FortiGate Version 4.0 Administration Guide Visit http://support.fortinet.com to register your FortiGate product. By registering you can receive product updates, technical support, and FortiGuard services.

FortiGate Administration Guide 01 400 89802 20090424

  • FortiGate Administration Guide
    Version 4.0
    24 April 2009
    01-400-89802-20090424

    Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

    Trademarks

    Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

  • Contents

    Introduction
      Fortinet products
      About this document
      Document conventions
        IP addresses
        CLI constraints
        Cautions, Notes and Tips
        Typographical conventions
      Registering your Fortinet product
      Customer service and technical support
      Training
      Fortinet documentation
        Tools and Documentation CD
        Fortinet Knowledge Center
        Comments on Fortinet technical documentation

    What's new in FortiOS 4.0
      FortiOS 4.0 FortiGate models and features supported
      UTM features grouped under new UTM menu
      Data Leak Prevention
      Application Control
      SSL content scanning and inspection
      WAN Optimization
      Endpoint control
      Network Access Control (NAC) quarantine
      IPS extensions
        DoS policies for applying IPS sensors
        NAC quarantine in DoS Sensors
        Adding IPS sensors to a DoS policy from the CLI
        One-arm IDS (sniffer mode)
        IPS interface policies for IPv6
        IPS Packet Logging
      Enhanced Antispam Engine (ASE)
      WCCP v2 support
      Any interface for firewall policies
      Global view of firewall policies
      Identity-based firewall policies
      Web filtering HTTP upload enhancements
      Traffic shaping enhancements
      Firewall load balancing virtual IP changes
        User session persistence
        Health Check Monitor
        Load balancing server monitor
      Per-firewall policy session TTL
      Gratuitous ARP for virtual IPs
      Changes to protection profiles
      Changes to content archiving
      Customizable web-based manager pages
      Administration over modem
      Auto-bypass and recovery for AMC bridge module
      Rogue Wireless Access Point detection
      Configurable VDOM and global resource limits
      User authentication monitor
      OCSP and SCEP certificate over HTTPS
      Adding non-standard ports for firewall authentication
      Dynamically assigning VPN client IP addresses from a RADIUS record
      DHCP over route-based IPSec VPNs
      SNMP upgraded to v3.0
      File Quarantine
      Customizable SSL VPN web portals
      Logging improvements
      Web filtering HTTP POST traffic (blocking or comforting HTTP post traffic)

    Web-based manager
      Common web-based manager tasks
        Connecting to the web-based manager
        Changing your FortiGate administrator password
        Changing the web-based manager language
        Changing administrative access to your FortiGate unit
        Changing the web-based manager idle timeout
        Connecting to the FortiGate CLI from the web-based manager
      Button bar features
      Contacting Customer Support
      Backing up your FortiGate configuration
      Using FortiGate Online Help
        Searching the online help
      Logging out
      Web-based manager pages
        Using the web-based manager menu
        Using web-based manager lists
        Adding filters to web-based manager lists
        Using page controls on web-based manager lists
        Using column settings to control the columns displayed
        Using filters with column settings
      Web-based manager icons

    System Status
      Status page
        Viewing system status
      Changing system information
        Configuring system time
        Changing the FortiGate unit host name
      Changing the FortiGate firmware
        Upgrading to a new firmware version
        Reverting to a previous firmware version
      Viewing operational history
      Manually updating FortiGuard definitions
      Viewing Statistics
        Viewing the session list
        Viewing Content Archive information on the Statistics widget
        Viewing the Attack Log
      Topology
        Adding a subnet object
        Customizing the topology diagram

    Managing firmware versions
      Backing up your configuration
        Backing up your configuration through the web-based manager
        Backing up your configuration through the CLI
        Backing up your configuration to a USB key
      Testing firmware before upgrading
      Upgrading your FortiGate unit
        Upgrading to FortiOS 4.0 through the web-based manager
        Upgrading to FortiOS 4.0 through the CLI
        Verifying the upgrade
      Reverting to a previous firmware image
        Downgrading to a previous firmware through the web-based manager
        Verifying the downgrade
        Downgrading to a previous firmware through the CLI
      Restoring your configuration
        Restoring your configuration settings in the web-based manager
        Restoring your configuration settings in the CLI

    Using virtual domains
      Virtual domains
        Benefits of VDOMs
        VDOM configuration settings
        Global configuration settings
      Enabling VDOMs
      Configuring VDOMs and global settings
        VDOM licenses
        Creating a new VDOM
        Working with VDOMs and global settings
        Adding interfaces to a VDOM
        Inter-VDOM links
        Assigning an interface to a VDOM
        Assigning an administrator to a VDOM
        Changing the management VDOM
      Configuring global and VDOM resource limits
        VDOM resource limits
        Global resource limits

    System Network
      Interfaces
        Switch Mode
        Interface settings
        Creating an 802.3ad aggregate interface
        Creating a redundant interface
        Configuring DHCP on an interface
        Configuring an interface for PPPoE
        Configuring Dynamic DNS on an interface
        Configuring a virtual IPSec interface
        Configuring interfaces with CLI commands
        Administrative access to an interface
        Interface MTU packet size
        Secondary IP Addresses
      Configuring zones
      Configuring the modem interface
        Configuring modem settings
        Redundant mode configuration
        Standalone mode configuration
        Adding firewall policies for modem connections
        Connecting and disconnecting the modem
        Checking modem status
      Configuring Networking Options
        DNS Servers
        Dead gateway detection
      Web Proxy
      Routing table (Transparent Mode)
        Transparent mode route settings
      VLAN overview
        FortiGate units and VLANs
      VLANs in NAT/Route mode
        Rules for VLAN IDs
        Rules for VLAN IP addresses
        Adding VLAN subinterfaces
      VLANs in Transparent mode
        Rules for VLAN IDs
        Transparent mode virtual domains and VLANs
        Troubleshooting ARP Issues

    System Wireless
      FortiWiFi wireless interfaces
      Channel assignments
        IEEE 802.11a channel numbers
        IEEE 802.11b channel numbers
        IEEE 802.11g channel numbers
      Wireless settings
        Adding a wireless interface
      Wireless MAC Filter
        Managing the MAC Filter list
      Wireless Monitor
      Rogue AP detection
        Viewing wireless access points

    System DHCP
      FortiGate DHCP servers and relays
      Configuring DHCP services
        Configuring an interface as a DHCP relay agent
        Configuring a DHCP server
      Viewing address leases
        Reserving IP addresses for specific clients

    System Config
      HA
        HA options
        Cluster members list
        Viewing HA statistics
        Changing subordinate unit host name and device priority
        Disconnecting a cluster unit from a cluster
      SNMP
        Configuring SNMP
        Configuring an SNMP community
        Fortinet MIBs
        Fortinet and FortiGate traps
        Fortinet and FortiGate MIB fields
      Replacement messages
        Replacement messages list
        Changing replacement messages
        Mail replacement messages
        HTTP replacement messages
        FTP replacement messages
        NNTP replacement messages
        Alert Mail replacement messages
        Spam replacement messages
        Administration replacement message
        Authentication replacement messages
        FortiGuard Web Filtering replacement messages
        IM and P2P replacement messages
        Endpoint control replacement message
        NAC quarantine replacement messages
        SSL VPN replacement message
        Replacement message tags
      Operation mode and VDOM management access
        Changing operation mode
        Management access

    System Admin
      Administrators
        Viewing the administrators list
        Configuring an administrator account
        Configuring regular (password) authentication for administrators
        Configuring remote authentication for administrators
        Configuring PKI certificate authentication for administrators
      Admin profiles
        Viewing the admin profiles list
        Configuring an admin profile
  • Contents

    F0hCentral Management................................................................................................... 226

    Settings ........................................................................................................................ 228

    Monitoring administrators.......................................................................................... 229

    FortiGate IPv6 support ............................................................................................... 230

    Customizable web-based manager ........................................................................... 231

    System Certificates.............................................................................. 243Local Certificates ....................................................................................................... 244

    Generating a certificate request.............................................................................. 245Downloading and submitting a certificate request .................................................. 246Importing a signed server certificate....................................................................... 247Importing an exported server certificate and private key ........................................ 247Importing separate server certificate and private key files...................................... 248

    Remote Certificates .................................................................................................... 248Importing Remote (OCSP) certificates ................................................................... 249

    CA Certificates ............................................................................................................ 249Importing CA certificates......................................................................................... 250

    CRL............................................................................................................................... 251Importing a certificate revocation list ...................................................................... 251

    System Maintenance
        About the Maintenance menu
        Backing up and restoring
            Basic backup and restore options
            Upgrading and downgrading firmware
            Upgrading and downgrading firmware through FortiGuard
            Configuring advanced options
        Managing configuration revisions
        Using script files
            Creating script files
            Uploading script files
        Configuring FortiGuard Services
            FortiGuard Distribution Network
            FortiGuard services
            Configuring the FortiGate unit for FDN and FortiGuard subscription services
        Troubleshooting FDN connectivity
        Updating antivirus and attack definitions
        Enabling push updates
            Enabling push updates when a FortiGate unit IP address changes
            Enabling push updates through a NAT device
        Adding VDOM Licenses

    Router Static
        Routing concepts
            How the routing table is built
            How routing decisions are made
            Multipath routing and determining the best route
            Route priority
            Blackhole Route
        Static Route
            Working with static routes
            Default route and default gateway
            Adding a static route to the routing table
        Policy Route
            Adding a policy route
            Moving a policy route

    Router Dynamic
        RIP
            Viewing and editing basic RIP settings
            Selecting advanced RIP options
            Configuring a RIP-enabled interface
        OSPF
            Defining an OSPF AS - Overview
            Configuring basic OSPF settings
            Selecting advanced OSPF options
            Defining OSPF areas
            Specifying OSPF networks
            Selecting operating parameters for an OSPF interface
        BGP
            Viewing and editing BGP settings
        Multicast
            Viewing and editing multicast settings
            Overriding the multicast settings on an interface
            Multicast destination NAT
        Bi-directional Forwarding Detection (BFD)
            Configuring BFD
        Customizable routing widgets
            Access List
            Distribute List
            Key Chain
            Offset List
            Prefix List
            Route Map

    Router Monitor
        Viewing routing information
        Searching the FortiGate routing table

    Firewall Policy
        How list order affects policy matching
        Moving a policy to a different position in the policy list
        Multicast policies
        Viewing the firewall policy list
        Configuring firewall policies
            Adding authentication to firewall policies
            Identity-based firewall policy options (non-SSL-VPN)
            IPSec firewall policy options
            Configuring SSL VPN identity-based firewall policies
            Endpoint Compliance Check options
        DoS policies
            Viewing the DoS policy list
            Configuring DoS policies
        Firewall policy examples
            Scenario one: SOHO-sized business
            Scenario two: enterprise-sized business

    Firewall Address
        About firewall addresses
        Viewing the firewall address list
        Configuring addresses
        Viewing the address group list
        Configuring address groups

    Firewall Service
        Viewing the predefined service list
        Viewing the custom service list
        Configuring custom services
        Viewing the service group list
        Configuring service groups

    Firewall Schedule
        Viewing the recurring schedule list
        Configuring recurring schedules
        Viewing the one-time schedule list
        Configuring one-time schedules

    Firewall Virtual IP
        How virtual IPs map connections through FortiGate units
            Inbound connections
            Outbound connections
            VIP requirements
        Viewing the virtual IP list
        Configuring virtual IPs
            Adding a static NAT virtual IP for a single IP address
            Adding a static NAT virtual IP for an IP address range
            Adding static NAT port forwarding for a single IP address and a single port
            Adding static NAT port forwarding for an IP address range and a port range
            Adding dynamic virtual IPs
            Adding a virtual IP with port translation only
        Virtual IP Groups
        Viewing the VIP group list
        Configuring VIP groups
        IP pools
            IP pools and dynamic NAT
            IP Pools for firewall policies that use fixed ports
            Source IP address and IP pool address matching
        Viewing the IP pool list
        Configuring IP Pools
        Double NAT: combining IP pool with virtual IP
        Adding NAT firewall policies in transparent mode

    Firewall Load Balance
        How load balancer works
        Configuring virtual servers
        Configuring real servers
        Configuring health check monitors
        Monitoring the servers

    Firewall Protection Profile
        What is a protection profile?
        Adding a protection profile to a firewall policy
        Default protection profiles
        Viewing the protection profile list
        SSL content scanning and inspection
            Supported FortiGate models
            Setting up certificates to avoid client warnings
            Configuring SSL content scanning and inspection
        Configuring a protection profile
            Protocol recognition options
            Anti-Virus options
            IPS options
            Web Filtering options
            FortiGuard Web Filtering options
            Spam Filtering options
            Data Leak Prevention Sensor options
            Application Control options
            Logging options

    Traffic Shaping
        Guaranteed bandwidth and maximum bandwidth
        Traffic priority
        Traffic shaping considerations
        Configuring traffic shaping

    SIP support
        VoIP and SIP
        The FortiGate unit and VoIP security
            SIP NAT
        How SIP support works
        Configuring SIP
            Enabling SIP support and setting rate limiting from the web-based manager
            Enabling SIP support from the CLI
            Enabling SIP logging
            Enabling advanced SIP features in an application list

    AntiVirus
        Order of operations
        Antivirus tasks
            FortiGuard antivirus
        Antivirus settings and controls
        File Filter
            Built-in patterns and supported file types
            Viewing the file filter list catalog
            Creating a new file filter list
            Viewing the file filter list
            Configuring the file filter list
        File Quarantine
            Viewing the File Quarantine list
            Viewing the AutoSubmit list
            Configuring the AutoSubmit list
            Configuring quarantine options
        Viewing the virus database information
        Viewing and configuring the grayware list
        Antivirus CLI configuration

    Intrusion Protection
        About intrusion protection
        Intrusion Protection settings and controls
            When to use Intrusion Protection
        Signatures
            Viewing the predefined signature list
            Using display filters
        Custom signatures
            Viewing the custom signature list
            Creating custom signatures
        Protocol decoders
            Viewing the protocol decoder list
            Upgrading the IPS protocol decoder list
        IPS sensors
            Viewing the IPS sensor list
            Adding an IPS sensor
            Configuring IPS sensors
            Configuring filters
            Configuring pre-defined and custom overrides
            Packet logging
        DoS sensors
            Viewing the DoS sensor list
            Configuring DoS sensors
            Understanding the anomalies
        Intrusion protection CLI configuration

    Web Filter
        Order of web filtering
        How web filtering works
        Web filter controls
        Web content block
            Viewing the web content block list catalog
            Creating a new web content block list
            Viewing the web content block list
            Configuring the web content block list
            Viewing the web content exempt list catalog
            Creating a new web content exempt list
            Viewing the web content exempt list
            Configuring the web content exempt list
        URL filter
            Viewing the URL filter list catalog
            Creating a new URL filter list
            Viewing the URL filter list
            Configuring the URL filter list
            URL formats
            Moving URLs in the URL filter list
        FortiGuard - Web Filter
            Configuring FortiGuard Web Filtering
            Viewing the override list
            Configuring administrative override rules
            Creating local categories
            Viewing the local ratings list
            Configuring local ratings
            Category block CLI configuration

    Antispam
        Antispam
            Order of spam filtering
            Anti-spam filter controls
        Banned word
            Viewing the banned word list catalog
            Creating a new banned word list
            Viewing the antispam banned word list
            Adding words to the banned word list
        IP address and email address black/white lists
            Viewing the antispam IP address list catalog
            Creating a new antispam IP address list
            Viewing the antispam IP address list
            Adding an antispam IP address
            Viewing the antispam email address list catalog
            Creating a new antispam email address list
            Viewing the antispam email address list
            Configuring the antispam email address list
        Advanced antispam configuration
            config spamfilter mheader
            config spamfilter dnsbl
        Using wildcards and Perl regular expressions
            Perl regular expression formats
            Example regular expressions

    Data Leak Prevention
        DLP Sensors
            Viewing the DLP sensor list
            Adding and configuring a DLP sensor
            Adding or editing a rule in a DLP sensor
        DLP Rules
            Viewing the DLP rule list
            Adding or configuring DLP rules
        DLP Compound Rules
            Viewing the DLP compound rule list
            Adding and configuring DLP compound rules

    Application Control
        What is application control?
        FortiGuard application control database
        Viewing the application control lists
        Creating a new application control list
        Configuring an application control list
        Adding or configuring an application control list entry
        Application control statistics

    IPSec VPN
        Overview of IPSec VPN configuration
        Policy-based versus route-based VPNs
        Auto Key
            Creating a new phase 1 configuration
            Defining phase 1 advanced settings
            Creating a new phase 2 configuration
            Defining phase 2 advanced settings
        Manual Key
            Creating a new manual key configuration
        Internet browsing configuration
        Concentrator
            Defining concentrator options
        Monitoring VPNs

    PPTP VPN
        PPTP configuration using FortiGate web-based manager
        PPTP configuration using CLI commands

    SSL VPN
        ssl.root
        Configuring SSL VPN
        Monitoring SSL VPN sessions
        SSL VPN web portal
        Default web portal configurations
            General tab
            Advanced tab
            Adding and editing widgets
            Session Information widget
            Bookmarks widget
            Connection Tool widget
            Tunnel Mode widget

    User
        Getting started - User authentication
        Local user accounts
            Configuring Local user accounts
        Remote
        RADIUS
            Configuring a RADIUS server
            Dynamically assigning VPN client IP addresses from a RADIUS record
        LDAP
            Configuring an LDAP server
        TACACS+
            Configuring TACACS+ servers
        Directory Service
            Configuring a Directory Service server
        PKI
            Configuring peer users and peer groups
        User Group
            Firewall user groups
            Directory Service user groups
            SSL VPN user groups
            Viewing the User group list
            Configuring a user group
            Configuring FortiGuard Web filtering override options
        Options
        Monitor
            Firewall user monitor list
            IPSEC monitor list
            SSL VPN monitor list
            IM user monitor list
        NAC quarantine and the Banned User list
            NAC quarantine and DLP
            NAC quarantine and DLP replacement messages
            Configuring NAC quarantine
            The Banned User list

    WAN optimization and web caching
        Frequently asked questions about FortiGate WAN optimization
        Overview of FortiGate WAN optimization
            WAN optimization tunnels
            WAN optimization peer authentication
            Authentication Groups
            WAN optimization rules and firewall policies
            WAN optimization Transparent mode
            FortiGate models that support WAN optimization
        Configuring WAN optimization
            How list order affects rule matching
            Moving a rule to a different position in the rule list
        Configuring a WAN optimization rule
        Web caching
            Web cache only topology
            Configuring web cache only WAN optimization
            Configuring client/server (active-passive) web caching
            Configuring peer to peer web caching
        Client/server or active passive WAN optimization
            Configuring client/server (active-passive) WAN optimization
        Peer to peer WAN optimization
            Configuring peer to peer WAN optimization
            About WAN optimization addresses
        Protocol optimization
        Byte caching
        SSL offloading for WAN optimization and web caching
            Example configuration: SSL offloading for a WAN optimization tunnel
            SSL offloading and reverse proxy web caching for an internet web server
        Secure tunnelling
            WAN optimization over IPSec VPN
        WAN optimization with FortiClient
        Configuring WAN optimization storage
            Example WAN optimization iSCSI configuration
            About partition labels
        WAN optimization and HA
        Configuring peers
        Configuring authentication groups
            Details about WAN optimization peer authentication
        Monitoring WAN optimization
        Changing web cache settings

    Endpoint control
        Configuring endpoint control
            Viewing FortiClient required version information
            Configuring FortiClient required version and installer download
            Viewing and configuring the software detection list
        Monitoring endpoints

    Log&Report
        FortiGate logging
        FortiGuard Analysis and Management Service
            FortiGuard Analysis and Management Service portal web site
        Log severity levels
        High Availability cluster logging
        Storing logs
            Logging to a FortiAnalyzer unit
            Connecting to FortiAnalyzer using Automatic Discovery
            Testing the FortiAnalyzer configuration
            Logging to a FortiGuard Analysis server
            Logging to memory
            Logging to a Syslog server
            Logging to WebTrends
        Log types
            Traffic log
            Example configuration: logging all FortiGate traffic
            Event log
            Data Leak Prevention log
            Application Control log
            Antivirus log
            Web filter log
            Spam filter log
            Attack log (IPS)
        Accessing Logs
            Accessing logs stored in memory
            Accessing logs stored on the hard disk
            Accessing logs stored on the FortiAnalyzer unit
            Accessing logs stored on the FortiGuard Analysis server
        Viewing log information
        Customizing the display of log messages
            Column settings
            Filtering log messages
        Content Archive
            Content archiving and data leak prevention
            Configuring spam email message content archiving
            Configuring VoIP content archiving
            Viewing content archives
        Alert Email
            Configuring Alert Email
        Reports
            Viewing basic traffic reports
            FortiAnalyzer report schedules
            Viewing FortiAnalyzer reports
            Printing your FortiAnalyzer report

    Index

    Introduction

    Ranging from the FortiGate-50 series for small businesses to the FortiGate-5000 series for large enterprises, service providers and carriers, the FortiGate line combines the FortiOS security operating system with FortiASIC processors and other hardware to provide a high-performance array of security and networking functions including:

      • firewall, VPN, and traffic shaping
      • Intrusion Prevention system (IPS)
      • antivirus/antispyware/antimalware
      • web filtering
      • antispam
      • application control (for example, IM and P2P)
      • VoIP support (H.323, SIP, and SCCP)
      • Layer 2/3 routing
      • multiple redundant WAN interface options

    FortiGate appliances provide cost-effective, comprehensive protection against network, content, and application-level threats, including complex attacks favored by cybercriminals, without degrading network availability and uptime. FortiGate platforms include sophisticated networking features, such as high availability (active/active, active/passive) for maximum network uptime, and virtual domain capabilities to separate various networks requiring different security policies.

    This chapter contains the following sections:

      • Fortinet products
      • About this document
      • Document conventions
      • Registering your Fortinet product
      • Customer service and technical support
      • Fortinet documentation

    Fortinet products

    Fortinet's portfolio of security gateways and complementary products offers a powerful blend of ASIC-accelerated performance, integrated multi-threat protection, and constantly updated, in-depth threat intelligence. This unique combination delivers network, content, and application security for enterprises of all sizes, managed service providers, and telecommunications carriers, while providing a flexible, scalable path for expansion. For more information on the Fortinet product family, go to www.fortinet.com/products.

    About this document

    This FortiGate Version 4.0 Administration Guide provides detailed information for system administrators about FortiGate web-based manager and FortiOS options and how to use them. This guide also contains some information about the FortiGate CLI.

    This section of the guide contains a brief explanation of the structure of the guide, and gives an overview of each chapter.

    The administration guide describes web-based manager functions in the same order as the web-based manager (or GUI) menu. The document begins with several chapters that provide an overview to help you start using the product: the FortiGate web-based manager, System Status, Managing Firmware, and Using virtual domains. Following these chapters, each item in the System, Router, Firewall, UTM, and VPN menus gets a separate chapter. Then User, WAN optimization, Endpoint Control, and Log&Report are all described in single chapters. The document concludes with a detailed index.

    VDOM and Global icons appear in this administration guide to indicate that a chapter or section is part of either the VDOM or Global configuration. VDOM and Global configuration settings apply only to a FortiGate unit operating with virtual domains enabled. No distinction is made between these configuration settings when virtual domains are not enabled.

    The most recent version of this document is available from the FortiGate page of the Fortinet Technical Documentation web site. The information in this document is also available in a slightly different form as FortiGate web-based manager online help.

    You can also find more information about FortiOS from the same FortiGate page, as well as from the Fortinet Knowledge Center.

    This administration guide contains the following chapters:

      • What's new in FortiOS 4.0 lists and describes some of the new features and changes in FortiOS Version 4.0.
      • Web-based manager introduces the features of the FortiGate web-based manager, and explains how to connect to it. It also includes information about how to use the web-based manager online help.
      • System Status describes the System Status page, the dashboard of your FortiGate unit. At a glance you can view the current system status of the FortiGate unit including serial number, uptime, FortiGuard license information, system resource usage, alert messages and network statistics. You can also access the CLI from this page. This section also describes status changes that you can make, including changing the unit firmware, host name, and system time. Finally this section describes the topology viewer that is available on all FortiGate models except those with model numbers 50 and 60.
      • Managing firmware versions describes upgrading and managing firmware versions. You should review this section before upgrading your FortiGate firmware because it contains important information about how to