FortiGate Version 4.0
Administration Guide
Visit http://support.fortinet.com to register your FortiGate product. By registering you can receive product updates, technical support, and FortiGuard services.
FortiGate Administration Guide
Version 4.0
24 April 2009
01-400-89802-20090424
Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Introduction
  Fortinet products
  About this document
  Document conventions
    IP addresses
    CLI constraints
    Cautions, Notes and Tips
    Typographical conventions
  Registering your Fortinet product
  Customer service and technical support
  Training
  Fortinet documentation
    Tools and Documentation CD
    Fortinet Knowledge Center
    Comments on Fortinet technical documentation
What's new in FortiOS 4.0
  FortiOS 4.0 FortiGate models and features supported
  UTM features grouped under new UTM menu
  Data Leak Prevention
  Application Control
  SSL content scanning and inspection
  WAN Optimization
  Endpoint control
  Network Access Control (NAC) quarantine
  IPS extensions
    DoS policies for applying IPS sensors
    NAC quarantine in DoS Sensors
    Adding IPS sensors to a DoS policy from the CLI
    One-arm IDS (sniffer mode)
    IPS interface policies for IPv6
    IPS Packet Logging
  Enhanced Antispam Engine (ASE)
  WCCP v2 support
  Any interface for firewall policies
  Global view of firewall policies
  Identity-based firewall policies
  Web filtering HTTP upload enhancements
FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ Feedback
  Traffic shaping enhancements
  Firewall load balancing virtual IP changes
    User session persistence
    Health Check Monitor
    Load balancing server monitor
  Per-firewall policy session TTL
  Gratuitous ARP for virtual IPs
  Changes to protection profiles
  Changes to content archiving
  Customizable web-based manager pages
  Administration over modem
  Auto-bypass and recovery for AMC bridge module
  Rogue Wireless Access Point detection
  Configurable VDOM and global resource limits
  User authentication monitor
  OCSP and SCEP certificate over HTTPS
  Adding non-standard ports for firewall authentication
  Dynamically assigning VPN client IP addresses from a RADIUS record
  DHCP over route-based IPSec VPNs
  SNMP upgraded to v3.0
  File Quarantine
  Customizable SSL VPN web portals
  Logging improvements
  Web filtering HTTP POST traffic (blocking or comforting HTTP post traffic)
Web-based manager
  Common web-based manager tasks
    Connecting to the web-based manager
    Changing your FortiGate administrator password
    Changing the web-based manager language
    Changing administrative access to your FortiGate unit
    Changing the web-based manager idle timeout
    Connecting to the FortiGate CLI from the web-based manager
  Button bar features
  Contacting Customer Support
  Backing up your FortiGate configuration
  Using FortiGate Online Help
    Searching the online help
  Logging out
  Web-based manager pages
    Using the web-based manager menu
    Using web-based manager lists
    Adding filters to web-based manager lists
    Using page controls on web-based manager lists
    Using column settings to control the columns displayed
    Using filters with column settings
  Web-based manager icons
System Status
  Status page
    Viewing system status
  Changing system information
    Configuring system time
    Changing the FortiGate unit host name
  Changing the FortiGate firmware
    Upgrading to a new firmware version
    Reverting to a previous firmware version
  Viewing operational history
  Manually updating FortiGuard definitions
  Viewing Statistics
    Viewing the session list
    Viewing Content Archive information on the Statistics widget
    Viewing the Attack Log
  Topology
    Adding a subnet object
    Customizing the topology diagram
Managing firmware versions
  Backing up your configuration
    Backing up your configuration through the web-based manager
    Backing up your configuration through the CLI
    Backing up your configuration to a USB key
  Testing firmware before upgrading
  Upgrading your FortiGate unit
    Upgrading to FortiOS 4.0 through the web-based manager
    Upgrading to FortiOS 4.0 through the CLI
    Verifying the upgrade
  Reverting to a previous firmware image
    Downgrading to a previous firmware through the web-based manager
    Verifying the downgrade
    Downgrading to a previous firmware through the CLI
  Restoring your configuration
    Restoring your configuration settings in the web-based manager
    Restoring your configuration settings in the CLI
Using virtual domains
  Virtual domains
    Benefits of VDOMs
    VDOM configuration settings
    Global configuration settings
  Enabling VDOMs
  Configuring VDOMs and global settings
    VDOM licenses
    Creating a new VDOM
    Working with VDOMs and global settings
    Adding interfaces to a VDOM
    Inter-VDOM links
    Assigning an interface to a VDOM
    Assigning an administrator to a VDOM
    Changing the management VDOM
  Configuring global and VDOM resource limits
    VDOM resource limits
    Global resource limits
System Network
  Interfaces
    Switch Mode
    Interface settings
    Creating an 802.3ad aggregate interface
    Creating a redundant interface
    Configuring DHCP on an interface
    Configuring an interface for PPPoE
    Configuring Dynamic DNS on an interface
    Configuring a virtual IPSec interface
    Configuring interfaces with CLI commands
    Administrative access to an interface
    Interface MTU packet size
    Secondary IP Addresses
  Configuring zones
  Configuring the modem interface
    Configuring modem settings
    Redundant mode configuration
    Standalone mode configuration
    Adding firewall policies for modem connections
    Connecting and disconnecting the modem
    Checking modem status
  Configuring Networking Options
    DNS Servers
    Dead gateway detection
  Web Proxy
  Routing table (Transparent Mode)
    Transparent mode route settings
  VLAN overview
    FortiGate units and VLANs
  VLANs in NAT/Route mode
    Rules for VLAN IDs
    Rules for VLAN IP addresses
    Adding VLAN subinterfaces
  VLANs in Transparent mode
    Rules for VLAN IDs
    Transparent mode virtual domains and VLANs
    Troubleshooting ARP Issues
System Wireless
  FortiWiFi wireless interfaces
  Channel assignments
    IEEE 802.11a channel numbers
    IEEE 802.11b channel numbers
    IEEE 802.11g channel numbers
  Wireless settings
    Adding a wireless interface
  Wireless MAC Filter
    Managing the MAC Filter list
  Wireless Monitor
  Rogue AP detection
    Viewing wireless access points
System DHCP
  FortiGate DHCP servers and relays
  Configuring DHCP services
    Configuring an interface as a DHCP relay agent
    Configuring a DHCP server
  Viewing address leases
    Reserving IP addresses for specific clients
System Config
  HA
    HA options
    Cluster members list
    Viewing HA statistics
    Changing subordinate unit host name and device priority
    Disconnecting a cluster unit from a cluster
  SNMP
    Configuring SNMP
    Configuring an SNMP community
    Fortinet MIBs
    Fortinet and FortiGate traps
    Fortinet and FortiGate MIB fields
  Replacement messages
    Replacement messages list
    Changing replacement messages
    Mail replacement messages
    HTTP replacement messages
    FTP replacement messages
    NNTP replacement messages
    Alert Mail replacement messages
    Spam replacement messages
    Administration replacement message
    Authentication replacement messages
    FortiGuard Web Filtering replacement messages
    IM and P2P replacement messages
    Endpoint control replacement message
    NAC quarantine replacement messages
    SSL VPN replacement message
    Replacement message tags
  Operation mode and VDOM management access
    Changing operation mode
    Management access
System Admin
  Administrators
    Viewing the administrators list
    Configuring an administrator account
    Configuring regular (password) authentication for administrators
    Configuring remote authentication for administrators
    Configuring PKI certificate authentication for administrators
  Admin profiles
    Viewing the admin profiles list
    Configuring an admin profile
  Central Management
  Settings
  Monitoring administrators
  FortiGate IPv6 support
  Customizable web-based manager
System Certificates
  Local Certificates
    Generating a certificate request
    Downloading and submitting a certificate request
    Importing a signed server certificate
    Importing an exported server certificate and private key
    Importing separate server certificate and private key files
  Remote Certificates
    Importing Remote (OCSP) certificates
  CA Certificates
    Importing CA certificates
  CRL
    Importing a certificate revocation list
System Maintenance
  About the Maintenance menu
  Backing up and restoring
    Basic backup and restore options
    Upgrading and downgrading firmware
    Upgrading and downgrading firmware through FortiGuard
    Configuring advanced options
  Managing configuration revisions
  Using script files
    Creating script files
    Uploading script files
  Configuring FortiGuard Services
    FortiGuard Distribution Network
    FortiGuard services
    Configuring the FortiGate unit for FDN and FortiGuard subscription services
  Troubleshooting FDN connectivity
  Updating antivirus and attack definitions
  Enabling push updates
    Enabling push updates when a FortiGate unit IP address changes
    Enabling push updates through a NAT device
  Adding VDOM Licenses
Router Static
  Routing concepts
    How the routing table is built
    How routing decisions are made
    Multipath routing and determining the best route
    Route priority
    Blackhole Route
  Static Route
    Working with static routes
    Default route and default gateway
    Adding a static route to the routing table
  Policy Route
    Adding a policy route
    Moving a policy route
Router Dynamic
  RIP
    Viewing and editing basic RIP settings
    Selecting advanced RIP options
    Configuring a RIP-enabled interface
  OSPF
    Defining an OSPF AS - Overview
    Configuring basic OSPF settings
    Selecting advanced OSPF options
    Defining OSPF areas
    Specifying OSPF networks
    Selecting operating parameters for an OSPF interface
  BGP
    Viewing and editing BGP settings
  Multicast
    Viewing and editing multicast settings
    Overriding the multicast settings on an interface
    Multicast destination NAT
  Bi-directional Forwarding Detection (BFD)
    Configuring BFD
  Customizable routing widgets
    Access List
    Distribute List
    Key Chain
    Offset List
    Prefix List
    Route Map
Router Monitor
  Viewing routing information
  Searching the FortiGate routing table
Firewall Policy
  How list order affects policy matching
    Moving a policy to a different position in the policy list
  Multicast policies
  Viewing the firewall policy list
  Configuring firewall policies
    Adding authentication to firewall policies
    Identity-based firewall policy options (non-SSL-VPN)
    IPSec firewall policy options
    Configuring SSL VPN identity-based firewall policies
    Endpoint Compliance Check options
  DoS policies
    Viewing the DoS policy list
    Configuring DoS policies
  Firewall policy examples
    Scenario one: SOHO-sized business
    Scenario two: enterprise-sized business
Firewall Address
  About firewall addresses
  Viewing the firewall address list
  Configuring addresses
  Viewing the address group list
  Configuring address groups
Firewall Service
  Viewing the predefined service list
  Viewing the custom service list
  Configuring custom services
  Viewing the service group list
  Configuring service groups
Firewall Schedule
  Viewing the recurring schedule list
  Configuring recurring schedules
  Viewing the one-time schedule list
  Configuring one-time schedules
Firewall Virtual IP
  How virtual IPs map connections through FortiGate units
    Inbound connections
    Outbound connections
    VIP requirements
  Viewing the virtual IP list
  Configuring virtual IPs
    Adding a static NAT virtual IP for a single IP address
    Adding a static NAT virtual IP for an IP address range
    Adding static NAT port forwarding for a single IP address and a single port
    Adding static NAT port forwarding for an IP address range and a port range
    Adding dynamic virtual IPs
    Adding a virtual IP with port translation only
  Virtual IP Groups
  Viewing the VIP group list
  Configuring VIP groups
  IP pools
    IP pools and dynamic NAT
    IP Pools for firewall policies that use fixed ports
    Source IP address and IP pool address matching
  Viewing the IP pool list
  Configuring IP Pools
  Double NAT: combining IP pool with virtual IP
  Adding NAT firewall policies in transparent mode
Firewall Load Balance
  How load balancer works
  Configuring virtual servers
  Configuring real servers
  Configuring health check monitors
  Monitoring the servers
Firewall Protection Profile
  What is a protection profile?
  Adding a protection profile to a firewall policy
  Default protection profiles
  Viewing the protection profile list
  SSL content scanning and inspection
    Supported FortiGate models
    Setting up certificates to avoid client warnings
    Configuring SSL content scanning and inspection
  Configuring a protection profile
    Protocol recognition options
    Anti-Virus options
    IPS options
    Web Filtering options
    FortiGuard Web Filtering options
    Spam Filtering options
    Data Leak Prevention Sensor options
    Application Control options
    Logging options
Traffic Shaping
  Guaranteed bandwidth and maximum bandwidth
  Traffic priority
  Traffic shaping considerations
  Configuring traffic shaping
SIP support
  VoIP and SIP
  The FortiGate unit and VoIP security
    SIP NAT
  How SIP support works
  Configuring SIP
    Enabling SIP support and setting rate limiting from the web-based manager
    Enabling SIP support from the CLI
    Enabling SIP logging
    Enabling advanced SIP features in an application list
AntiVirus
  Order of operations
  Antivirus tasks
    FortiGuard antivirus
  Antivirus settings and controls
  File Filter
    Built-in patterns and supported file types
    Viewing the file filter list catalog
    Creating a new file filter list
    Viewing the file filter list
    Configuring the file filter list
  File Quarantine
    Viewing the File Quarantine list
    Viewing the AutoSubmit list
    Configuring the AutoSubmit list
    Configuring quarantine options
  Viewing the virus database information
  Viewing and configuring the grayware list
  Antivirus CLI configuration
Intrusion Protection
  About intrusion protection
  Intrusion Protection settings and controls
    When to use Intrusion Protection
  Signatures
    Viewing the predefined signature list
    Using display filters
  Custom signatures
    Viewing the custom signature list
    Creating custom signatures
  Protocol decoders
    Viewing the protocol decoder list
    Upgrading the IPS protocol decoder list
  IPS sensors
    Viewing the IPS sensor list
    Adding an IPS sensor
    Configuring IPS sensors
    Configuring filters
    Configuring pre-defined and custom overrides
    Packet logging
  DoS sensors
    Viewing the DoS sensor list
    Configuring DoS sensors
    Understanding the anomalies
  Intrusion protection CLI configuration
Web Filter
  Order of web filtering
  How web filtering works
  Web filter controls
  Web content block
    Viewing the web content block list catalog
    Creating a new web content block list
    Viewing the web content block list
    Configuring the web content block list
    Viewing the web content exempt list catalog
    Creating a new web content exempt list
    Viewing the web content exempt list
    Configuring the web content exempt list
  URL filter
    Viewing the URL filter list catalog
    Creating a new URL filter list
    Viewing the URL filter list
    Configuring the URL filter list
    URL formats
    Moving URLs in the URL filter list
  FortiGuard - Web Filter
    Configuring FortiGuard Web Filtering
    Viewing the override list
    Configuring administrative override rules
    Creating local categories
    Viewing the local ratings list
    Configuring local ratings
    Category block CLI configuration
Antispam
  Antispam
    Order of spam filtering
    Anti-spam filter controls
  Banned word
    Viewing the banned word list catalog
    Creating a new banned word list
    Viewing the antispam banned word list
    Adding words to the banned word list
  IP address and email address black/white lists
    Viewing the antispam IP address list catalog
    Creating a new antispam IP address list
    Viewing the antispam IP address list
    Adding an antispam IP address
    Viewing the antispam email address list catalog
    Creating a new antispam email address list
    Viewing the antispam email address list
    Configuring the antispam email address list
  Advanced antispam configuration
    config spamfilter mheader
    config spamfilter dnsbl
  Using wildcards and Perl regular expressions
    Perl regular expression formats
    Example regular expressions
Data Leak Prevention
  DLP Sensors
    Viewing the DLP sensor list
    Adding and configuring a DLP sensor
    Adding or editing a rule in a DLP sensor
  DLP Rules
    Viewing the DLP rule list
    Adding or configuring DLP rules
  DLP Compound Rules
    Viewing the DLP compound rule list
    Adding and configuring DLP compound rules
Application Control
  What is application control?
  FortiGuard application control database
  Viewing the application control lists
  Creating a new application control list
  Configuring an application control list
  Adding or configuring an application control list entry
  Application control statistics
IPSec VPN
  Overview of IPSec VPN configuration
  Policy-based versus route-based VPNs
  Auto Key
    Creating a new phase 1 configuration
    Defining phase 1 advanced settings
    Creating a new phase 2 configuration
    Defining phase 2 advanced settings
  Manual Key
    Creating a new manual key configuration
  Internet browsing configuration
  Concentrator
    Defining concentrator options
  Monitoring VPNs
PPTP VPN
  PPTP configuration using FortiGate web-based manager
  PPTP configuration using CLI commands
SSL VPN
  ssl.root
  Configuring SSL VPN
  Monitoring SSL VPN sessions
  SSL VPN web portal
  Default web portal configurations
    General tab
    Advanced tab
    Adding and editing widgets
    Session Information widget
    Bookmarks widget
    Connection Tool widget
    Tunnel Mode widget
User
  Getting started - User authentication
  Local user accounts
    Configuring Local user accounts
  Remote
  RADIUS
    Configuring a RADIUS server
    Dynamically assigning VPN client IP addresses from a RADIUS record
  LDAP
    Configuring an LDAP server
  TACACS+
    Configuring TACACS+ servers
  Directory Service
    Configuring a Directory Service server
  PKI
    Configuring peer users and peer groups
  User Group
    Firewall user groups
    Directory Service user groups
    SSL VPN user groups
    Viewing the User group list
    Configuring a user group
    Configuring FortiGuard Web filtering override options
  Options
  Monitor
    Firewall user monitor list
    IPSEC monitor list
    SSL VPN monitor list
    IM user monitor list
  NAC quarantine and the Banned User list
    NAC quarantine and DLP
    NAC quarantine and DLP replacement messages
    Configuring NAC quarantine
    The Banned User list
WAN optimization and web caching
  Frequently asked questions about FortiGate WAN optimization
  Overview of FortiGate WAN optimization
    WAN optimization tunnels
    WAN optimization peer authentication
    Authentication Groups
    WAN optimization rules and firewall policies
    WAN optimization Transparent mode
    FortiGate models that support WAN optimization
  Configuring WAN optimization
    How list order affects rule matching
    Moving a rule to a different position in the rule list
  Configuring a WAN optimization rule
  Web caching
    Web cache only topology
    Configuring web cache only WAN optimization
    Configuring client/server (active-passive) web caching
    Configuring peer to peer web caching
  Client/server or active passive WAN optimization
    Configuring client/server (active-passive) WAN optimization
  Peer to peer WAN optimization
    Configuring peer to peer WAN optimization
    About WAN optimization addresses
  Protocol optimization
  Byte caching
  SSL offloading for WAN optimization and web caching
    Example configuration: SSL offloading for a WAN optimization tunnel
    SSL offloading and reverse proxy web caching for an internet web server
  Secure tunnelling
    WAN optimization over IPSec VPN
  WAN optimization with FortiClient
  Configuring WAN optimization storage
    Example WAN optimization iSCSI configuration
    About partition labels
  WAN optimization and HA
  Configuring peers
  Configuring authentication groups
    Details about WAN optimization peer authentication
  Monitoring WAN optimization
  Changing web cache settings
Endpoint control
  Configuring endpoint control
  Viewing FortiClient required version information
    Configuring FortiClient required version and installer download
    Viewing and configuring the software detection list
  Monitoring endpoints
Log&Report
  FortiGate logging
  FortiGuard Analysis and Management Service
    FortiGuard Analysis and Management Service portal web site
  Log severity levels
  High Availability cluster logging
  Storing logs
    Logging to a FortiAnalyzer unit
    Connecting to FortiAnalyzer using Automatic Discovery
    Testing the FortiAnalyzer configuration
    Logging to a FortiGuard Analysis server
    Logging to memory
    Logging to a Syslog server
    Logging to WebTrends
  Log types
    Traffic log
    Example configuration: logging all FortiGate traffic
    Event log
    Data Leak Prevention log
    Application Control log
    Antivirus log
    Web filter log
    Spam filter log
    Attack log (IPS)
  Accessing Logs
    Accessing logs stored in memory
    Accessing logs stored on the hard disk
    Accessing logs stored on the FortiAnalyzer unit
    Accessing logs stored on the FortiGuard Analysis server
  Viewing log information
  Customizing the display of log messages
    Column settings
    Filtering log messages
  Content Archive
    Content archiving and data leak prevention
    Configuring spam email message content archiving
    Configuring VoIP content archiving
    Viewing content archives
  Alert Email
    Configuring Alert Email
  Reports
    Viewing basic traffic reports
    FortiAnalyzer report schedules
    Viewing FortiAnalyzer reports
    Printing your FortiAnalyzer report
Index
Introduction

Ranging from the FortiGate-50 series for small businesses to the FortiGate-5000 series for large enterprises, service providers and carriers, the FortiGate line combines the FortiOS security operating system with FortiASIC processors and other hardware to provide a high-performance array of security and networking functions including:

• firewall, VPN, and traffic shaping
• Intrusion Prevention system (IPS)
• antivirus/antispyware/antimalware
• web filtering
• antispam
• application control (for example, IM and P2P)
• VoIP support (H.323, SIP, and SCCP)
• Layer 2/3 routing
• multiple redundant WAN interface options

FortiGate appliances provide cost-effective, comprehensive protection against network, content, and application-level threats, including complex attacks favored by cybercriminals, without degrading network availability and uptime. FortiGate platforms include sophisticated networking features, such as high availability (active/active, active/passive) for maximum network uptime, and virtual domain capabilities to separate various networks requiring different security policies.

This chapter contains the following sections:

• Fortinet products
• About this document
• Document conventions
• Registering your Fortinet product
• Customer service and technical support
• Fortinet documentation
Fortinet products

Fortinet's portfolio of security gateways and complementary products offers a powerful blend of ASIC-accelerated performance, integrated multi-threat protection, and constantly updated, in-depth threat intelligence. This unique combination delivers network, content, and application security for enterprises of all sizes, managed service providers, and telecommunications carriers, while providing a flexible, scalable path for expansion. For more information on the Fortinet product family, go to www.fortinet.com/products.
About this document

This FortiGate Version 4.0 Administration Guide provides detailed information for system administrators about FortiGate web-based manager and FortiOS options and how to use them. This guide also contains some information about the FortiGate CLI.
This section of the guide contains a brief explanation of the structure of the guide, and gives an overview of each chapter.

The administration guide describes web-based manager functions in the same order as the web-based manager (or GUI) menu. The document begins with several chapters that provide an overview to help you start using the product: the FortiGate web-based manager, System Status, Managing Firmware, and Using virtual domains. Following these chapters, each item in the System, Router, Firewall, UTM, and VPN menus gets a separate chapter. Then User, WAN optimization, Endpoint Control, and Log&Report are all described in single chapters. The document concludes with a detailed index.

VDOM and Global icons appear in this administration guide to indicate that a chapter or section is part of either the VDOM or Global configuration. VDOM and Global configuration settings apply only to a FortiGate unit operating with virtual domains enabled. No distinction is made between these configuration settings when virtual domains are not enabled.

The most recent version of this document is available from the FortiGate page of the Fortinet Technical Documentation web site. The information in this document is also available in a slightly different form as FortiGate web-based manager online help.

You can also find more information about FortiOS from the same FortiGate page, as well as from the Fortinet Knowledge Center.

This administration guide contains the following chapters:

• What's new in FortiOS 4.0 lists and describes some of the new features and changes in FortiOS Version 4.0.
• Web-based manager introduces the features of the FortiGate web-based manager, and explains how to connect to it. It also includes information about how to use the web-based manager online help.
• System Status describes the System Status page, the dashboard of your FortiGate unit. At a glance you can view the current system status of the FortiGate unit including serial number, uptime, FortiGuard license information, system resource usage, alert messages and network statistics. You can also access the CLI from this page. This section also describes status changes that you can make, including changing the unit firmware, host name, and system time. Finally this section describes the topology viewer that is available on all FortiGate models except those with model numbers 50 and 60.
• Managing firmware versions describes upgrading and managing firmware versions. You should review this section before upgrading your FortiGate firmware because it contains important information about how to