Install Guide: Fortigate-300A Fortios 3.0 Mr6
Install Guide: Fortigate-300A Fortios 3.0 Mr6
Install Guide: Fortigate-300A Fortios 3.0 Mr6
FortiGate-300A
FortiOS 3.0 MR6
www.fortinet.com
FortiGate-300A Install Guide
FortiOS 3.0 MR6
31 January 2008
01-30006-0452-20080131
Trademarks
Fortinet, FortiGate and FortiGuard are registered trademarks and
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC,
FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat
Management System, FortiGuard-Antispam, FortiGuard-Antivirus,
FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer,
FortiManager, FortiOS, FortiPartner, FortiProtect, FortiReporter,
FortiResponse, FortiShield, and FortiVoIP, are trademarks of Fortinet, Inc.
in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of
their respective owners.
Regulatory compliance
FCC Class A Part 15 CSA/CUS
.
Contents
Contents.............................................................................................. 3
Introduction ........................................................................................ 7
Register your FortiGate unit ............................................................................. 7
About the FortiGate-300A ................................................................................. 8
About this document......................................................................................... 8
Document conventions.................................................................................. 8
Typographic conventions .............................................................................. 9
Further Reading ................................................................................................. 9
Fortinet Knowledge Center ......................................................................... 10
Comments on Fortinet technical documentation ......................................... 10
Customer service and technical support ...................................................... 10
Installing ........................................................................................... 11
Environmental specifications......................................................................... 11
Cautions and warnings ................................................................................... 12
Grounding ................................................................................................... 12
Rack mount instructions .............................................................................. 12
Mounting ..................................................................................................... 12
Plugging in the FortiGate................................................................................ 14
Connecting to the network .......................................................................... 14
Turning off the FortiGate unit......................................................................... 15
Configuring....................................................................................... 17
NAT vs. Transparent mode ............................................................................. 17
NAT mode ................................................................................................... 17
Transparent mode ....................................................................................... 18
Connecting to the FortiGate unit.................................................................... 18
Connecting to the web-based manager ...................................................... 18
Connecting to the CLI ................................................................................. 19
Configuring NAT mode ................................................................................... 20
Using the web-based manager ................................................................... 20
Configure the interfaces........................................................................ 20
Configure a DNS server........................................................................ 21
Adding a default route and gateway ..................................................... 21
Adding firewall policies ......................................................................... 22
Using the CLI .............................................................................................. 23
Configure the interfaces........................................................................ 23
Advanced configuration.................................................................. 33
Protection profiles........................................................................................... 33
Firewall policies............................................................................................... 34
Configuring firewall policies ........................................................................ 35
Antivirus options ............................................................................................. 35
AntiSpam options............................................................................................ 36
Web filtering..................................................................................................... 37
Logging ............................................................................................................ 38
Index.................................................................................................. 51
Introduction
Welcome and thank you for selecting Fortinet products for your real-time network
protection.
The FortiGate Unified Threat Management System improves network security,
reduces network misuse and abuse, and helps you use communications
resources more efficiently without compromising the performance of your
network. The FortiGate Unified Threat Management System are ICSA-certified for
firewall, IPSec, and antivirus services.
The FortiGate Unified Threat Management Systemis a dedicated, easily managed
security device that delivers a full suite of capabilities, which include:
• application-level services such as virus protection and content filtering
• network-level services such as firewall, intrusion detection, VPN and traffic
shaping
The FortiGate Unified Threat Management System uses Fortinet’s Dynamic
Threat Prevention System (DTPS™) technology, which leverages breakthroughs
in chip design, networking, security and content analysis. The unique ASIC-based
architecture analyzes content and behavior in real-time, enabling key applications
to be deployed right at the network edge where they are most effective at
protecting your networks.
Figure 1: FortiGate-300A
Document conventions
The following document conventions are used in this guide:
• In the examples, private IP addresses are used for both private and public IP
addresses.
• Notes and Cautions are used to provide important information:
Caution: Warns you about commands or procedures that could have unexpected or
! undesirable results including loss of data or damage to equipment.
Typographic conventions
FortiGate documentation uses the following typographical conventions:
Convention Example
Keyboard input In the Gateway Name field, type a name for the remote VPN
peer or client (for example, Central_Office_1).
Code examples config sys global
set ips-open enable
end
CLI command syntax config firewall policy
edit id_integer
set http_retry_count <retry_integer>
set natip <address_ipv4mask>
end
Document names FortiGate Administration Guide
Menu commands Go to VPN > IPSEC > Phase 1 and select Create New.
Program output Welcome!
Variables <address_ipv4>
Further Reading
The most up-to-date publications and previous releases of Fortinet product
documentation are available from the Fortinet Technical Documentation web site
at http://docs.forticare.com.
The following FortiGate product documentation is available:
• FortiGate QuickStart Guide
Provides basic information about connecting and installing a FortiGate unit.
• FortiGate Administration Guide
Provides basic information about how to configure a FortiGate unit, including
how to define FortiGate protection profiles and firewall policies; how to apply
intrusion prevention, antivirus protection, web content filtering, and spam
filtering; and how to configure a VPN.
• FortiGate online help
Provides a context-sensitive and searchable version of the Administration
Guide in HTML format. You can access online help from the web-based
manager as you work.
• FortiGate CLI Reference
Describes how to use the FortiGate CLI and contains a reference to all
FortiGate CLI commands.
• FortiGate Log Message Reference
Available exclusively from the Fortinet Knowledge Center, the FortiGate Log
Message Reference describes the structure of FortiGate log messages and
provides information about the log messages that are generated by FortiGate
units.
• FortiGate High Availability User Guide
Contains in-depth information about the high availability feature and the
clustering protocol.
Installing
This chapter describes installing your FortiGate unit in your server room,
environmental specifications and how to mount the FortiGate in a rack if
applicable.
This chapter contains the following topics:
• Environmental specifications
• Cautions and warnings
• Plugging in the FortiGate
• Plugging in the FortiGate
• Turning off the FortiGate unit
Environmental specifications
• Operating temperature: 32 to 104°F (0 to 40°C)
If you install the FortiGate unit in a closed or multi-unit rack assembly, the
operating ambient temperature of the rack environment may be greater than
room ambient temperature. Therefore, make sure to install the equipment in
an environment compatible with the manufacturer's maximum rated ambient
temperature.
• Storage temperature: -13 to 158°F (-25 to 70°C)
• Humidity: 5 to 90% non-condensing
• Air flow - For rack installation, make sure that the amount of air flow required
for safe operation of the equipment is not compromised.
• For free-standing installation, make sure that the appliance has at least 1.5 in.
(3.75 cm) of clearance on each side to allow for adequate air flow and cooling.
This device complies with part FCC Class A, Part 15, UL/CUL, C Tick, CE
and VCCI. Operation is subject to the following two conditions:
• This device may not cause harmful interference, and
• This device must accept any interference received, including interference that
may cause undesired operation.
This equipment has been tested and found to comply with the limits for a Class B
digital device, pursuant to part 15 of the FCC Rules. These limits are designed to
provide reasonable protection against harmful interference in a residential
installation. This equipment generates, uses and can radiate radio frequency
energy and, if not installed and used in accordance with the instructions, may
cause harmful interference to radio communications. However, there is no
guarantee that interference will not occur in a particular installation. If this
equipment does cause harmful interference to radio or television reception, which
can be determined by turning the equipment off and on, the user is encouraged to
try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Connect the equipment into an outlet on a circuit different from that to which
the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.
The equipment compliance with FCC radiation exposure limit set forth for
uncontrolled Environment.
Grounding
• Ensure the FortiGate unit is connected and properly grounded to a lightning
and surge protector. WAN or LAN connections that enter the premises from
outside the building should be connected to an Ethernet CAT5 (10/100 Mb/s)
surge protector.
• Shielded Twisted Pair (STP) Ethernet cables should be used whenever
possible rather than Unshielded Twisted Pair (UTP).
• Do not connect or disconnect cables during lightning activity to avoid damage
to the FortiGate unit or personal injury.
Mounting
If required to fit into a rack unit, remove the rubber feet from the bottom of the
FortiGate unit.
The FortiGate unit can be placed on any flat surface, or mounted in a standard 19-
inch rack unit.
When placing the FortiGate unit on any flat, stable surface, ensure the unit has at
least 1.5 inches (3.75 cm) of clearance on each side to ensure adequate airflow
for cooling.
For rack mounting, use the mounting brackets and screws included with the
FortiGate unit.
Caution: Depending on the size of your FortiGate unit, avoid personal injury, you may
! require two or more people to install the unit in the rack.
2 Position the FortiGate unit in the rack to allow for sufficient air flow.
3 Line up the mounting bracket holes to the holes on the rack, ensuring the
FortiGate unit is level.
4 Finger tighten the screws to attach the FortiGate unit to the rack.
5 Once you verify the spacing of the FortiGate unit and that it is level, tighten the
screws with a screwdriver. Ensure that the screws are tight and not loose.
The following photos illustrate how the mounting brackets and FortiGate unit
should be attached to the rack.
Configuring
This section provides an overview of the operating modes of the FortiGate unit,
NAT/Route and Transparent, and how to configure the FortiGate unit for each
mode. There are two ways you can configure the FortiGate unit, using the
web-based manager or the command line interface (CLI). This section will step
through using both methods. Use whichever you are most comfortable with.
This section includes the following topics:
• NAT vs. Transparent mode
• Connecting to the FortiGate unit
• Verify the configuration
• Backing up the configuration
• Additional configuration
NAT mode
In NAT/Route mode, the FortiGate unit is visible to the network. Like a router, all
its interfaces are on different subnets.
In NAT mode, each port is on a different subnet, enabling you to have a single IP
address available to the public Internet. The FortiGate unit performs network
address translation before it sends and receives the packet to the destination
network.
In Route mode, there is no address translation.
Internal network
Internet 204.23.1.5 192.168.1.99
Router
192.168.1.20
NAT mode policies controlling
traffic between internal
and external networks.
You typically use NAT/Route mode when the FortiGate unit is operating as a
gateway between private and public networks. In this configuration, you would
create NAT mode firewall policies to control traffic flowing between the internal,
private network and the external, public network, usually the Internet.
Transparent mode
In Transparent mode, the FortiGate unit is invisible to the network. Similar to a
network bridge, all FortiGate interfaces must be on the same subnet. You only
have to configure a management IP address to make configuration changes. The
management IP address is also used for antivirus and attack definition updates.
Router 10.10.10.3
Transparent mode policies
controlling traffic between
internal and external networks.
You typically use the FortiGate unit in Transparent mode on a private network
behind an existing firewall or behind a router. The FortiGate unit performs firewall
functions, IPSec VPN, virus scanning, IPS web filtering, and Spam filtering.
To support a secure HTTPS authentication method, the FortiGate unit ships with a
self-signed security certificate, which is offered to remote clients whenever they
initiate a HTTPS connection to the FortiGate unit. When you connect, the
FortiGate unit displays two security warnings in a browser.
The first warning prompts you to accept and optionally install the FortiGate unit’s
self-signed security certificate. If you do not accept the certificate, the FortiGate
unit refuses the connection. If you accept the certificate, the FortiGate login page
appears. The credentials entered are encrypted before they are sent to the
FortiGate unit. If you choose to accept the certificate permanently, the warning is
not displayed again.
Just before the FortiGate login page is displayed, a second warning informs you
that the FortiGate certificate distinguished name differs from the original request.
This warning occurs because the FortiGate unit redirects the connection. This is
an informational message. Select OK to continue logging in.
4 Type admin in the Name field and select Login.
Note: The following procedure uses Microsoft Windows HypterTerminal software. You can
apply these steps to any terminal emulation program.
To configure interfaces
1 Go to System > Network > Interface.
2 Select the edit icon for an interface.
3 Set the Addressing Mode for the interface.
• For Manual addressing, enter the IP address and netmask for the interface.
• For DHCP addressing, select DHCP and complete the following:
Distance Enter the administrative distance, between 1 and 255 for the
default gateway retrieved from the DHCP server. The
administrative distance specifies the relative priority of a route
when there are multiple routes to the same destination. A
lower administrative distance indicates a more preferred route.
Retrieve default gateway Enable to retrieve a default gateway IP address from the
from server DHCP server. The default gateway is added to the static
routing table.
Override internal DNS Enable to use the DNS addresses retrieved from the DHCP
server instead of the DNS server IP addresses on the DNS
page on System > Network > Options. On FortiGate-100
units and lower, you should also enable Obtain DNS server
address automatically in System > Network > Options.
Username Enter the username for the PPPoE server. This may have
been provided by your ISP.
Password Enter the password for the PPPoE server for the above user
name.
Unnumbered Specify the IP address for the interface. If your ISP has
assigned you a block of IP addresses, use one of these IP
addresses. Alternatively, you can use, or borrow, the IP
address of a configured interface on the router. You may need
to do this to minimize the number of unique IP addresses
within your network.
If you are borrowing an IP address remember the interface
must be enabled, or up to function correctly.
Initial Disc Timeout Initial discovery timeout in seconds. The time to wait before
starting to retry a PPPoE discovery. To disable the discovery
timeout, set the value to 0.
Initial PADT Timeout Initial PPPoE Active Discovery Terminate (PADT) timeout in
seconds. Use this timeout to shut down the PPPoE session if it
is idle for this number of seconds. Your ISP must support
PADT. To disable the PADT timeout, set the value to 0.
Distance Enter the administrative distance, between 1 and 255 for the
default gateway retrieved from the DHCP server. The
administrative distance specifies the relative priority of a route
when there are multiple routes to the same destination. A
lower administrative distance indicates a more preferred route.
Retrieve default gateway Enable to retrieve a default gateway IP address from the
from server DHCP server. The default gateway is added to the static
routing table.
Override internal DNS Enable to use the DNS addresses retrieved from the DHCP
server instead of the DNS server IP addresses on the DNS
page on System > Network > Options. On FortiGate-100
units and lower, you should also enable Obtain DNS server
address automatically in System > Network > Options.
4 Select OK.
5 Repeat this procedure for each interface as required.
Note: If you change the IP address of the interface you are connecting to, you must
connect through a web browser again using the new address. Browse to https:// followed by
the new IP address of the interface. If the new IP address of the interface is on a different
subnet, you may have to change the IP address of your computer to the same subnet.
For an initial configuration, you must edit the factory configured static default route
to specify a different default gateway for the FortiGate unit. This will enable the
flow of data through the FortiGate unit.
For details on adding additional static routes, see the FortiGate Administration
Guide.
Note: If you change the IP address of the interface you are connecting to, you must
connect through a web browser again using the new address. Browse to https:// followed by
the new IP address of the interface. If the new IP address of the interface is on a different
subnet, you may have to change the IP address of your computer to the same subnet.
In the factory default configuration, entry number 1 in the Static Route list is
associated with a destination address of 0.0.0.0/0.0.0.0, which means any/all
destinations. This route is called the "static default route". If no other routes are
present in the routing table and a packet needs to be forwarded beyond the
FortiGate unit, the factory configured static default route causes the FortiGate unit
to forward the packet to the default gateway.
For an initial configuration, you must edit the factory configured static default route
to specify a different default gateway for the FortiGate unit. This will enable the
flow of data through the FortiGate unit.
For details on adding additional static routes, see the FortiGate Administration
Guide.
For the initial installation, a single firewall policy that enables all traffic through will
enable you to verify your configuration is working. On lower-end units such a
default firewall policy is already in place. For the higher end FortiGate units, you
will need to add a firewall policy.
The following steps add two policies that allows all traffic through the FortiGate
unit, to enable you to continue testing the configuration on the network.
Note that these policies allow all traffic through. No protection profiles have been
applied. Ensure you create additional firewall policies to accommodate your
network requirements.
Restoring a configuration
Should you need to restore the configuration file, use the following steps.
Additional configuration
With the FortiGate connected and allowing traffic to pass-through, there are a few
other configuration. While not mandatory, they will help in ensuring better control
with the firewall.
Note: If you choose the option Automatically adjust clock for daylight saving changes, the
system time must be manually adjusted after daylight savings time ends.
Configure FortiGuard
Configure the FortiGate unit to connect to the FortiGuard Distribution Network
(FDN) to update the antivirus, antispam and IPS attack definitions.
The FDN is a world wide network of FortiGuard Distribution Servers (FDS). When
the FortiGate unit connects to the FDN, it connects to the nearest FDS. To do this,
all FortiGate units are programmed with a list of FDS addresses sorted by nearest
time zone according to the time zone configured for the FortiGate unit.
Before you can begin receiving updates, you must register your FortiGate unit
from the Fortinet web page. For information about registering your FortiGate unit,
see “Register your FortiGate unit” on page 7.
Note: Updating antivirus definitions can cause a very short disruption in traffic currently
being scanned while the FortiGate unit applies the new signature database. Schedule
updates when traffic is light, for example overnight, to minimize any disruption.
Advanced configuration
The FortiGate unit and the FortiOS operating system provide a wide range of
features that enable you to control network and internet traffic and protect your
network. This chapter describes some of these options and how to configure
them.
This chapter includes
• Protection profiles
• Firewall policies
• Antivirus options
• AntiSpam options
• Web filtering
• Logging
Protection profiles
A protection profile is a group of settings you can adjust to suit your requirements
for network protection. Since protection profiles apply different protection settings
to traffic controlled by firewall policies, you can tailor the settings to the type of
traffic each policy handles.
Use protection profiles to configure:
• antivirus protection
• web filtering
• web category filtering
• spam filtering
• content archiving
• instant messaging filtering and access control
• P2P access and bandwidth control
• logging options for policies and configurations within the policies
• rate limiting for VoIP protocols.
Using protection profiles, you can customize types and levels of protection for
different firewall policies.
For example, while traffic between internal and external addresses might need
strict protection, traffic between trusted internal addresses might need moderate
protection. You can configure policies for different traffic services to use the same
or different protection profiles.
The FortiGate unit is preconfigured with four default protection profiles. In many
cases you can use these default protection profiles, or use them as a starting
point in creating your own.
Table 1: Default protection profiles
Strict Applies maximum protection to HTTP, FTP, IMAP, POP3, and SMTP traffic.
The strict protection profile may not be useful under normal circumstances but
it is available when maximum protection is required.
Scan Apply virus scanning to HTTP, FTP, IMAP, POP3, and SMTP traffic.
Web Apply virus scanning and web content blocking to HTTP traffic.
Unfiltered Apply no scanning, blocking or IPS. Use the unfiltered content profile if no
content protection for content traffic is required. Add this protection profile to
firewall policies for connections between highly trusted or highly secure
networks where content does not need to be protected.
The best way to begin creating your own protection profile is to open a predefined
profile. This way you can see how a profile is set up, and then modify it suit your
requirements. You access Protection profile options by going to Firewall >
Protection Profile, and selecting Edit for one of the predefined profiles.
Protection profiles are used by the firewall policies to determine how network and
Internet traffic is controlled, scanned and when necessary, rejected. The
Protection Profiles can be considered the rules of the firewall policy. Because of
this, you should take some time to review the various options to consider what you
want the firewall policies to do. If, after setting the protection profile and firewall
policies, traffic is not flowing or flowing too much, verify your profile settings.
The number of options and configuration for the protection profile is too vast for
this document. For details on each protection profile feature and setting, see the
FortiGate Administration Guide or the FortiGate Online Help.
Firewall policies
Firewall policies are instructions the FortiGate unit uses to decide what to do with
a connection request. When the firewall receives a connection request, it analyzes
it to extract its source address, destination address, and port number.
For the connection through the FortiGate unit to be successful, the source
address, destination address, and service of the connection must match a firewall
policy. The policy directs the firewall action for the connection. The action can be
to allow the connection, deny the connection, require authentication before the
connection is allowed, or process the packet as an IPSec VPN connection.
You can configure each firewall policy to route connections or apply network
address translation (NAT) to translate source and destination IP addresses and
ports. You also add protection profiles to firewall policies to apply different
protection settings for the traffic controlled by firewall policies.
The FortiGate unit matches firewall policies by searching from the top of the
firewall policy list and moving down until it finds the first match, then performs the
required address translation, blocking and so on described by the protection
profile, then passes on the packet information. This is important, because once
the FortiGate unit finds a match to a policy, it will not continue down the list. You
need to arrange policies in the policy list from more specific to more general.
For example, if you have two policies, one that blocks specific URLs or IP
addresses, and another general policy that lets traffic through. If you put the
general policy at the top, the FortiGate unit will act on the general policy, figuring
the policy has been matched and potentially let the URLs or IPs you wanted
blocked through.
Note: No traffic will flow through a FortiGate unit until at least one firewall policy is added.
Antivirus options
The FortiGate unit’s antivirus configuration prevents malicious files from entering
and infecting your network environment.
The FortiGate unit uses a number of processes to scan files to ensure unwanted
files and potential attackers do not get through. The FortiGate unit scans using
these antivirus options:
• File pattern - The FortiGate will check the file against the file pattern setting
you have configured. You can set which file names or file types the FortiGate
unit looks for in the incoming traffic.
• Virus scan - The virus definitions are kept up to date through the FortiNet
Distribution Network. The list is updated on a regular basis so you do not have
to wait for a firmware upgrade. Note that you must register the FortiGate unit to
and purchase FortiGuard services to use virus scanning through the FDN.
AntiSpam options
The FortiGate unit’s antispam feature detects unsolicited commercial email by
identifying spam email messages and spam transmissions from known or
suspected spam servers.
This feature requires a FortiGuard subscription and a registered FortiGate unit.
When the FortiGate unit receives an email message, it verifies with the FortiGuard
server whether it is a valid email or a spam message. FortiGuard Antispam is one
of the features designed to manage spam. FortiGuard is an antispam system from
Fortinet that includes an IP address black list, a URL black list, and spam filtering
tools. The FortiGuard Center accepts submission of spam email messages as well
as well as reports of false positives.
Depending on how you configure the FortiGate unit, the FortiGate unit will either
tag the message with text so you can easily identify the spam, or delete the
message before it reaches the recipient.
The FortiGate unit also enables you to create your own spam filters using banned
words and black/white lists.
Banned word lists are specific words that may be typically found in email. The
FortiGate unit searches for words or patterns in email messages. If matches are
found, values assigned to the words are totalled. If the defined threshold value is
exceeded, the message is marked as spam. If no match is found, the email
message is passed along to the next filter.
You configure banned words by going to Antispam > Banned Word.
While FortiGuard services maintain a large list of known spammers, it is not
perfect. In some cases, some mail tagged as spam is an individual you want to
receive mail from, while email that is not caught by the spam filters or users you
don’t want to receive email from gets through to your inbox.
White lists and black lists enable you to maintain a list of email addresses that you
want (white list) or don’t want (black list) to receive email from. You can add or
remove addresses from lists as required. The FortiGate unit uses both an IP
address list and an email address list to filter incoming email, if enabled in the
protection profile.
When performing an IP address list check, the FortiGate unit compares the IP
address of the message's sender to the IP address list in sequence. If a match is
found, the action associated with the IP address is taken. If no match is found, the
message is passed to the next enabled spam filter.
When performing an email list check, the FortiGate unit compares the email
address of the message's sender to the email address list in sequence. If a match
is found, the action associated with the email address is taken. If no match is
found, the message is passed to the next enabled antispam filter.
To configure black/white lists, go to AntiSpam > Black/White List.
You enable antispam options for each mail service (POP3, IMAP and SMTP) in
the protection profile. To configure antispam protection profile settings, go to
Firewall > Protection Profile. Select edit for a profile and select the Spam
Filtering options.
For details on the antispam features and settings, see the FortiGate
Administration Guide or the FortiGate Online Help.
Web filtering
Web filtering is a method of controlling what web sites are viewable by users.
There are three main sections to web filtering: the Web Filter Content Block, the
URL Filter, and the FortiGuard Web filter. Each interact with each other in such a
way as to provide maximum control and protection for the Internet users.
Web filtering options are enabled and configured in the protection profile settings
by going to Firewall > Protection Profile. Select edit for a profile and selecting
either the FortiGuard Web Filtering options or the Web Filtering options. You need
to register your FortiGate unit and purchase FortiGuard services to use
FortiGuard Web Filtering.
Content blocking enables you to specify file types and words that the FortiGate
unit should block when encountered. With web content block enabled, every
requested web page is checked against the content block list. The score value of
each pattern appearing on the page is added, and if the total is greater than the
threshold value set in the protection profile, the page is blocked.
Logging
Logging is an indirect method of protecting your network. The FortiGate unit’s
robust logging features enable you to see the attacks, spam and virus activity is
occurring on your network. Using this information, you can then take the corrective
action necessary to resolve any problems before they become major problems.
With alert email, you can configure the FortiGate unit to send alert messages,
when specific events occur with specific frequency. By logging to a FortiAnalyzer
unit, you can run over 300 reports on various network traffic.
To configure logging, go to Log&Report > Log Setting.
For details and configuration options for the logging features and settings, see the
FortiGate Administration Guide or the FortiGate Online Help.
FortiGate Firmware
Fortinet periodically updates the FortiGate firmware to include new features and
address issues. After you have registered your FortiGate unit, you can download
FortiGate firmware updates is available for download at the support web site,
http://support.fortinet.com.
You can also use the instructions in this chapter to downgrade, or revert, to a
previous version. The FortiGate unit includes a number of firmware installation
options that enables you to test new firmware without disrupting the existing
installation, and load it from different locations as required.
Only FortiGate admin user and administrators whose access profiles contain
system read and write privileges can change the FortiGate firmware.
This section includes the following topics:
• Downloading firmware
• Using the web-based manager
• Using the CLI
• Installing firmware from a system reboot using the CLI
• Testing new firmware before installing
Downloading firmware
Firmware images for all FortiGate units is available on the Fortinet Customer
Support web site. You must register your FortiGate unit to access firmware
images. Register the FortiGate unit by visiting http://support.fortinet.com and
select Product Registration.
To download firmware
1 Log into the site using your user name and password.
2 Go to Firmware Images > FortiGate.
3 Select the most recent FortiOS version, and MR release and patch release.
4 Locate the firmware for your FortiGate unit, right-click the link and select the
Download option for your browser.
Note: Always review the Release Notes for a new firmware release before installing. The
Release Notes can include information that is not available in the regular documentation.
Note: To use this procedure, you must log in using the admin administrator account, or an
administrator account that has system configuration read and write privileges.
Note: You can only save VPN certificates if you encrypt the file. Make sure the
configuration encryption is enabled so you can save the VPN certificates with the
configuration file. An encrypted file is ineffective if selected for the USB Auto-Install feature.
To backup configuration
1 Go to System > Maintenance > Backup and Restore.
2 Select USB Disk from the backup configuration to list.
3 Enter a file name for the configuration file.
4 Select Backup.
To restore configuration
1 Go to System > Maintenance > Backup and Restore.
2 Select USB Disk from the restore configuration from list.
3 Select a backup configuration file from the list.
4 Select Restore.
Note: You need an unencrypted configuration file for this feature. Also the default files,
image.out and system.conf, must be in the root directory of the USB key.
Note: Make sure at least FortiOS v3.0MR1 is installed on the FortiGate unit before
installing.
Note: To use this procedure, you must log in using the admin administrator account, or an
administrator account that has system configuration read and write privileges.
To use the following procedure, you must have a TFTP server the FortiGate unit
can connect to.
The FortiGate unit uploads the firmware image file. After the file uploads, a
message similar to the following appears:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
7 Type y.
The FortiGate unit reverts to the old firmware version, resets the configuration to
factory defaults, and restarts. This process takes a few minutes.
8 Reconnect to the CLI.
9 To restore your previous configuration, if needed, use the command:
execute restore config <name_str> <tftp_ip4>
10 Update antivirus and attack definitions using the command:
execute update-now.
5 To confirm the FortiGate unit can connect to the TFTP server, use the following
command to ping the computer running the TFTP server. For example, if the IP
address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.168
6 Enter the following command to restart the FortiGate unit.
execute reboot
The FortiGate unit responds with the following message:
This operation will reboot the system!
Do you want to continue? (y/n)
7 Type y.
As the FortiGate unit starts, a series of system startup messages appears. When
the following messages appears:
Press any key to display configuration menu..........
Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough,
the FortiGate unit reboots and you must log in and repeat the execute reboot
command.
If you successfully interrupt the startup process, the following messages appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default
firmware.
[H]: Display this list of options.
Enter G, F, Q, or H:
8 Type G to get to the new firmware image form the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
9 Type the address of the TFTP server and press Enter:
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type an IP address the FortiGate unit can use to connect to the TFTP server. The
IP address can be any IP address that is valid for the network the interface is
connected to. Make sure you do not enter the IP address of another device on this
network.
The following message appears:
Enter File Name [image.out]:
11 Enter the firmware image filename and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and a
message similar to the following appears:
Save as Default firmware/Backup firmware/Run image without
saving: [D/B/R]
12 Type D.
The FortiGate unit installs the new firmware image and restarts. The installation
might take a few minutes to complete.
Note: You can only save VPN certificates if you encrypt the file. Make sure the
configuration encryption is enabled so you can save the VPN certificates with the
configuration file. An encrypted file is ineffective if selected for the USB Auto-Install feature.
Note: You need an unencrypted configuration file for this feature. Also the default files,
image.out and system.conf, must be in the root directory of the USB key.
Note: Make sure at least FortiOS v3.0MR1 is installed on the FortiGate unit before
installing.
Note: If you are trying to delete a configuration file from the CLI command interface, and
the filename contains spaces, you will need quotations around the filename before you can
delete the file from the FortiUSB key.
If you successfully interrupt the startup process, the following messages appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default
firmware.
[H]: Display this list of options.
Enter G, F, Q, or H:
8 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
9 Type the address of the TFTP server and press Enter:
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type an IP address of the FortiGate unit to connect to the TFTP server.
The IP address must be on the same network as the TFTP server, but make sure
you do not use the IP address of another device on the network.
The following message appears:
Enter File Name [image.out]:
Index
A F
adding a default route 21, 24 firewall policies 22, 25, 34
additional resources 9 firmware
admin password 30 backup and restore from USB 46
air flow 11 download 39
ambient temperature 11 from system reboot 44
antispam options 36 installing 44
re-installing current version 46
antivirus options 35
restore from CLI 46
auto-install 41 restoring previous config 46
auto-install from CLI 46 revert from CLI 43
reverting with web-based manager 40
B testing before use 47
testing new firmware 47
backing up 29
upgrade from CLI 42
upgrade with web-based manager 39
C upgrading using the CLI 42
certificate, security 19 FortiGuard 31
CLI 19 Fortinet Knowledge Center 10
upgrading the firmware 42 further reading 9
configure
backup 29 G
DNS 21, 24, 26
FortiGuard 31 gateway 21, 24
interfaces 20, 23 grounding 12
restore 30
connecting H
to the CLI 19 humidity 11
web-based manager 18
conventions
document 8
I
typographic 9 Initial Disc Timeout 20
customer service 10 interface, configure 23
interface, configuring 20
D
date and time 30 K
default Knowledge Center 10
adding a route 21, 24
default route 21, 24 L
DHCP 23
DNS override 20 logging 38
document conventions 8
documentation 9 M
domain name server management IP 26
configure 26
domain name server, configure 21, 24 N
downloading firmware 39
NAT mode 17
E
O
earthing 12
execute shutdown 15 operating temperature 11
P T
PADT timeout 21 technical support 10
password, changing 30 TFTP server 44
power off 15 time and date 30
PPPoE 24 time zone 30
protection profiles 33 Transparent mode 18
switching to 26
R typographic conventions 9
registering 7
U
restore 30
restoring unnumbered IP 20
previous firmware configuration 46 update signatures 31
reverting firmware 40 updating
antivirus and IPS, web-based manager 31
S upgrading
firmware using the CLI 42
security certificate 19 USB 46
shielded twisted pair 12 auto-install 41, 46
shut down 15 CLI commands 47
signatures, update 31 key 41
static route 21, 25
system reboot, installing 44 W
web filtering 37
web-based manager 18
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies: