has been selected and then select OK.5 Select OK to add the URL to the We

Web filtering URL blockingFortiGate-4000 Installation and Configuration Guide 293Downloading the Web URL block listYou can back up the Web URL block

294 Fortinet Inc.Configuring Cerberian URL filtering Web filtering8 You can continue to maintain the Web URL block list by making changes to the text

Web filtering Configuring Cerberian URL filteringFortiGate-4000 Installation and Configuration Guide 295Installing a Cerberian license keyBefore you

296 Fortinet Inc.Configuring Cerberian URL filtering Web filteringYou can add users to the default group and apply any policies to the group.Use the d

Web filtering Script filteringFortiGate-4000 Installation and Configuration Guide 297Script filteringYou can configure the FortiGate unit to remove

298 Fortinet Inc.Exempt URL list Web filteringExempt URL listAdd URLs to the exempt URL list to allow legitimate traffic that might otherwise be block

Web filtering Exempt URL listFortiGate-4000 Installation and Configuration Guide 299Figure 88: Example URL Exempt listDownloading the URL Exempt Lis

ContentsFortiGate-4000 Installation and Configuration Guide 3Table of ContentsIntroduction ...

30 Fortinet Inc.Front panel features Getting startedKVM switch moduleUse the KVM switch module to switch serial connections to the CLI of each FortiBl

300 Fortinet Inc.Exempt URL list Web filtering3 Select Upload URL Exempt List .4 Type the path and filename of your URL Exempt List text file, or sel

FortiGate-4000 Installation and Configuration Guide Version 2.50FortiGate-4000 Installation and Configuration Guide 301Email filterEmail filtering is

302 Fortinet Inc.Email banned word list Email filterEmail banned word listWhen the FortiGate unit detects an email that contains a word or phrase in t

Email filter Email banned word listFortiGate-4000 Installation and Configuration Guide 303Downloading the email banned word listYou can back up the

304 Fortinet Inc.Email block list Email filterEmail block listYou can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from

Email filter Email exempt listFortiGate-4000 Installation and Configuration Guide 305Uploading an email block listYou can create a email block list

306 Fortinet Inc.Adding a subject tag Email filterAdding address patterns to the email exempt listTo add an address pattern to the email exempt list1

FortiGate-4000 Installation and Configuration Guide Version 2.50FortiGate-4000 Installation and Configuration Guide 307Logging and reportingYou can c

308 Fortinet Inc.Recording logs Logging and reportingRecording logs on a remote computerYou can configure the FortiGate unit to record log messages on

Logging and reporting Recording logsFortiGate-4000 Installation and Configuration Guide 3095 Select Config Policy.To configure the FortiGate unit to

Getting started Rear panel featuresFortiGate-4000 Installation and Configuration Guide 31Rear panel featuresThe FortiGate-4000 chassis rear panel co

310 Fortinet Inc.Filtering log messages Logging and reportingFiltering log messagesYou can configure the logs that you want to record and the message

Logging and reporting Configuring traffic loggingFortiGate-4000 Installation and Configuration Guide 3114 Select the message categories that you wan

312 Fortinet Inc.Configuring traffic logging Logging and reportingThis section describes:• Enabling traffic logging• Configuring traffic filter settin

Logging and reporting Configuring traffic loggingFortiGate-4000 Installation and Configuration Guide 313Configuring traffic filter settingsYou can c

314 Fortinet Inc.Viewing logs saved to memory Logging and reporting4 Select OK.The traffic filter list displays the new traffic address entry with the

Logging and reporting Configuring alert emailFortiGate-4000 Installation and Configuration Guide 3154 To view a specific line in the log, type a lin

316 Fortinet Inc.Configuring alert email Logging and reportingAdding alert email addressesBecause the FortiGate unit uses the SMTP server name to conn

Logging and reporting Configuring alert emailFortiGate-4000 Installation and Configuration Guide 317Enabling alert emailYou can configure the FortiG

318 Fortinet Inc.Configuring alert email Logging and reporting

FortiGate-4000 Installation and Configuration Guide 319FortiGate-4000 Installation and Configuration Guide Version 2.50GlossaryConnection: A link bet

32 Fortinet Inc.Rear panel features Getting startedFigure 7: FortiGate-4000S rear panelPower supplies and power connectionsThe FortiGate-4000 chassis

320 Fortinet Inc.GlossaryLAN, Local Area Network: A computer network that spans a relatively small area. Most LANs connect workstations and personal c

GlossaryFortiGate-4000 Installation and Configuration Guide 321SSH, Secure shell: A secure Telnet replacement that you can use to log into another

322 Fortinet Inc.Glossary

FortiGate-4000 Installation and Configuration Guide 323FortiGate-4000 Installation and Configuration Guide Version 2.50IndexAacceptpolicy 196actionpo

324 Fortinet Inc.Indexattack updatesconfiguring 127scheduling 126through a proxy server 128authentication 198, 227configuring 228enabling 232LDAP serv

IndexFortiGate-4000 Installation and Configuration Guide 325dialup PPTPconfiguring Windows 2000 client 263configuring Windows 98 client 262configur

326 Fortinet Inc.IndexHHA 81connecting a NAT/Route mode cluster 84introduction 19managing HA group 87NAT/Route mode 82replacing FortiGate unit after f

IndexFortiGate-4000 Installation and Configuration Guide 327log settingfiltering log entries 126, 310traffic filter 313log to memoryconfiguring 309

328 Fortinet Inc.Indexoversized files and emailblocking 285Ppasswordadding 228changing administrator account 179Fortinet support 138recovering a lost

IndexFortiGate-4000 Installation and Configuration Guide 329reserved IPadding to a DHCP server 165resolve IP 313traffic filter 313restarting 118res

Getting started Rear panel featuresFortiGate-4000 Installation and Configuration Guide 33Cooling fan traysThe FortiGate-4000 chassis is cooled using

330 Fortinet Inc.Indexstatic NAT virtual IP 213adding 214static routeadding 159statusCPU 119interface 143intrusions 121IPSec VPN tunnel 257memory 119n

IndexFortiGate-4000 Installation and Configuration Guide 331URL block listadding URL 294, 304clearing 292downloading 290, 293, 299, 304uploading 29

332 Fortinet Inc.Indexworm listdisplaying 286worm protection 286Zzoneadding 142adding to a virtual domain 156configuring 141

34 Fortinet Inc.Rear panel features Getting started10/100 out of band management moduleThe 10/100 out of band management module provides dedicated eth

Getting started Rear panel featuresFortiGate-4000 Installation and Configuration Guide 35Pass-through interface moduleTwo pass-through interface mod

36 Fortinet Inc.Rear panel features Getting startedThe internal switched interface module provides two gigabit connections to the internal interfaces

Getting started Installing hardwareFortiGate-4000 Installation and Configuration Guide 37Installing hardwareThis section describes how to install Fo

38 Fortinet Inc.Installing hardware Getting startedFigure 14: Rail mounting locationsInstalling FortiBlade-4010 modulesInstall a FortiBlade-4010 modul

Getting started Installing hardwareFortiGate-4000 Installation and Configuration Guide 39FortiGate-4000P network connectionsUse the following steps

Contents4 Fortinet Inc.Installing hardware...

40 Fortinet Inc.Turning FortiGate-4000 chassis power on and off Getting startedOut of band management connectionsYou can manage the FortiBlade-4010 mo

Getting started Hot swapping modulesFortiGate-4000 Installation and Configuration Guide 412 Connect the three power cables to the power connection m

42 Fortinet Inc.Hot swapping modules Getting startedHot swapping FortiBlade-4010 modulesFollow this procedure to hot swap the FortiBlade-4010 modules.

Getting started Hot swapping modulesFortiGate-4000 Installation and Configuration Guide 437 Slide the power supply module into the slot until the lo

44 Fortinet Inc.Connecting to the web-based manager Getting started2 Unscrew the two locking screws to remove the module’s locking strip.3 Loosen its

Getting started Connecting to the web-based managerFortiGate-4000 Installation and Configuration Guide 45Connecting to the FortiGate-4000 internal i

46 Fortinet Inc.Connecting to the web-based manager Getting startedFigure 16: FortiGate loginConnecting to the FortiGate-4000 10/100 out of band manag

Getting started Connecting to the Command Line Interface (CLI)FortiGate-4000 Installation and Configuration Guide 47To change the out of band manage

48 Fortinet Inc.Factory default configuration Getting started8 Press Enter to connect to the CLI of the FortiGate-4000 unit.The following prompt is di

Getting started Factory default configurationFortiGate-4000 Installation and Configuration Guide 49Factory default Transparent mode network configur

ContentsFortiGate-4000 Installation and Configuration Guide 5Using the command line interface...

50 Fortinet Inc.Factory default configuration Getting startedTable 14: Factory default firewall configuration Internal AddressInternal_AllIP: 0.0.0.0

Getting started Factory default configurationFortiGate-4000 Installation and Configuration Guide 51Factory default content profilesYou can use conte

52 Fortinet Inc.Factory default configuration Getting startedWeb content profileUse the web content profile to apply antivirus scanning and web conten

Getting started Planning the FortiGate configurationFortiGate-4000 Installation and Configuration Guide 53Unfiltered content profileUse the unfilter

54 Fortinet Inc.Planning the FortiGate configuration Getting startedFor each FortiGate-4000 unit, the following interfaces are available for processin

Getting started Planning the FortiGate configurationFortiGate-4000 Installation and Configuration Guide 55You typically use a FortiGate-4000 unit in

56 Fortinet Inc.Planning the FortiGate configuration Getting startedFigure 19: HA network configuration in NAT/Route modeFigure 20: HA network configu

Getting started Planning the FortiGate configurationFortiGate-4000 Installation and Configuration Guide 57Figure 21: FortiGate-4000P HA configuratio

58 Fortinet Inc.Planning the FortiGate configuration Getting startedFigure 22: FortiGate-4000P configuration with load balancersFortiGate-4000 UnitInt

Getting started FortiGate model maximum values matrixFortiGate-4000 Installation and Configuration Guide 59FortiGate model maximum values matrixTabl

Contents6 Fortinet Inc.Managing an HA cluster... 87

60 Fortinet Inc.Next steps Getting startedNext stepsNow that your FortiGate unit is operating, you can proceed to configure it to connect to networks:

FortiGate-4000 Installation and Configuration Guide Version 2.50FortiGate-4000 Installation and Configuration Guide 61NAT/Route mode installationThis

62 Fortinet Inc.Preparing to configure NAT/Route mode NAT/Route mode installationAdvanced NAT/Route mode settingsUse Tab le 21 to gather the informat

NAT/Route mode installation Using the setup wizardFortiGate-4000 Installation and Configuration Guide 63Out of band management interfaceUse Tab le 2

64 Fortinet Inc.Using the command line interface NAT/Route mode installationUsing the command line interfaceAs an alternative to using the setup wizar

NAT/Route mode installation Connecting the FortiGate unit to your networksFortiGate-4000 Installation and Configuration Guide 656 Optionally, set th

66 Fortinet Inc.Configuring your networks NAT/Route mode installationConfiguring your networksIf you are running the FortiGate unit in NAT/Route mode,

NAT/Route mode installation Completing the configurationFortiGate-4000 Installation and Configuration Guide 67Registering your FortiGate unitAfter p

68 Fortinet Inc.Completing the configuration NAT/Route mode installation

FortiGate-4000 Installation and Configuration Guide Version 2.50FortiGate-4000 Installation and Configuration Guide 69Transparent mode installationTh

ContentsFortiGate-4000 Installation and Configuration Guide 7System status ...

70 Fortinet Inc.Using the setup wizard Transparent mode installationOut of band management interfaceUse Tab le 24 to record the IP address, netmask,

Transparent mode installation Using the command line interfaceFortiGate-4000 Installation and Configuration Guide 71Reconnecting to the web-based ma

72 Fortinet Inc.Completing the configuration Transparent mode installationConfigure the Transparent mode default gateway1 Make sure that you are logge

Transparent mode installation Connecting the FortiGate unit to your networksFortiGate-4000 Installation and Configuration Guide 733 Select Anti-Viru

74 Fortinet Inc.Transparent mode configuration examples Transparent mode installationTransparent mode configuration examplesA FortiGate unit operating

Transparent mode installation Transparent mode configuration examplesFortiGate-4000 Installation and Configuration Guide 75Example default route to

76 Fortinet Inc.Transparent mode configuration examples Transparent mode installationWeb-based manager example configuration stepsTo configure basic T

Transparent mode installation Transparent mode configuration examplesFortiGate-4000 Installation and Configuration Guide 77Figure 24: Static route t

78 Fortinet Inc.Transparent mode configuration examples Transparent mode installation2 Go to System > Network > Management.• Change the Manageme

Transparent mode installation Transparent mode configuration examplesFortiGate-4000 Installation and Configuration Guide 79Figure 25: Static route t

Contents8 Fortinet Inc.Network configuration... 141Configuring z

80 Fortinet Inc.Transparent mode configuration examples Transparent mode installationWeb-based manager example configuration stepsTo configure the For

FortiGate-4000 Installation and Configuration Guide Version 2.50FortiGate-4000 Installation and Configuration Guide 81High availabilityFortinet achie

82 Fortinet Inc.Configuring an HA cluster High availabilityAn active-passive (A-P) HA cluster, also referred to as hot standby HA, consists of a prima

High availability Configuring an HA clusterFortiGate-4000 Installation and Configuration Guide 836 Select the HA mode.Select Active-Active mode to c

84 Fortinet Inc.Configuring an HA cluster High availabilityFigure 26: Example Active-Active HA configuration11 If you are configuring a NAT/Route mode

High availability Configuring an HA clusterFortiGate-4000 Installation and Configuration Guide 85To connect the cluster1 Connect the cluster units:F

86 Fortinet Inc.Configuring an HA cluster High availabilityFigure 28: FortiGate-4000P HA network configurationAdding a new FortiGate unit to a functio

High availability Managing an HA clusterFortiGate-4000 Installation and Configuration Guide 87Managing an HA clusterThe configurations of all of the

88 Fortinet Inc.Managing an HA cluster High availabilityThis section describes:• Configuring cluster interface monitoring• Viewing the status of clust

High availability Managing an HA clusterFortiGate-4000 Installation and Configuration Guide 89Figure 29: Example cluster members listMonitoring clus

ContentsFortiGate-4000 Installation and Configuration Guide 9RIP configuration ...

90 Fortinet Inc.Managing an HA cluster High availability4 Select Virus & Intrusions.The cluster displays virus and intrusions status for each clus

High availability Managing an HA clusterFortiGate-4000 Installation and Configuration Guide 913 Select the serial number of one of the units in the

92 Fortinet Inc.Managing an HA cluster High availabilityManaging individual cluster unitsYou can connect to the CLI of each unit in the cluster. This

High availability Managing an HA clusterFortiGate-4000 Installation and Configuration Guide 93Synchronizing the cluster configurationCluster synchro

94 Fortinet Inc.Managing an HA cluster High availabilityUpgrading firmwareTo upgrade the firmware of the FortiGate units in a cluster, you must upgrad

High availability Advanced HA optionsFortiGate-4000 Installation and Configuration Guide 95Replacing a FortiGate unit after failoverA failover can o

96 Fortinet Inc.Advanced HA options High availabilityConfiguring the priority of each FortiGate unit in the clusterIn addition to selecting a permanen

High availability Active-Active cluster packet flowFortiGate-4000 Installation and Configuration Guide 97This command has the following results:• Th

98 Fortinet Inc.Active-Active cluster packet flow High availabilityIn NAT/Route mode, the HA cluster works as a gateway when it responds to ARP reques

High availability Active-Active cluster packet flowFortiGate-4000 Installation and Configuration Guide 99Transparent mode packet flowIn transparent