The FortiGate Antivirus Firewall supports network-based deployment of application-level services, including antivirus protection and full-scan content filtering.
FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network.
Your FortiGate Antivirus Firewall is a dedicated, easily managed security device that delivers a full suite of capabilities, including antivirus protection, web content filtering, email filtering, firewall, VPN, and network intrusion detection. The unique ASIC-based architecture analyzes content and behavior in real time, enabling key applications to be deployed right at the network edge, where they are most effective at protecting your networks.
The FortiGate series complements existing solutions, such as host-based antivirus protection, and enables new applications and services while greatly lowering costs for equipment, administration and maintenance.
The FortiGate model is an easy-to-deploy and easy-to-administer solution that delivers exceptional value and performance for small office, home office, and branch office applications.
The FortiGate installation wizard guides users through a simple process that enables most installations to be up and running in minutes.
If a virus is found, antivirus protection removes the file containing the virus from the content stream and forwards a replacement message to the intended recipient. For extra protection, you can also configure antivirus protection to block files of specified file types from passing through the FortiGate unit.
You can use this feature to stop files that may contain new viruses. If the FortiGate unit contains a hard disk, infected or blocked files can be quarantined. The FortiGate administrator can download quarantined files so that they can be virus scanned, cleaned, and forwarded to the intended recipient.
You can also configure the FortiGate unit to automatically delete quarantined files after a specified time period. The FortiGate unit can send email alerts to system administrators when it detects and removes a virus from a content stream. If a requested URL matches an entry on the URL block list, or if a web page is found to contain a word or phrase on the content block list, the FortiGate unit blocks the web page.
The blocked web page is replaced with a message that you can edit using the FortiGate web-based manager. You can configure URL blocking to block all or just some of the pages on a web site. Using this feature you can deny access to parts of a web site without denying access to it completely.
To prevent unintentional blocking of legitimate web pages, you can add URLs to an exempt list that overrides the URL block and content block lists. Web content filtering also includes a script filter feature that can be configured to block insecure web content such as Java applets, cookies, and ActiveX controls. If a sender address matches a pattern on the email block list, or if an email is found to contain a word or phrase on the banned word list, the FortiGate unit adds an email tag to the subject line of the email.
Recipients can then use their mail client software to filter messages based on the email tag. You can configure email blocking to tag email from all or some senders within organizations that are known to send spam email. To prevent unintentional tagging of email from legitimate senders, you can add sender address patterns to an exempt list that overrides the email block and banned word lists.
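The decisions described above (URL block list entries that cover a whole site or only a subtree, a content block list, an exempt list that overrides both, the script filter, and email tagging from a sender block list, a banned word list and a sender exempt list) can be written out as a small filter. The following is an added example written for this page, not FortiGate code: the list formats, the matching rules, the tag text and the sample configuration and messages are all assumptions made for illustration.

```python
"""Added example, not FortiGate code: the web and email filtering decisions
described above (URL block list, content block list, exempt list, script
filter, email sender block list, banned word list). The list formats,
matching rules and sample inputs are assumptions made for illustration."""
import fnmatch
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def _norm(url):
    """Reduce a URL or list entry to 'host/path' (no scheme, no trailing slash)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower() + parts.path.rstrip("/")


def _listed(url, entries):
    """True if url is the listed entry or lies below it.  An entry with no
    path covers the whole site; an entry with a path covers only that subtree,
    which is how 'block some of the pages on a web site' is expressed."""
    target = _norm(url)
    return any(target == e or target.startswith(e + "/") for e in map(_norm, entries))


@dataclass
class WebFilter:
    url_block: list = field(default_factory=list)
    content_block: list = field(default_factory=list)   # banned words or phrases in page text
    exempt: list = field(default_factory=list)          # overrides both lists

    def check(self, url, page_text=""):
        """Return (action, reason).  Exempt entries are tested first so a
        legitimate page is never blocked by a broader block-list entry."""
        if _listed(url, self.exempt):
            return "allow", "exempt list"
        if _listed(url, self.url_block):
            return "block", "URL block list"
        low = page_text.lower()
        for phrase in self.content_block:
            if phrase.lower() in low:
                return "block", "content block list: " + phrase
        return "allow", "no match"


def strip_scripts(html):
    """Script filter: remove script, applet and object elements (assumed
    implementation; the real filter also handles cookies and ActiveX)."""
    return re.sub(r"(?is)<(script|applet|object)\b.*?</\1\s*>", "", html)


@dataclass
class EmailFilter:
    sender_block: list = field(default_factory=list)   # address patterns, '*' wildcard
    banned_words: list = field(default_factory=list)
    exempt: list = field(default_factory=list)         # sender patterns that are never tagged
    tag: str = "[SPAM]"                                 # assumed tag text

    @staticmethod
    def _match(addr, patterns):
        return any(fnmatch.fnmatchcase(addr.lower(), p.lower()) for p in patterns)

    def tag_message(self, sender, subject, body):
        """Return (subject, reason); the subject is tagged, never dropped,
        so the recipient's mail client can filter on the tag."""
        if self._match(sender, self.exempt):
            return subject, None
        if self._match(sender, self.sender_block):
            return self.tag + " " + subject, "email block list"
        text = (subject + " " + body).lower()
        for word in self.banned_words:
            if re.search(r"\b" + re.escape(word.lower()) + r"\b", text):
                return self.tag + " " + subject, "banned word: " + word
        return subject, None


if __name__ == "__main__":
    # constructed sample configuration and traffic
    web = WebFilter(url_block=["gambling.example.com", "www.example.com/games"],
                    content_block=["free casino"],
                    exempt=["www.example.com/games/chess"])
    for url in ("http://gambling.example.com/", "http://www.example.com/games/poker",
                "http://www.example.com/games/chess/rules", "http://www.example.com/news"):
        print(url, web.check(url))
    mail = EmailFilter(sender_block=["*@spam.example.net"], banned_words=["viagra"],
                       exempt=["partner@spam.example.net"])
    print(mail.tag_message("ads@spam.example.net", "Hello", "buy now"))
    print(mail.tag_message("bob@example.org", "Meeting", "cheap viagra here"))
```

The order of the checks is the point: the exempt list is consulted before either block list, so an entry such as www.example.com/games/chess stays reachable even though www.example.com/games is blocked, and email is tagged rather than discarded so that a false positive costs the recipient nothing but a subject prefix.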
After basic installation of the FortiGate unit, the firewall allows users on the protected network to access the Internet while blocking Internet access to internal networks. You can modify this firewall configuration to place controls on access to the Internet from the protected networks and to allow controlled access to internal networks.
Transparent mode provides the same basic firewall protection as NAT mode. Packets received by the FortiGate unit are intelligently forwarded or blocked according to firewall policies.
The FortiGate unit can be inserted in your network at any point without the need to make changes to your network or any of its components. NIDS detection uses attack signatures to identify a wide range of known attacks. You can enable and disable the attacks that the NIDS detects. You can also write your own user-defined attack detection signatures. NIDS prevention detects and prevents many common denial of service and packet-based attacks.
You can enable and disable prevention attack signatures and customize attack signature thresholds and other parameters. To notify system administrators of the attack, the NIDS records the attack and any suspicious traffic to the attack log and can be configured to send alert emails.
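To make the detection/prevention split concrete, here is an added example written for this page (not FortiGate code): a miniature NIDS that runs enabled attack signatures over packets and only records a match, drops packets from a source that exceeds a threshold on a prevention signature, and keeps the most recent records in a bounded in-memory attack log with a callback standing in for alert email. The signature format, the thresholds, the packet structure and the sample traffic are all assumptions.

```python
"""Added example, not FortiGate code: a miniature NIDS that (1) runs enabled
attack signatures over packets and records matches (detection) and (2) drops
packets from a source that exceeds a per-signature threshold (prevention),
logging to a bounded in-memory attack log.  Signature format, threshold
values and the packets are assumptions."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    flags: str = ""       # TCP flags, e.g. "S" = SYN only
    payload: bytes = b""


@dataclass
class Signature:
    """Detection signature: a byte pattern on a protocol/port; user-defined
    signatures are built the same way.  enabled=False turns it off."""
    name: str
    proto: str
    dport: Optional[int]        # None = any port
    pattern: Optional[bytes]    # regex over the payload, None = match on port alone
    enabled: bool = True

    def matches(self, p):
        return (self.enabled and p.proto == self.proto
                and (self.dport is None or p.dport == self.dport)
                and (self.pattern is None or re.search(self.pattern, p.payload) is not None))


@dataclass
class Threshold:
    """Prevention signature: more than `limit` packets with these TCP flags
    from one source inside `window` seconds is treated as a flood."""
    name: str
    flags: str
    limit: int
    window: float
    enabled: bool = True


class Nids:
    def __init__(self, signatures, thresholds, log_size=100, alert=None):
        self.signatures = signatures
        self.thresholds = thresholds
        self.attack_log = deque(maxlen=log_size)  # oldest entries drop off, as in memory logging
        self.alert = alert                        # callable standing in for alert email
        self._recent = defaultdict(deque)         # (threshold name, src) -> timestamps

    def _record(self, ts, kind, p, name):
        entry = {"ts": ts, "type": kind, "src": p.src, "dst": p.dst, "attack": name}
        self.attack_log.append(entry)
        if self.alert is not None:
            self.alert(entry)
        return entry

    def inspect(self, p):
        """Return "pass" or "drop".  Detection only logs; prevention drops."""
        verdict = "pass"
        for sig in self.signatures:
            if sig.matches(p):
                self._record(p.ts, "detection", p, sig.name)
        for th in self.thresholds:
            if not th.enabled or p.proto != "tcp" or p.flags != th.flags:
                continue
            seen = self._recent[(th.name, p.src)]
            seen.append(p.ts)
            while seen and seen[0] < p.ts - th.window:   # forget packets outside the window
                seen.popleft()
            if len(seen) > th.limit:
                self._record(p.ts, "prevention", p, th.name)
                verdict = "drop"
        return verdict


def demo():
    """Constructed traffic: a SYN flood from one host and one HTTP request
    carrying a directory-traversal attempt.  log_size=3 shows the log wrap."""
    alerts = []
    nids = Nids([Signature("http-dir-traversal", "tcp", 80, rb"\.\./\.\./")],
                [Threshold("syn-flood", "S", limit=5, window=1.0)],
                log_size=3, alert=alerts.append)
    flood = [Packet(i * 0.1, "203.0.113.5", "192.0.2.10", "tcp", 80, "S") for i in range(8)]
    verdicts = [nids.inspect(p) for p in flood]
    verdicts.append(nids.inspect(Packet(2.0, "198.51.100.7", "192.0.2.10", "tcp", 80, "PA",
                                        b"GET /../../etc/passwd HTTP/1.0\r\n")))
    return verdicts, list(nids.attack_log), alerts


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Note that the traversal request passes: a detection signature records and alerts but does not drop, which is exactly the difference between the detection and prevention lists the text describes, and why a prevention threshold has to be tuned (too low and legitimate bursts are dropped, too high and the flood gets through).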
Fortinet updates NIDS attack definitions periodically. You can download and install updated attack definitions manually, or you can configure the FortiGate unit to automatically check for and download attack definition updates. Using FortiGate virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network.
Installation is quick and simple. The first time you turn on the FortiGate unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the setup wizard to customize FortiGate IP addresses for your network, and the FortiGate unit is set to protect your network.
You can then use the web-based manager to customize advanced FortiGate features to meet your needs. The web-based manager supports multiple languages. You can use the web-based manager for most FortiGate configuration settings.
You can also use the web-based manager to monitor the status of the FortiGate unit. Configuration changes made with the web-based manager are effective immediately without the need to reset the firewall or interrupt service. Once a satisfactory configuration has been established, it can be downloaded and saved. The saved configuration can be restored at any time. The CLI supports the same configuration and monitoring functionality as the web-based manager.
In addition, you can use the CLI for advanced configuration options not available from the web-based manager. The FortiGate unit supports logging of various categories of traffic and of configuration changes. You can configure logging to record logs on a remote computer or in system memory.
Some models can also save logs to an optional internal hard drive. If a hard drive is not installed, you can configure most FortiGates to log the most recent events and attacks detected by the NIDS to shared system memory.
This section presents a brief summary of some of the new features in FortiOS v2. This installation and configuration guide describes how to install and configure the FortiGate unit. This chapter also contains procedures for connecting to the FortiGate technical support web site and for registering your FortiGate unit. Registering gives you access to other technical support resources.
This chapter describes setting the system time, adding and changing administrative users, configuring SNMP, and editing replacement messages. CLI commands are shown in this document in the form in which you enter them, for example restore config myfile, and set system opmode nat or set system opmode transparent. The remaining chapters describe: installation and basic configuration for the FortiGate unit; how to use FortiGate firewall policies to control traffic flow through the FortiGate unit and how to use firewall policies to apply antivirus protection, web content filtering, and email filtering to HTTP, FTP, and email content passing through the FortiGate unit;
how to configure antivirus protection, web content filtering, and email filtering to protect content as it passes through the FortiGate unit; and how to configure FortiGate logging and alert email, including the FortiGate log message reference. The FortiGate online help also contains procedures for using the FortiGate web-based manager to configure and manage your FortiGate unit.
You can send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com. This chapter describes unpacking, setting up, and powering on your FortiGate Antivirus Firewall. When you have completed the procedures in this chapter, you can proceed to configure the FortiGate unit for either NAT/Route mode or Transparent mode. The FortiGate unit can be installed on any stable surface. Make sure that the appliance has at least 1. The FortiGate unit starts up. The Power and Status lights turn on.
The Status light flashes while the FortiGate unit is starting up and remains lit when the system is up and running. Use the following procedure to connect to the web-based manager for the first time. Note: You can use the web-based manager with recent versions of most popular web browsers. The web-based manager is fully supported for Internet Explorer version 4. The Register Now window is displayed. Use the information on this window to register your FortiGate unit so that Fortinet can contact you for firmware updates.
You must also register to receive updates to the FortiGate virus and attack definitions. As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI.
Configuration changes made with the CLI are effective immediately without the need to reset the firewall or interrupt service. The following prompt appears:. The FortiGate unit is shipped with a factory default configuration. This default configuration allows you to connect to and use the FortiGate web-based manager to configure the FortiGate unit onto your network.
To configure the FortiGate unit onto your network, you add an administrator password, change network interface IP addresses, add DNS server IP addresses, and configure routing if required.
If you are planning on operating the FortiGate unit in Transparent mode, you can switch to transparent mode from the factory default configuration and then configure the FortiGate unit onto your network in Transparent mode. Once the network configuration is complete, you can perform additional configuration tasks such as setting system time, configuring virus and attack definition updates, and registering the FortiGate unit.
The factory default firewall configuration includes a single network address translation NAT policy that allows users on your internal network to connect to the external network, and stops users on the external network from connecting to the internal network. You can add more policies to provide more control of the network traffic passing through the FortiGate unit.
The factory default content profiles can be used to quickly apply different levels of antivirus protection, web content filtering, and email filtering to the network traffic controlled by firewall policies. This configuration allows you to connect to the FortiGate unit web-based manager and establish the configuration required to connect the FortiGate unit to your network.
Ping management access means this interface responds to ping requests. If you switch the FortiGate unit to Transparent mode, it has the default network configuration listed in Table 3. You can use content profiles to apply different protection settings for content traffic controlled by firewall policies. You can use content profiles for antivirus protection, web content filtering, and email filtering. Using content profiles you can build up protection configurations that can be easily applied to different types of firewall policies.
This allows you to customize different types and different levels of protection for different firewall policies. For example, while traffic between internal and external addresses might need strict protection, traffic between trusted internal addresses might need moderate protection. You can configure policies for different traffic services to use the same or different content profiles.
You would not use the strict content profile under normal circumstances, but it is available if you are having extreme problems with viruses and require maximum content screening protection. Use the web content profile to apply antivirus scanning and web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic. Use the unfiltered content profile if you do not want to apply any content protection to content traffic. You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
Before beginning to configure the FortiGate unit, you need to plan how to integrate the unit into your network. Among other things, you have to decide whether or not the unit will be visible to the network, which firewall functions it will provide, and how it will control the traffic flowing between its interfaces. Your configuration plan depends on the operating mode that you select. In NAT/Route mode, the FortiGate unit is visible to the network. Like a router, all of its interfaces are on different subnets.
You can add security policies to control whether communications through the FortiGate unit operate in NAT mode or in route mode.
In NAT mode, the FortiGate performs network address translation before the packet is sent to the destination network. In route mode, no translation takes place. By default, the FortiGate unit has a NAT mode security policy that allows users on the internal network to securely download content from the external network. No other traffic is possible until you have configured more security policies.
In this configuration, you would create NAT mode policies to control traffic flowing between the internal, private network and the external, public network (usually the Internet). If you have multiple internal networks, such as a DMZ network in addition to the internal, private network, you could create route mode policies for traffic flowing between them. For example, you could create the following configuration:
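The following added example (written for this page, not FortiGate code) shows how that policy set behaves: an ordered list of policies evaluated first-match-wins with an implicit deny at the end, a NAT mode policy that rewrites the source address to the egress interface address, a route mode policy between internal and DMZ that leaves addresses alone, and a port-forwarding virtual IP of the kind the setup wizard creates for an internal server. The interface addresses, service table, policies and packets are assumed values chosen to resemble the factory default configuration; in a real unit the egress interface is chosen by the routing table, which this example takes as already known.

```python
"""Added example, not FortiGate code: an ordered list of firewall policies
evaluated first-match-wins, a NAT mode policy that rewrites the source
address to the egress interface address, a route mode policy that does not,
and a port-forwarding virtual IP of the kind the setup wizard creates for
an internal server.  Interface addresses, policies and packets are assumed
values chosen to resemble the factory default configuration."""
import dataclasses
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_if: str      # interface the packet arrived on
    dst_if: str      # interface the routing lookup chose (assumed already known)
    src: str
    dst: str
    proto: str
    dport: int = 0


@dataclass
class Policy:
    src_if: str
    dst_if: str
    src_net: str              # "0.0.0.0/0" = any address, as in the factory default policy
    dst_net: str
    service: str              # "ANY" or a named service
    action: str = "accept"
    nat: bool = False         # NAT mode policy; False = route mode (no translation)
    log: bool = False         # Log Traffic option


SERVICES = {"ANY": None, "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "DNS": ("udp", 53)}
IF_ADDR = {"internal": "192.168.1.99", "external": "203.0.113.2", "dmz": "10.10.10.1"}  # assumed


def factory_default():
    """The single default policy: internal -> external, any source, any
    destination, any service, always, NAT enabled."""
    return Policy("internal", "external", "0.0.0.0/0", "0.0.0.0/0", "ANY", nat=True)


class Firewall:
    def __init__(self, policies, vips=None):
        self.policies = list(policies)
        self.vips = dict(vips or {})   # (public address, port) -> (server address, port)
        self.traffic_log = []

    @staticmethod
    def _service_ok(name, p):
        spec = SERVICES[name]
        return spec is None or (p.proto, p.dport) == spec

    def process(self, p):
        """Return (verdict, packet as forwarded, matching policy or None)."""
        mapped = self.vips.get((p.dst, p.dport))
        if mapped:   # virtual IP: destination rewritten before policy lookup
            p = dataclasses.replace(p, dst=mapped[0], dport=mapped[1])
        for pol in self.policies:
            if (pol.src_if == p.src_if and pol.dst_if == p.dst_if
                    and ip_address(p.src) in ip_network(pol.src_net)
                    and ip_address(p.dst) in ip_network(pol.dst_net)
                    and self._service_ok(pol.service, p)):
                if pol.action != "accept":
                    return "deny", p, pol
                out = dataclasses.replace(p, src=IF_ADDR[p.dst_if]) if pol.nat else p
                if pol.log:
                    self.traffic_log.append((p.src, out.dst, pol.service))
                return "accept", out, pol
        return "deny", p, None    # nothing matched: implicit deny, so external -> internal is blocked


if __name__ == "__main__":
    fw = Firewall([factory_default()])
    print(fw.process(Packet("internal", "external", "192.168.1.20", "198.51.100.9", "tcp", 80)))
    print(fw.process(Packet("external", "internal", "198.51.100.9", "192.168.1.20", "tcp", 22)))
    # DMZ web server: route mode policy from internal, VIP plus policy from the Internet
    fw.policies.append(Policy("internal", "dmz", "192.168.1.0/24", "10.10.10.0/24", "HTTP"))
    fw.policies.append(Policy("external", "dmz", "0.0.0.0/0", "10.10.10.80/32", "HTTP", log=True))
    fw.vips[("203.0.113.80", 80)] = ("10.10.10.80", 80)
    print(fw.process(Packet("external", "dmz", "198.51.100.9", "203.0.113.80", "tcp", 80)))
```

Two things worth checking in any policy set you build this way: the external-to-DMZ policy is scoped to the single server address and service rather than the whole DMZ, and because the first matching policy wins, a broad accept placed above a narrower deny silently defeats the deny.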
You must configure routing to support redundant internet connections. Routing can be used to automatically re-direct connections from an interface if its connection to the external network fails.
You would create NAT mode policies to control traffic flowing between the internal, private network and the external, public network (usually the Internet). In Transparent mode, the FortiGate unit is invisible to the network. Similar to a network bridge, all of the FortiGate interfaces must be on the same subnet.
You only have to configure a management IP address so that you can make configuration changes. The management IP address is also used for antivirus and attack definition updates.
You would typically use the FortiGate unit in Transparent mode on a private network behind an existing firewall or behind a router. You can connect up to three network segments to the FortiGate unit to control traffic between these network segments.
You can use the web-based manager setup wizard or the command line interface CLI for the basic configuration of the FortiGate unit. Using the wizard, you can also add DNS server IP addresses and a default route for the external interface.
If you are configuring the FortiGate unit to operate in Transparent mode, you can switch to Transparent mode from the web-based manager and then use the setup wizard to add the administration password, the management IP address and gateway, and the DNS server addresses. Alternatively, you can use the CLI to switch to Transparent mode, then add the administration password, the management IP address and gateway, and the DNS server addresses.
Now that your FortiGate unit is operating, you can proceed to configure it to connect to your networks. From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiGate unit. Select the Next button to step through the wizard pages.
Note: If you use the setup wizard to configure internal server settings, the FortiGate unit adds port forwarding virtual IPs and firewall policies for each server.
If you used the setup wizard to change the IP address of the internal interface, you must reconnect to the web-based manager using a new IP address.
As an alternative to using the setup wizard, you can configure the FortiGate unit using the command line interface CLI.
Use the information that you gathered in Table 10 on page 43 to complete the following procedures. When you have completed the initial configuration, you can connect the FortiGate unit between your internal network and the Internet. Note: You can also connect both the external and DMZ interfaces to different Internet connections to provide a redundant connection to the Internet. Connect to the public switch or router provided by your Internet Service Provider. You can use a DMZ network to provide access from the Internet to a web server or other server without installing the servers on your internal network.
For your internal network, change the default gateway address of all computers and routers connected directly to your internal network to the IP address of the FortiGate internal interface. For your external network, route all packets to the FortiGate external interface. Make sure that the connected FortiGate unit is functioning properly by connecting to the Internet from a computer on your internal network. You should be able to connect to any Internet address.
Use the information in this section to complete the initial configuration of the FortiGate unit. Use the following procedure to configure the DMZ interface using the web-based manager.
For effective scheduling and logging, the FortiGate system date and time should be accurate. You can either manually set the system date and time or you can configure the FortiGate unit to automatically keep its time correct by synchronizing with a Network Time Protocol NTP server. To enable antivirus protection to protect users on your internal network from downloading a virus from the Internet:.
Registration consists of entering your contact information and the serial numbers of the FortiGate units you or your organization have purchased. Registration is quick and easy. You can register multiple FortiGate units in a single session without re-entering your contact information.
When the FortiGate unit checks for updates and finds new versions, it automatically downloads and installs the updated definitions. This section describes some basic routing and firewall policy configuration examples for a FortiGate unit with multiple connections to the Internet (see Figure 8). In this topology, the organization operating the FortiGate unit uses two Internet service providers to connect to the Internet.
By adding ping servers to interfaces, and by configuring routing, you can control how traffic uses each Internet connection. With this routing configuration in place, you can proceed to create firewall policies to support multiple Internet connections. This section provides some examples of routing and firewall configurations for multiple Internet connections. The examples below show how to configure destination-based routing and policy routing to control different traffic patterns.
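As an added example for this page (not FortiGate code), the routing behaviour just described can be modelled in a few dozen lines: destination-based routes chosen by longest prefix and then by a distance value, a policy route that sends one internal subnet out the second Internet connection regardless of destination, and ping servers attached to interfaces so that an interface whose ping server stops answering is skipped and its traffic fails over to the other connection. The interface names, gateway addresses, the distance metric, the policy-route semantics (consulted before the routing table, with no special case for directly connected subnets) and the reachability results are all assumptions.

```python
"""Added example, not FortiGate code: destination-based routes with longest
prefix and distance, a policy route that sends one internal subnet out the
second Internet connection, and ping-server style dead gateway detection
that redirects traffic when a connection fails.  Interfaces, gateways and
the reachability results are assumed values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Route:
    dest: str            # destination network; "0.0.0.0/0" is a default route
    gateway: str
    interface: str
    distance: int = 10   # lower is preferred among routes to the same prefix (assumed metric)


@dataclass
class PolicyRoute:
    src_net: str                 # traffic from this source subnet ...
    interface: str               # ... leaves this interface ...
    gateway: str                 # ... via this gateway, ignoring destination routes
    proto: Optional[str] = None  # optional protocol restriction (assumption)


class Router:
    def __init__(self, routes, policy_routes=(), ping_servers=None):
        self.routes = list(routes)
        self.policy_routes = list(policy_routes)
        self.ping_servers = dict(ping_servers or {})   # interface -> address it must be able to ping
        self.dead = set()

    def probe(self, reachable):
        """reachable(address) -> bool stands in for the ICMP probes; an
        interface whose ping server does not answer is marked dead."""
        self.dead = {ifname for ifname, srv in self.ping_servers.items() if not reachable(srv)}
        return self.dead

    def lookup(self, src, dst, proto=None):
        """Return (interface, gateway) or None.  Policy routes are consulted
        first; dead interfaces are skipped so traffic fails over."""
        for pr in self.policy_routes:
            if (pr.interface not in self.dead
                    and ip_address(src) in ip_network(pr.src_net)
                    and (pr.proto is None or pr.proto == proto)):
                return pr.interface, pr.gateway
        best = None
        for r in self.routes:
            net = ip_network(r.dest)
            if r.interface in self.dead or ip_address(dst) not in net:
                continue
            key = (-net.prefixlen, r.distance)   # longest prefix, then lowest distance
            if best is None or key < best[0]:
                best = (key, r)
        return (best[1].interface, best[1].gateway) if best else None


def build_example():
    """Two ISPs: external (preferred) and dmz used as a second connection,
    as the note on connecting the DMZ interface to a second ISP allows."""
    return Router(
        routes=[Route("0.0.0.0/0", "203.0.113.1", "external", distance=10),
                Route("0.0.0.0/0", "198.51.100.1", "dmz", distance=20),
                Route("192.168.1.0/24", "0.0.0.0", "internal"),
                Route("192.168.2.0/24", "0.0.0.0", "internal")],
        policy_routes=[PolicyRoute("192.168.2.0/24", "dmz", "198.51.100.1")],
        ping_servers={"external": "203.0.113.1", "dmz": "198.51.100.1"})


if __name__ == "__main__":
    r = build_example()
    print(r.lookup("192.168.1.5", "198.51.100.200"))   # external, the preferred default route
    print(r.lookup("192.168.2.5", "198.51.100.200"))   # dmz, by policy route
    r.probe(lambda addr: addr != "203.0.113.1")          # external ping server stops answering
    print(r.dead, r.lookup("192.168.1.5", "198.51.100.200"))   # falls over to dmz
```

The ping server should be something beyond the directly attached gateway if you want to detect an ISP outage rather than only a dead link, and the example shows the failure case that matters operationally: when both ping servers stop answering, lookups return nothing rather than quietly pushing all traffic out one path.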
Network intrusion detection The FortiGate Network Intrusion Detection System (NIDS) is a real-time network intrusion detection sensor that detects and prevents a wide variety of suspicious network activity.
Trademarks Products mentioned in this document are trademarks.
LED indicators
Power                     Off       The FortiGate unit is powered off.
Status                    Flashing  The FortiGate unit is starting up.
Internal, External, DMZ   Green     The correct cable is in use, and the connected equipment has power.
Internal, External, DMZ   Flashing  Network activity at this interface.
Connecting to the web-based manager 1 Set the IP address of a computer with an Ethernet connection to the FortiGate internal interface to a static IP address on the same subnet as the internal interface. The FortiGate login is displayed (Figure 3: FortiGate login). To connect to the CLI instead, you can use any terminal emulation program.
The following prompt appears:
FortiGate login:
7 Type admin and press Enter twice. The following prompt appears:
Type ?
Table 4: Factory default firewall configuration
Schedule: Always. The policy is valid at any time.
Service: ANY. The policy processes connections for all services.
NAT: Selected. Source addresses are translated as connections pass from the internal to the external network. NAT is not available for Transparent mode policies.
Traffic Shaping: Not selected. The policy does not apply traffic shaping to the traffic it controls. You can select this option to control the maximum or minimum amount of bandwidth available to traffic processed by the policy.
Authentication: Not selected. Users do not have to authenticate with the firewall before connecting to their destination address. You can configure user groups and select this option to require users to authenticate with the firewall before they can connect through it.
Content profile: Not selected. This policy does not include a content profile that applies antivirus protection, web content filtering, or email filtering to content traffic processed by the policy. You can select this option and select a content profile to apply different levels of content protection to traffic processed by this policy.
Log Traffic: Not selected. This policy does not record messages to the traffic log for the traffic it processes. You can configure FortiGate logging and select Log Traffic to record all connections through the firewall that are accepted by this policy.
Figure 6: Example Transparent mode network configuration.
Starting the setup wizard 1 Select Easy Setup Wizard (the middle button in the upper-right corner of the web-based manager).
To connect the FortiGate unit: 1 Connect the internal interface to the hub or switch connected to your internal network. 2 Connect the external interface to the public switch or router provided by your Internet Service Provider.
Firewall policies control communications through the FortiGate unit. No traffic can pass through the FortiGate unit until you add firewall policies.
The setup wizard steps you through the basic configuration. Use it to configure the administrator password, the interface and default gateway addresses, and the DNS server addresses. The CLI is a full-featured management tool. Use it to configure the administrator password, the interface addresses, the default gateway address, and the DNS server addresses. In Transparent mode, the management IP address and netmask must be valid for the network you will be managing the FortiGate unit from.
Connect the FortiGate internal interface to a management computer Ethernet interface. Use a cross-over Ethernet cable to connect the devices directly. Use straight-through Ethernet cables to connect the devices through a hub or switch.
Configure the management computer to be on the same subnet as the internal interface of the FortiGate unit. To do this, change the IP address of the management computer to an address on that subnet. Connect to the web-based manager, type admin in the Name field, and select Login. Select Change Password for the admin administrator and enter a new password.
To configure interfaces
1 Select the edit icon for each interface to configure.
2 Set the addressing mode for the interface. See the online help for information.
To configure a default gateway
1 Set a default gateway and select Apply.
To change the administrator password
1 Select Change Password for the admin administrator and enter a new password.
To change the management interface
1 Enter the management IP address and netmask that you recorded above and select Apply.
To configure the FortiGate unit using the CLI
1 Start a terminal emulation program (for example, HyperTerminal) on the management computer.
2 At the Login: prompt, type admin and press Enter twice (no password is required).
3 Configure the FortiGate internal interface.
You have finished configuring the basic settings. Your network is now protected from Internet-based threats.