Fortigate cook book v5

Fortinet Publishing
The FortiGate Cookbook, FortiOS 5.0
A Practical Guide to Getting the Best from Your FortiGate

FortiGate Cookbook 5.0, Volume 1
A Practical Guide to Getting the Best from Your FortiGate
FortiOS 5.0.1
15 January 2013
01-501-153797-20130115

Copyright © 2013 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Visit these links for more information and documentation for your Fortinet products:
Fortinet Knowledge Base - http://kb.fortinet.com
Technical Documentation - http://docs.fortinet.com
Training Services - http://campus.training.fortinet.com
Technical Support - http://support.fortinet.com

You can report errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.
Contents

Introduction ... 6
  About FortiGate ... 7
  Administrative interfaces ... 8
  Revision History ... 9
  Registering your Fortinet product ... 9
  For more information ... 9

Installing and setup of a new FortiGate unit ... 11
  Connecting a private network to the Internet in NAT/Route mode ... 12
  Connecting a private network to the Internet in one step ... 16
  Troubleshooting NAT/Route mode installations ... 20
  Inserting a FortiGate unit into a network without changing the network configuration (transparent mode) ... 23
  Troubleshooting transparent mode installations ... 26
  Verifying the current firmware version and upgrading ... 29
  Setting up and troubleshooting FortiGuard services ... 32
  Setting up an administrator account on the FortiGate unit ... 36

Advanced FortiGate installation and setup ... 40
  Connecting to two ISPs for redundant Internet connections ... 41
  Using a modem as a redundant Internet connection ... 49
  Distributing sessions between dual redundant Internet connections with usage-based ECMP ... 54
  Protecting a web server on a DMZ network ... 57
  Protecting an email server with a FortiGate unit without changing the network (transparent mode) ... 66
  Using port pairing to simplify a transparent mode installation ... 73
  Connecting networks without translating addresses (FortiGate unit in Route mode) ... 77
  Setting up the explicit web proxy for users on a private network ... 82
  Setting up web caching of Internet content for users on a private network ... 84
  Employing high availability to improve network reliability ... 86
  Upgrading the firmware installed on a FortiGate HA cluster ... 91
  Connecting multiple networks to a FortiGate interface using virtual LANs ... 94
  Using Virtual Domains to host more than one FortiOS instance on a single FortiGate unit ... 99
  Setting up an administrator account for monitoring firewall activity and basic maintenance ... 106
  Enhancing FortiGate Security ... 109
  Creating a local DNS server listing for internal sites and servers ... 114
  Using a MAC address to reserve an IP address using DHCP ... 116
  Setting up the FortiGate unit to send SNMP traps ... 118
  Troubleshooting by sniffing packets (packet capture) ... 121
  Advanced troubleshooting by sniffing packets (packet capture) ... 126
  Debugging FortiGate configurations ... 131
  Quick reference to common diagnose commands ... 135

Wireless Networking ... 138
  Setting up secure WiFi access on your FortiWiFi unit ... 139
  Setting up secure WiFi on your FortiGate unit using FortiAP ... 142
  Improving WiFi security with WPA-Enterprise security ... 147
  Setting up secure WiFi with RADIUS ... 152
  Setting up secure WiFi with a captive portal ... 157
  Sharing the same subnet for WiFi and wired clients ... 162
  Setting up a WiFi network with an external DHCP server ... 166
  Authenticating WiFi users with Windows AD ... 170

Using security policies and firewall objects ... 177
  Limiting employees' Internet access ... 181
  Restricting Internet access per IP address ... 185
  Excluding selected users from UTM filtering ... 189
  Verifying that traffic is accepted by a security policy ... 192
  Arranging security policies in the correct order ... 197
  Allowing DNS queries to only one approved DNS server ... 200
  Extending AirPlay and AirPrint communication through a FortiWiFi unit ... 204
  Ensuring sufficient and consistent bandwidth for VoIP traffic ... 214
  Using geographic addresses ... 220
  Providing Internet access for your private network users (static source NAT) ... 223
  Providing Internet access for a private network with multiple Internet addresses (dynamic source NAT) ... 226
  Dynamic source NAT without changing the source port (one-to-one source NAT) ... 229
  Dynamic source NAT using the central NAT table ... 232
  Allowing access to a web server on an internal network when you only have one Internet IP address ... 236
  Allowing Internet access to a web server on a protected network when you only have one Internet IP address, using port translation ... 239
  Allowing Internet access to a web server on a protected network when you have an IP address for the web server ... 242
  Configuring port forwarding to open ports on a FortiGate unit ... 245
  Dynamic destination NAT for a range of IP addresses ... 249

UTM Profiles ... 252
  Protecting your network from viruses ... 254
  Protecting your network against grayware ... 257
  Protecting your network against legacy viruses ... 258
  Changing the maximum file size that the AV scanner examines ... 260
  Blocking files that are too large to scan for viruses ... 262
  Improving FortiGate performance with flow-based UTM scanning ... 263
  Limiting the types of web sites your users can visit ... 265
  Overriding FortiGuard web filtering for selected users ... 267
  Prevent offensive search results in Google, Bing and Yahoo ... 269
  Finding the FortiGuard web filter category of a URL ... 270
  Listing the web sites your users have visited ... 271
  Using FortiGuard web filtering to block access to web proxies ... 273
  Blocking access to streaming media using web filtering ... 274
  Blocking access to specific web sites ... 275
  Blocking all web sites except those you specify using a whitelist ... 277
  Configuring FortiGuard web filtering to check IP addresses as well as URLs ... 279
  Configuring FortiGuard web filtering to check images and URLs ... 281
  Applying ratings to HTTP redirects ... 282
  Visualizing the applications on your network ... 283
  Preventing the use of instant messaging clients ... 285
  Blocking access to social media web sites ... 286
  Blocking peer-to-peer file sharing ... 287
  Using IPS to protect a web server ... 289
  Configuring IPS to stop traffic if the scanner fails ... 291
  Protecting against denial of service (DoS) attacks ... 292
  Filtering incoming spam ... 294
  Use DLP to track credit card and personal information in HTTP traffic ... 295
  Using the FortiGate vulnerability scanner to check your network ... 297

SSL VPN ... 300
  Setting up remote web browsing for internal sites through SSL VPN ... 301
  Using SSL VPN to provide protected Internet access for remote users ... 306
  SSL VPN split tunneling: Using SSL VPN to provide protected Internet access and access to office servers for remote users ... 309
  Verifying that SSL VPN users have the most recent AV software before they can log into the SSL VPN ... 313

IPsec VPN ... 315
  Protecting communication between offices across the Internet using IPsec VPN ... 316
  Using FortiClient VPN for secure remote access to an office network ... 321
  IPsec VPN for a secure connection using an iPhone ... 327
  IPsec VPN for a secure connection using an Android device ... 333
  Using the FortiGate FortiClient VPN Wizard to set up a VPN to a private network ... 338
  Redundant OSPF routing over IPsec VPN ... 343

Authentication ... 350
  Creating a security policy to identify users ... 351
  Identify users and restrict access to websites by category ... 354
  Configuring FSSO for single sign-on user access in a Windows AD environment ... 357
  Authenticating with FortiAuthenticator ... 360
  Stopping the "Connection is untrusted" message ... 363

Logging and Reporting ... 365
  Understanding log messages ... 366
  Creating a backup log solution ... 371
  Alert email notification of SSL VPN login failures ... 373
  Testing the log configuration ... 375

Index ... 377
Introduction

The FortiGate Cookbook provides administrators who are new to FortiGate appliances with examples of how to implement many basic and advanced FortiGate configurations. FortiGate products offer administrators a wealth of features and functions for securing their networks, but to cover the entire scope of configuration possibilities would easily surpass the limits set forth for this book. Fortunately, much more information can be obtained in the FortiOS Handbook. The latest version is available from the Fortinet Technical Documentation website (http://docs.fortinet.com) and is also accessible as FortiGate online help.

[Figure: FortiGate unit in NAT/Route mode, applying NAT between a private internal network (192.168.1.0/255.255.255.0, internal interface 192.168.1.99) and the Internet (wan1 172.20.120.14, gateway 172.20.120.2).]

This cookbook contains a series of sections (or recipes) that describe how to solve problems. Each section begins with a description of the problem and is followed by a step-by-step solution. Most sections conclude with results that describe how to verify that the problem was successfully resolved. Many sections also contain troubleshooting information, best practices and additional details about the FortiGate features used to solve the problem. Scattered throughout this document you will also find dedicated troubleshooting sections and sections that describe FortiGate troubleshooting features such as the packet sniffer and the diagnose debug command.

This FortiGate Cookbook was written for FortiOS 5.0 patch 1 (FortiOS 5.0.1). A PDF copy of this document is available from the FortiGate Cookbook website (http://docs.fortinet.com/cookbook.html). You can send comments about this document and ideas for new recipes to techdoc@fortinet.com. New recipes may be published on the FortiGate Cookbook website and added to future versions of the cookbook.
About the IP addresses used in the cookbook

To avoid publishing public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918. Most of the examples in this document use addresses beginning with 192, 172, or 10, the non-public ranges covered in RFC 1918. In most of the examples in this cookbook, the 172.20.120.0 network stands in for the Internet.

About FortiGate

A FortiGate appliance represents the latest response to the ever-changing Internet security threat landscape. You already know quite well how Internet security covers a wide range of disciplines across a broad set of services, protocols and network topologies. The FortiGate appliance is designed specifically to cover a wide range of solutions for your networking requirements, from the smallest office to the largest Internet service provider. Comprising custom-designed silicon and a dedicated operating system, the combination of FortiGate, FortiASIC and FortiOS provides solutions that scale from the smallest office to the largest Internet service provider.

[Figure: FortiGate unit applying application control to an internal network.]

The FortiOS feature set is constantly evolving and today provides both IPv6 and IPv4 protection, high availability, a full suite of dynamic routing protocols, traffic shaping, IPsec and SSL VPN, user authentication, WAN optimization, and secure WiFi. UTM has been extended beyond virus scanning and web filtering to include intrusion protection, application control, endpoint security, and data leak prevention. Application control, combined with a whole host of monitoring functions and network vulnerability scanning, provides a complete and detailed picture of the traffic on your networks, allowing you to detect and isolate threats before they happen and to take action to control traffic as it passes through your network.
The advanced capabilities of your FortiGate appliance require an equally advanced and global presence to ensure as complete a defence as possible. Updated many times a day, the FortiGuard network provides a series of databases that are either installed directly or queried on demand to realize the goal of complete content protection. Whether you are scanning for hundreds of thousands of viruses, checking millions of URLs, or looking for the next spam outbreak, FortiGuard is the place to turn.

To ease the introduction of your new FortiGate units, they have been designed to operate in what we call NAT/Route mode or Transparent mode.

In NAT/Route mode the FortiGate unit functions as a router connecting two or more different networks together. Using static and advanced dynamic routing, the FortiGate unit routes packets between its attached networks. You can also use security policies and firewall objects to apply network address translation (NAT) to traffic as it passes back and forth between different networks. NAT hides addresses on private networks to improve security and also simplifies routing between networks.

In Transparent mode the FortiGate unit is installed in a network transparently at layer 3, without changing the IP addressing of the network in any way. Its presence on the network is restricted to a single management IP address. In Transparent mode, traffic can pass through the FortiGate unit without any address translation or routing taking place.

Administrative interfaces

A full set of options is available to configure and manage FortiGate units, including the web-based manager for visual management, the CLI for command-line-based management, and FortiExplorer, which allows management over a USB connection.

Web-based Manager

Also called the Web Interface or Web UI, the FortiGate web-based manager is an advanced point-and-click, drag-and-drop interface that provides quick access to most FortiGate configuration settings and includes a configuration wizard and complementary visual monitoring and management tools. Using the web-based manager you can, for example, add a security policy to monitor application activity on a network, view the results of this application monitoring policy, and then add additional policies or change the existing policy to block or limit the traffic produced by some applications.

The web-based manager also provides a wide range of monitoring and reporting tools that provide detailed information about traffic and events on the FortiGate unit. All aspects of FortiGate operation can be monitored from the web-based manager, and specialized monitoring pages are available for most features.

You access the web-based manager using HTTP or a secure HTTPS connection from any web browser. By default you can access the web-based manager by connecting to the FortiGate interface usually attached to a protected network. Configuration changes made from the web-based manager take effect immediately, without resetting the unit or interrupting service.
Command Line Interface

As its name implies, the command line interface (CLI) provides a text-based command line configuration interface to the FortiGate unit. You can configure all FortiGate configuration options from the CLI using config commands. The CLI also includes get commands for viewing the configuration and getting status information; execute commands for performing immediate operations, including setting the date and time, backing up and restoring the configuration, testing network connections, and so on; and diagnose commands for advanced FortiGate monitoring and troubleshooting. You can connect to the CLI using an RS-232 serial console connection, or over a TCP/IP network using Telnet or SSH. Configuration changes made within the CLI also take effect immediately, without resetting the unit or interrupting service.

FortiExplorer

FortiExplorer provides a user-friendly and accessible tool that you can use to configure a FortiGate unit over a standard USB connection. Once you have installed the FortiExplorer software on a PC running Windows or Mac OS X and established a USB connection between the PC and your FortiGate unit, you can use FortiExplorer to register your FortiGate unit, check for and perform FortiOS firmware updates, use the FortiExplorer configuration wizard to quickly set up the FortiGate unit, and connect to the web-based manager or CLI.

Revision History

Table 1: FortiGate Cookbook Revision History

Version                    Changes
01-500-153797-20121231     Initial Version

Registering your Fortinet product

Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration. For more information, see the Fortinet Knowledge Center article Registration Frequently Asked Questions.

For more information

Fortinet Knowledge Base

The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to articles, examples, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.
Training

Fortinet Training Services provides courses that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners worldwide. To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email training@fortinet.com.

Documentation

The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes. In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Base. Please send information about any errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.

Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your Fortinet products install quickly, configure easily, and operate reliably in your network. To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com. You can dramatically improve the time it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Base article FortiGate Troubleshooting Guide - Technical Support Requirements.
Installing and setup of a new FortiGate unit

Most people purchase a FortiGate unit with the intention of creating a secure connection between a protected private network and the Internet, and in most cases they want the FortiGate unit to hide the IP addresses of the private network from the Internet. This chapter describes how to install a new FortiGate appliance with this configuration, called NAT/Route mode, and how to troubleshoot NAT/Route mode installations. In addition, this chapter describes a basic Transparent mode FortiGate installation, in which a FortiGate unit provides security services to a network without requiring any changes to the network. This chapter also describes some basic procedures often required after installing a FortiGate unit, including checking the firmware version and upgrading the firmware, and troubleshooting FortiGuard services.

This chapter includes the following basic installation and setup examples:
  • Connecting a private network to the Internet in NAT/Route mode
  • Connecting a private network to the Internet in one step
  • Changing the address of an internal network using the setup wizard
  • Troubleshooting NAT/Route mode installations
  • Inserting a FortiGate unit into a network without changing the network configuration (transparent mode)
  • Troubleshooting transparent mode installations
  • Verifying the current firmware version and upgrading
  • Setting up and troubleshooting FortiGuard services
  • Setting up an administrator account on the FortiGate unit
Connecting a private network to the Internet in NAT/Route mode

Problem
Connect and configure a new FortiGate unit to securely connect a private network to the Internet. The FortiGate unit should protect the private network from Internet threats but still allow anyone on the private network to connect freely to the Internet.

Solution
Most commonly, FortiGate units are installed as a gateway or router between a private network and the Internet. The FortiGate unit operates in NAT/Route mode to hide the addresses of the private network from prying eyes on the Internet.

[Figure: FortiGate unit in NAT/Route mode, performing NAT between the private internal network and the Internet. Internal interface 192.168.1.99; wan1 interface 172.20.120.14; gateway 172.20.120.2; private internal network 192.168.1.0/255.255.255.0. Topology: Internal Network - internal - FortiGate - WAN1 - ISP modem.]

1 Connect the FortiGate wan1 interface to your ISP-supplied equipment.
2 Connect the internal network to the FortiGate internal interface.
3 Power on the ISP's equipment, the FortiGate unit, and the PCs on the internal network.
4 From a PC on the internal network, connect to the FortiGate web-based manager. You can configure the PC to get its IP address using DHCP and then browse to https://192.168.1.99. You could also give the PC a static IP address on the 192.168.1.0/255.255.255.0 subnet.
5 Log in using admin and no password. The admin account has no password by default; set one as soon as the unit is reachable (see "Setting up an administrator account on the FortiGate unit").
6 Go to System > Network > Interface, edit the wan1 interface and change the following settings:
   Addressing mode: Manual
   IP/Netmask: 172.20.120.14/255.255.255.0
7 Edit the internal interface and change the following settings:
   Addressing mode: Manual
   IP/Netmask: 192.168.1.99/255.255.255.0
8 Go to Router > Static > Static Route and select Create New to add the following default route. For desktop FortiGate units, go to System > Network > Routing.
   Destination IP/Mask: 0.0.0.0/0.0.0.0
   Device: wan1
   Gateway: 172.20.120.2
   A default route always has a Destination IP/Mask of 0.0.0.0/0.0.0.0. Normally you would have only one default route. If the static route list already contains a default route, you can edit it, or delete it and add a new one.
9 Go to System > Network > DNS and add Primary and Secondary DNS servers.
10 Go to Policy > Policy > Policy and select Create New.
11 Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
12 Add the following security policy that allows users on the private network to access the Internet.
   Incoming Interface: internal
   Source Address: All
   Outgoing Interface: wan1
   Destination Address: All
   Schedule: always
   Service: ALL
   Action: ACCEPT
13 Select Enable NAT and Use Destination Interface Address.
14 Select OK.

Some FortiGate models include this security policy in the default configuration. If you have one of these models, this step has already been done for you, and as soon as your FortiGate unit is connected and the computers on your internal network are configured, they should be able to access the Internet.

This policy allows all traffic out with no other restrictions. While it is a good policy for testing Internet connectivity, it is highly recommended that you configure security policies that scan for viruses and other threats, and that limit such global use.

Results
Open a web browser and browse to www.fortinet.com. Go to Policy > Policy > Policy. Right-click on the column headings, select Column Settings and add the Count column. The Count column shows the packet counts for the security policy you added, so you can verify that it is processing traffic. Go to Policy > Monitor > Policy Monitor to view the sessions being processed by the FortiGate unit.
The source address of most sessions is an address on the 192.168.1.0 internal network. The source NAT IP for most sessions is 172.20.120.14, the IP address added to the wan1 interface. The policy ID is 1, which is the ID of the security policy you added. A graph of active sessions for each policy is also available. Since there is only one policy, the graph contains only one entry. You can select the bar graph for policy 1 to view the top sessions by source address, destination address, or destination port/service.

The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more information about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage.

If you can browse the web from the internal network, your configuration is successful. If you cannot, try the steps described in "Troubleshooting NAT/Route mode installations" on page 20 to find the problem.
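The same configuration entered from the FortiOS 5.0 CLI, as an added example that is not part of the cookbook. The interface addresses, gateway and policy values are the ones used in the recipe above. Everything else is an assumption: the DNS server addresses (FortiGuard's public resolvers here; use your ISP's), the allowaccess lists (which management protocols each interface accepts), and logtraffic all. Comment lines start with # as in a FortiOS configuration backup.

```fortios
# Added example: CLI equivalent of steps 6 to 13 (not from the cookbook).
# DNS addresses and allowaccess lists are assumptions; substitute your own.
config system interface
    edit "wan1"
        set mode static
        set ip 172.20.120.14 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "internal"
        set mode static
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http
    next
end

# Step 8: the default route. The destination defaults to 0.0.0.0/0,
# so only the outgoing device and the gateway are needed.
config router static
    edit 1
        set device "wan1"
        set gateway 172.20.120.2
    next
end

# Step 9: DNS servers the unit uses itself and hands to DHCP clients
# when the DHCP server uses the system DNS setting. Assumed values.
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end

# Steps 10 to 13: internal -> wan1 policy. "set nat enable" is
# "Enable NAT" with "Use Destination Interface Address", so sessions
# leave wan1 with source 172.20.120.14. logtraffic all records every
# session so the Count column and the traffic log agree.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# Checks matching the Results section: the static default route should
# appear as S* 0.0.0.0/0 via 172.20.120.2 on wan1, a name must resolve
# and be reachable from the unit, and sessions should show NAT to
# 172.20.120.14.
get router info routing-table all
execute ping www.fortinet.com
diagnose sys session list
```

Only the policy's srcintf/dstintf/srcaddr/dstaddr/action/schedule/service lines are mandatory; a policy without "set nat enable" still accepts the traffic but sends the private 192.168.1.0 addresses out unchanged, which the ISP will drop, so a missing NAT line is the first thing to look for when the Count column increases but nothing gets through.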
Connecting a private network to the Internet in one step

Problem
Use as few steps as possible to get a FortiGate unit up and running and providing Internet connectivity for a private network.

Solution
If your Internet service provider uses DHCP to automatically provide Internet connectivity, only one FortiGate configuration step is required to get a FortiGate unit up and running and allowing connections from a private network to the Internet. The solution involves connecting the FortiGate unit to your ISP and your internal network, configuring the computers on your internal network to get their IP configuration automatically (using DHCP), and then powering on the FortiGate unit and configuring it to get its network settings from your ISP using DHCP.

To use this one-step configuration solution, the default configuration of your FortiGate unit must include a DHCP server for the internal interface and a default security policy that allows all sessions from the internal network to the Internet. This default configuration is available on many desktop FortiGate and FortiWiFi models.

[Figure: FortiGate unit in NAT/Route mode. Internal interface 192.168.1.99 with a DHCP server; wan1 in DHCP address mode. Computers on the private network get their IP configuration automatically from DHCP; the ISP provides IP configuration with DHCP. Internal network addresses 192.168.1.0/255.255.255.0.]

1 Connect the FortiGate wan1 interface to your ISP-supplied equipment.
2 Connect the internal network to the FortiGate internal interface.
3 Power on the ISP's equipment, the FortiGate unit, and the PCs on the internal network.
4 If required, configure the PCs to get their IP network configuration automatically using DHCP. All of the PCs should acquire an IP address on the 192.168.1.0/255.255.255.0 network.
5 On one of the PCs, start a web browser and browse to https://192.168.1.99.
6 Log in to the FortiGate web-based manager by entering admin as the Name and leaving the password blank.
7 Go to System > Network > Interface and edit the wan1 interface.
8 Set the Addressing Mode to DHCP and select Retrieve Default Gateway from server and Override internal DNS.
9 Select OK.

If your ISP uses PPPoE or manual addressing you can configure the wan1 interface for these options instead of DHCP.

Results
On any of the PCs connected to the FortiGate internal interface, open a web browser and browse to any Internet website. You should also be able to connect to the Internet using FTP or any other protocol or connection method. Go to Policy > Monitor > Policy Monitor to view the sessions being processed by the FortiGate unit.
The source address of most sessions is an address on the 192.168.1.0 network. The source NAT IP for most sessions is the IP address acquired by the wan1 interface. The policy ID is 1, which is the ID of the default security policy that allows users on the internal network to connect to the Internet.

You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of active sessions for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph to view the top sessions by source address, destination address, or destination port/service. The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more information about the current sessions. Other dashboard widgets display session history, traffic history and per-IP bandwidth usage.

What if it didn't work?
If the connection is not working, use the following steps to ensure the configuration is correct:
1 Verify that the wan1 interface is getting IP configuration settings from the ISP. Log in to the web-based manager and go to System > Network > Interface > wan1. Confirm that the Addressing Mode is set to DHCP and that information appears showing that the wan1 interface has acquired an IP address, one or more DNS server IP addresses, and a default gateway from the ISP. If the IP address seems incorrect or is missing, select Renew to renew the lease and get new IP configuration information from the ISP. If you cannot get a valid IP address in this manner, the FortiGate unit cannot communicate with the ISP's DHCP server.
Make sure the options to retrieve a default gateway and override the internal DNS are selected. If your ISP does not supply a DNS server through DHCP, you can go to System > Network > DNS and manually add one or more DNS server IP addresses for the FortiGate unit to use. These DNS server IP addresses are also used by the FortiGate DHCP server to provide the IP configuration for PCs on the internal network. If your ISP does not supply a default gateway through DHCP, you can go to Router > Static > Static Route (on desktop FortiGate units, go to System > Network > Routing) and manually add a default route that points from the wan1 interface to the ISP's default gateway.
2 If the internal network is configured to get IP addresses from the FortiGate DHCP server, go to System > Network > DHCP Server and edit the DHCP server for the internal interface. Verify that the DHCP server configuration uses the system DNS setting. Go to System > Monitor > DHCP Monitor to view information about the PCs that have been configured by the FortiGate DHCP server. There should be one entry here for each PC on the network that should have gotten its address using DHCP. Check the network configuration of the PCs on the internal network to make sure they are getting the correct IP configuration from the FortiGate DHCP server. If they are not, they may not be able to communicate with the FortiGate internal interface. Attempt to renew their DHCP lease, check other network configuration settings on the PC, and verify that the physical connections are correct.

If this does not solve the problem, use the steps described in "Troubleshooting NAT/Route mode installations" on page 20 to find and fix the problem.

The Use System DNS Setting DHCP server option causes the FortiGate DHCP server to supply the DNS IP addresses from the System > Network > DNS page of the web-based manager. If Override internal DNS is selected for a FortiGate interface that gets its configuration from a DHCP server, the DNS server IP addresses acquired from the ISP are supplied by the FortiGate DHCP server instead. If a PC on the internal network sends a DHCP request to the FortiGate unit before the unit has acquired DNS IP addresses from the ISP, the FortiGate unit sends the DNS IP addresses from the System > Network > DNS page. To make sure the PCs receive the correct DNS server IP addresses, renew the PCs' DHCP leases.
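The one-step recipe and its troubleshooting steps from the FortiOS 5.0 CLI, as an added example that is not part of the cookbook. The wan1 DHCP-client settings are step 8 above; the internal DHCP server block is what the recipe assumes the factory configuration already provides, with an assumed lease range; the fallback DNS and gateway addresses are assumptions to be replaced by your ISP's.

```fortios
# Added example (not from the cookbook). Step 8: wan1 as a DHCP client.
# defaultgw = "Retrieve Default Gateway from server";
# dns-server-override = "Override internal DNS".
config system interface
    edit "wan1"
        set mode dhcp
        set defaultgw enable
        set dns-server-override enable
    next
end

# The internal DHCP server the one-step recipe relies on. Models that
# ship with it already have this entry; the lease range is assumed.
# dns-service default is "Use System DNS Setting": clients receive the
# servers from System > Network > DNS, or the ISP-supplied ones once
# wan1 has learned them with dns-server-override enabled.
config system dhcp server
    edit 1
        set interface "internal"
        set default-gateway 192.168.1.99
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 192.168.1.110
                set end-ip 192.168.1.210
            next
        end
    next
end

# Troubleshooting step 1: what did wan1 obtain from the ISP? If the
# address is missing or wrong, renew the lease (the GUI Renew button).
get system interface physical
execute interface dhcpclient-renew wan1

# Fallbacks when the ISP's DHCP omits DNS servers or a default gateway
# (assumed addresses; the route is only needed if no gateway arrived).
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end
config router static
    edit 1
        set device "wan1"
        set gateway 172.20.120.2
    next
end

# Troubleshooting step 2: which PCs currently hold leases from the
# FortiGate DHCP server (the CLI view of System > Monitor > DHCP Monitor).
execute dhcp lease-list internal
```

If dns-server-override is enabled but the lease list shows clients that requested their addresses before wan1 came up, those clients still hold the DNS servers from System > Network > DNS; renewing their leases, not reconfiguring the FortiGate unit, is the fix.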
Troubleshooting NAT/Route mode installations

Problem
You have set up a FortiGate NAT/Route configuration, and devices on the private network cannot connect to the Internet.

Solution
Use the following steps to find and fix the problem that is preventing users from connecting to the Internet.

[Figure: FortiGate unit in NAT/Route mode, performing NAT between the private internal network and the Internet. Internal interface 192.168.1.99; wan1 interface 172.20.120.14; gateway 172.20.120.2; private internal network 192.168.1.0/255.255.255.0.]

1 Check the physical network connections between the PC and the FortiGate unit, as well as between the FortiGate unit and your ISP's equipment. The Unit Operation dashboard widget indicates the connection status of FortiGate network interfaces (System > Dashboard > Status).
2 Check the ISP-supplied equipment to make sure it is operating correctly.
3 Verify that you can connect to the internal IP address of the FortiGate unit. For example, use a browser to connect to the web-based manager from the FortiGate internal interface by browsing to its IP address (for example, https://192.168.1.99). From the PC, ping the internal interface IP address, for example:
   ping 192.168.1.99
   If you cannot connect to the internal interface, verify the IP configuration of the PC and make sure cables are connected and all network equipment, such as switches, is powered on and operating. Go to the next step when you can connect to the internal interface.
4 Check the configuration of the FortiGate interface that connects to the Internet to make sure it uses the proper addressing mode.
   • If the addressing mode is manual, make sure the IP address and netmask are correct.
   • If the addressing mode is DHCP, see "What if it didn't work?" on page 18.
5 To verify that you can communicate from the FortiGate unit to the Internet, access the FortiGate CLI and use the execute ping command to ping an address or domain name on the Internet. You can also use the execute traceroute command to troubleshoot connectivity to the Internet.
6 Verify the DNS configurations of the FortiGate unit and the PCs on the internal network. You can check for DNS errors by pinging or using traceroute to connect to a domain name. If the name cannot be resolved, the FortiGate unit or PC cannot connect to a DNS server and you should confirm that the DNS server IP addresses are present and correct. For example:
   ping www.fortinet.com
   ping: cannot resolve www.fortinet.com: Unknown host
7 Verify the security policy configuration. Go to Policy > Policy > Policy and verify that an internal -> wan1 security policy has been added. Right-click on the column headings, select Column Settings and add the Count column. Check the Count column to see if the policy has been processing traffic. Check the configuration of the policy to make sure it is similar to the following and that Enable NAT and Use Destination Interface Address are selected:
   Incoming Interface: internal
   Source Address: all
   Outgoing Interface: wan1
   Destination Address: all
   Schedule: always
   Service: ALL
   Action: ACCEPT
8 Verify the static routing configuration. Go to Router > Static > Static Route (for desktop FortiGate units, go to System > Network > Routing) and verify that the default route is correct. Go to Router > Monitor > Router Monitor (on desktop FortiGate units, the monitor is located in System > Network > Routing) and verify that the default route appears in the list as a static route. Along with the default route, you should see at least two connected routes, one for each connected FortiGate interface.
9 Disable web filtering. If you have enabled web filtering in a security policy it may be blocking access to the web site that you are attempting to connect to. It is possible that FortiGuard Web Filtering produced a rating error for the web site and the default web filter profile is configured to block access to sites when a rating error occurs. A rating error could occur for a number of reasons, including not being able to reach the FortiGuard web filter rating servers. To fix this problem, go to Security Profiles > Web Filter > Profile, and in the default profile, select Advanced Filter and enable Allow Websites When a Rating Error Occurs. Note that this option fails open: use it to confirm the diagnosis, then restore rating-error blocking once FortiGuard connectivity is working again.
Other things you can try:
• Verify that you can connect to the wan1 IP address of the FortiGate unit. Once you have established that the internal network is operating, try pinging the FortiGate wan1 interface IP address (for example, ping 172.20.120.14). The wan1 interface responds to pings only if ping administrative access is enabled for that interface (go to System > Network > Interface and edit the wan1 interface to enable ping administrative access). If you cannot connect to the wan1 interface, the FortiGate unit is not allowing internal to wan1 sessions.
• Verify that you can connect to the gateway provided by your ISP.
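The CLI form of steps 5 to 9, as an added example that is not part of the cookbook. It uses the recipe's addresses (gateway 172.20.120.2, wan1 172.20.120.14); the PC address 192.168.1.110 is an assumption. The debug flow and sniffer commands are the ones a practitioner reaches for when the Count column is not moving, because they show which policy (if any) each packet matched and whether a reply ever arrived on wan1. The webfilter profile block is the CLI equivalent of Allow Websites When a Rating Error Occurs; confirm the option name with the ? help on your build.

```fortios
# Added example (not from the cookbook). 192.168.1.110 is an assumed PC.

# Steps 5 and 6: reachability and name resolution from the unit itself.
# If the gateway answers but the name does not, the problem is DNS.
execute ping 172.20.120.2
execute ping www.fortinet.com
execute traceroute www.fortinet.com

# Step 8: the routing monitor. Expect S* 0.0.0.0/0 via 172.20.120.2 on
# wan1 plus one C (connected) route per configured interface.
get router info routing-table all

# Step 7: trace one PC's packets through policy lookup. Each traced
# packet reports the policy id it matched (or a denial when none
# matches) and, when NAT applies, the translated source address.
diagnose debug reset
diagnose debug flow filter addr 192.168.1.110
diagnose debug flow show console enable
diagnose debug enable
diagnose debug flow trace start 10
# browse from 192.168.1.110 now, then stop tracing
diagnose debug disable
diagnose debug reset

# Do HTTP packets leave wan1 with source 172.20.120.14, and do replies
# come back? Verbosity 4 prints the interface; 10 limits the capture.
# Outbound packets with no reply point at the ISP side or at a missing NAT.
diagnose sniffer packet wan1 'port 80' 4 10

# Step 9: allow pages through when FortiGuard rating fails. This fails
# open; revert it once FortiGuard connectivity is restored.
config webfilter profile
    edit "default"
        config ftgd-wf
            set options error-allow
        end
    next
end
```

Always finish a debug session with diagnose debug disable and diagnose debug reset: a flow trace left enabled on a busy unit costs CPU and fills the console.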
Inserting a FortiGate unit into a network without changing the network configuration (transparent mode)

Problem
Connect and configure a new FortiGate unit to protect a private network without changing the network configuration. The network is connected to the Internet using a router that performs NAT. This solution requires adding network security without replacing the router. The FortiGate unit will block access from the Internet to the private network while allowing users on the private network to connect to the Internet. The FortiGate unit will also monitor application usage and find and remove viruses.

Solution
Install a FortiGate unit in transparent mode between the internal network and the router. Add a security policy to the FortiGate unit that allows users on the internal network to connect to the Internet, and add virus scanning and application control to this security policy. No network changes are required, except to provide the FortiGate unit with a management IP address.

[Figure: FortiGate unit in Transparent mode, management IP 10.31.101.40. Security policies allow traffic between network segments. Internal network 10.31.101.0/255.255.255.0; router 10.31.101.100.]

Changing to transparent mode removes most configuration changes made in NAT/Route mode. If you want to keep your current NAT/Route mode configuration, back up your configuration from the System Information dashboard widget before proceeding.
1 Connect a PC to the FortiGate internal interface.
2 Connect to the FortiGate web-based manager. Log in using admin and no password.
3 Go to System > Dashboard > Status > System Information and for Operation Mode select Change and configure the following:
   Operation Mode: Transparent
   Management IP/Netmask: 10.31.101.40/255.255.255.0
   Default Gateway: 10.31.101.100
4 Select OK.
5 Log in to the web-based manager by browsing to https://10.31.101.40. You will need to change the IP address of the PC to an address on the 10.31.101.0/255.255.255.0 subnet.
6 Go to System > Network > DNS and add Primary and Secondary DNS servers.
7 Go to Policy > Policy > Policy and select Create New.
8 Leave the Policy Type as Firewall and leave the Policy Subtype as Address to add the following security policy that allows users on the private network to access the Internet.
   Incoming Interface: internal
   Source Address: All
   Outgoing Interface: wan1
   Destination Address: All
   Schedule: always
   Service: ALL
   Action: ACCEPT
9 Select Enable Antivirus and select Enable Application Control.
10 Select OK.
11 Connect the FortiGate unit between the network and the router. Connect the wan1 interface to the router internal interface. Connect the internal network to the FortiGate internal interface.
Results
From a PC on the internal network, open a web browser and browse to www.fortinet.com. You should be able to connect to the site. Go to Policy > Policy > Policy. Right-click on the column headings, select Column Settings and add the Count column. Check the Count column for the security policy you added to verify that it is processing traffic. Go to Policy > Monitor > Policy Monitor to view the sessions being processed by the FortiGate unit.

The source address of most sessions should be an address on the 10.31.101.0 network. The Src NAT IP and Src NAT Port columns are blank because no NAT is taking place. The policy ID is 1, which is usually the ID of the first security policy that you added. You can also see results by viewing the graph of active sessions for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph for policy 1 to view the top sessions by source address, destination address, or destination port/service.

The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more information about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage.

If a FortiGate unit operating in transparent mode is installed between a DHCP server and PCs that get their address by DHCP, you must add a security policy to allow the DHCP server's response to get back through the FortiGate unit to the DHCP client. The internal to wan1 policy allows the DHCP request to get from the client to the server, but the response from the server is a new session, not a typical reply to the originating request, so the FortiGate unit will not accept it unless you add a wan1 to internal policy with the service set to DHCP.

If you can browse the Internet from the internal network, your configuration is successful. If you cannot, try the steps described in "Troubleshooting transparent mode installations" on page 26 to find the problem.
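The transparent mode recipe from the FortiOS 5.0 CLI, including the wan1 to internal DHCP policy described in the note above, as an added example that is not part of the cookbook. The management IP, gateway and policy values are the recipe's. Assumptions: the DNS addresses, that the unit's default av-profile, application-list and profile-protocol-options profiles are named "default" (the 5.0 CLI requires a protocol-options profile whenever utm-status is enabled), and logtraffic all.

```fortios
# Added example (not from the cookbook). Step 3: switch to transparent
# mode. This discards most NAT/Route configuration; back up first.
config system settings
    set opmode transparent
    set manageip 10.31.101.40/255.255.255.0
    set gateway 10.31.101.100
end

# Step 6: DNS servers for the unit itself (assumed addresses).
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end

# Steps 7 to 9: policy 1 is internal -> wan1 with antivirus and
# application control. There is deliberately no "set nat enable": the
# unit bridges the two segments and the router keeps doing NAT, which is
# why Src NAT IP is blank in the Policy Monitor.
# Policy 2 is only needed when the DHCP server sits on the router side
# of the unit. It admits the server's reply, which the unit treats as a
# new session, and nothing else from wan1: the predefined DHCP service
# covers only UDP 67/68, so Internet-originated sessions stay blocked.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set application-list "default"
        set profile-protocol-options "default"
        set logtraffic all
    next
    edit 2
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DHCP"
        set logtraffic all
    next
end

# Verify the DHCP exchange crosses the bridge in both directions:
# DISCOVER/REQUEST out of internal, OFFER/ACK back in from wan1.
# Verbosity 4 shows the interface for each packet; 8 limits the capture.
diagnose sniffer packet any 'port 67 or port 68' 4 8
```

If the capture shows the OFFER arriving on wan1 but never leaving on internal, policy 2 is missing or is ordered below a deny; the bridge table check in "Troubleshooting transparent mode installations" covers the other failure, where the unit has not learned the client's MAC address at all.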
Troubleshooting transparent mode installations

Problem
You set up a basic FortiGate transparent mode configuration, and traffic will not pass through the FortiGate unit.

Solution
Use the following steps to find and fix the problem that is preventing users from connecting through the FortiGate unit.

[Figure: FortiGate unit in Transparent mode, management IP 10.31.101.40. Security policies allow traffic between network segments. Internal network 10.31.101.0/255.255.255.0; router 10.31.101.100.]

1 Check the physical network connections between the network and the FortiGate unit, and between the FortiGate unit and the Internet. The Unit Operation dashboard widget indicates the connection status of FortiGate network interfaces.
2 Check the router and ISP-supplied equipment to make sure they are operating correctly.
3 Verify that you can connect to the internal interface by connecting to the management IP address of the FortiGate unit from the internal network. From the internal network, ping the management IP address. If you cannot connect to the internal interface, verify the IP configuration of the PC and make sure the cables are connected and all switches and other devices on the network are powered on and operating. Go to the next step when you can connect to the internal interface.
4 To verify that you can communicate from the FortiGate unit to the Internet, access the FortiGate CLI and use the execute ping command to ping an address on the Internet. You can also use the execute traceroute command to troubleshoot connectivity to the Internet.
5 Verify the DNS configurations of the FortiGate unit and the PCs on the internal network. You can check for DNS errors by pinging or using traceroute to connect to a domain name. If the name cannot be resolved, the FortiGate unit or PC cannot connect to a DNS server and you should confirm that the DNS server IP addresses are present and correct. For example:
   ping www.fortinet.com
   ping: cannot resolve www.fortinet.com: Unknown host
6 Verify the security policy configuration. Go to Policy > Policy > Policy and verify that an internal -> wan1 security policy has been added. Right-click on the column headings, select Column Settings and add the Count column. Check the Count column to see if the policy has been processing traffic. Check the configuration of the policy to make sure it is similar to the following:
   Incoming Interface: internal
   Source Address: all
   Outgoing Interface: wan1
   Destination Address: all
   Schedule: always
   Service: ALL
   Action: ACCEPT
7 Verify the static routing configuration. Go to System > Network > Routing Table and verify that the default route is correct.
8 Disable web filtering. If you have enabled web filtering in a security policy it may be blocking access to the web site that you are attempting to connect to. It is possible that FortiGuard Web Filtering produced a rating error for the web site and the default web filter profile is configured to block access to sites when a rating error occurs. A rating error could occur for a number of reasons, including not being able to reach the FortiGuard web filter rating servers. To fix this problem, go to Security Profiles > Web Filter > Profile, and in the default profile, select Advanced Filter and enable Allow Websites When a Rating Error Occurs. Note that this option fails open; restore rating-error blocking once FortiGuard connectivity is working again.
9 Verify that you can connect to the gateway provided by your ISP. Try pinging the default gateway IP address from a PC on the internal network.
10 Check the FortiGate bridge table. The bridge table is a list of the MAC addresses of devices on the same network as the FortiGate unit and the FortiGate interface on which each MAC address was learned. The FortiGate unit uses this table to determine where to forward a packet. If the MAC address of a specific device is not being learned into the bridge table, the unit does not know which interface leads to that device and packets to that MAC address may not be delivered. This may appear as traffic going to a MAC address, but no reply traffic coming back. In this situation, check the bridge table to ensure the correct MAC addresses have been learned. Use the following CLI command to check the bridge table associated with the root VDOM:

diagnose netlink brctl name host root.b

show bridge control interface root.b host.
fdb: size=2048, used=25, num=25, depth=1
Bridge root.b host table
port no  device  devname   mac addr            ttl  attributes
3        4       wan1      00:09:0f:cb:c2:77   88
3        4       wan1      00:26:2d:24:b7:d3   0
3        4       wan1      00:13:72:38:72:21   98
4        3       internal  00:1a:a0:2f:bc:c6   6
1        6       dmz       00:09:0f:dc:90:69   0    Local Static
3        4       wan1      c4:2c:03:0d:3a:38   81
3        4       wan1      00:09:0f:15:05:46   89
3        4       wan1      c4:2c:03:1d:1b:10   0
2        5       wan2      00:09:0f:dc:90:68   0    Local Static

If your device's MAC address is not listed, the FortiGate unit cannot find the device on the network. This could indicate that the device is not connected or not operating. Check the device's network connections and make sure it is operating correctly.
Verifying the current firmware version and upgrading

Problem
Fortinet has released a new version of FortiOS. You want to know what firmware version is currently running on your FortiGate unit and how to upgrade to the latest version.

Solution
View the current firmware version from the web-based manager and CLI. Download a new version of FortiOS from the Fortinet Customer Support web site and install it from the web-based manager.

You must register your FortiGate unit to access firmware images. Register the FortiGate unit by visiting http://support.fortinet.com and selecting Product Registration.

Always review the Release Notes before installing a new firmware version. They provide the recommended upgrade path for the firmware release as well as additional information not available in other documentation. Only perform a firmware upgrade during a maintenance window.

1 Log in to the web-based manager and view the dashboard System Information widget to see the Firmware Version currently installed on your FortiGate unit. From the FortiGate CLI you can also enter the following command. The first output line indicates the FortiOS firmware version installed on your FortiGate unit (the sample output below was captured on a unit still running FortiOS 4.0 MR3):

get system status
Version: Fortigate-60C v4.0,build0458,110627 (MR3 Patch 1)
Virus-DB: 11.00773(2010-05-04 13:32)
Extended DB: 0.00000(2010-03-16 10:31)
IPS-DB: 3.00000(2011-05-18 15:09)
FortiClient application signature package: 1.421(2011-09-08 10:19)
Serial-Number: FGT60C3G10002814
BIOS version: 04000010
Log hard disk: Need format
Internal Switch mode: switch
Hostname: FGT60C3G10002814
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 458
Release Version Information: MR3 Patch 1
System time: Wed Sep 14 13:07:27 2011

2 To download a newer firmware version, browse to http://support.fortinet.com and select a Download Firmware Images link.
3 Log in using your Fortinet account user name and password.
4 Go to Download Firmware Images > FortiGate.
5 Select FortiGate firmware images and browse to the FortiOS firmware version that you want to install.
6 Locate and download the firmware for your FortiGate unit.
7 Download and read the Release Notes for this firmware version. Always review the Release Notes before installing a new firmware version, in case you cannot upgrade to the new firmware release directly from the one currently running.
8 Back up your configuration from the System Information dashboard widget.
9 Go to System > Dashboard > Status.
10 Under System Information > Firmware Version, select Update.
11 Locate the downloaded firmware image file and select OK.

Results
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process takes a few minutes. From the FortiGate web-based manager, go to System > Dashboard > Status. In the System Information widget, the Firmware Version will show the updated version of FortiOS (or from the CLI enter get system status).

What if it doesn't work?
There is a possibility that the firmware upgrade from the web-based manager does not load properly. If this occurs, you may find that the FortiGate unit will not boot, or continuously reboots. It is best to perform a fresh install of the firmware from a reboot using the CLI. This procedure installs a firmware image and resets the FortiGate unit to default settings.
For this procedure, you must connect to the CLI using the FortiGate console port and an RJ-45 to DB-9 or null modem cable.

Installing FortiGate firmware from a TFTP server
This procedure requires a TFTP server that you can connect to from the FortiGate unit. The TFTP server should be on the same subnet as the management interface.
1 Connect to the CLI using the RJ-45 to DB-9 or null modem cable.
2 Make sure the TFTP server is running and copy the firmware image file to the TFTP server.
3 Enter the following command to restart the FortiGate unit:
   execute reboot
4 When prompted by the FortiGate unit to reboot, type y.
5 As the FortiGate unit starts, a series of system startup messages appears. When the following message appears:
   Press any key to display configuration menu..........
   immediately press any key to interrupt the system startup. You have only 3 seconds to press a key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.
   If you successfully interrupt the startup process, messages similar to the following appear (depending on the FortiGate BIOS version):
   [G]: Get firmware image from TFTP server.
   [F]: Format boot device.
   [B]: Boot with backup firmware and set as default
   [C]: Configuration and information
   [Q]: Quit menu and continue to boot with default firmware.
   [H]: Display this list of options.
   Enter G, F, Q, or H:
6 Type G to get the new firmware image from the TFTP server.
7 When prompted, enter the TFTP server IP address and the local FortiGate IP address. The local IP address can be any IP address that is valid for the network the interface is connected to. Make sure you do not enter the IP address of another device on this network.
8 Enter the firmware image filename and press Enter. The TFTP server uploads the firmware image file.
9 When prompted how to save the firmware, type D to load it as the default firmware. The FortiGate unit installs the new firmware image and restarts.

When loading the firmware using this method, the existing configuration is reset to defaults. You will need to reconfigure the IP addresses and load the configuration file from the System Information widget on the Dashboard.
Setting up and troubleshooting FortiGuard services

Problem

You want to confirm that your FortiGate unit is receiving FortiGuard services. You also want to be able to troubleshoot issues that arise if antivirus or IPS updates, or web filtering or email filtering lookups, are not available.

Solution

If you have purchased FortiGuard services and registered your FortiGate unit, it should automatically connect to the FortiGuard Distribution Network (FDN) and display license information about your FortiGuard services. Verify whether the FortiGate unit is communicating with the FDN by checking the License Information dashboard widget. The FortiGate unit automatically connects to the FortiGuard network to verify the FortiGuard Services status for the unit. Any subscribed service should have a green check mark beside it, indicating that connections are successful. A grey X indicates that the FortiGate unit cannot connect to the FortiGuard network, or that the FortiGate unit is not registered. A red X indicates that the FortiGate unit was able to connect but that a subscription has expired or has not been activated.

You can also view the FortiGuard connection status by going to System > Config > FortiGuard.

Use the following steps to troubleshoot FortiGuard services.

1 Verify that you have registered your FortiGate unit, purchased FortiGuard services, and that the services have not expired. You can verify the support status for your FortiGate unit at the Fortinet Support website (https://support.fortinet.com/).
2 Verify the status of the FortiGuard services on the FortiGate unit. You can view the status of FortiGuard services from the License Information dashboard widget or from the System > Config > FortiGuard page. The status information displayed here should match the information on the support site. If the information doesn’t match, there may be a problem with communication between the FortiGate unit and the FortiGuard network.
3 Verify that the FortiGate unit can communicate with the Internet. The FortiGate unit should be able to communicate with the FortiGuard network if it can communicate with the Internet.
4 Go to Router > Monitor > Routing Monitor (for desktop FortiGate units, go to System > Network > Routing) and verify that a default route is available and configured correctly.
5 Go to System > Network > DNS and make sure the primary and secondary DNS servers are correct, as provided by your ISP. The FortiGate unit connects to the FortiGuard network using a domain name, not a numerical IP address. If the FortiGate interface connected to the Internet gets its IP address using DHCP, make sure Override internal DNS is selected so that the FortiGate unit gets its DNS server IP addresses from the ISP using DHCP.
6 Verify that the FortiGate unit can connect to the DNS servers by pinging them with the execute ping command.
7 You can also attempt a traceroute from the FortiGate CLI to an external network using a domain name, for example:
    execute traceroute www.fortiguard.com
  If the command cannot find the numeric IP address of www.fortiguard.com, the FortiGate unit cannot connect to the configured DNS servers.
8 Make sure that at least one security policy includes antivirus. If no security policies include antivirus, the antivirus database may not be updated.
9 Verify that the FortiGate unit can communicate with the FortiGuard network. At System > Config > FortiGuard > Antivirus and IPS Options, select Update now to force an immediate update of the antivirus and IPS databases. After a few minutes, you can verify whether the updates were successful.
10 Test the availability of web filtering and email filtering lookups from System > Config > FortiGuard > Web Filtering and Email Filtering options by selecting the Test Availability button. If the test is not successful, try changing the port that is used for web filtering and email filtering lookups. The FortiGate unit uses port 53 or 8888 to communicate with the FortiGuard network, and some ISPs may block one of these ports.
11 Determine if there is anything upstream that might be blocking FortiGuard traffic, either on your network or on the ISP’s network. Many firewalls block all ports by default, and ISPs often block low-numbered ports (such as 53). FortiGuard uses port 53 by default, so if it is being blocked, you need to either open the port or change the port used by the FortiGate unit.
12 Change the FortiGuard source port. It is possible that the source ports used to contact the FortiGuard network are being changed before reaching FortiGuard, or on the return trip before reaching your FortiGate unit. A possible solution for this is to use a fixed port at the NAT firewall to ensure the port number remains the same. FortiGate units contact the FortiGuard network by sending UDP packets with typical source ports of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets then have a destination port of 1027 or 1031. If your ISP blocks UDP packets in this port range, the FortiGate unit cannot receive the FDN reply packets. You can select a different source port range for the FortiGate unit to use. If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate unit to use higher-numbered ports such as 2048-20000, using the following CLI command:
    config system global
        set ip-src-port-range 2048-20000
    end
  Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best range to use.
13 Display the FortiGuard server list. The get webfilter status CLI command shows the list of FortiGuard servers that the FortiGate unit can connect to. The command should show more than one server.
    get webfilter status
    Locale : english
    License : Contract
    Expiration : Thu Oct 9 02:00:00 2012
    Hostname : service.fortiguard.net
    -=- Server List (Wed Sep 14 14:39:46 2011) -=-

    IP              Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost
    69.20.236.179       30    3         -5    30491          0           9
    174.137.33.92        0   91         -8     8794          0           7
    208.91.112.196       0   62         -8      146          0           2
    69.20.236.180       30    4         -5    11620          0           9
    209.222.147.36      30   22         -5     8799          0          11
    66.117.56.42        30   24         -5     8792          0           9
    66.117.56.37        30   24         -5     8793          0          10
    69.20.236.182       30    4         -5    11332          0           7
    69.195.205.101      30   32         -5     8810          0          27
    80.85.69.37         80   85          0     8800          0          17
    80.85.69.41         80   85          0     8804          0          21
    80.85.69.40         80   88          0     8808          0          25
    62.209.40.72        90  109          1     8791          0           8
    208.91.112.194     118  128  DI     -8    12713          0        3912
    116.58.208.39      160  276          8     8805          0          22

Hostname is the name of the FortiGuard server the FortiGate unit will attempt to contact. The Server List includes the IP addresses of alternate servers if the first entry cannot be reached. In this example, the IP addresses are not public addresses.

The following flags in get webfilter status indicate the server status:
• D - the server was found through the DNS lookup of the hostname. If the hostname returns more than one IP address, all of them will be flagged with D and will be used first for INIT requests before falling back to the other servers.
• I - the server to which the last INIT request was sent.
• F - the server has not responded to requests and is considered to have failed.
• T - the server is currently being timed.
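The server list above is easier to read programmatically than by eye when it has many rows. The following added script (not part of the cookbook) parses the `get webfilter status` output, decodes the D/I/F/T flags and reports servers that are flagged failed or whose lifetime packet loss exceeds a threshold; the sample output is the one printed above, embedded so the script runs offline, and the 5% loss threshold is an assumption.

```python
"""Parse the server list printed by the FortiOS CLI command
`get webfilter status` and summarise FortiGuard server health.

Added example; the embedded sample output is the one shown in the
cookbook text so the script runs without a FortiGate connection.
"""
import re

SAMPLE_OUTPUT = """\
Locale : english
License : Contract
Expiration : Thu Oct 9 02:00:00 2012
Hostname : service.fortiguard.net
-=- Server List (Wed Sep 14 14:39:46 2011) -=-
IP Weight RTT Flags TZ Packets Curr Lost Total Lost
69.20.236.179 30 3 -5 30491 0 9
174.137.33.92 0 91 -8 8794 0 7
208.91.112.196 0 62 -8 146 0 2
69.20.236.180 30 4 -5 11620 0 9
209.222.147.36 30 22 -5 8799 0 11
66.117.56.42 30 24 -5 8792 0 9
66.117.56.37 30 24 -5 8793 0 10
69.20.236.182 30 4 -5 11332 0 7
69.195.205.101 30 32 -5 8810 0 27
80.85.69.37 80 85 0 8800 0 17
80.85.69.41 80 85 0 8804 0 21
80.85.69.40 80 88 0 8808 0 25
62.209.40.72 90 109 1 8791 0 8
208.91.112.194 118 128 DI -8 12713 0 3912
116.58.208.39 160 276 8 8805 0 22
"""

# Flag meanings as documented for get webfilter status.
FLAG_MEANING = {
    "D": "found through DNS lookup of the hostname (tried first for INIT requests)",
    "I": "server that received the last INIT request",
    "F": "failed: not responding to requests",
    "T": "currently being timed",
}

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_status(text):
    """Return (header dict such as Hostname/License, list of server dicts)."""
    header, servers = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        tokens = line.split()
        if IP_RE.match(tokens[0]):
            servers.append(_parse_server_row(tokens))
        elif " : " in line:
            key, _, value = line.partition(" : ")
            header[key.strip()] = value.strip()
    return header, servers


def _parse_server_row(tokens):
    # Columns: IP Weight RTT [Flags] TZ Packets CurrLost TotalLost.
    # Flags is blank on most rows, so a row has either 7 or 8 tokens.
    ip, weight, rtt = tokens[0], int(tokens[1]), int(tokens[2])
    rest, flags = tokens[3:], ""
    if len(rest) == 5:
        flags, rest = rest[0], rest[1:]
    tz, packets, curr_lost, total_lost = (int(x) for x in rest)
    return {"ip": ip, "weight": weight, "rtt": rtt, "flags": flags, "tz": tz,
            "packets": packets, "curr_lost": curr_lost, "total_lost": total_lost}


def describe_flags(flags):
    return [FLAG_MEANING[f] for f in flags if f in FLAG_MEANING]


def loss_ratio(server):
    return server["total_lost"] / server["packets"] if server["packets"] else 0.0


def unhealthy_servers(servers, max_loss=0.05):
    """IPs flagged failed (F) or with lifetime loss above max_loss (assumed 5%)."""
    return [s["ip"] for s in servers if "F" in s["flags"] or loss_ratio(s) > max_loss]


def dns_servers(servers):
    """IPs the unit obtained by resolving the hostname (flag D)."""
    return [s["ip"] for s in servers if "D" in s["flags"]]


if __name__ == "__main__":
    header, servers = parse_status(SAMPLE_OUTPUT)
    print("Hostname:", header.get("Hostname"), "License:", header.get("License"))
    print(f"{len(servers)} servers listed; DNS-discovered: {dns_servers(servers)}")
    for s in servers:
        note = "; ".join(describe_flags(s["flags"])) or "-"
        print(f"{s['ip']:16} weight={s['weight']:3} rtt={s['rtt']:3} "
              f"loss={loss_ratio(s):.1%} {note}")
    print("Unhealthy:", unhealthy_servers(servers))
```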
Setting up an administrator account on the FortiGate unit

Problem

You want to add a new FortiGate administrator login that has super administrator access to all FortiGate features. You also want to be able to identify individual administrators instead of allowing multiple people to share the admin administrator account.

Solution

Create a new administrator with the super_admin profile to enable full access to all FortiGate features.

[Figure: FortiGate unit, DHCP server, internal network, admin_profile, administrators]

1 Go to System > Admin > Administrators and select Create New to add the following administrator:
    Administrator: Terry_White
    Type: Regular
    Password: password
    Confirm Password: password
    Admin Profile: super_admin
2 Select OK.

Results

Log in to the FortiGate unit using the user name Terry_White and the password password. As this administrator, you can view all web-based manager pages and change all FortiGate configuration settings.

From the FortiGate web-based manager, go to Log & Report > Event Log > System to verify that the login activity occurred. Select the log entry to view detailed information, which indicates that the admin user connected. The Message field indicates that Terry White logged in successfully from 192.168.1.1.

Administrator names and passwords are case-sensitive. You cannot include the < > ( ) # " characters in an administrator name or password. Spaces are allowed, but not as the first or last character. Spaces in a name or password can be confusing and require the use of quotes to enter the name in the CLI.

The admin profile dictates which parts of the FortiGate configuration the administrator can see and configure from the web-based manager and CLI. You can add multiple profiles and assign users and administrators different profiles, depending on what they are tasked to do with the FortiGate unit.

Go to System > Dashboard > Status and view the System Information widget. The Current Administrator field indicates the number of administrators logged in. Selecting Details shows Terry White logged in as an administrator.
Advanced FortiGate installation and setup

FortiGate units can be deployed in many ways to meet a wide range of advanced requirements. This chapter samples some advanced configurations, including advanced NAT and transparent mode configurations, high availability, VLANs and Virtual Domains (VDOMs). This chapter also includes two sections that describe how to use the FortiGate packet sniffer and one that describes using the diagnose debug tools.

This chapter includes the following advanced installation and setup examples:
• Connecting to two ISPs for redundant Internet connections
• Using a modem as a redundant Internet connection
• Distributing sessions between dual redundant Internet connections with usage-based ECMP
• Protecting a web server on a DMZ network
• Protecting an email server with a FortiGate unit without changing the network (transparent mode)
• Using port pairing to simplify a transparent mode installation
• Connecting networks without translating addresses (FortiGate unit in Route mode)
• Setting up the explicit web proxy for users on a private network
• Setting up web caching of Internet content for users on a private network
• Employing high availability to improve network reliability
• Upgrading the firmware installed on a FortiGate HA cluster
• Connecting multiple networks to a FortiGate interface using virtual LANs
• Using Virtual Domains to host more than one FortiOS instance on a single FortiGate unit
• Setting up an administrator account for monitoring firewall activity and basic maintenance
• Enhancing FortiGate security
• Creating a local DNS server listing for internal sites and servers
• Using a MAC address to reserve an IP address using DHCP
• Setting up the FortiGate unit to send SNMP traps
• Troubleshooting by sniffing packets (packet capture)
• Advanced troubleshooting by sniffing packets (packet capture)
• Debugging FortiGate configurations
• Quick reference to common diagnose commands
Connecting to two ISPs for redundant Internet connections

Problem

Create a redundant Internet connection with your FortiGate unit, so that if the primary Internet connection fails, some or all traffic automatically switches to the backup Internet connection, and when the primary Internet connection is restored, traffic automatically switches back to it.

Solution

This solution describes how to improve the reliability of a network’s connection to the Internet by using two Internet connections to two different ISPs. In this solution, the primary ISP is connected to wan1 with a static IP and the backup ISP is connected to wan2 using DHCP. To allow the internal network to use wan1 to connect to the Internet, add internal to wan1 security policies. Add duplicate internal to wan2 security policies to use wan2 to connect to the Internet.

[Figure: Internal network 192.168.1.0/255.255.255.0 on the internal interface (192.168.1.99); WAN1 172.20.120.14, gateway 172.20.120.2, to the Primary ISP; WAN2 (DHCP) to the Backup ISP]

You can choose to reduce the amount of traffic when the wan2 interface is operating by adding fewer security policies for connections to the wan2 interface. You could also use techniques such as traffic shaping to limit the amount of traffic processed by the wan2 interface, or add security policies that include FortiGuard web filtering or other web filtering techniques to block popular but less important websites. Application control could also be used to limit the applications that can be used when traffic is using the wan2 interface.

If you are using a desktop FortiGate unit, go to System > Admin > Settings, select Dynamic Routing, and then select Apply.
Configuring the primary Internet connection to use wan1

1 Connect the FortiGate wan1 interface to your primary ISP-supplied equipment. Connect the internal network to the internal interface.
2 From a PC on the internal network, log in to the FortiGate web-based manager using admin and no password.
3 Go to System > Network > Interface, edit the wan1 interface and change the following settings:
    Addressing mode: Manual
    IP/Netmask: 172.20.120.14/255.255.255.0
4 Edit the internal interface and change the following settings:
    Addressing mode: Manual
    IP/Netmask: 192.168.1.99/255.255.255.0
5 Go to Router > Static > Static Route and select Create New to add the following default route:
    Destination IP/Mask: 0.0.0.0/0.0.0.0
    Device: wan1
    Gateway: 172.20.120.2
6 Go to System > Network > DNS and add Primary and Secondary DNS servers.

[Figure: Internal Network - Internal - FortiGate - WAN1 - Primary ISP]
7 Go to Policy > Policy > Policy and select Create New.
8 Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
9 Add the following security policy that allows users on the private network to access the Internet through the wan1 interface:
    Incoming Interface: internal
    Source Address: All
    Outgoing Interface: wan1
    Destination Address: All
    Schedule: always
    Service: ALL
    Action: ACCEPT
  Some FortiGate models include this security policy in the default configuration. If you have one of these models, this step has already been done for you.
10 Select Enable NAT and Use Destination Interface Address.
11 Select OK.

Adding the backup Internet connection using wan2

1 Connect the wan2 interface to your backup ISP-supplied equipment.
2 Log in to the web-based manager.
3 Go to System > Network > Interface and edit the wan2 interface.
4 Set the Addressing Mode to DHCP and select Retrieve Default Gateway from server. Clear the checkbox for Override internal DNS.
  Make sure Retrieve Default Gateway from server is selected so that a default route is added to the routing table. Normally in a dual Internet configuration you would not select Override internal DNS, because you would not want the FortiGate unit to use the backup ISP’s DNS servers.
5 Select OK.
  If everything is connected correctly, the wan2 interface should acquire an IP address from the ISP’s DHCP server. This can take a few minutes; you can select the Status link to refresh the display. Eventually, an Obtained IP/Netmask will appear. If the ISP’s DHCP server supplies DNS server IP addresses and a default gateway, they will also appear.
6 Go to Policy > Policy > Policy and select Create New.
7 Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
8 Add the following security policy that allows users on the private network to access the Internet through the wan2 interface:
    Incoming Interface: internal
    Source Address: All
    Outgoing Interface: wan2
    Destination Address: All
    Schedule: always
    Service: ALL
    Action: ACCEPT
9 Select Enable NAT and Use Destination Interface Address.
10 Select OK.

[Figure: Internal Network - Internal - FortiGate - WAN1 to Primary ISP, WAN2 to Backup ISP]
Set the default primary route to wan1 and add a ping server for wan1 and wan2

As a result of this configuration, the FortiGate unit will have two default routes, one that directs traffic to wan1 and one that directs traffic to wan2. The default route to wan2 is obtained from the backup ISP’s DHCP server. The ping servers verify the ability of the wan1 and wan2 interfaces to connect to the Internet.

1 Go to Router > Static > Static Route and edit the wan1 default route.
2 Set the Distance to 10.
3 Go to the System > Network > Interface list. Edit the wan2 interface and set the distance to 20 (or any number higher than 10).
  Because the wan2 default route is acquired from the ISP using DHCP, the distance of the wan2 default route must be changed by editing the wan2 interface. If you edit the wan2 interface and set the distance to a lower value, for example 5, the wan1 default route is removed from the router monitor and replaced with the wan2 default route, because the wan2 route has the lower distance.
  You can also have both default routes appear in the router monitor by setting their distances to the same value, for example 10. When both routes have the same distance, this is known as equal cost multipath (ECMP) routing and both default routes are used. Sessions are load balanced between them. For an example, see “Distributing sessions between dual redundant Internet connections with usage-based ECMP” on page 54.
4 To confirm which default route is now actually being used by the FortiGate unit, go to Router > Monitor > Routing Monitor to view the current FortiGate routing table. Routes that are not active do not appear on the routing monitor. In this example, only one static route should appear: the wan1 default route. Its distance should be 10. Connected routes for the connected interfaces should also appear.
5 Go to Router > Static > Settings, select Create New and add the wan1 ping server:
    Interface: wan1
    Ping Server: 172.20.120.2
    Detect Protocol: ICMP Ping
    Ping Interval (seconds): 5
    Failover Threshold: 5
6 Select Create New and add the wan2 ping server:
    Interface: wan2
    Ping Server: 10.41.101.100
    Detect Protocol: ICMP Ping
    Ping Interval (seconds): 5
    Failover Threshold: 5
  The wan2 ping server is optional for this configuration. However, adding the wan2 ping server means the FortiGate unit will record event log messages when the wan2 ping server can’t reach its destination.

Results

If the wan1 ping server can connect to its ping server IP address, the routing monitor appears as shown above with a default route to the wan1 interface. All traffic to the Internet uses the wan1 interface and the internal to wan1 security policy. You can verify this by viewing the routing monitor and by going to Policy > Policy > Policy. Right-click on the column headings, select Column Settings and add the Count column. In the Count column, the internal to wan1 policy count will increase, while the internal to wan2 count will not.

If you change the network so that the wan1 ping server cannot connect to its ping server IP address (for example, by physically disconnecting the cable from the wan1 interface), the default route should change to the wan2 interface (called default route failover). An event log message similar to the following will also be recorded:
    2011-08-24 10:16:39 log_id=0100020001 type=event subtype=system pri=critical vd=root interface="wan1" status=down msg="Ping peer: (172.20.120.14->172.20.120.2 ping-down)"

With the wan2 link active, attempt to connect to the Internet from the internal network. If you can connect, this confirms that the dual Internet connection configuration is correct. View the security policy Count column for the internal to wan2 policy. The count will be increasing, indicating that this policy is accepting traffic.

When you restore the wan1 interface’s connection, the ping server will detect that network connectivity is restored and the routing table will revert to including the wan1 default route. All new sessions will use the internal to wan1 security policy. Sessions that were established using the internal to wan2 security policy will continue to use this policy and the wan2 interface until they are terminated. Outgoing sessions and their responses that are in progress during a failover will have to be restarted after the failover, since responses to traffic sent out on one interface will not come back on another.
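Ping-server events like the one above are the record of every failover, so a defender usually wants them parsed rather than read by hand. The following added script (not from the cookbook) parses FortiGate key=value event log lines, extracts the link state and ping server per interface, lists real state transitions, and flags an interface that flaps repeatedly; the first sample line is the one quoted above, while the up-events, the second wan1 outage and the wan2 line are constructed and their exact wording (and the 10-minute window) is an assumption.

```python
"""Parse FortiGate key=value event log lines and track ping-server
link failover events per interface.

Added example, not from the cookbook. The first sample line is the one
quoted in the text; the remaining lines are constructed to show a wan1
flap and a wan2 outage, and their exact wording is an assumption.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
2011-08-24 10:16:39 log_id=0100020001 type=event subtype=system pri=critical vd=root interface="wan1" status=down msg="Ping peer: (172.20.120.14->172.20.120.2 ping-down)"
2011-08-24 10:19:02 log_id=0100020001 type=event subtype=system pri=critical vd=root interface="wan1" status=up msg="Ping peer: (172.20.120.14->172.20.120.2 ping-up)"
2011-08-24 10:20:15 log_id=0100020001 type=event subtype=system pri=critical vd=root interface="wan1" status=down msg="Ping peer: (172.20.120.14->172.20.120.2 ping-down)"
2011-08-24 10:21:40 log_id=0100020001 type=event subtype=system pri=critical vd=root interface="wan1" status=up msg="Ping peer: (172.20.120.14->172.20.120.2 ping-up)"
2011-08-24 11:05:00 log_id=0100020001 type=event subtype=system pri=critical vd=root interface="wan2" status=down msg="Ping peer: (10.41.101.1->10.41.101.100 ping-down)"
"""

# key=value pairs; a value is either "quoted" (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Source->ping-server pair inside the msg field, as in the quoted log line.
PEER_RE = re.compile(r"\((\S+)->(\S+) ping-(down|up)\)")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_line(line: str) -> Tuple[datetime, Dict[str, str]]:
    """Split one log line into its timestamp and a dict of key=value fields."""
    ts = datetime.strptime(line[:19], TS_FORMAT)
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV_RE.finditer(line[19:])}
    return ts, fields


def link_events(log_text: str) -> List[dict]:
    """Keep only ping-server link state events (interface plus up/down status)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        if f.get("type") != "event" or "interface" not in f:
            continue
        if f.get("status") not in ("up", "down"):
            continue
        peer = PEER_RE.search(f.get("msg", ""))
        events.append({"ts": ts, "interface": f["interface"], "status": f["status"],
                       "ping_server": peer.group(2) if peer else None})
    return events


def transitions(events: List[dict]) -> List[Tuple[datetime, str, str]]:
    """(timestamp, interface, new_state) for each real state change.
    Interfaces are assumed up until the log says otherwise."""
    state: Dict[str, str] = {}
    out = []
    for e in events:
        if e["status"] != state.get(e["interface"], "up"):
            out.append((e["ts"], e["interface"], e["status"]))
            state[e["interface"]] = e["status"]
    return out


def flapping(events: List[dict], window: timedelta = timedelta(minutes=10),
             min_downs: int = 2) -> List[str]:
    """Interfaces with at least min_downs ping-down events inside one window."""
    downs: Dict[str, List[datetime]] = {}
    for e in events:
        if e["status"] == "down":
            downs.setdefault(e["interface"], []).append(e["ts"])
    flappers = []
    for iface, times in downs.items():
        times.sort()
        for i in range(len(times) - min_downs + 1):
            if times[i + min_downs - 1] - times[i] <= window:
                flappers.append(iface)
                break
    return flappers


if __name__ == "__main__":
    evs = link_events(SAMPLE_LOG)
    for ts, iface, state in transitions(evs):
        print(f"{ts} {iface} -> {state}")
    print("Flapping interfaces:", flapping(evs))
```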
Changing this redundant Internet configuration to use ECMP

The basic redundant Internet connection scenario described in this section is effective for many networks. However, to potentially improve default route failover performance and to reduce the number of failovers for incoming connections when the primary ISP fails and reconnects, you could implement Equal Cost Multipath (ECMP) routing. You could implement a basic ECMP configuration of this redundant Internet connection scenario by setting the distances for both default routes to the same value and setting the priority of the default route to the primary ISP to a lower value than the priority of the default route to the backup ISP. The route with the lowest priority value is considered the best route. Use the following steps to modify the configuration.

1 Go to Router > Static > Static Route and edit the wan1 default route.
2 Set the Distance to 10 and the Priority to 5.
3 Enter the following CLI command to edit the distance and priority of the wan2 default route:
    config system interface
        edit wan2
            set distance 10
            set priority 20
    end
  Because the wan2 default route is acquired from the ISP using DHCP, the priority of the wan2 default route must be changed by editing the wan2 interface from the CLI.

Since the wan1 default route has the lowest priority value, it is considered the best route and all traffic heading from the private network to the Internet uses the wan1 interface. During a failover, incoming sessions received by a firewall VIP security policy from the wan1 interface before the failover may be sent out the wan2 interface after the failover. Outbound sessions initiated by the server and sent out the VIP security policy will have their source IP address modified according to the interface that sends the session to the Internet. If the wan1 link fails, outgoing VIP sessions automatically fail over to wan2. The source address of these sessions depends on the address defined in the firewall VIP.

If you can browse the web from the internal network, your configuration is successful. If you cannot, try the steps described in “Troubleshooting NAT/Route mode installations” on page 20 to find the problem.
A number of ECMP scenarios are available. For another, see “Distributing sessions between dual redundant Internet connections with usage-based ECMP” on page 54.

When two different distances are used on the wan1 and wan2 default routes, traffic originating from the Internet can only be responded to by the interface with the default route with the lowest distance metric (wan1). If a user from the Internet has established a connection to the internal network through the wan1 interface, the user would lose their connection if the wan1 connection to the Internet fails. After a brief interruption the user would automatically reconnect through the wan2 interface. When the wan1 Internet connection comes back, the user’s connection would be interrupted a second time, because it would have to switch back to the wan1 interface since the wan2 interface would no longer be able to process traffic.

When ECMP is implemented, both interfaces are able to respond to traffic initiated from the Internet, as the routing is based on the session tables. The user would still lose their connection when the wan1 Internet connection fails, but after connecting through the wan2 interface the user’s connection would be able to continue on the wan2 interface after the wan1 connection was restored, resulting in only a single interruption.
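The difference between the distance-based configuration and the ECMP configuration comes down to which default routes are in the routing table at each moment. The following added example (a simplified model written for this page, not FortiOS code) encodes the selection rules the text states: a route is withdrawn when its ping server fails, only routes at the lowest distance are active, equal-distance routes are all active with the lowest priority value as the best route, and inbound traffic can only be answered on an interface whose route is active. It then counts the interruptions an inbound session suffers across a wan1 failure and recovery in both configurations.

```python
"""Model of how a FortiGate chooses between the wan1 and wan2 default
routes from distance, priority and ping-server state.

Added example: a simplified model of the behaviour the cookbook text
describes, not FortiOS code. Rules modelled:
  * a route whose interface's ping server has failed is withdrawn;
  * of the remaining default routes, only those with the lowest
    distance enter the routing table;
  * several routes at the same distance are all active (ECMP) and the
    one with the lowest priority value is the best route for new
    outbound sessions;
  * traffic arriving from the Internet on an interface can only be
    answered if that interface's default route is active.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DefaultRoute:
    device: str
    distance: int
    priority: int = 0


@dataclass
class FortiGate:
    routes: List[DefaultRoute]
    # Ping-server verdict per interface; a missing entry counts as up.
    link_up: Dict[str, bool] = field(default_factory=dict)

    def _reachable(self) -> List[DefaultRoute]:
        return [r for r in self.routes if self.link_up.get(r.device, True)]

    def active_routes(self) -> List[str]:
        """Interfaces whose default route is in the routing table, best first."""
        usable = self._reachable()
        if not usable:
            return []
        best_distance = min(r.distance for r in usable)
        ecmp = [r for r in usable if r.distance == best_distance]
        return [r.device for r in sorted(ecmp, key=lambda r: r.priority)]

    def best_route(self) -> Optional[str]:
        active = self.active_routes()
        return active[0] if active else None

    def can_respond(self, interface: str) -> bool:
        return interface in self.active_routes()

    def set_link(self, interface: str, up: bool) -> None:
        self.link_up[interface] = up


def inbound_interruptions(fg: FortiGate, arrival_if: str, backup_if: str) -> int:
    """Count how often an inbound session that arrived on arrival_if is cut
    across a failure and recovery of that link (the scenario in the text)."""
    interruptions, current = 0, arrival_if
    fg.set_link(arrival_if, False)         # primary ISP fails
    if not fg.can_respond(current):
        interruptions += 1
        current = backup_if                # user reconnects through the backup
    fg.set_link(arrival_if, True)          # primary ISP restored
    if not fg.can_respond(current):
        interruptions += 1                 # backup route withdrawn, cut again
    return interruptions


def basic_config() -> FortiGate:
    """Distances 10 and 20: only the wan1 route is normally active."""
    return FortiGate([DefaultRoute("wan1", 10), DefaultRoute("wan2", 20)])


def ecmp_config() -> FortiGate:
    """Equal distance 10, priorities 5 and 20: both active, wan1 best."""
    return FortiGate([DefaultRoute("wan1", 10, 5), DefaultRoute("wan2", 10, 20)])


if __name__ == "__main__":
    for name, fg in (("distance 10/20", basic_config()), ("ECMP", ecmp_config())):
        print(f"{name}: active={fg.active_routes()} best={fg.best_route()} "
              f"inbound interruptions={inbound_interruptions(fg, 'wan1', 'wan2')}")
```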
Using a modem as a redundant Internet connection

Problem

Create a backup Internet connection using a modem so that if the primary Internet connection fails, some or all traffic automatically switches to the backup modem Internet connection. When the primary Internet connection is restored, traffic automatically switches back to it.

Solution

This solution describes how to improve the reliability of a network’s connection to the Internet by using two Internet connections. The primary Internet connection is to the wan1 interface and the backup Internet connection is a dial-up connection using a modem and the FortiGate modem interface. The modem interface is configured to be redundant for the wan1 interface and a ping server is added for the wan1 interface. When the ping server determines that the wan1 interface cannot connect to the Internet, the FortiGate unit dials the modem and the modem becomes the active Internet connection.

[Figure: Internal network 192.168.1.0/255.255.255.0 on the internal interface (192.168.1.99); WAN1 172.20.120.14, gateway 172.20.120.2, to the Primary ISP; Modem to the Backup ISP]

You can choose to reduce the amount of traffic when the modem interface is operating by adding fewer security policies for connections to the modem interface. You could also use techniques such as traffic shaping to limit the amount of traffic processed by the modem interface, or add security policies that include FortiGuard web filtering or other web filtering techniques to block popular but less important websites. Application control could also be used to limit the applications that can be used when traffic is using the modem interface.

If you are using a desktop FortiGate unit, go to System > Admin > Settings, select Dynamic Routing, and then select Apply.
Configuring the primary Internet connection to use wan1

1 Connect the FortiGate wan1 interface to your primary ISP-supplied equipment. Connect the internal network to the internal interface.
2 From a PC on the internal network, log in to the FortiGate web-based manager using admin and no password.
3 Go to System > Network > Interface, edit the wan1 interface and change the following settings:
    Addressing mode: Manual
    IP/Netmask: 172.20.120.14/255.255.255.0
4 Edit the internal interface and change the following settings:
    Addressing mode: Manual
    IP/Netmask: 192.168.1.99/255.255.255.0
5 Go to Router > Static > Static Route and select Create New to add the following default route:
    Destination IP/Mask: 0.0.0.0/0.0.0.0
    Device: wan1
    Gateway: 172.20.120.2
6 Go to Router > Static > Settings, select Create New, and add the following ping server:
    Interface: wan1
    Ping Server: 172.20.120.2
    Detect Protocol: ICMP Ping
    Ping Interval (seconds): 5
    Failover Threshold: 5
7 Go to System > Network > DNS and add Primary and Secondary DNS servers.
8 Go to Policy > Policy > Policy and select Create New.
9 Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
10 Add the following security policy that allows users on the private network to access the Internet through the wan1 interface:
    Incoming Interface: internal
    Source Address: all
    Outgoing Interface: wan1
    Destination Address: all
    Schedule: always
    Service: ALL
    Action: ACCEPT
11 Select Enable NAT and Use Destination Interface Address.
12 Select OK.

[Figure: Internal Network - Internal - FortiGate - WAN1 - Primary ISP]

Configuring the modem interface as the backup Internet connection

The modem interface will not appear in the web-based manager until it is enabled in the CLI. To enable the modem interface, enter the following CLI commands:
    config system modem
        set status enable
    end
You will need to log out of the FortiGate unit and log back in to see the modem configuration page at System > Network > Modem. Note that the modem interface is only available when the FortiGate unit is in NAT mode.
  52. 52. Using a modem as a redundant Internet connection 52 FortiGateCookbook http://docs.fortinet.com/ Connect a USB modem to the USB port, or insert an express card modem into the express card slot of the FortiGate unit. You may have to restart the FortiGate unit after connecting an external modem. 1 Go to System > Network > Modem. 2 Configure the following modem settings: 3 Configure the External Modem settings. 4 Select Apply. 5 Go to Policy > Policy > Policy and select Create New. 6 Leave the Policy Type as Firewall and leave the Policy Subtype as Address. Primary Modem External Modem Mode Redundant Redundant for wan1 Dial Mode Dial on demand Idle Timeout 5 minutes Redial Limit None Phone Number 555 555 1212 User Name ISP_user Password Passw0rd W AN 1 Internal InternalN etw ork Prim ary ISP M odem Interface M odem B ackup ISP
7 Add the following security policy that allows users on the private network to access the Internet through the modem interface.

    Incoming Interface    internal
    Source Address        all
    Outgoing Interface    modem
    Destination Address   all
    Schedule              always
    Service               ALL
    Action                ACCEPT

8 Select Enable NAT and Use Destination Interface Address.

9 Select OK.

With this configuration, if the wan1 interface becomes disconnected, the modem will automatically dial up and attempt to connect to an ISP. If the connection is successful, the modem interface will be configured via PPPoE from the ISP and a default route pointing to the modem interface will be added to the routing table. All traffic destined for the Internet will then use the modem interface, as long as it is accepted by an internal-to-modem security policy.

Results

Test default route failover by physically disconnecting the wan1 interface cable. The modem will dial in and, when connected, the routing monitor will show the modem default route. Connect to the Internet and verify that the connection works and that traffic is accepted by an internal-to-modem security policy.

If you cannot connect to the Internet with the modem dialed in, try the steps described in "Troubleshooting NAT/Route mode installations" on page 20 to find the problem.
54. 54. Distributing sessions between dual redundant Internet connections with usage-based ECMP 54 FortiGateCookbook http://docs.fortinet.com/

Distributing sessions between dual redundant Internet connections with usage-based ECMP

Problem

Your organization uses two different ISPs for reliability and you want to make efficient use of these two Internet connections by distributing sessions to both, without allowing either one to become overloaded.

Solution

Use spillover (also known as usage-based) Equal Cost Multipath (ECMP) routing. When one Internet connection reaches a defined traffic level, sessions spill over to the other connection.

[Figure: Internal Network 192.168.1.0/255.255.255.0 - Internal 192.168.1.99 - WAN1 172.20.120.14 (Gateway 172.20.120.2) - Primary ISP; WAN2 172.30.120.10 (Gateway 172.30.120.2) - Backup ISP]

If you are using a desktop FortiGate unit, go to System > Admin > Settings, select Dynamic Routing, then select Apply.

1 Go to Router > Static > Static Route and select Create New to add the default route for the wan1 interface:

    Destination IP/Mask   0.0.0.0/0.0.0.0
    Device                wan1
    Gateway               172.20.120.2
    Distance              10
Select OK and select Create New.

2 Create the default route for the wan2 interface:

    Destination IP/Mask   0.0.0.0/0.0.0.0
    Device                wan2
    Gateway               172.30.120.2
    Distance              10

For ECMP to work, both default routes must have the same Distance and Priority.

3 Go to Router > Static > Settings and select Spillover as the ECMP Load Balance Method.

4 Under Dead Gateway Detection, select Create New to add the dead gateway detection for the wan1 interface:

    Interface            wan1
    Ping Server          172.20.120.2
    Detect Protocol      ICMP Ping
    Ping Interval        5
    Failover Threshold   5

5 Select OK and select Create New to add the dead gateway detection for the wan2 interface:

    Interface            wan2
    Ping Server          172.30.120.2
    Detect Protocol      ICMP Ping
    Ping Interval        5
    Failover Threshold   5

6 Select OK.

7 In the interface table, double-click wan1, enter a Spillover Threshold of 10000 kbits/s, and select Edit.
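The two mechanisms these recipes configure, dead gateway detection (a ping server with a Ping Interval and a Failover Threshold, used by both the modem recipe and the ECMP recipe) and spillover ECMP between equal-cost default routes, can be reasoned about with a small model. The following Python is an added example written for this page; it is not FortiOS code and not Fortinet's implementation. The class names, the assumption that spillover fills candidate routes in routing-table order, and the assumption that a single successful ping reply marks a gateway alive again are all choices made for illustration; the interface names, gateways, interval, threshold and 10000 kbit/s spillover value are the ones from the recipe.

```python
"""Simplified model of dead gateway detection and spillover ECMP.

Added example (assumption-based model, not FortiOS code): it shows why a
Failover Threshold of 5 at a 5 second Ping Interval takes about 25 seconds
to declare a link dead, why both default routes need the same Distance and
Priority to be ECMP candidates, and how a Spillover Threshold moves new
sessions to the second ISP once the first is busy.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PingServer:
    """Dead gateway detection for one interface (Router > Static > Settings)."""
    interface: str
    server: str                  # address that is pinged, e.g. the ISP gateway
    interval_seconds: int = 5    # Ping Interval
    failover_threshold: int = 5  # consecutive lost pings before the link is dead
    consecutive_failures: int = 0
    alive: bool = True

    def record_ping(self, reply_received: bool) -> bool:
        """Feed one ping result; return whether the gateway is still considered up."""
        if reply_received:
            # Assumption: any reply clears the failure counter and restores the link.
            self.consecutive_failures = 0
            self.alive = True
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.failover_threshold:
                self.alive = False
        return self.alive

    def worst_case_detection_seconds(self) -> int:
        """Time from the first lost ping until the link is declared dead."""
        return self.interval_seconds * self.failover_threshold


@dataclass
class DefaultRoute:
    """A 0.0.0.0/0 static route (Router > Static > Static Route)."""
    device: str
    gateway: str
    distance: int = 10
    priority: int = 0
    # Spillover Threshold in kbit/s; None means no threshold on that interface.
    spillover_threshold_kbps: Optional[int] = None


class SpilloverRouter:
    def __init__(self, routes: List[DefaultRoute], monitors: List[PingServer]):
        self.routes = routes
        self.monitors: Dict[str, PingServer] = {m.interface: m for m in monitors}

    def _is_alive(self, route: DefaultRoute) -> bool:
        # An interface without a ping server is assumed to be up.
        monitor = self.monitors.get(route.device)
        return True if monitor is None else monitor.alive

    def ecmp_candidates(self) -> List[DefaultRoute]:
        """Routes eligible for ECMP: alive, with the best Distance among alive
        routes and, within that, the best Priority. A route with a worse value
        is left out, which is why the recipe requires matching values."""
        alive = [r for r in self.routes if self._is_alive(r)]
        if not alive:
            return []
        best_distance = min(r.distance for r in alive)
        same_distance = [r for r in alive if r.distance == best_distance]
        best_priority = min(r.priority for r in same_distance)
        return [r for r in same_distance if r.priority == best_priority]

    def select_egress(self, usage_kbps: Dict[str, int]) -> Optional[str]:
        """Spillover: a new session uses the first candidate whose current usage
        is below its Spillover Threshold. If every candidate is over threshold,
        the last one is used rather than dropping the session (assumption)."""
        candidates = self.ecmp_candidates()
        if not candidates:
            return None
        for route in candidates:
            threshold = route.spillover_threshold_kbps
            if threshold is None or usage_kbps.get(route.device, 0) < threshold:
                return route.device
        return candidates[-1].device


def build_recipe_router() -> SpilloverRouter:
    """The two-ISP setup from the recipe: wan1 and wan2 at distance 10,
    ping servers on both ISP gateways, 10000 kbit/s spillover threshold on wan1."""
    routes = [
        DefaultRoute("wan1", "172.20.120.2", spillover_threshold_kbps=10000),
        DefaultRoute("wan2", "172.30.120.2"),
    ]
    monitors = [PingServer("wan1", "172.20.120.2"), PingServer("wan2", "172.30.120.2")]
    return SpilloverRouter(routes, monitors)


if __name__ == "__main__":
    router = build_recipe_router()
    print(router.select_egress({"wan1": 2000}))   # wan1: under threshold
    print(router.select_egress({"wan1": 12000}))  # wan2: spillover
    wan1 = router.monitors["wan1"]
    for _ in range(5):                            # five lost pings = 25 s at a 5 s interval
        wan1.record_ping(False)
    print(wan1.alive, router.select_egress({}))   # False wan2: failover regardless of usage
```

The model makes one point the GUI tables do not: a single lost ping does nothing, and the link only fails over after Failover Threshold consecutive losses, so the detection time is Ping Interval multiplied by Failover Threshold. When checking a real unit, compare the time between pulling the wan1 cable and the routing monitor showing the wan2 (or modem) default route against that figure.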