Fortigate cookbook 506
The FortiGate Cookbook™
FortiOS 4.0 MR3
A Practical Guide to Getting the Best from Your FortiGate
Fortinet Publishing
FortiGate Cookbook
A Practical Guide to Getting the Best from Your FortiGate
FortiOS 4.0 MR3
1 June 2012
01-432-153797-20120601

Copyright© 2012 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Visit these links for more information and documentation for your Fortinet products:
Fortinet Knowledge Base - http://kb.fortinet.com
Technical Documentation - http://docs.fortinet.com
Training Services - http://campus.training.fortinet.com
Technical Support - http://support.fortinet.com

You can report errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.
FortiOS Cookbook
Contents

Introduction . . . 6
About FortiGate . . . 7
Administrative interfaces . . . 8
Revision History . . . 9
Registering your Fortinet product . . . 10
For more information . . . 10

The basics of installing and initial setup of a new FortiGate unit . . . 13
Connecting a private network to the Internet with a FortiGate unit in NAT/Route mode . . . 14
Connecting a private network to the Internet in one step . . . 18
Changing the address of an internal network in one step using the FortiGate setup wizard . . . 22
Troubleshooting NAT/Route mode installations . . . 24
Inserting a FortiGate unit into a network without changing the network configuration (Transparent mode) . . . 27
Troubleshooting Transparent mode installations . . . 31
Verifying the current firmware version and upgrading the FortiOS firmware . . . 34
Setting up and troubleshooting FortiGuard services . . . 37
Setting up an administrator account on the FortiGate unit . . . 41

Advanced FortiGate installation and setup . . . 44
Connecting a FortiGate unit to two ISPs for redundant Internet connections . . . 45
Using a modem for a redundant Internet connection . . . 53
Distributing sessions between dual redundant Internet connections with usage-based ECMP . . . 58
Protecting a web server on a DMZ network . . . 61
Protecting an email server with a FortiGate unit without changing the network (Transparent Mode) . . . 69
Using port pairing to simplify a Transparent mode installation . . . 77
Connecting networks without translating addresses (FortiGate unit in Route mode) . . . 81
Setting up the explicit web proxy for users on a private network . . . 86
Setting up web caching of Internet content for users on a private network . . . 88
Employing high availability (HA) to improve network reliability . . . 90
Upgrading the firmware installed on a FortiGate HA cluster . . . 95
Connecting multiple networks to a FortiGate interface using virtual LANs (VLANs) . . . 98
Using Virtual Domains to host more than one FortiOS instance on a single FortiGate unit . . . 103
Setting up an administrator account for monitoring firewall activity and basic maintenance . . . 110
Enhancing FortiGate Security . . . 113
Creating a local DNS server listing for internal web sites and servers . . . 118
Assigning IP addresses according to a MAC address using DHCP . . . 120
Setting up the FortiGate unit to send SNMP traps . . . 122
Troubleshooting by sniffing packets (packet capture) . . . 125
Advanced troubleshooting by sniffing packets (packet capture) . . . 130
Creating, saving, and using packet capture filters (sniffing packets from the web-based manager) . . . 135
Debugging FortiGate configurations . . . 139
Quick reference to common diagnose commands . . . 143

WiFi Networking . . . 146
Setting up secure WiFi access on your FortiWiFi unit . . . 147
Setting up secure WiFi on your FortiGate unit using a FortiAP unit . . . 150
Improving WiFi security with WPA-Enterprise security . . . 155
Setting up secure WiFi with RADIUS . . . 158
Setting up secure WiFi with a captive portal . . . 162
Sharing the same subnet for WiFi and wired clients . . . 166
Setting up a WiFi network with an external DHCP server . . . 170
Authenticating WiFi users with Windows AD . . . 174

Using security policies and firewall objects to control traffic . . . 181
Limiting employees' Internet access . . . 185
Restricting Internet access per IP address . . . 189
Excluding selected users from UTM filtering . . . 193
Verifying that traffic is accepted by a security policy . . . 196
Arranging security policies in the correct order . . . 201
Allowing DNS queries to only one approved DNS server . . . 204
Extending AirPlay and AirPrint communication through a FortiWiFi unit . . . 208
Ensuring sufficient and consistent bandwidth for VoIP traffic . . . 216
Using geographic addresses . . . 220
Providing Internet access for your private network users (static source NAT) . . . 222
Providing Internet access for a private network with multiple Internet addresses (dynamic source NAT) . . . 225
Dynamic source NAT without changing the source port (one-to-one source NAT) . . . 228
Dynamic source NAT using the central NAT table . . . 231
Allowing access to a web server on an internal network when you only have one Internet IP address . . . 234
Allowing Internet access to a web server on a protected network when you only have one Internet IP address, using port translation . . . 237
Allowing Internet access to a web server on a protected network when you have an IP address for the web server . . . 240
Configuring port forwarding to open ports on a FortiGate unit . . . 243
Dynamic destination NAT for a range of IP addresses . . . 247

UTM Profiles . . . 250
Protecting your network from viruses . . . 252
Protecting your network against greyware . . . 255
Protecting your network against legacy viruses . . . 256
Changing the maximum file size that the AV scanner examines . . . 258
Blocking files that are too large to scan for viruses . . . 260
Improving FortiGate performance with flow-based UTM scanning . . . 261
Limiting the types of web sites your users can visit . . . 263
Overriding FortiGuard web filtering for selected users . . . 265
Prevent offensive search results in Google, Bing and Yahoo search engines . . . 267
Finding the FortiGuard web filter category of a URL . . . 268
Listing the web sites your users have visited . . . 270
Using FortiGuard web filtering to block access to web proxies . . . 272
Blocking access to streaming media using web filtering . . . 273
Blocking access to specific web sites . . . 274
Blocking all web sites except those you specify using a whitelist . . . 276
Configuring FortiGuard web filtering to check IP addresses as well as URLs . . . 278
Configuring FortiGuard web filtering to check images as well as URLs . . . 280
Applying ratings to HTTP redirects . . . 281
Visualizing the applications on your network . . . 282
Preventing the use of instant messaging clients . . . 284
Blocking access to social media web sites . . . 285
Blocking peer-to-peer file sharing . . . 286
Using IPS to protect a web server . . . 288
Configuring IPS to stop traffic if the scanner fails . . . 291
Protecting against denial of service (DoS) attacks . . . 292
Filtering incoming spam . . . 294
Use DLP to track personal information in HTTP traffic . . . 295
Blocking outgoing email containing sensitive information . . . 297
Using the FortiGate vulnerability scanner to check your network for vulnerabilities . . . 298

SSL VPN . . . 300
Setting up remote web browsing for internal sites through SSL VPN . . . 301
Using SSL VPN to provide protected Internet access for remote users . . . 306
SSL VPN split tunneling: Using SSL VPN to provide protected Internet access and access to head office servers for remote users . . . 310
Verifying that SSL VPN users have the most recent AV software before they can log into the SSL VPN . . . 315

IPsec VPN . . . 317
Protecting communication between offices across the Internet using IPsec VPN . . . 318
Using FortiClient VPN for secure remote access to an office network . . . 323
IPsec VPN for a secure connection using an iPhone . . . 330
IPsec VPN for a secure connection using an Android device . . . 336
Using the FortiGate FortiClient VPN Wizard to set up a VPN to a private network . . . 341
Redundant OSPF routing over IPsec VPN . . . 346

Authentication . . . 352
Creating a security policy to identify users . . . 353
Identify users and restrict access to websites by category . . . 355
Creating a security policy to identify users, restrict access to certain websites, and control use of applications . . . 357
Configuring FSSO for single sign-on user access in a Windows AD environment . . . 360
Authenticating with FortiAuthenticator . . . 363
Adding FortiToken two-factor authentication to a user account . . . 366
Stopping the "Connection is untrusted" message . . . 369

Logging and Reporting . . . 371
Understanding log messages . . . 372
Creating a backup log solution . . . 377
Alert email notification of SSL VPN login failures . . . 380
Modifying the default FortiOS UTM report . . . 383
Testing the log configuration . . . 385

Index . . . 387

FortiOS 4.0 MR3 http://docs.fortinet.com/
Introduction

The FortiGate Cookbook provides administrators who are new to FortiGate appliances with examples of how to implement many basic and advanced FortiGate configurations. FortiGate products offer administrators a wealth of features and functions for securing their networks, but to cover the entire scope of configuration possibilities would easily surpass the limits set forth for this book. Fortunately, much more information can be obtained in the FortiOS Handbook. The latest version is available from the Fortinet Technical Documentation website (http://docs.fortinet.com) and is also accessible as FortiGate online help.

[Figure: FortiGate unit in NAT/Route mode. wan1 172.20.120.14, gateway 172.20.120.2; internal 192.168.1.99; private internal network 192.168.1.0/255.255.255.0; NAT between the internal network and the Internet.]

This cookbook contains a series of sections (or recipes) that describe how to solve problems. Each section begins with a description of the problem and is followed by a step-by-step solution. Most sections conclude with results that describe how to verify that the problem was successfully resolved. Many sections also contain troubleshooting information, best practices and additional details about the FortiGate features used to solve the problem. Scattered throughout this document you will also find dedicated troubleshooting sections and sections that describe FortiGate troubleshooting features such as the packet sniffer and the diagnose debug command.

This FortiGate Cookbook was written for FortiOS 4.0 MR3 patch 2 (FortiOS 4.3.2). The solutions in this document should also work with more recent FortiOS 4.0 MR3 firmware versions, possibly with minor adjustments.
A PDF copy of this document is available from the FortiGate Cookbook website (http://docs.fortinet.com/cookbook.html). You can send comments about this document and ideas for new recipes to techdoc@fortinet.com. New recipes may be published on the FortiGate Cookbook website and added to future versions of the cookbook.

The FortiGate Cookbook videos are visual and audio versions of recipes found in the FortiGate Cookbook. All of the Cookbook videos are available from http://docs.fortinet.com/cookbook_video.html. We add new videos regularly.

About the IP addresses used in the cookbook

To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918. Most of the examples in this document use the 192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8 ranges, the non-public addresses covered in RFC 1918. In most of the examples in this cookbook, the 172.20.120.0 network stands in for the Internet.

About FortiGate

A FortiGate appliance represents the latest response to the ever-changing Internet security threat landscape. Internet security covers a wide range of disciplines across a broad set of services, protocols and network topologies. The FortiGate appliance is designed to cover a correspondingly wide range of networking requirements, from the smallest office to the largest Internet service provider. Combining custom-designed silicon (FortiASIC) with a dedicated operating system (FortiOS), FortiGate appliances deliver solutions that scale across that whole range.
[Figure: FortiGate unit between the internal network and the Internet, labelled Application Control.]
The FortiOS feature set is constantly evolving and today provides both IPv6 and IPv4 protection, high availability, a full suite of dynamic routing protocols, traffic shaping, IPsec and SSL VPN, user authentication, WAN optimization, and secure WiFi. UTM has been extended beyond virus scanning and web filtering to include intrusion protection, application control, endpoint security, and data leak prevention. Application control, combined with a whole host of monitoring functions and network vulnerability scanning, provides a complete and detailed picture of the traffic on your networks, allowing you to detect and isolate threats before they happen and take action to control traffic as it passes through your network.

The advanced capabilities of your FortiGate appliance require an equally advanced and global presence for ensuring as complete a defence as possible. Updated many times a day, the FortiGuard network provides a series of databases which are either installed directly or queried on demand to realize the goal of complete content protection. Whether you are scanning for hundreds of thousands of viruses, checking millions of URLs or looking for that next spam outbreak, FortiGuard is the place to turn.

To ease the introduction of your new FortiGate units, they have been designed to operate in what we call NAT/Route mode or Transparent mode.

In NAT/Route mode the FortiGate unit functions as a router connecting two or more different networks together. Using static and advanced dynamic routing, in NAT/Route mode the FortiGate unit routes packets between its attached networks. You can also use security policies and firewall objects to apply network address translation (NAT) to traffic as it passes back and forth between different networks. NAT hides addresses on private networks to improve security and also simplifies routing between networks.

In Transparent mode the FortiGate unit is installed in a network transparently to layer 3, without changing the IP addressing of the network in any way. Its presence on the network is restricted to a single management IP address. In Transparent mode, traffic can pass through the FortiGate unit without any address translation or routing taking place.

Administrative interfaces

A full set of options is available to configure and manage FortiGate units, including the web-based manager for visual management, the CLI for command-line-based management, and FortiExplorer, which allows management over a USB connection.

Web-based Manager

Also called the Web Interface or Web UI, the FortiGate web-based manager is an advanced point-and-click, drag-and-drop interface that provides quick access to most FortiGate configuration settings and includes a configuration wizard and complementary visual monitoring and management tools. Using the web-based manager you can, for example, add a security policy to monitor application activity on a network, view the results of this application monitoring policy, and then add additional policies or change the existing policy to block or limit the traffic produced by some applications.

The web-based manager also provides a wide range of monitoring and reporting tools that provide detailed information about traffic and events on the FortiGate unit. All aspects of FortiGate operation can be monitored from the web-based manager. Specialized monitoring pages are available for most features.
You access the web-based manager using HTTP or a secure HTTPS connection from any web browser. By default you can access the web-based manager by connecting to the FortiGate interface usually attached to a protected network. Configuration changes made from the web-based manager take effect immediately, without resetting the unit or interrupting service.

CLI

As its name implies, the command line interface (CLI) provides a text-based command line configuration interface to the FortiGate unit. You can configure all FortiGate configuration options from the CLI using config commands. The CLI also includes get commands for viewing the configuration and getting status information; execute commands for performing immediate operations, including setting the date and time, backing up and restoring the configuration, testing network connections, and so on; and diagnose commands for advanced FortiGate monitoring and troubleshooting.

You can connect to the CLI using an RS-232 serial console connection, or over a TCP/IP network using Telnet or SSH. Configuration changes made within the CLI also take effect immediately, without resetting the unit or interrupting service.

FortiExplorer

FortiExplorer provides a user-friendly and accessible tool that you can use to configure a FortiGate unit over a standard USB connection. Once you have installed the FortiExplorer software on a PC running Windows or Mac OS X and established a USB connection between the PC and your FortiGate unit, you can use FortiExplorer to register your FortiGate unit, check for and perform FortiOS firmware updates, use the FortiExplorer configuration wizard to quickly set up the FortiGate unit, and connect to the web-based manager or CLI.
Revision History

Table 1: FortiGate Cookbook Revision History

Version: 01-432-153797-20120601
Changes: New Recipes:
• "Redundant OSPF routing over IPsec VPN" on page 346
• "Extending AirPlay and AirPrint communication through a FortiWiFi unit" on page 208
• "Configuring FSSO for single sign-on user access in a Windows AD environment" on page 360

Version: 01-432-153797-20120501
Changes: New Recipes:
• "Protecting your network from viruses" on page 252
• "Use DLP to track personal information in HTTP traffic" on page 295

Version: 01-432-153797-20120601
Changes: New Recipes:
• "Setting up the explicit web proxy for users on a private network" on page 86
• "Setting up web caching of Internet content for users on a private network" on page 88
• "Enhancing FortiGate Security" on page 113
• "Setting up secure WiFi with RADIUS" on page 158
• "Excluding selected users from UTM filtering" on page 193
• "Using IPS to protect a web server" on page 288
• "Authenticating with FortiAuthenticator" on page 363
Entire document reformatted to a new page size. Many errors corrected, customer comments incorporated. Affected sections include:
• Many of the recipes in the chapter "Using security policies and firewall objects to control traffic" on page 181
• All of the chapter "SSL VPN" on page 300
• All of the chapter "IPsec VPN" on page 317

Version: 01-432-153797-20111021
Changes: Initial Version

Registering your Fortinet product

Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration. For more information, see the Fortinet Knowledge Center article Registration Frequently Asked Questions.

For more information

Fortinet Knowledge Base

The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to articles, examples, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.
Training

Fortinet Training Services provides courses that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide. To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email training@fortinet.com.

Documentation

The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes. In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Base. Please send information about any errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.

Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your Fortinet products install quickly, configure easily, and operate reliably in your network. To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com. You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Base article FortiGate Troubleshooting Guide Technical Support Requirements.
The basics of installing and initial setup of a new FortiGate unit

Most people purchase a FortiGate unit with the intention of creating a secure connection between a protected private network and the Internet. And in most cases they want the FortiGate unit to hide the IP addresses of the private network from the Internet. This chapter describes how to install a new FortiGate appliance with this configuration, called NAT/Route mode, and describes how to troubleshoot NAT/Route mode installations.

In addition, this chapter describes a basic Transparent mode FortiGate installation in which a FortiGate unit provides security services to a network without requiring any changes to the network.

This chapter also describes some basic procedures often required after installing a FortiGate unit, including checking the firmware version and upgrading the firmware, and troubleshooting FortiGuard services.

This chapter includes the following basic installation and setup examples:
• Connecting a private network to the Internet with a FortiGate unit in NAT/Route mode
• Connecting a private network to the Internet in one step
• Changing the address of an internal network in one step using the FortiGate setup wizard
• Troubleshooting NAT/Route mode installations
• Inserting a FortiGate unit into a network without changing the network configuration (Transparent mode)
• Troubleshooting Transparent mode installations
• Verifying the current firmware version and upgrading the FortiOS firmware
• Setting up and troubleshooting FortiGuard services
• Setting up an administrator account on the FortiGate unit
Connecting a private network to the Internet with a FortiGate unit in NAT/Route mode

Problem

How to connect and configure a new FortiGate unit to securely connect a private network to the Internet. The FortiGate unit should also protect the private network from Internet threats but still allow anyone on the private network to freely connect to the Internet.

[Figure: FortiGate unit in NAT/Route mode, performing NAT between the internal network and the Internet. Private network 192.168.1.0/255.255.255.0; internal interface 192.168.1.99; wan1 interface 172.20.120.14; ISP gateway 172.20.120.2.]

Solution

Most commonly, FortiGate units are installed as a gateway or router between a private network and the Internet. The FortiGate unit operates in what is called NAT/Route mode to hide the addresses of the private network from prying eyes on the Internet.

1  Connect the FortiGate wan1 interface to your ISP-supplied equipment.

[Figure: wan1 interface connected to the ISP equipment; internal interface connected to the internal network.]
2  Connect the internal network to the FortiGate internal interface.
3  Power on the ISP's equipment, the FortiGate unit, and the PCs on the Internal network.
4  From a PC on the Internal network, connect to the FortiGate web-based manager. You can configure the PC to get its IP address using DHCP and then browse to https://192.168.1.99. You could also give the PC a static IP address on the 192.168.1.0/255.255.255.0 subnet.
5  Log in using admin and no password.
6  Go to System > Network > Interface and Edit the wan1 interface and change the following settings:
       Addressing mode    Manual
       IP/Netmask         172.20.120.14/255.255.255.0
7  Edit the internal interface and change the following settings:
       Addressing mode    Manual
       IP/Netmask         192.168.1.99/255.255.255.0
8  Go to Router > Static > Static Route and select Create New to add the following default route.
       Destination IP/Mask    0.0.0.0/0.0.0.0
       Device                 wan1
       Gateway                172.20.120.2
   A default route always has a Destination IP/Mask of 0.0.0.0/0.0.0.0. Normally you would have only one default route. If the static route list already contains a default route, you can edit it or delete it and add a new one.
9  Go to System > Network > DNS and add Primary and Secondary DNS servers.
10 Go to Policy > Policy > Policy and select Create New to add the following security policy that allows users on the private network to access the Internet.
       Source Interface/Zone         internal
       Source Address                All
       Destination Interface/Zone    wan1
       Destination Address           All
       Schedule                      always
       Service                       ANY
       Action                        ACCEPT
11 Select Enable NAT and Use Destination Interface Address.
12 Select OK to save the security policy.

Some FortiGate models include this security policy in the default configuration. If you have one of these models, this step has already been done for you and as soon as your FortiGate unit is connected and the computers on your internal network are configured, they should be able to access the Internet.

Results

On the PC that you used to connect to the FortiGate internal interface, open a web browser and browse to any Internet website. You should also be able to connect to the Internet using FTP or any other protocol or connection method.

Go to Policy > Policy > Policy and check the Count column for the security policy you added to verify that it is processing traffic.

Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit.
The source address of most sessions should be an address on the 192.168.1.0 network. The source NAT IP for most sessions should be 172.20.120.14 (or the IP address added to the wan1 interface). The policy ID should be 1, which is the ID of the default security policy that allows users in the internal network to connect to the Internet.

You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of active sessions for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph for policy 1 to view the top sessions by source address, destination address, or destination port/service.

The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more info about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage.

If you can browse the web from the internal network, your configuration is successful. If you cannot, try the steps described in “Troubleshooting NAT/Route mode installations” on page 24 to find the problem.
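The same NAT/Route configuration can be entered from the FortiGate CLI (console or SSH) instead of the web-based manager. The following is an added example for this recipe, not a procedure from the Cookbook or a Fortinet-supplied script: it uses the addresses from the figure above, and the DNS server addresses 10.0.0.53 and 10.0.0.54 are placeholders for your ISP's resolvers. Comment lines begin with # and are ignored by the CLI.

```fortios
# Steps 6 and 7: static addressing on wan1 and internal.
# allowaccess keeps management access on the internal side only;
# the wan1 interface gets no administrative access.
config system interface
    edit "wan1"
        set mode static
        set ip 172.20.120.14 255.255.255.0
    next
    edit "internal"
        set mode static
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Step 8: a single default route through wan1 to the ISP gateway.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "wan1"
        set gateway 172.20.120.2
    next
end

# Step 9: resolvers the FortiGate unit itself uses (placeholder addresses).
config system dns
    set primary 10.0.0.53
    set secondary 10.0.0.54
end

# Steps 10 to 12: internal -> wan1 policy with source NAT to the
# wan1 interface address ("Use Destination Interface Address").
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end

# Verification, equivalent to checking the Count column and Session Monitor:
# the routing table should show the static default route and two connected routes,
# and the session list should show internal addresses NATed to 172.20.120.14.
get router info routing-table all
get system session list
```

Because the policy is an internal to wan1 policy only, nothing from the Internet can open a session toward the private network; keep it that way rather than adding a matching wan1 to internal policy with Service ANY.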
Connecting a private network to the Internet in one step

Problem

To use as few steps as possible to get a FortiGate unit up and running and providing Internet connectivity for a private network.

[Figure: FortiGate unit in NAT/Route mode. The ISP provides the wan1 IP configuration with DHCP (WAN1 in DHCP address mode); the internal interface is 192.168.1.99 and the internal network address is 192.168.1.0/255.255.255.0; PCs on the private network are configured to automatically get their IP configuration from the FortiGate DHCP server.]

Solution

If your Internet service provider uses DHCP to automatically provide Internet connectivity, only one FortiGate configuration step is required to get a FortiGate unit up and running and allowing connections from a private network to the Internet. The solution involves connecting the FortiGate unit to your ISP and your Internal network, configuring the computers on your internal network to get their IP configuration automatically (using DHCP), and then powering on the FortiGate unit and configuring it to get network settings from your ISP using DHCP.

To use this one-step configuration solution, the default configuration of your FortiGate unit must include a DHCP server for the internal interface and a default security policy that allows all sessions from the internal network to the Internet. This default configuration is available on many SMB/SOHO FortiGate and FortiWifi models.

1  Connect the FortiGate wan1 interface to your ISP-supplied equipment.
2  Connect the internal network to the FortiGate internal interface.
3  Power on the ISP's equipment, the FortiGate unit, and the PCs in the Internal network.

[Figure: wan1 interface connected to the ISP equipment; internal interface connected to the internal network.]

4  If required, configure the PCs to get their IP network configuration automatically using DHCP. All of the PCs should acquire an IP address on the 192.168.1.0/255.255.255.0 network.
5  On one of the PCs, start a web browser and browse to https://192.168.1.99.
6  Log in to the FortiGate web-based manager by entering admin as the Name and leaving the password blank.
7  Go to System > Network > Interface and Edit the wan1 interface.
8  Set the Addressing Mode to DHCP and select Retrieve Default Gateway from server, and Override internal DNS.
9  Select OK to save the changes.

If your ISP uses PPPoE or manual addressing you can configure the wan1 interface for these options instead of DHCP.

Results

On any of the PCs connected to the FortiGate internal interface, open a web browser and browse to any Internet website. You should also be able to connect to the Internet using FTP or any other protocol or connection method.
Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit. The source address of most sessions should be an address on the 192.168.1.0 network. The source NAT IP for most sessions should be the IP address acquired by the wan1 interface. The policy ID should be 1, which is the ID of the default security policy that allows users in the internal network to connect to the Internet.

You can also see results by going to Policy > Policy > Policy Monitor to view a graph of active sessions for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph to view the top sessions by source address, destination address, or destination port/service.

The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more info about the current sessions. Other dashboard widgets display session history, traffic history and per-IP bandwidth usage.

What if it didn’t work?

Use the following steps:

1  Verify that the wan1 interface is getting IP configuration settings from the ISP. Log in to the web-based manager and go to System > Network > Interface > wan1. Confirm that the Addressing Mode is set to DHCP and information similar to the following appears showing that the wan1 interface has acquired an IP address, one or more DNS server IP addresses, and a default gateway from the ISP.

   If the IP address seems incorrect or is missing, select Renew to renew the lease and get new IP configuration information from the ISP. If you cannot get a valid IP address in this manner, the FortiGate unit cannot communicate with the ISP’s DNS server.
   Make sure the options to retrieve a default gateway and override the internal DNS are selected.

   If your ISP does not supply a DNS server through DHCP, you can go to System > Network > DNS and manually add one or more DNS server IP addresses for the FortiGate unit to use. These DNS server IP addresses are also used by the FortiGate DHCP server to provide the IP configuration for PCs on the internal network.

   If your ISP does not supply a default gateway through DHCP you can go to Router > Static > Static Route and manually add a default route that points from the wan1 interface to the ISP’s default gateway.

2  If the internal network is configured to get IP addresses from the FortiGate DHCP server, go to System > Network > DHCP Server and Edit the DHCP server for the internal interface. Verify that the DHCP server configuration uses the system DNS setting.

   Go to System > Monitor > DHCP Monitor to view information about the PCs that have been configured by the FortiGate unit DHCP server. There should be one entry here for each PC on the network that should have gotten its address using DHCP.

   Check the network configuration of the PCs on the internal network to make sure they are getting the correct IP configuration from the FortiGate DHCP server. If they are not, they may not be able to communicate with the FortiGate internal interface. Attempt to renew their DHCP lease, check other network configuration settings on the PC, and verify the physical connections are OK.

The Use System DNS Setting DHCP server option causes the FortiGate DHCP server to supply the DNS IP addresses in the System > Network > DNS page of the web-based manager. If Override internal DNS is selected for a FortiGate interface that gets its configuration from a DHCP server, the DNS server IP addresses acquired from the ISP are supplied by the FortiGate DHCP server instead.
If a PC on the internal network sends a DHCP request to the FortiGate unit before it has acquired DNS IP addresses from the ISP, then the FortiGate unit sends the DNS IP addresses from the System > Network > DNS web-based manager page. To make sure the PCs receive the correct DNS server IP addresses, you can renew the PCs’ DHCP leases.

If this does not solve the problem, use the steps described in “Troubleshooting NAT/Route mode installations” on page 24 to find and fix the problem.
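The one configuration step of this recipe (step 8), and the checks in “What if it didn’t work?”, can also be done from the CLI. This is an added example, not from the Cookbook or from Fortinet; it assumes the wan1 interface is the one facing the ISP and that the CLI option names defaultgw and dns-server-override correspond to the Retrieve Default Gateway from server and Override internal DNS check boxes of the web-based manager.

```fortios
# Step 8: wan1 takes its address, default gateway and DNS servers from the ISP's DHCP server.
config system interface
    edit "wan1"
        set mode dhcp
        set defaultgw enable
        set dns-server-override enable
    next
end

# "What if it didn't work?" step 1: what did the lease actually provide?
# The address list shows whether wan1 has an IP, the routing table whether a
# default route was installed from the lease, and the DNS settings whether the
# ISP-supplied servers are in effect.
diagnose ip address list
get router info routing-table all
get system dns

# Renew the lease from the CLI (the equivalent of selecting Renew).
execute interface dhcpclient-renew wan1

# Step 2: leases handed out by the FortiGate DHCP server on internal, one per PC
# (the equivalent of System > Monitor > DHCP Monitor).
execute dhcp lease-list internal
```

If the routing table shows no default route after the lease is renewed, the ISP is not supplying a gateway and you need the manual static route described above; if get system dns still shows the addresses you configured locally while the lease carries resolvers, dns-server-override was not enabled on wan1.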
Changing the address of an internal network in one step using the FortiGate setup wizard

Problem

To use as few steps as possible to quickly change the subnet address of an internal network and all of the devices connected to it.

[Figure: FortiGate unit in NAT/Route mode with WAN1 in DHCP address mode and the ISP providing the DHCP configuration. The internal interface IP address changes from 192.168.1.99 to 192.168.50.10 and the internal network address changes from 192.168.1.0/255.255.255.0 to 192.168.50.0/255.255.255.0.]

Solution

Use the FortiGate setup wizard to change the IP address of the FortiGate internal interface and change the network addresses that the FortiGate DHCP server provides for devices on the Internal network. Renew the DHCP leases of the devices on the internal network so that they acquire new IP addresses.

You may need to change the address of an internal network if you have two different internal networks and you want to allow communication between them.

The FortiGate setup wizard deletes all security policies and adds a single security policy configured by the wizard to allow Internet access from the Internal network. You might not want to use this solution if you have added custom security policies. However, this solution can be convenient if you have not added very many security policies.

A more cumbersome solution would be to manually change the IP address of the FortiGate internal interface and then manually change the IP address of a PC on the internal network. Then you would need to log back into the web-based manager and change the configuration of the DHCP server. This process involves a number of tedious steps; using the wizard simplifies the process to a few simple steps.

1  From a PC on the internal network, log in to the FortiGate web-based manager.
2  Select the Wizard icon.
3  Page through the wizard without making any changes until you get to the Local Area Network (LAN) Settings page.
4  Change the settings as follows:
       IP Address    192.168.50.10
       Netmask       255.255.255.0
5  Enable DHCP should be selected. Change the following settings:
       Start Address    192.168.50.20
       End Address      192.168.50.60
6  Continue to step through the wizard without making any other changes.

   Most wizard pages display the current configuration and allow you to change it. If you don’t make any changes, the wizard does not change that configuration element. One exception to this is the Internet Access Policy wizard page. The settings on this page are applied to the security policy configuration of the FortiGate unit. All existing security policies are removed and replaced with a single security policy using the settings selected on this wizard page.

7  Renew the DHCP lease for the devices on the internal network. You may have to restart them, or bring their interfaces down and back up to do this.

Results

All devices on the internal network (including the FortiGate internal interface) are now on the 192.168.50.0/255.255.255.0 subnet. From any device on the internal network, try connecting to the Internet.

Log in to the FortiGate web-based manager by browsing to https://192.168.50.10. Go to System > Network > Interface and verify that the IP address of the internal interface has been changed to 192.168.50.10. Also verify that the configuration of other interfaces has not been changed.

Go to System > Network > DHCP Server and Edit the DHCP server for the internal interface. The IP range should be changed to the range specified in the wizard, and the default gateway should be changed to the new internal interface IP address.

Go to System > Monitor > DHCP Monitor and verify that devices on the internal network have acquired a new address from the FortiGate DHCP server.
Go to Policy > Policy > Policy and verify that the policy list includes one security policy that allows users on the internal network to access the Internet.

Attempt to connect to the Internet from any device on the Internal network. If you can’t connect from a device on the internal network to the Internet, see “Troubleshooting NAT/Route mode installations” on page 24.
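The renumbering the wizard performs in steps 4 and 5 can be done from the CLI as well, which is the better choice when you have custom security policies, because the CLI change below touches only the interface and the DHCP server and leaves the policy list alone. This is an added example, not from the Cookbook or from Fortinet. It assumes the DHCP server for the internal interface has id 1 (check with show system dhcp server) and that the 4.0 MR3 DHCP server syntax with a config ip-range sub-table applies to your firmware.

```fortios
# Do this from the console, or paste the whole block at once into an SSH session:
# the SSH session to 192.168.1.99 is lost the moment the interface address changes.

# Step 4: move the internal interface to the new subnet.
config system interface
    edit "internal"
        set ip 192.168.50.10 255.255.255.0
    next
end

# Step 5: the DHCP server must hand out addresses, gateway and netmask on the
# new subnet, and keep using the system DNS setting (dns-service default).
config system dhcp server
    edit 1
        set interface "internal"
        set default-gateway 192.168.50.10
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 192.168.50.20
                set end-ip 192.168.50.60
            next
        end
    next
end

# Results: confirm the interface, the DHCP scope and that the policy list is unchanged.
show system interface internal
show system dhcp server
show firewall policy
execute dhcp lease-list internal
```

After step 7 (renewing the leases on the PCs), execute dhcp lease-list internal should show only 192.168.50.20 to 192.168.50.60 addresses; any PC still holding a 192.168.1.x lease has not renewed and cannot reach the FortiGate internal interface.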
Troubleshooting NAT/Route mode installations

Problem

You have set up a FortiGate NAT/Route configuration, and devices on the private network cannot connect to the Internet.

[Figure: FortiGate unit in NAT/Route mode, performing NAT between the internal network and the Internet. Private network 192.168.1.0/255.255.255.0; internal interface 192.168.1.99; wan1 interface 172.20.120.14; ISP gateway 172.20.120.2.]

Solution

Use the following steps to find and fix the problem that is preventing users from connecting to the Internet.

1  Check the physical network connections between the PC and the FortiGate unit, as well as between the FortiGate unit and your ISP’s equipment. The Unit Operation dashboard widget indicates the connection status of FortiGate network interfaces (System > Dashboard > Status).
2  Check the ISP-supplied equipment to make sure it is operating correctly.
3  Verify that you can connect to the internal IP address of the FortiGate unit. For example, use a web browser to connect to the web-based manager from the FortiGate internal interface by browsing to its IP address (for example, https://192.168.1.99). From the PC, ping the internal interface IP address. For example:
       ping 192.168.1.99
   If you cannot connect to the internal interface, verify the IP configuration of the PC and make sure cables are connected and all network equipment, such as switches, is powered on and operating. Go to the next step when you can connect to the internal interface.
4  Check the configuration of the FortiGate interface connected to the Internal network.
5  Check the configuration of the FortiGate interface that connects to the Internet to make sure it includes the proper addressing mode.
   • If the addressing mode is manual, make sure the IP address and netmask are correct.
   • If the addressing mode is DHCP, see “What if it didn’t work?” on page 20.
6  To verify that you can communicate from the FortiGate unit to the Internet, access the FortiGate CLI and use the execute ping command to ping an address or domain name on the Internet. You can also use the execute traceroute command to troubleshoot connectivity to the Internet.
7  Verify the DNS configurations of the FortiGate unit and the PCs on the internal network. You can check for DNS errors by pinging or using traceroute to connect to a domain name. If the name cannot be resolved the FortiGate unit or PC cannot connect to a DNS server and you should confirm the DNS server IP addresses are present and correct. For example:
       ping www.fortinet.com
       ping: cannot resolve www.fre.com: Unknown host
8  Verify the security policy configuration.
   • Go to Policy > Policy > Policy and verify that an internal -> wan1 security policy has been added. Check the Count column to see if the policy has been processing traffic. Check the configuration of the policy to make sure it is similar to the following and that Enable NAT and Use Destination Interface Address are selected:
       Source Interface/Zone         internal
       Source Address                all
       Destination Interface/Zone    wan1
       Destination Address           all
       Schedule                      always
       Service                       ANY
       Action                        ACCEPT
9  Verify the static routing configuration. Go to Router > Static > Static Route and verify that the default route is correct. Go to Router > Monitor > Router Monitor and take a look at the routing monitor and verify that the default route appears in the list as a static route. Along with the default route, you should see at least two connected routes, one for each connected FortiGate interface.
10 Disable web filtering. If you have enabled web filtering in a security policy it may be blocking access to the web site that you are attempting to connect to. This can happen for a number of reasons. If disabling web filtering allows you to connect to the Internet with a web browser, then the web filter profile selected in the policy was blocking access to the site you were attempting to connect to.

   This could happen because the configuration of the default web filter profile is blocking access to your site. It’s also possible that FortiGuard Web Filtering produced a rating error for the web site and the default web filter profile is configured to block access to sites when a rating error occurs. A rating error could occur for a number of reasons, including not being able to access FortiGuard web filter ratings. To fix this problem, you can go to UTM Profiles > Web Filter > Profile, and in the default profile, select Advanced Filter and enable the Allow Websites When a Rating Error Occurs option.

Other things you can try:
• Verify that you can connect to the wan1 IP address of the FortiGate unit. Once you have established that the internal network is operating, you could try pinging the FortiGate wan1 interface IP address (for example, ping 172.20.120.12). The wan1 interface responds to pings if ping administrative access is selected for that interface (go to System > Network > Interface and edit the wan1 interface to enable ping administrative access). If you cannot connect to the wan1 interface, the FortiGate unit is not allowing internal to wan1 sessions.
• Verify that you can connect to the gateway provided by your ISP.
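Steps 6 to 9 above map to a short sequence of CLI commands that narrows the fault down from the FortiGate unit itself, which is faster than working from a PC because it separates “the FortiGate cannot reach the Internet” from “the FortiGate is not forwarding the PC’s traffic”. This is an added example, not from the Cookbook or from Fortinet; 192.168.1.10 is a placeholder for the address of the PC you are testing from.

```fortios
# Step 3 and 6: reachability from the FortiGate unit, inside first, then the ISP gateway,
# then a name on the Internet. A failure at the name step with the two address steps
# working points at DNS (step 7), not routing.
execute ping 192.168.1.10
execute ping 172.20.120.2
execute ping www.fortinet.com
execute traceroute www.fortinet.com

# Step 7: resolvers configured on the unit.
get system dns

# Step 9: the routing table. Expect a static default route via 172.20.120.2 on wan1
# and a connected route for each of internal and wan1.
get router info routing-table all

# Step 8: the policy list as the unit sees it, including whether nat is enabled.
show firewall policy

# Watch the test PC's traffic on all interfaces. If echo requests appear on internal
# but never on wan1, the policy or route is dropping them; if they leave wan1 with the
# PC's private source address, NAT is not enabled on the policy.
diagnose sniffer packet any 'host 192.168.1.10 and icmp' 4

# Ask the packet flow engine why: it prints the matched route, the policy id, and the
# reason for a drop. Always disable and reset the trace when you are done.
diagnose debug flow filter addr 192.168.1.10
diagnose debug flow show console enable
diagnose debug flow trace start 10
diagnose debug enable

diagnose debug disable
diagnose debug reset
```

The sniffer and flow trace are read-only and safe on a production unit, but both are verbose; limit them with the address filter as shown and stop them with diagnose debug reset so they do not keep consuming the console.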
Inserting a FortiGate unit into a network without changing the network configuration (Transparent mode)

Problem

How to connect and configure a new FortiGate unit to protect a private network without changing the configuration of the network. The network is connected to the Internet using a router that performs NAT.

[Figure: FortiGate unit in Transparent mode, management IP 10.31.101.40, between the internal network 10.31.101.0/255.255.255.0 and the router at 10.31.101.100. Security policies allow traffic between the network segments.]

This solution requires adding network security without replacing the router. The FortiGate unit should block access from the Internet to the private network but allow users on the private network to connect to the Internet. The FortiGate unit should also monitor application usage and find and remove viruses.

Solution

Watch the video: http://docs.fortinet.com/cb/inst1.html

Install a FortiGate unit in Transparent mode between the internal network and the router. Add a security policy to the FortiGate unit that allows users on the internal network to connect to the Internet and add virus scanning and application control to this security policy. No network changes are required, except to provide the FortiGate unit with a management IP address.

Changing to Transparent mode removes most configuration changes made in NAT/Route mode. If you want to keep your current NAT/Route mode configuration you should back up your FortiGate NAT/Route mode configuration from the System Information dashboard widget.
1  Connect a PC to the FortiGate internal interface.
2  Power on the FortiGate unit and PC.
3  Connect to the FortiGate web-based manager. You can configure the PC to get its IP address using DHCP and then browse to https://192.168.1.99. You could also give the PC a static IP address on the 192.168.1.0/255.255.255.0 subnet. Log in using admin and no password.
4  Go to System > Dashboard > Status > System Information and beside Operation Mode select Change and configure the following:
       Operation Mode           Transparent
       Management IP/Netmask    10.31.101.40/255.255.255.0
       Default Gateway          10.31.101.100
5  Select OK to switch to Transparent mode.
6  Log in to the web-based manager by browsing to https://10.31.101.40. You will need to change the IP address of the PC to an address on the 10.31.101.0/255.255.255.0 subnet.
7  Go to System > Network > DNS and add Primary and Secondary DNS servers.
8  Go to Policy > Policy > Policy and select Create New to add the following security policy that allows users on the private network to access the Internet.
       Source Interface/Zone         internal
       Source Address                All
       Destination Interface/Zone    wan1
       Destination Address           All
       Schedule                      always
       Service                       ANY
       Action                        ACCEPT
9  Select UTM. Select Enable Antivirus and select Enable Application Control.
10 Select OK to save the security policy.
11 Power off the FortiGate unit.
12 Connect the FortiGate unit between the network and the router.

[Figure: router connected to the FortiGate wan1 interface; internal network connected to the FortiGate internal interface.]

   Connect the wan1 interface to the router internal interface. Connect the internal network to the FortiGate-60C internal interface switch. If the Internal network consists of only five devices, they can all be connected to the internal interface switch.

13 Power on the FortiGate unit.

Results

From a PC on the internal network, open a web browser and browse to any Internet website. You should also be able to connect to the Internet using FTP or any other protocol or connection method.

Go to Policy > Policy > Policy and check the Count column for the security policy you added to verify that it is processing traffic.

Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit.
The source address of most sessions should be an address on the 10.31.10.0 network. The Src NAT IP and Src NAT port columns are blank because no NAT is taking place. The policy ID should usually be 1, which is usually the ID of the first security policy that you added.

You can also see results by going to Policy > Monitor > Policy Monitor, to view a graph of active sessions for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph for policy 1 to view the top sessions by source address, destination address, or destination port/service.

The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more info about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage.

If a FortiGate unit operating in Transparent mode is installed between a DHCP server and PCs that get their address by DHCP, you must add a security policy to allow the DHCP server’s response to get back through the FortiGate unit from the DHCP server to the DHCP client. The internal to wan1 policy allows the DHCP request to get from the client to the server, but the response from the server is a new session, not a typical response to the originating request, so the FortiGate unit will not accept this new session unless you add a wan1 to internal policy with the service set to DHCP.

If you can browse the Internet from the internal network, your configuration is successful. If you cannot, try the steps described in “Troubleshooting Transparent mode installations” on page 31 to find the problem.
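The Transparent mode switch in step 4, the UTM policy of steps 8 to 10, and the wan1 to internal DHCP policy described in the note above can all be entered from the CLI. This is an added example, not from the Cookbook or from Fortinet. It assumes the antivirus profile, application control list and protocol options profile named default exist on the unit (they are present in the factory configuration), and the DNS server addresses 10.31.101.53 and 10.31.101.54 are placeholders.

```fortios
# Step 4: switch to Transparent mode with a management address and gateway.
# Note that this discards most of the NAT/Route configuration; back up first with
# "execute backup config ..." if you need it.
config system settings
    set opmode transparent
    set manageip 10.31.101.40 255.255.255.0
    set gateway 10.31.101.100
end

# Step 7: resolvers (placeholder addresses).
config system dns
    set primary 10.31.101.53
    set secondary 10.31.101.54
end

config firewall policy
    # Steps 8 to 10: internal -> wan1, with antivirus and application control.
    # No "set nat": in Transparent mode addresses pass through unchanged.
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set utm-status enable
        set av-profile "default"
        set application-list "default"
        set profile-protocol-options "default"
    next
    # Only if the DHCP server is on the router side of the FortiGate unit: let the
    # server's offer and acknowledgement back in. Service is restricted to DHCP so
    # this remains the only session the Internet side can open toward the network.
    edit 2
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DHCP"
    next
end

# Results: confirm the mode, the policies, and that sessions show no NAT columns.
get system status
show firewall policy
get system session list
```

Keep policy 2 as narrow as shown; widening its service to ANY would turn the unit into a pass-through bridge and defeat the requirement that the Internet side cannot reach the private network.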
Troubleshooting Transparent mode installations

Problem

You set up a basic FortiGate Transparent mode configuration, and traffic will not pass through the FortiGate unit.

[Figure: FortiGate unit in Transparent mode, management IP 10.31.101.40, between the internal network 10.31.101.0/255.255.255.0 and the router at 10.31.101.100. Security policies allow traffic between the network segments.]

Solution

Use the following steps to find and fix the problem that is preventing users from connecting through the FortiGate unit.

1  Check the physical network connections between the network and the FortiGate unit, and between the FortiGate unit and the Internet. The Unit Operation dashboard widget indicates the connection status of FortiGate network interfaces.
2  Check the router and ISP-supplied equipment to make sure it is operating correctly.
3  Verify that you can connect to the internal interface by connecting to the management IP address of the FortiGate unit from the Internal network. From the internal network, attempt to ping the management IP address. If you cannot connect to the internal interface, verify the IP configuration of the PC and make sure the cables are connected and all switches and other devices on the network are powered on and operating. Go to the next step when you can connect to the internal interface.
4  To verify that you can communicate from the FortiGate unit to the Internet, access the FortiGate CLI and use the execute ping command to ping an address on the Internet. You can also use the execute traceroute command to troubleshoot connectivity to the Internet.
  32. 32. Troubleshooting Transparent mode installations 5 Verify the DNS configurations of the FortiGate unit and the PCs on the internal network. You can check for DNS errors by pinging or using traceroute to connect to a domain name. If the name cannot be resolved the FortiGate unit or PC cannot connect to a DNS server and you should confirm the DNS server IP addresses are present and correct. For example: ping www.fortinet.com ping: cannot resolve www.fre.com: Unknown host 6 Verify the security policy configuration. • Go to Policy > Policy > Policy and verify that an internal -> wan1 security policy has been added. Check the Count column to see if the policy has been processing traffic. Check the configuration of the policy to make sure it is similar to the following: Source Interface/Zone Source Address all Destination Interface/Zone wan1 Destination Address all Schedule always Service ANY Action 7 internal ACCEPT Verify the static routing configuration. Go to System > Network > Routing Table and verify that the default route is correct. 8 Disable web filtering. If you have enabled web filtering in a security policy it may be blocking access to the web site that you are attempting to connect to. If disabling web filtering allows you to connect to the Internet with a web browser, then the web filter profile selected in the policy was blocking access to the site you were attempting to connect to. This could happen because the configuration of the default web filter profile is blocking access to your site. Its also possible that FortiGuard Web Filtering produced a rating error for the web site and the default web filter profile is configured to block access to sites when a rating error occurs. A rating error could occur for a number of reasons, including not being able to access FortiGuard web filter ratings. 
To fix this problem, you can go to UTM Profiles > Web Filter > Profile, and in the default profile, select Advanced Filter and enable the Allow Websites When a Rating Error Occurs option.

9 Verify that you can connect to the gateway provided by your ISP. Try pinging the default gateway IP address from a PC on the internal network.
10 Confirm that the FortiGate unit can connect to the FortiGuard network. Once registered, the FortiGate unit obtains antivirus, application control and other updates from the FortiGuard network. Once the FortiGate unit is on your network, you should confirm that it can reach the FortiGuard network. The FortiGate unit must be able to connect to the network from its management IP address. If the following tests provide incorrect results, the FortiGate unit cannot connect to the Internet from its management IP address. Check the FortiGate unit's default route to make sure it is correct. Check your Internet firewall to make sure it allows connections from the FortiGate management IP address to the Internet.

First, check the License Information dashboard widget to make sure the status of all FortiGuard services matches the services that you have purchased. The FortiGate unit connects to the FortiGuard network to obtain this information.

Go to System > Config > FortiGuard. Open the web filtering and email options and select Test Availability. After a minute the web-based manager should indicate that the connection was successful.

11 Check the FortiGate bridge table. The bridge table is a list of MAC addresses of devices on the same network as the FortiGate unit and the FortiGate interfaces from which each MAC address was found. The FortiGate unit uses this table to determine where to forward a packet. If the MAC address of a specific device is not being added to the bridge table, then packets to that MAC address will be blocked. This may appear as traffic going to a MAC address, but no reply traffic coming back. In this situation, check the bridge table to ensure the correct MAC addresses have been added to the bridge table.

Use the following CLI command to check the bridge table associated with the root VDOM.

diagnose netlink brctl name host root.b
show bridge control interface root.b host.
fdb: size=2048, used=25, num=25, depth=1
Bridge root.b host table
port no  device  devname   mac addr           ttl  attributes
3        4       wan1      00:09:0f:cb:c2:77  88
3        4       wan1      00:26:2d:24:b7:d3  0
3        4       wan1      00:13:72:38:72:21  98
4        3       internal  00:1a:a0:2f:bc:c6  6
1        6       dmz       00:09:0f:dc:90:69  0    Local Static
3        4       wan1      c4:2c:03:0d:3a:38  81
3        4       wan1      00:09:0f:15:05:46  89
3        4       wan1      c4:2c:03:1d:1b:10  0
2        5       wan2      00:09:0f:dc:90:68  0    Local Static

If your device's MAC address is not listed, the FortiGate unit cannot find the device on the network. This could indicate that the device is not connected or not operating. Check the device's network connections and make sure it is operating correctly.
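The bridge table check in step 11 is easy to automate when a unit has many entries. The following Python script is an added example and is not part of the cookbook or of FortiOS: it parses the output of the diagnose netlink brctl command shown above (the sample is the cookbook's own listing, re-laid out one entry per line), looks up a MAC address, and reports whether it was learned, on which interface, or whether it is one of the unit's own Local Static addresses. The script assumes the output is captured to a text file or string by whatever means you normally use to run CLI commands.

```python
"""Added example: parse a FortiGate bridge table (diagnose netlink brctl
name host root.b) and report where a MAC address was learned."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The cookbook's listing, laid out one entry per line. The unit's own
# interface MACs carry the "Local Static" attributes.
SAMPLE_OUTPUT = """\
show bridge control interface root.b host.
fdb: size=2048, used=25, num=25, depth=1
Bridge root.b host table
port no device devname mac addr ttl attributes
3 4 wan1 00:09:0f:cb:c2:77 88
3 4 wan1 00:26:2d:24:b7:d3 0
3 4 wan1 00:13:72:38:72:21 98
4 3 internal 00:1a:a0:2f:bc:c6 6
1 6 dmz 00:09:0f:dc:90:69 0 Local Static
3 4 wan1 c4:2c:03:0d:3a:38 81
3 4 wan1 00:09:0f:15:05:46 89
3 4 wan1 c4:2c:03:1d:1b:10 0
2 5 wan2 00:09:0f:dc:90:68 0 Local Static
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass
class BridgeEntry:
    port: int
    device: int
    devname: str
    mac: str
    ttl: int
    attributes: List[str]

    @property
    def is_local(self) -> bool:
        # "Local Static": one of the FortiGate unit's own interface addresses
        return "Local" in self.attributes


def parse_bridge_table(text: str) -> Dict[str, BridgeEntry]:
    """Return the table keyed by lower-case MAC; header and fdb lines are skipped."""
    entries: Dict[str, BridgeEntry] = {}
    for line in text.splitlines():
        parts = line.split()
        # data rows: port device devname mac ttl [attributes...]
        if len(parts) < 5 or not MAC_RE.match(parts[3].lower()):
            continue
        entry = BridgeEntry(int(parts[0]), int(parts[1]), parts[2],
                            parts[3].lower(), int(parts[4]), parts[5:])
        entries[entry.mac] = entry
    return entries


def locate_mac(text: str, mac: str) -> Optional[BridgeEntry]:
    """Entry for a MAC address, or None if the unit has not seen it."""
    return parse_bridge_table(text).get(mac.lower())


def explain(text: str, mac: str) -> str:
    """One-line diagnosis in the terms the troubleshooting step uses."""
    entry = locate_mac(text, mac)
    if entry is None:
        return f"{mac}: not in bridge table; device not connected or not operating"
    if entry.is_local:
        return f"{mac}: the FortiGate unit's own {entry.devname} interface"
    return f"{mac}: learned on {entry.devname} (port {entry.port}), ttl {entry.ttl}"


def learned_per_interface(text: str) -> Dict[str, int]:
    """How many external MACs each interface has learned (Local entries excluded)."""
    counts: Dict[str, int] = {}
    for entry in parse_bridge_table(text).values():
        if not entry.is_local:
            counts[entry.devname] = counts.get(entry.devname, 0) + 1
    return counts


if __name__ == "__main__":
    for mac in ("00:1a:a0:2f:bc:c6", "00:09:0f:dc:90:68", "aa:bb:cc:dd:ee:ff"):
        print(explain(SAMPLE_OUTPUT, mac))
    print(learned_per_interface(SAMPLE_OUTPUT))
```

The per-interface count is a quick sanity check for a Transparent mode unit: a network-facing interface that has learned no MAC addresses at all is usually unplugged or on the wrong VLAN, which is the "device not connected or not operating" case the step describes.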
Verifying the current firmware version and upgrading the FortiOS firmware

Problem

Fortinet has released a new version of FortiOS. You want to know what firmware version is currently running on your FortiGate unit and how to upgrade to the latest version.

Solution

View the current firmware version from the web-based manager and CLI. Download a new version of FortiOS from the Fortinet Customer Support web site and install it from the web-based manager.

Firmware images for all FortiGate units are available on the Fortinet Customer Support web site. You must register your FortiGate unit to access firmware images. Register the FortiGate unit by visiting http://support.fortinet.com and selecting Product Registration.

Always review the Release Notes before installing a new firmware version. They provide the recommended upgrade path for the firmware release as well as additional information not available in other documentation. Only perform a firmware upgrade during a maintenance window.

1 Log in to the web-based manager and view the dashboard System Information widget to see the Firmware Version currently installed on your FortiGate unit. From the FortiGate CLI you can also enter the following command.
The first output line indicates the FortiOS firmware version installed on your FortiGate unit:

get system status
Version: Fortigate-60C v4.0,build0458,110627 (MR3 Patch 1)
Virus-DB: 11.00773(2010-05-04 13:32)
Extended DB: 0.00000(2010-03-16 10:31)
IPS-DB: 3.00000(2011-05-18 15:09)
FortiClient application signature package: 1.421(2011-09-08 10:19)
Serial-Number: FGT60C3G10002814
BIOS version: 04000010
Log hard disk: Need format
Internal Switch mode: switch
Hostname: FGT60C3G10002814
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 458
Release Version Information: MR3 Patch 1
System time: Wed Sep 14 13:07:27 2011

2 To download a newer firmware version, browse to http://support.fortinet.com and select a Download Firmware Images link.

3 Log in using your Fortinet account user name and password.

4 Go to Download Firmware Images > FortiGate.

5 Select FortiGate firmware images and browse to the FortiOS firmware version that you want to install (for example, browse to FortiGate/v4.00/4.0MR3/MR3_Patch_1).

6 Locate and download the firmware for your FortiGate unit.

7 Download and read the Release Notes for this firmware version. Always review the Release Notes before installing a new firmware version in case you cannot update to the new firmware release from the one currently running.

8 Back up your configuration from the System Information dashboard widget. Always remember to back up your configuration before doing any firmware upgrades.

9 Go to System > Dashboard > Status.

10 Under System Information > Firmware Version, select Update.

11 Find the firmware image file that you downloaded and select OK to upload and install the firmware build on the FortiGate unit.

Results

The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process takes a few minutes.

From the FortiGate web-based manager, go to System > Dashboard > Status. In the System Information widget, the Firmware Version will show the updated version of FortiOS (or from the CLI enter get system status).

What if it doesn't work?

There is a possibility that the firmware upgrade from the web-based manager does not load properly. If this occurs, you may find that the FortiGate unit will not boot, or continuously reboots. It is best to perform a fresh install of the firmware from a reboot using the CLI.
This procedure installs a firmware image and resets the FortiGate unit to default settings. For this procedure, you must connect to the CLI using the FortiGate console port and an RJ-45 to DB-9 or null modem cable.
Installing FortiGate firmware from a TFTP server

This procedure requires a TFTP server that you can connect to from the FortiGate unit. The TFTP server should be on the same subnet as the management interface.

1 Connect to the CLI using the RJ-45 to DB-9 or null modem cable.

2 Make sure the TFTP server is running and copy the firmware image file to the TFTP server.

3 Enter the following command to restart the FortiGate unit.

execute reboot

4 When prompted by the FortiGate unit to reboot, type y.

5 As the FortiGate unit starts, a series of system startup messages appears. When the following message appears:

Press any key to display configuration menu..........

Immediately press any key to interrupt the system startup. You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, messages similar to the following appear (depending on the FortiGate BIOS version):

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G, F, Q, or H:

6 Type G to get the new firmware image from the TFTP server.

7 When prompted, enter the TFTP server IP address and the local FortiGate IP address. The IP address can be any IP address that is valid for the network the interface is connected to. Make sure you do not enter the IP address of another device on this network.

8 Enter the firmware image filename and press Enter. The TFTP server uploads the firmware image file.

9 When prompted how to save the default firmware, type D to load it as the default. The FortiGate unit installs the new firmware image and restarts.
When loading the firmware using this method, the existing configuration is reset to defaults. You will need to reconfigure the IP addresses and load the configuration file from the System Information widget on the Dashboard.
Setting up and troubleshooting FortiGuard services

Problem

You want to confirm that your FortiGate unit is receiving FortiGuard services. You also want to be able to troubleshoot issues that arise if antivirus or IPS updates or web filtering or email filtering lookups are not available.

[Figure: FortiGuard Network]

Solution

If you have purchased FortiGuard services and registered your FortiGate unit, it should automatically connect to the FortiGuard Distribution Network (FDN) and display license information about your FortiGuard services. Verify whether the FortiGate unit is communicating with the FDN by checking the License Information dashboard widget. The FortiGate unit automatically connects with the FortiGuard network to verify the FortiGuard Services status for the FortiGate unit.
Any subscribed services should have a green check mark beside them, indicating that connections are successful. A grey X indicates that the FortiGate unit cannot connect to the FortiGuard network, or that the FortiGate unit is not registered. A red X indicates that the FortiGate unit was able to connect but that a subscription has expired, or has not been activated.

Use the following steps to troubleshoot FortiGuard services.

1 Verify that you have registered your FortiGate unit, purchased FortiGuard services, and that the services have not expired. You can verify the support status for your FortiGate unit at the Fortinet Support website (https://support.fortinet.com/).

2 Verify the status of the FortiGuard services on the FortiGate unit. You can view the status of FortiGuard services from the License Information dashboard widget or from the System > Config > FortiGuard page. The status information displayed here should match the information on the support site. If the information doesn't match, there may be a problem with communication between the FortiGate unit and the FortiGuard network. You can also view the FortiGuard connection status by going to System > Config > FortiGuard.

3 Verify that the FortiGate unit can communicate with the Internet. The FortiGate unit should be able to communicate with the FortiGuard network if it can communicate with the Internet.

4 Go to Router > Monitor > Routing Monitor (NAT/Route mode) or System > Network > Routing Table and verify that a default route is available and configured correctly.
5 Go to System > Network > DNS and make sure the primary and secondary DNS servers are correct, as provided by your ISP. The FortiGate unit connects to the FortiGuard network using a domain name, not a numerical IP address. If the FortiGate interface connected to the Internet gets its IP address using DHCP, you should make sure Override internal DNS is selected so that the FortiGate unit gets its DNS server IP addresses from the ISP using DHCP.

6 Verify that the FortiGate unit can connect to the DNS servers using the execute ping command to ping them.

7 You can also attempt a traceroute from the FortiGate CLI to an external network using a domain name for a location, for example, enter the command:

execute traceroute www.fortiguard.com

If the command cannot find the numeric IP address of www.fortiguard.com, then the FortiGate unit cannot connect to the configured DNS servers.

8 Make sure that at least one security policy includes antivirus. If no security policies include antivirus, the antivirus database may not be updated.

9 Verify that the FortiGate unit can communicate with the FortiGuard network. At System > Config > FortiGuard > Antivirus and IPS Options, you can select Update now to force an immediate update of the antivirus and IPS databases. After a few minutes, you can verify if the updates were successful.

10 Test the availability of web filtering and email filtering lookups from System > Config > FortiGuard > Web Filtering and Email Filtering options by selecting the Test Availability button. If the test is not successful, try changing the port that is used for web filtering and email filtering lookups. The FortiGate unit uses port 53 or 8888 to communicate with the FortiGuard network and some ISPs may block one of these ports.

11 Determine if there is anything upstream that might be blocking FortiGuard traffic, either on the network or on the ISP's network.
Many firewalls block all ports by default, and ISPs often block low-numbered ports (such as 53). FortiGuard uses port 53 by default, so if it is being blocked, you need to either open the port or change the port used by the FortiGate unit.

12 Change the FortiGuard source port. It is possible that the ports used to contact the FortiGuard network are being changed before reaching FortiGuard, or on the return trip, before reaching your FortiGate unit. A possible solution for this is to use a fixed port at the NAT firewall to ensure the port number remains the same.

FortiGate units contact the FortiGuard Network by sending UDP packets with typical source ports of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets would then have a destination port of 1027 or 1031. If your ISP blocks UDP packets in this port range, the FortiGate unit cannot receive the FDN reply packets. You can select a different source port range for the FortiGate unit to use. If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate unit to use higher-numbered ports such as 2048-20000, using the following CLI command:

config system global
  set ip-src-port-range 2048-20000
end
Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best range to use.

13 Display the FortiGuard server list. The get webfilter status CLI command shows the list of FortiGuard servers that the FortiGate unit can connect to. The command should show more than one server.

get webfilter status
Locale          : english
License         : Contract
Expiration      : Thu Oct 9 02:00:00 2012
Hostname        : service.fortiguard.net
-=- Server List (Wed Sep 14 14:39:46 2011) -=-
IP              Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost
69.20.236.179   30      3           -5  30491    0          9
174.137.33.92   0       91          -8  8794     0          7
208.91.112.196  0       62          -8  146      0          2
69.20.236.180   30      4           -5  11620    0          9
209.222.147.36  30      22          -5  8799     0          11
66.117.56.42    30      24          -5  8792     0          9
66.117.56.37    30      24          -5  8793     0          10
69.20.236.182   30      4           -5  11332    0          7
69.195.205.101  30      32          -5  8810     0          27
80.85.69.37     80      85          0   8800     0          17
80.85.69.41     80      85          0   8804     0          21
80.85.69.40     80      88          0   8808     0          25
62.209.40.72    90      109         1   8791     0          8
208.91.112.194  118     128  DI     -8  12713    0          3912
116.58.208.39   160     276         8   8805     0          22

Hostname is the name of the FortiGuard server the FortiGate unit will attempt to contact. The Server List includes the IP addresses of alternate servers if the first entry cannot be reached. In this example, the IP addresses are not public addresses.

The following flags in get webfilter status indicate the server status:

• D - the server was found through the DNS lookup of the hostname. If the hostname returns more than one IP address, all of them will be flagged with D and will be used first for INIT requests before falling back to the other servers.
• I - the server to which the last INIT request was sent.
• F - the server has not responded to requests and is considered to have failed.
• T - the server is currently being timed.
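Reading the server list by eye works for one unit; for a fleet it is better scripted. The following Python script is an added example, not part of the cookbook or of FortiOS. It parses the get webfilter status output above (the sample is the cookbook's own list, re-laid out one server per line), extracts the hostname and license fields, the flags per server and the lost-packet counters, and reports the conditions step 13 and the flag list describe: fewer than two servers, no D-flagged server (the DNS lookup of the hostname failed), a server marked F, or a server losing a large share of packets. The 10% loss threshold is an assumption chosen for the example.

```python
"""Added example: parse `get webfilter status` output and flag problems in
the FortiGuard server list (too few servers, failed servers, packet loss)."""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# The cookbook's server list, re-laid out one server per line (columns:
# IP, Weight, RTT, Flags, TZ, Packets, Curr Lost, Total Lost).
SAMPLE_STATUS = """\
Locale          : english
License         : Contract
Expiration      : Thu Oct 9 02:00:00 2012
Hostname        : service.fortiguard.net
-=- Server List (Wed Sep 14 14:39:46 2011) -=-
IP              Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost
69.20.236.179   30      3           -5  30491    0          9
174.137.33.92   0       91          -8  8794     0          7
208.91.112.196  0       62          -8  146      0          2
69.20.236.180   30      4           -5  11620    0          9
209.222.147.36  30      22          -5  8799     0          11
66.117.56.42    30      24          -5  8792     0          9
66.117.56.37    30      24          -5  8793     0          10
69.20.236.182   30      4           -5  11332    0          7
69.195.205.101  30      32          -5  8810     0          27
80.85.69.37     80      85          0   8800     0          17
80.85.69.41     80      85          0   8804     0          21
80.85.69.40     80      88          0   8808     0          25
62.209.40.72    90      109         1   8791     0          8
208.91.112.194  118     128  DI     -8  12713    0          3912
116.58.208.39   160     276         8   8805     0          22
"""


@dataclass
class FdnServer:
    ip: str
    weight: int
    rtt: int
    flags: str      # any of D, I, F, T as described in the cookbook
    tz: int
    packets: int
    curr_lost: int
    total_lost: int

    @property
    def loss_rate(self) -> float:
        return self.total_lost / self.packets if self.packets else 0.0


# One server row: IP Weight RTT [Flags] TZ Packets CurrLost TotalLost
ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s+([DIFT]*)\s*"
    r"(-?\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
# "Key : value" lines above the server list
HEADER_RE = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")


def parse_webfilter_status(text: str) -> Dict[str, Any]:
    """Return header fields (lower-cased keys) plus a 'servers' list."""
    info: Dict[str, Any] = {"servers": []}
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            ip, weight, rtt, flags, tz, packets, curr, total = row.groups()
            info["servers"].append(FdnServer(ip, int(weight), int(rtt), flags,
                                             int(tz), int(packets), int(curr), int(total)))
            continue
        header = HEADER_RE.match(line)
        if header:
            info[header.group(1).lower()] = header.group(2)
    return info


def init_server(info: Dict[str, Any]) -> Optional[str]:
    """IP of the server that received the last INIT request (flag I)."""
    for server in info["servers"]:
        if "I" in server.flags:
            return server.ip
    return None


def check_server_list(info: Dict[str, Any], max_loss: float = 0.10) -> List[str]:
    """Findings a troubleshooter would act on; empty list means all clear."""
    findings: List[str] = []
    servers: List[FdnServer] = info["servers"]
    if len(servers) < 2:
        findings.append("fewer than two FortiGuard servers listed")
    if not any("D" in s.flags for s in servers):
        findings.append("no server carries the D flag: DNS lookup of %s may be failing"
                        % info.get("hostname", "?"))
    for s in servers:
        if "F" in s.flags:
            findings.append(f"{s.ip}: marked failed (F)")
        if s.loss_rate > max_loss:
            findings.append(f"{s.ip}: {s.loss_rate:.0%} of {s.packets} packets lost")
    return findings


if __name__ == "__main__":
    status = parse_webfilter_status(SAMPLE_STATUS)
    print("hostname:", status.get("hostname"), "license:", status.get("license"))
    print("last INIT sent to:", init_server(status))
    for finding in check_server_list(status) or ["no problems found"]:
        print("-", finding)
```

On the cookbook's own list the only finding is the D/I server, which has lost about 31% of its packets; that is the kind of entry worth correlating with the upstream port-blocking checks in steps 11 and 12 before changing the source port range.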
Setting up an administrator account on the FortiGate unit

Problem

You want to add a new FortiGate administrator login that has super administrator access to all FortiGate features. You also want to be able to identify individual administrators instead of allowing multiple uses of the admin administrator account.

[Figure: Internal Network with administrators (admin_profile), FortiGate Unit, DHCP Server]

Solution

Create a new administrator with the super_admin profile, to enable full access to all FortiGate features.

1 Go to System > Admin > Administrators and select Create New to add the following administrator:

  Administrator     Terry_White
  Type              Regular
  Password          password
  Confirm Password  password
  Admin Profile     super_admin

2 Select OK to save the administrator.
Administrator names and passwords are case-sensitive. You cannot include the < > ( ) # " characters in an administrator name or password. Spaces are allowed, but not as the first or last character. Spaces in a name or password can be confusing and require the use of quotes to enter the name in the CLI.

The admin profile dictates what parts of the FortiGate configuration the administrator can see and configure from the web-based manager and CLI. You can add multiple profiles and assign users and administrators different profiles, depending on what they are tasked to do with the FortiGate unit.

Results

Log in to the FortiGate using the user name Terry_White and the password password. As this administrator, you can view all web-based manager pages and change all FortiGate configuration settings.

From the FortiGate web-based manager, go to Log&Report > Event Log to verify that the login activity occurred. Select the log entry to view detailed information, which indicates the admin user connected. The Message field indicates that Terry White logged in successfully from 192.168.1.1.
Go to System > Dashboard > Status, and view the System Information widget. The Current Administrator field indicates the number of administrators logged in. Selecting Details shows Terry White logged in as an administrator.
Advanced FortiGate installation and setup

FortiGate units can be deployed in many ways to meet a wide range of advanced requirements. This chapter samples some advanced configurations, including advanced NAT and Transparent mode configurations, high availability, VLANs and Virtual Domains (VDOMs). This chapter also includes two sections that describe how to use the FortiGate packet sniffer and one that describes using the diagnose debug tools.

This chapter includes the following advanced installation and setup examples:

• Connecting a FortiGate unit to two ISPs for redundant Internet connections
• Using a modem for a redundant Internet connection
• Distributing sessions between dual redundant Internet connections with usage-based ECMP
• Protecting a web server on a DMZ network
• Protecting an email server with a FortiGate unit without changing the network (Transparent Mode)
• Using port pairing to simplify a Transparent mode installation
• Connecting networks without translating addresses (FortiGate unit in Route mode)
• Setting up the explicit web proxy for users on a private network
• Setting up web caching of Internet content for users on a private network
• Employing high availability (HA) to improve network reliability
• Upgrading the firmware installed on a FortiGate HA cluster
• Connecting multiple networks to a FortiGate interface using virtual LANs (VLANs)
• Using Virtual Domains to host more than one FortiOS instance on a single FortiGate unit
• Setting up an administrator account for monitoring firewall activity and basic maintenance
• Enhancing FortiGate Security
• Creating a local DNS server listing for internal web sites and servers
• Assigning IP addresses according to a MAC address using DHCP
• Setting up the FortiGate unit to send SNMP traps
• Troubleshooting by sniffing packets (packet capture)
• Advanced troubleshooting by sniffing packets (packet capture)
• Creating, saving, and using packet capture filters (sniffing packets from the web-based manager)
• Debugging FortiGate configurations
• Quick reference to common diagnose commands
Connecting a FortiGate unit to two ISPs for redundant Internet connections

Problem

Create a backup Internet connection with your FortiGate unit, so that if the primary Internet connection fails, some or all traffic automatically switches to the backup Internet connection, and when the primary Internet connection is restored, traffic automatically switches back to it.

[Figure: Internal Network 192.168.1.0/255.255.255.0 - internal 192.168.1.99 - WAN1 172.20.120.14, gateway 172.20.120.2, to Primary ISP - WAN2 (DHCP) to Backup ISP]

Solution

Watch the video: http://docs.fortinet.com/cb/inst2.html

This solution describes how to improve the reliability of a network's connection to the Internet by using two Internet connections to two different ISPs. In this solution, the primary ISP is connected to wan1 with a static IP and the backup ISP is connected to wan2 using DHCP.

To allow the internal network to use wan1 to connect to the Internet, add internal to wan1 security policies. Add duplicate internal to wan2 security policies to use wan2 to connect to the Internet.

You can choose to reduce the amount of traffic when the wan2 interface is operating by adding fewer security policies for connections to the wan2 interface. You could also use techniques such as traffic shaping to limit the amount of traffic processed by the wan2 interface. You could also add security policies that include FortiGuard web filtering or other web filtering techniques to block popular but less important websites. Application control could also be used to limit the applications that can be used when traffic is using the wan2 interface.
Configuring the primary Internet connection to use wan1

1 Connect the FortiGate wan1 interface to your primary ISP-supplied equipment. Connect the internal network to the internal interface.

[Figure: Internal Network - internal - FortiGate - wan1 - Primary ISP]

2 From a PC on the internal network, log in to the FortiGate web-based manager using admin and no password.

3 Go to System > Network > Interface and Edit the wan1 interface and change the following settings:

  Addressing mode   Manual
  IP/Netmask        172.20.120.14/255.255.255.0

4 Edit the internal interface and change the following settings:

  Addressing mode   Manual
  IP/Netmask        192.168.1.99/255.255.255.0

5 Go to Router > Static > Static Route and select Create New to add the following default route.

  Destination IP/Mask   0.0.0.0/0.0.0.0
  Device                wan1
  Gateway               172.20.120.2
6 Go to System > Network > DNS and add Primary and Secondary DNS servers.

7 Go to Policy > Policy > Policy and select Create New to add the following security policy that allows users on the private network to access the Internet through the wan1 interface. Some FortiGate models include this security policy in the default configuration. If you have one of these models, this step has already been done for you.

  Source Interface/Zone        internal
  Source Address               All
  Destination Interface/Zone   wan1
  Destination Address          All
  Schedule                     always
  Service                      ANY
  Action                       ACCEPT

8 Select Enable NAT and Use Destination Interface Address.

9 Select OK to save the security policy.

Adding the backup Internet connection using wan2

1 Connect the wan2 interface to your backup ISP-supplied equipment.

2 Log in to the web-based manager.

3 Go to System > Network > Interface and Edit the wan2 interface.

4 Set the Addressing Mode to DHCP and select Retrieve Default Gateway from server. Clear the checkbox for Override internal DNS.

5 Select OK to save the changes.

If everything is connected correctly, the wan2 interface should acquire an IP address from the ISP's DHCP server. This can take a few minutes; you can select the Status link to refresh the display. Eventually, an Obtained IP/Netmask should appear. If the ISP's DHCP server supplies DNS server IP addresses and a default gateway, they should also appear.

Make sure Retrieve Default Gateway from server is selected so that a default route is added to the routing table. Normally in a dual Internet configuration, you would not select Override internal DNS because you would not want the FortiGate unit to use the backup ISP's DNS servers.
[Figure: Internal Network - internal - FortiGate - wan1 to Primary ISP, wan2 to Backup ISP]

6 Go to Policy > Policy > Policy and select Create New to add the following security policy that allows users on the private network to access the Internet through the wan2 interface.

  Source Interface/Zone        internal
  Source Address               All
  Destination Interface/Zone   wan2
  Destination Address          All
  Schedule                     always
  Service                      ANY
  Action                       ACCEPT

7 Select Enable NAT and Use Destination Interface Address.

8 Select OK to save the security policy.
Set the default route to wan1 to be the primary default route and add a ping server for wan1 and a ping server for wan2

As a result of this configuration, the FortiGate unit will have two default routes, one that directs traffic to wan1 and one that directs traffic to wan2. The default route to wan2 is obtained from the backup ISP's DHCP server. The ping servers verify the ability of the wan1 and wan2 interfaces to connect to the Internet. Because the wan2 default route is acquired from the ISP using DHCP, the distance of the wan2 default route must be changed by editing the wan2 interface.

1 Go to Router > Static > Static Route and Edit the wan1 default route, select Advanced and set the Distance to 10. The distance may already be set to 10, so you may not actually have to change it.

2 Go to the System > Network > Interface list. Edit the wan2 interface and set the distance to 20 (or any number higher than 10).

3 To confirm which default route is now actually being used by the FortiGate unit, go to Router > Monitor > Routing Monitor to view the current FortiGate routing table. Routes that are not active do not appear on the routing monitor. In this example, only the one static route should appear: the wan1 default route. Its distance should be 10. Connected routes for the connected interfaces should also appear.

If you edit the wan2 interface and set the distance to a lower value (say 5), the wan1 default route is removed from the router monitor and is replaced with the wan2 default route (because the wan2 route has the lower distance).

You can also have both default routes appear in the router monitor by setting their distances to the same value (say 10). When both routes have the same distance, this is known as equal cost multi path (ECMP) routing and both default routes are used. Sessions are load balanced between them.
For an example, see "Distributing sessions between dual redundant Internet connections with usage-based ECMP" on page 58.
4 Go to Router > Static > Settings and select Create New and add the wan1 ping server:

  Interface                 wan1
  Ping Server               172.20.120.2
  Detect Protocol           ICMP Ping
  Ping Interval (seconds)   5
  Failover Threshold        5

5 Select Create New and add the wan2 ping server. The wan2 ping server is optional for this configuration. However, adding the wan2 ping server means the FortiGate unit will record event log messages when the wan2 ping server can't reach its destination.

  Interface                 wan2
  Ping Server               10.41.101.100
  Detect Protocol           ICMP Ping
  Ping Interval (seconds)   5
  Failover Threshold        5

Results

If the wan1 ping server can connect to its ping server IP address, the routing monitor appears as shown above with a default route to the wan1 interface. All traffic to the Internet uses the wan1 interface and the internal to wan1 security policy. You can verify this by viewing the routing monitor and by going to Policy > Policy > Policy and viewing the Count column for the internal to wan1 and internal to wan2 policies while connecting to the Internet. The internal to wan1 policy count should increase, while the internal to wan2 count should not.

If you change the network so that the wan1 ping server cannot connect to its ping server IP address (for example, by physically disconnecting the cable from the wan1 interface), the default route should change to the wan2 interface (called default route failover). An event log message similar to the following should also be recorded.

2011-08-24 10:16:39 log_id=0100020001 type=event subtype=system pri=critical vd=root interface="wan1" status=down msg="Ping peer: (172.20.120.14->172.20.120.2 ping-down)"
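The failover behaviour described in this recipe (lowest-distance default route wins, equal distances form an ECMP pair, a route on an interface whose ping server is down drops out) and the ping-down event log line are both simple to verify from a log feed. The following Python script is an added example, not part of the cookbook or of FortiOS: it models the two default routes with the distances set above, parses FortiOS key=value event log lines, and reports which default route is active before and after the wan1 ping-down event. The wan2 gateway address and the second, non-matching log line are constructed for the example; the first log line is the one shown above.

```python
"""Added example: decide which default route is active by distance and
detect ping server (dead gateway) events in FortiOS event log lines."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Route:
    device: str     # outgoing interface, e.g. wan1
    gateway: str
    distance: int   # administrative distance; lower wins


def active_default_routes(routes: List[Route]) -> List[Route]:
    """Only the default route(s) with the lowest distance are installed.
    Several routes sharing that lowest distance are all returned (ECMP)."""
    if not routes:
        return []
    best = min(r.distance for r in routes)
    return [r for r in routes if r.distance == best]


# FortiOS event logs are key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event_log(line: str) -> Dict[str, str]:
    """Split one log line into a dict of its key=value fields (quotes stripped)."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_ping_server_down(line: str) -> bool:
    """True for the 'Ping peer ... ping-down' system event written when a
    ping server stops answering (the event shown in the cookbook)."""
    f = parse_event_log(line)
    return (f.get("type") == "event" and f.get("subtype") == "system"
            and f.get("status") == "down" and "ping-down" in f.get("msg", ""))


def interfaces_down(lines: Iterable[str]) -> List[str]:
    """Interfaces whose ping server has been reported down, in log order."""
    down: List[str] = []
    for line in lines:
        if is_ping_server_down(line):
            iface = parse_event_log(line).get("interface")
            if iface and iface not in down:
                down.append(iface)
    return down


def routes_after_failover(routes: List[Route], lines: Iterable[str]) -> List[Route]:
    """Default route(s) still active once routes on failed interfaces are removed."""
    failed = set(interfaces_down(lines))
    return active_default_routes([r for r in routes if r.device not in failed])


# The two default routes of this recipe: wan1 distance 10 (static route),
# wan2 distance 20 (set on the DHCP interface). The wan2 gateway value is an
# assumption; on a real unit it is learned from the backup ISP's DHCP server.
ROUTES = [Route("wan1", "172.20.120.2", 10), Route("wan2", "10.41.101.1", 20)]

# Constructed sample log: the first line is the ping-down event from the
# cookbook; the second is a made-up admin login event that must not match.
SAMPLE_LOG = [
    '2011-08-24 10:16:39 log_id=0100020001 type=event subtype=system pri=critical '
    'vd=root interface="wan1" status=down msg="Ping peer: (172.20.120.14->172.20.120.2 ping-down)"',
    '2011-08-24 10:17:02 type=event subtype=admin pri=information vd=root '
    'user="admin" status=success msg="Administrator admin logged in successfully"',
]

if __name__ == "__main__":
    print("active before failover:", [r.device for r in active_default_routes(ROUTES)])
    print("interfaces down:", interfaces_down(SAMPLE_LOG))
    print("active after failover:", [r.device for r in routes_after_failover(ROUTES, SAMPLE_LOG)])
```

Pointing the log parser at a syslog feed from the unit gives the same answer the routing monitor shows in step 3, which is useful when the web-based manager itself is only reachable through the interface that just failed.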
