INSTALL GUIDE FortiGate-110C FortiOS 3.0 MR6 www.fortinet.
FortiGate-110C Install Guide FortiOS 3.0 MR6 28 July 2008 01-30006-0481-20080728 © Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Introduction

Welcome and thank you for selecting Fortinet products for your real-time network protection. The FortiGate Unified Threat Management System improves network security, reduces network misuse and abuse, and helps you use communications resources more efficiently without compromising the performance of your network. FortiGate Unified Threat Management Systems are ICSA-certified for firewall, IPSec, and antivirus services.
About the FortiGate-110C

The FortiGate-110C is an ideal solution for SMB and medium to large-sized enterprises with distributed branch offices. The FortiGate-110C features dual WAN 10/100/1000 link support for redundant internet connections, and an integrated 8-port 10/100 switch that eliminates the need for an external hub or switch, giving networked devices a direct connection to the FortiGate-110C.
Typographic conventions

FortiGate documentation uses the following typographical conventions:

Convention: Keyboard input
Example: In the Gateway Name field, type a name for the remote VPN peer or client (for example, Central_Office_1).
• FortiGate IPS User Guide
  Describes how to configure the FortiGate Intrusion Prevention System settings and how the FortiGate IPS deals with some common attacks.
• FortiGate IPSec VPN User Guide
  Provides step-by-step instructions for configuring IPSec VPNs using the web-based manager.
Installing

This chapter describes installing your FortiGate unit in your server room, environmental specifications, and how to mount the FortiGate in a rack if applicable.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.

The equipment complies with the FCC radiation exposure limits set forth for an uncontrolled environment.

Cautions and warnings

Review the following cautions before installing your FortiGate unit.
When placing the FortiGate unit on any flat, stable surface, ensure the unit has at least 1.5 inches (3.75 cm) of clearance on each side to allow adequate airflow for cooling. For rack mounting, use the mounting brackets and screws included with the FortiGate unit.

Caution: To avoid personal injury, you may require two or more people to install the unit in the rack, depending on the size of your FortiGate unit.
Figure 3: Mounting in a rack

Plugging in the FortiGate

Use the following steps to connect the power supply to the FortiGate unit.

To power on the FortiGate unit
1 Ensure the power switch, located at the back of the FortiGate unit, is in the off position, indicated by the “O”.
2 Connect the power cord at the back of the FortiGate unit.
3 Connect the power cable to a power outlet.
Turning off the FortiGate unit

Always shut down the FortiGate operating system properly before turning off the power switch to avoid potential hardware problems.

To power off the FortiGate unit
1 From the web-based manager, go to System > Status.
2 In the Unit Operation display, select Shutdown, or from the CLI enter:
    execute shutdown
3 Disconnect the power cables from the power supply.
Configuring

This section provides an overview of the operating modes of the FortiGate unit, NAT/Route and Transparent, and how to configure the FortiGate unit for each mode. There are two ways you can configure the FortiGate unit: using the web-based manager or the command line interface (CLI). This section will step through using both methods. Use whichever you are most comfortable with.

This section includes the following topics:
• NAT vs.
Transparent mode

In Transparent mode, the FortiGate unit is invisible to the network. Similar to a network bridge, all FortiGate interfaces must be on the same subnet. You only have to configure a management IP address to make configuration changes. The management IP address is also used for antivirus and attack definition updates.

Figure 5: FortiGate unit in Transparent mode (diagram labels: management IP 10.10.10.1; Internet; gateway to public network 204.23.1.2)
To support a secure HTTPS authentication method, the FortiGate unit ships with a self-signed security certificate, which is offered to remote clients whenever they initiate an HTTPS connection to the FortiGate unit. When you connect, the FortiGate unit displays two security warnings in a browser. The first warning prompts you to accept and optionally install the FortiGate unit’s self-signed security certificate.
Configuring NAT mode

Configuring NAT mode involves defining interface addresses and default routes, and simple firewall policies. You can use the web-based manager or the CLI to configure the FortiGate unit in NAT/Route mode.

Using the web-based manager

After connecting to the web-based manager, you can use the following procedures to complete the basic configuration of the FortiGate unit.
Initial PADT Timeout: Initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. Your ISP must support PADT. To disable the PADT timeout, set the value to 0.

Distance: Enter the administrative distance, between 1 and 255, for the default gateway retrieved from the DHCP server.
For an initial configuration, you must edit the factory configured static default route to specify a different default gateway for the FortiGate unit. This will enable the flow of data through the FortiGate unit. For details on adding additional static routes, see the FortiGate Administration Guide.

To modify the default gateway
1 Go to Router > Static.
3 Set the following and select OK.

Source Interface: Select the port connected to the Internet.
Source Address: All
Destination Interface: Select the port connected to the network.
Destination Address: All
Schedule: always
Service: Any
Action: Accept

Firewall policy configuration is the same in NAT/Route mode and Transparent mode. Note that these policies allow all traffic through. No protection profiles have been applied.
To set an interface to use PPPoE addressing

    config system interface
        edit external
            set mode pppoe
            set username
            set password
            set ipunnumbered
            set disc-retry-timeout
            set padt-retry-timeout
            set distance
            set defaultgw {enable | disable}
            set dns-server-override {enable | disable}
    end

The CLI lists the IP address, netmask, and other settings for each of the FortiGate interfaces.
For an initial configuration, you must edit the factory configured static default route to specify a different default gateway for the FortiGate unit. This will enable the flow of data through the FortiGate unit. For details on adding additional static routes, see the FortiGate Administration Guide.
Using the web-based manager

After connecting to the web-based manager, you can use the following procedures to complete the basic configuration of the FortiGate unit. Ensure you read the section “Connecting to the web-based manager” on page 16 before beginning.

Switching to Transparent mode

The FortiGate unit comes preset to NAT mode. You need to switch to Transparent mode.

To switch to Transparent mode
1 Go to System > Status.
To add an outgoing traffic firewall policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Set the following and select OK.

Source Interface: Select the port connected to the network.
Source Address: All
Destination Interface: Select the port connected to the Internet.
Destination Address: All
Schedule: always
Service: Any
Action: Accept

To add an incoming traffic firewall policy
1 Go to Firewall > Policy.
2 Select Create New.
Configure a DNS server

A DNS server is a service that converts symbolic node names to IP addresses. A domain name server (DNS server) implements the protocol. In simple terms, it acts as a phone book for the Internet. A DNS server matches domain names with the computer IP address. This enables you to use readable locations, such as fortinet.com, when browsing the Internet. DNS server IP addresses are typically provided by your internet service provider.
Verify the configuration

Your FortiGate unit is now configured and connected to the network. To verify the FortiGate unit is connected and configured correctly, use your web browser to browse a web site, or use your email client to send and receive email. If you cannot browse to the web site or retrieve/send email from your account, review the previous steps to ensure all information was entered correctly and try again. Remember to verify the firewall policies.
Restoring a configuration

Should you need to restore the configuration file, use the following steps.

To restore the FortiGate configuration
1 Go to System > Maintenance > Backup & Restore.
2 Select to upload the restore file from your PC or a USB key. The USB Disk option will be grayed out if the FortiGate unit supports USB disks but none are connected.
3 Enter the path and file name of the configuration file, or select Browse to locate the file.
To change the administrator password
1 Go to System > Admin > Administrators.
2 Select Change Password and enter a new password.
3 Select OK.

Alternatively, you can add new administrator users by selecting Create New; however, you cannot remove the admin administrator. Applying a password for this account is recommended.
Advanced configuration

The FortiGate unit and the FortiOS operating system provide a wide range of features that enable you to control network and internet traffic and protect your network. This chapter describes some of these options and how to configure them.
Web: Apply virus scanning and web content blocking to HTTP traffic.

Unfiltered: Apply no scanning, blocking or IPS. Use the unfiltered content profile if no content protection for content traffic is required. Add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.

The best way to begin creating your own protection profile is to open a predefined profile.
Configuring firewall policies

To add or edit a firewall policy, go to Firewall > Policy and select Edit on an existing policy, or select Create New to add a policy. The source and destination Interface/Zone match the firewall policy with the source and destination of a communication session. The Address Name matches the source and destination address of the communication session. Schedule defines when the firewall policy is enabled.
• Grayware - These are unsolicited commercial software programs that are installed on computers, often without the user's consent or knowledge. Grayware programs are generally considered an annoyance, but these programs can cause system performance problems or be used for malicious ends. The FortiGate unit scans for known grayware executable programs in each enabled category.
Banned word lists are specific words that may be typically found in email. The FortiGate unit searches for words or patterns in email messages. If matches are found, values assigned to the words are totalled. If the defined threshold value is exceeded, the message is marked as spam. If no match is found, the email message is passed along to the next filter. You configure banned words by going to Antispam > Banned Word.
To configure content blocking, go to Web Filter > Content Block.

URL filter enables you to control additional web sites that you can block or allow. This gives you greater control over certain URLs or sub-URLs. The FortiGate unit allows or blocks web pages matching any specified URLs or patterns and displays a replacement message instead. To configure URL filters, go to Web Filter > URL Filter.
FortiGate Firmware

Fortinet periodically updates the FortiGate firmware to include new features and address issues. After you have registered your FortiGate unit, you can download FortiGate firmware updates from the support web site, http://support.fortinet.com. You can also use the instructions in this chapter to downgrade, or revert, to a previous version.
To download firmware
1 Log into the site using your user name and password.
2 Go to Firmware Images > FortiGate.
3 Select the most recent FortiOS version, MR release, and patch release.
4 Locate the firmware for your FortiGate unit, right-click the link and select the Download option for your browser.

Note: Always review the Release Notes for a new firmware release before installing.
Note: To use this procedure, you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges.

To revert to a previous firmware version
1 Copy the firmware image file to the management computer.
2 Log into the FortiGate web-based manager.
3 Go to System > Status.
4 Under System Information > Firmware Version, select Update.
Note: You need an unencrypted configuration file for this feature. Also, the default files, image.out and system.conf, must be in the root directory of the USB key.

Note: Make sure at least FortiOS v3.0MR1 is installed on the FortiGate unit before installing.

To configure the USB Auto-Install
1 Go to System > Maintenance > Backup and Restore.
2 Select the blue arrow to expand the Advanced options.
5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
    execute restore image
Where is the name of the firmware image file and is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:
    execute restore image image.out 192.168.1.
4 Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server’s IP address is 192.168.1.168:
    execute ping 192.168.1.
If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from the backup configuration file.

Note: Installing firmware replaces your current antivirus and attack definitions, along with the definitions included with the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date.
9 Type the address of the TFTP server and press Enter. The following message appears:
    Enter Local Address [192.168.1.188]:
10 Type an IP address the FortiGate unit can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network the interface is connected to. Make sure you do not enter the IP address of another device on this network. The following message appears:
    Enter File Name [image.
To restore configuration using the CLI
1 Log into the CLI.
2 Enter the following command to restore the configuration files:
    exec restore image usb
The FortiGate unit responds with the following message:
    This operation will replace the current firmware version!
    Do you want to continue? (y/n)
3 Type y.
Testing new firmware before installing

You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure, the FortiGate unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed.
8 Type G to get the new firmware image from the TFTP server. The following message appears:
    Enter TFTP server address [192.168.1.168]:
9 Type the address of the TFTP server and press Enter. The following message appears:
    Enter Local Address [192.168.1.188]:
10 Type an IP address of the FortiGate unit to connect to the TFTP server.