Summary of the content on page No. 1
FortiGate 100 Installation and Configuration Guide
[Cover image labels: POWER, STATUS, INTERNAL, EXTERNAL, DMZ]
FortiGate User Manual Volume 1
Version 2.50 MR2
18 August 2003
Summary of the content on page No. 2
© Copyright 2003 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2 18 August 2003
Trademarks
Products mentioned in this document are trademarks or registered trademark
Summary of the content on page No. 3
Contents
Table of Contents
Introduction ... 13
Antivirus protection ... 13
Web content filtering ... 14
Email filtering ...
Summary of the content on page No. 4
Planning your FortiGate configuration ... 37
NAT/Route mode ... 37
NAT/Route mode with multiple external network connections ... 38
Transparent mode ... 38
Configuration options
Summary of the content on page No. 5
Completing the configuration ... 61
Setting the date and time ... 61
Enabling antivirus protection ... 61
Registering your FortiGate ... 6
Summary of the content on page No. 6
Virus and attack definitions updates and registration ... 91
Updating antivirus and attack definitions ... 91
Connecting to the FortiResponse Distribution Network ... 92
Configuring scheduled updates ... 93
Configuring update logging ...
Summary of the content on page No. 7
Configuring routing ... 115
Adding a default route ... 116
Adding destination-based routes to the routing table ... 116
Adding routes in Transparent mode ... 117
Configuring the
Summary of the content on page No. 8
Configuring policy lists ... 149
Policy matching in detail ... 149
Changing the order of policies in a policy list ... 149
Enabling and disabling policies ... 150
Addr
Summary of the content on page No. 9
Configuring LDAP support ... 177
Adding LDAP servers ... 177
Deleting LDAP servers ... 178
Configuring user groups ... 1
Summary of the content on page No. 10
Configuring L2TP ... 213
Configuring the FortiGate unit as a L2TP gateway ... 214
Configuring a Windows 2000 client for L2TP ... 217
Configuring a Windows XP client for L2TP ... 218
Network Intrusion Detection System
Summary of the content on page No. 11
Exempt URL list ... 243
Adding URLs to the exempt URL list ... 243
Email filter ... 245
General configuration steps ... 24
Summary of the content on page No. 12
Contents 12 Fortinet Inc.
Summary of the content on page No. 13
FortiGate-100 Installation and Configuration Guide Version 2.50 MR2
Introduction
The FortiGate Antivirus Firewall supports network-based deployment of application-level services—including antivirus protection and full-scan content filtering. FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. FortiGate Antivirus Firewalls are ICSA-certified fo
Summary of the content on page No. 14
For extra protection, you can also configure antivirus protection to block files of specified file types from passing through the FortiGate unit. You can use the feature to stop files that may contain new viruses. If the FortiGate unit contains a hard disk, infected or blocked files can be quarantined. The FortiGate administrator can download quarantined files, so that they can be virus scanned, cleaned, and forwarded to the intended recipient. You can also configure the FortiGate
Summary of the content on page No. 15
You can configure Email blocking to tag email from all or some senders within organizations that are known to send spam email. To prevent unintentional tagging of email from legitimate senders, you can add sender address patterns to an exempt list that overrides the email block and banned word lists.
Firewall
The FortiGate ICSA-certified firewall protects your computer networks from the hostile environment of the Internet. ICSA has granted FortiGate firewalls vers
Summary of the content on page No. 16
Transparent mode
Transparent mode provides the same basic firewall protection as NAT mode. Packets received by the FortiGate unit are intelligently forwarded or blocked according to firewall policies. The FortiGate unit can be inserted in your network at any point without the need to make changes to your network or any of its components. However, VPN and some advanced firewall features are only available in NAT/Route mode.
Network intrusion detection
The FortiG
Summary of the content on page No. 17
• PPTP for easy connectivity with the VPN standard supported by the most popular operating systems.
• L2TP for easy connectivity with a more secure VPN standard also supported by many popular operating systems.
• Firewall policy based control of IPSec VPN traffic.
• IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT can connect to an IPSec VPN tunnel.
• VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one t
Summary of the content on page No. 18
Figure 1: The FortiGate web-based manager and setup wizard
Command line interface
You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate RS-232 serial Console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network connected to the FortiGate, including the Internet. The CLI supports the same configuration and monitoring functionality as the web-
Summary of the content on page No. 19
Logging and reporting
The FortiGate supports logging of various categories of traffic and of configuration changes. You can configure logging to:
• report traffic that connects to the firewall,
• report network services used,
• report traffic permitted by firewall policies,
• report traffic that was denied by firewall policies,
• report events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks, and we
Summary of the content on page No. 20
DHCP server
• Addition of a WINS server to DHCP configuration.
• Reserve IP/MAC pair combinations for DHCP servers (CLI only).
RIP
• New RIP v1 and v2 functionality. See “RIP configuration” on page 121.
SNMP
• SNMP v1 and v2 support.
• Support for RFC 1213 and RFC 2665
• Monitoring of all FortiGate configuration and functionality
• See “Configuring SNMP” on page 134
Replacement messages
You can customize messages sent by the FortiGate unit:
• When a virus is detected,
• Whe