| Exhibit | Type | Size / note |
|---|---|---|
| users manual 1 | Users Manual | 1.67 MiB |
| users manual 2 | Users Manual | 1.73 MiB |
| | Test Report | |
| | Test Setup Photos | |
| | Cover Letter(s) | |
| | External Photos | |
| | ID Label/Location Info | native |
| | ID Label/Location Info | native |
| | Internal Photos | |
FortiWiFi-60 Installation and Configuration Guide

[Front panel illustration: INTERNAL, PWR, WLAN, ports 1 2 3 4, DMZ, WAN1, WAN2, each port with LINK and 100 indicators]

FortiWiFi User Manual, Volume 1, Version 2.50, 3 March 2004

Copyright 2003 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.

FortiGate-60 Installation and Configuration Guide, Version 2.50 MR2, 18 August 2003

Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.

Regulatory Compliance
This device complies with part 15 of the FCC rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

NOTE: The manufacturer is not responsible for any radio or TV interference caused by unauthorized modifications to this equipment. Such modifications could void the user's authority to operate the equipment.

please visit http://www.fortinet.com.

Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.

Table of Contents

Introduction  13
  Antivirus protection  14
  Web content filtering  14
  Email filtering  15
  Firewall  15
    NAT/Route mode  16
    Transparent mode  16
  Network intrusion detection  16
  VPN  16
  Secure installation, configuration, and management  17
    Web-based manager  17
    Command line interface  18
    Logging and reporting  19
  Document conventions  19
  Fortinet documentation  20
    Comments on Fortinet technical documentation  20
  Customer service and technical support  21

Getting started  23
  Warnings  23
  Package contents  24
  Mounting  24
  Powering on  25
  Connecting to the web-based manager  26
  Connecting to the command line interface (CLI)  27
  Factory default FortiWiFi configuration settings  28
    Factory default DHCP configuration  28
    Factory default NAT/Route mode network configuration  29
    Factory default Transparent mode network configuration  30
    Factory default firewall configuration  31
    Factory default content profiles  33
  Planning the FortiWiFi configuration  35
    NAT/Route mode  35
    Transparent mode  36
    Configuration options  37
  FortiGate model maximum values matrix  39
  Next steps  40

NAT/Route mode installation  41
  Installing the FortiWiFi unit using the default configuration  41
    Changing the default configuration  42
  Preparing to configure NAT/Route mode  42
    Advanced NAT/Route mode settings  43
    DMZ interface  44
    Wireless settings  44
  Using the setup wizard  44
    Starting the setup wizard  44
    Reconnecting to the web-based manager  44
  Using the command line interface  45
    Configuring the FortiWiFi unit to operate in NAT/Route mode  45
  Connecting the FortiWiFi unit to your networks  47
  Configuring your networks  48
  Completing the configuration  49
    Configuring the DMZ interface  49
    Configuring the WLAN interface  49
    Configuring the WAN2 interface  49
    Setting the date and time  50
    Changing antivirus protection  50
    Registering your FortiWiFi unit  50
    Configuring virus and attack definition updates  50
  Configuration example: Multiple connections to the Internet  51
    Configuring Ping servers  52
    Destination based routing examples  53
    Policy routing examples  56
    Firewall policy example  57

Transparent mode installation  59
  Preparing to configure Transparent mode  59
    Wireless settings  59
  Using the setup wizard  60
    Changing to Transparent mode  60
    Starting the setup wizard  60
    Reconnecting to the web-based manager  60
  Using the command line interface  61
    Changing to Transparent mode  61
    Configuring the Transparent mode management IP address  61
    Configure the Transparent mode default gateway  61
    Configuring wireless settings  62
  Connecting the FortiWiFi unit to your networks  62
  Wireless configuration  63
  Completing the configuration  63
    Setting the date and time  64
    Enabling antivirus protection  64
    Registering your FortiWiFi  64
    Configuring virus and attack definition updates  64
  Transparent mode configuration examples  65
    Default routes and static routes  65
    Example default route to an external network  66
    Example static route to an external destination  67
    Example static route to an internal destination  70

System status  73
  Changing the FortiWiFi host name  74
  Changing the FortiWiFi firmware  74
    Upgrading to a new firmware version  74
    Reverting to a previous firmware version  76
    Installing firmware images from a system reboot using the CLI  79
    Testing a new firmware image before installing it  81
  Manual virus definition updates  82
  Manual attack definition updates  83
  Displaying the FortiWiFi serial number  84
  Displaying the FortiWiFi up time  84
  Backing up system settings  84
  Restoring system settings  84
  Restoring system settings to factory defaults  85
  Changing to Transparent mode  85
  Changing to NAT/Route mode  86
  Restarting the FortiWiFi unit  86
  Shutting down the FortiWiFi unit  86
  System status  87
    Viewing CPU and memory status  87
    Viewing sessions and network status  88
    Viewing virus and intrusions status  89
  Session list  90

Virus and attack definitions updates and registration  93
  Updating antivirus and attack definitions  93
    Connecting to the FortiResponse Distribution Network  94
    Manually initiating antivirus and attack definitions updates  95
    Configuring update logging  96
  Scheduling updates  96
    Enabling scheduled updates  96
    Adding an override server  97
    Enabling scheduled updates through a proxy server  98
  Enabling push updates  98
    Enabling push updates  99
    Push updates when FortiWiFi IP addresses change  99
    Enabling push updates through a NAT device  100
  Registering FortiGate and FortiWiFi units  104
    FortiCare Service Contracts  104
    Registering the FortiWiFi unit  105
  Updating registration information  107
    Recovering a lost Fortinet support password  107
    Viewing the list of registered FortiGate and FortiWiFi units  107
    Registering a new FortiWiFi unit  108
    Adding or changing a FortiCare Support Contract number  108
    Changing your Fortinet support password  109
    Changing your contact information or security question  109
    Downloading virus and attack definitions updates  110
  Registering a FortiWiFi unit after an RMA  110

Network configuration  113
  Configuring interfaces  113
    Viewing the interface list  114
    Changing the administrative status of an interface  114
    Configuring an interface with a manual IP address  114
    Configuring an interface for DHCP  115
    Configuring an interface for PPPoE  116
    Adding a secondary IP address to an interface  116
    Adding a ping server to an interface  117
    Controlling administrative access to an interface  117
    Changing the MTU size to improve network performance  118
    Configuring traffic logging for connections to an interface  118
    Configuring the management interface in Transparent mode  119
    Wireless configuration  120
  Adding DNS server IP addresses  122
  Configuring routing  122
    Adding a default route  122
    Adding destination-based routes to the routing table  123
    Adding routes in Transparent mode  124
    Configuring the routing table  124
    Policy routing  125
  Configuring DHCP services  126
    Configuring a DHCP relay agent  126
    Configuring a DHCP server  127
  Configuring the modem interface  129
    Connecting a modem to the FortiWiFi unit  130
    Configuring modem settings  130
    Connecting to a dialup account  131
    Disconnecting the modem  131
    Viewing modem status  131
    Backup mode configuration  132
    Standalone mode configuration  132
    Adding firewall policies for modem connections  133

RIP configuration  135
  RIP settings  135
  Configuring RIP for FortiWiFi interfaces  137
  Adding RIP filters  139
    Adding a RIP filter list  139
    Assigning a RIP filter list to the neighbors filter  140
    Assigning a RIP filter list to the incoming filter  140
    Assigning a RIP filter list to the outgoing filter  141

System configuration  143
  Setting system date and time  143
  Changing system options  144
  Adding and editing administrator accounts  145
    Adding new administrator accounts  146
    Editing administrator accounts  146
  Configuring SNMP  147
    Configuring the FortiWiFi unit for SNMP monitoring  148
    Configuring FortiWiFi SNMP support  148
    FortiWiFi MIBs  150
    FortiWiFi traps  151
    Fortinet MIB fields  152
  Replacement messages  155
    Customizing replacement messages  155
    Customizing alert emails  156

Firewall configuration  159
  Default firewall configuration  160
    Interfaces  161
    Addresses  161
    Services  161
    Schedules  162
    Content profiles  162
  Adding firewall policies  162
    Firewall policy options  163
  Configuring policy lists  167
    Policy matching in detail  167
    Changing the order of policies in a policy list  168
    Enabling and disabling policies  168
  Addresses  169
    Adding addresses  169
    Editing addresses  170
    Deleting addresses  170
    Organizing addresses into address groups  171
  Services  172
    Predefined services  172
    Adding custom TCP and UDP services  174
    Adding custom ICMP services  175
    Adding custom IP services  175
    Grouping services  176
  Schedules  177
    Creating one-time schedules  177
    Creating recurring schedules  178
    Adding schedules to policies  179
  Virtual IPs  180
    Adding static NAT virtual IPs  180
    Adding port forwarding virtual IPs  182
    Adding policies with virtual IPs  184
  IP pools  184
    Adding an IP pool  185
    IP Pools for firewall policies that use fixed ports  185
    IP pools and dynamic NAT  185
  IP/MAC binding  186
    Configuring IP/MAC binding for packets going through the firewall  186
    Configuring IP/MAC binding for packets going to the firewall  187
    Adding IP/MAC addresses  188
    Viewing the dynamic IP/MAC list  188
    Enabling IP/MAC binding  188
  Content profiles  189
    Default content profiles  190
    Adding content profiles  190
    Adding content profiles to policies  192

Users and authentication  193
  Setting authentication timeout  194
  Adding user names and configuring authentication  194
    Adding user names and configuring authentication  194
    Deleting user names from the internal database  195
  Configuring RADIUS support  196
    Adding RADIUS servers  196
    Deleting RADIUS servers  196
  Configuring LDAP support  197
    Adding LDAP servers  197
    Deleting LDAP servers  198
  Configuring user groups  199
    Adding user groups  199
    Deleting user groups  200

IPSec VPN  201
  Key management  202
    Manual Keys  202
    Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates  202
  Manual key IPSec VPNs  203
    General configuration steps for a manual key VPN  203
    Adding a manual key VPN tunnel  203
  AutoIKE IPSec VPNs  205
    General configuration steps for an AutoIKE VPN  205
    Adding a phase 1 configuration for an AutoIKE VPN  205
    Adding a phase 2 configuration for an AutoIKE VPN  210
  Managing digital certificates  212
    Obtaining a signed local certificate  212
    Obtaining CA certificates  214
  Configuring encrypt policies  215
    Adding a source address  216
    Adding a destination address  216
    Adding an encrypt policy  217
  IPSec VPN concentrators  218
    VPN concentrator (hub) general configuration steps  219
    Adding a VPN concentrator  220
    VPN spoke general configuration steps  221
  Monitoring and Troubleshooting VPNs  223
    Viewing VPN tunnel status  223
    Viewing dialup VPN connection status  223
    Testing a VPN  224

PPTP and L2TP VPN  225
  Configuring PPTP  225
    Configuring the FortiWiFi unit as a PPTP gateway  225
    Configuring a Windows 98 client for PPTP  228
    Configuring a Windows 2000 client for PPTP  229
    Configuring a Windows XP client for PPTP  229
  Configuring L2TP  231
    Configuring the FortiWiFi unit as an L2TP gateway
231 Configuring a Windows 2000 client for L2TP.............................................................. 233 Configuring a Windows XP client for L2TP ................................................................. 235 Network Intrusion Detection System (NIDS) ................................................... 237 Detecting attacks ............................................................................................................ 237 Selecting the interfaces to monitor.............................................................................. 238 Disabling monitoring interfaces................................................................................... 238 Configuring checksum verification .............................................................................. 238 Viewing the signature list ............................................................................................ 239 Viewing attack descriptions......................................................................................... 239 Disabling NIDS attack signatures ............................................................................... 240 Adding user-defined signatures .................................................................................. 240 Preventing attacks .......................................................................................................... 242 Enabling NIDS attack prevention ................................................................................ 242 Enabling NIDS attack prevention signatures .............................................................. 242 Setting signature threshold values.............................................................................. 242 Logging attacks............................................................................................................... 244 Logging attack messages to the attack log................................................................. 
244 Reducing the number of NIDS attack log and email messages.................................. 244 Antivirus protection........................................................................................... 247 General configuration steps............................................................................................ 247 Antivirus scanning........................................................................................................... 248 File blocking.................................................................................................................... 249 Blocking files in firewall traffic ..................................................................................... 249 Adding file patterns to block........................................................................................ 249 Blocking oversized files and emails ................................................................................ 250 Configuring limits for oversized files and email........................................................... 250 Exempting fragmented email from blocking.................................................................... 250 Viewing the virus list ....................................................................................................... 251 Web filtering ....................................................................................................... 253 General configuration steps............................................................................................ 253 Content blocking ............................................................................................................. 254 Adding words and phrases to the Banned Word list ................................................... 254 Clearing the Banned Word list .................................................................................... 
255 Backing up the Banned Word list................................................................................ 255 Restoring the Banned Word list .................................................................................. 256 URL blocking................................................................................................................... 257 Configuring FortiWiFi Web URL blocking ................................................................... 257 Configuring FortiWiFi Web pattern blocking ............................................................... 259 10 Fortinet Inc. Contents Configuring Cerberian URL filtering................................................................................ 260 Installing a Cerberian license key ............................................................................... 260 Adding a Cerberian user ............................................................................................. 260 Configuring Cerberian web filter ................................................................................. 261 Enabling Cerberian URL filtering ................................................................................ 262 Script filtering .................................................................................................................. 262 Enabling script filtering................................................................................................ 262 Selecting script filter options ....................................................................................... 262 Exempt URL list .............................................................................................................. 263 Adding URLs to the URL Exempt list .......................................................................... 263 Downloading the URL Exempt List ............................................................................. 
264 Uploading a URL Exempt List..................................................................................... 264 Email filter........................................................................................................... 267 General configuration steps............................................................................................ 267 Email banned word list.................................................................................................... 268 Adding words and phrases to the email banned word list........................................... 268 Downloading the email banned word list .................................................................... 269 Uploading the email banned word list ......................................................................... 269 Email block list ................................................................................................................ 270 Adding address patterns to the email block list........................................................... 270 Downloading the email block list................................................................................. 270 Uploading an email block list ...................................................................................... 271 Email exempt list............................................................................................................. 271 Adding address patterns to the email exempt list ....................................................... 272 Adding a subject tag ....................................................................................................... 272 Logging and reporting....................................................................................... 273 Recording logs................................................................................................................ 
273 Recording logs on a remote computer........................................................................ 274 Recording logs on a NetIQ WebTrends server ........................................................... 274 Recording logs in system memory.............................................................................. 275 Log message levels .................................................................................................... 275 Filtering log messages.................................................................................................... 276 Configuring traffic logging ............................................................................................... 277 Enabling traffic logging................................................................................................ 278 Configuring traffic filter settings................................................................................... 278 Adding traffic filter entries ........................................................................................... 279 Viewing logs saved to memory ....................................................................................... 280 Viewing logs................................................................................................................ 280 Searching logs ............................................................................................................ 280 FortiWiFi-60 Installation and Configuration Guide 11 Contents Configuring alert email.................................................................................................... 281 Adding alert email addresses...................................................................................... 281 Testing alert email....................................................................................................... 
282 Enabling alert email .................................................................................................... 282 Glossary ............................................................................................................. 283 Index .................................................................................................................... 287 12 Fortinet Inc. FortiWiFi-60 Installation and Configuration Guide Version 2.50 Introduction FortiGate and FortiWiFi Antivirus Firewalls support network-based deployment of application-level services, including antivirus protection and full-scan content filtering. FortiGate and FortiWiFi Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. FortiGate and FortiWiFi Antivirus Firewalls are ICSA-certified for firewall, IPSec, and antivirus services. The FortiWiFi-60 Antivirus Firewall is a dedicated easily managed security device that delivers a full suite of capabilities that include:
• application-level services such as virus protection and content filtering,
• network-level services such as firewall, intrusion detection, VPN, and traffic shaping.

The FortiWiFi-60 Antivirus Firewall uses Fortinet's Accelerated Behavior and Content Analysis System (ABACAS) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real time, enabling key applications to be deployed right at the network edge, where they are most effective at protecting your networks. The FortiWiFi series complements existing solutions, such as host-based antivirus protection, and enables new applications and services while greatly lowering costs for equipment, administration, and maintenance.

The FortiWiFi-60 model is ideally suited for small businesses, remote offices, retail stores, and broadband telecommuter sites. The FortiWiFi-60 Antivirus Firewall features dual WAN link support for redundant internet connections, and an integrated 4-port switch that eliminates the need for an external hub or switch. Networked devices connect directly to the FortiWiFi-60 unit.

The FortiWiFi-60 provides a secure wireless LAN solution that combines mobility and flexibility with the enterprise-class FortiWiFi Antivirus Firewall features. The FortiWiFi is a Wi-Fi certified wireless LAN transceiver that uses two mini-PCI radios that are IEEE 802.11b and IEEE 802.11g compliant and that can be upgraded to future radio technologies. The FortiWiFi serves as the connection point between wireless and wired networks or as the center point of a stand-alone wireless network. FortiWiFi-60 security features include WEP, VPN over the wireless network, and firewall policies that can include user authentication to control access.

Antivirus protection

FortiWiFi ICSA-certified antivirus protection scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content as it passes through the FortiWiFi unit. If a virus is found, antivirus protection removes the file containing the virus from the content stream and forwards a replacement message to the intended recipient.

For extra protection, you can configure antivirus protection to block specified file types from passing through the FortiWiFi unit. You can use this feature to stop files that might contain new viruses.

If the FortiWiFi unit contains a hard disk, infected or blocked files can be quarantined. The FortiWiFi administrator can download quarantined files so that they can be virus scanned, cleaned, and forwarded to the intended recipient. You can also configure the FortiWiFi unit to automatically delete quarantined files after a specified time.

The FortiWiFi unit can send email alerts to system administrators when it detects and removes a virus from a content stream. The web and email content can be in normal network traffic or encrypted IPSec VPN traffic.

ICSA Labs has certified that FortiGate and FortiWiFi Antivirus Firewalls:
• detect 100% of the viruses listed in the current In The Wild List (www.wildlist.org),
• detect viruses in compressed files using the PKZip format,
• detect viruses in email that has been encoded using uuencode format,
• detect viruses in email that has been encoded using MIME encoding,
• log all actions taken while scanning.

Web content filtering

Web content filtering can scan all HTTP content protocol streams for URLs or web page content. If a URL matches an entry on the URL block list, or a web page contains a word or phrase that is in the content block list, the FortiWiFi unit blocks the web page. The blocked web page is replaced with a message that you can edit using the FortiWiFi web-based manager.

You can configure URL blocking to block all or some of the pages on a web site. Using this feature, you can deny access to parts of a web site without denying access to it completely.

To prevent unintentionally blocking legitimate web pages, you can add URLs to an exempt list that overrides the URL blocking and content blocking lists.

Web content filtering also includes a script filter feature that can block unsecure web content such as Java applets, cookies, and ActiveX.

You can use Cerberian URL blocking to block unwanted URLs.

Email filtering

Email filtering can scan all IMAP and POP3 email content for unwanted senders or unwanted content. If a sender address matches a pattern on the email block list, or an email contains a word or phrase in the banned word list, the FortiWiFi unit adds an email tag to the subject line of the email. The recipient can use the mail client software to filter messages based on the email tag.

You can configure email blocking to tag email from all or some senders within organizations that are known to send spam email. To prevent unintentionally tagging email from legitimate senders, you can add sender address patterns to an exempt list that overrides the email block and banned word lists.
Firewall

The FortiWiFi ICSA-certified firewall protects your computer networks from Internet threats. ICSA has granted FortiWiFi firewalls version 4.0 firewall certification, providing assurance that FortiWiFi firewalls successfully screen and secure corporate networks against a range of threats from public or other untrusted networks.

After basic installation of the FortiWiFi unit, the firewall allows users on the protected network to access the Internet while blocking Internet access to internal networks. You can configure the firewall to put controls on access to the Internet from the protected networks and to allow controlled access to internal networks.

FortiWiFi policies include a range of options that:
• control all incoming and outgoing network traffic,
• control encrypted VPN traffic,
• apply antivirus protection and web content filtering,
• block or allow access for all policy options,
• control when individual policies are in effect,
• accept or deny traffic to and from individual addresses,
• control standard and user-defined network services individually or in groups,
• require users to authenticate before gaining access,
• include traffic shaping to set access priorities and guarantee or limit bandwidth for each policy,
• include logging to track connections for individual policies,
• include Network Address Translation (NAT) mode and Route mode policies,
• include mixed NAT and Route mode policies.

The FortiWiFi firewall can operate in NAT/Route mode or Transparent mode.

NAT/Route mode

In NAT/Route mode, you can create NAT mode policies and Route mode policies. NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network. Route mode policies accept or deny connections between networks without performing address translation.

Transparent mode

Transparent mode provides the same basic firewall protection as NAT mode. Packets that the FortiWiFi unit receives are forwarded or blocked according to firewall policies. The FortiWiFi unit can be inserted in the network at any point without having to make changes to your network or its components. However, VPN and some advanced firewall features are available only in NAT/Route mode.

Network intrusion detection

The FortiWiFi Network Intrusion Detection System (NIDS) is a real-time network intrusion detection sensor that detects and prevents a variety of suspicious network activity. NIDS uses attack signatures to identify more than 1000 attacks. You can enable and disable the attacks that the NIDS detects. You can also write user-defined attack detection signatures.
NIDS prevention detects and prevents many common denial of service and packet-based attacks. You can enable and disable prevention attack signatures and customize attack signature thresholds and other parameters.

To notify system administrators of the attack, the NIDS records the attack and any suspicious traffic to the attack log, and can be configured to send alert emails.

Fortinet updates NIDS attack definitions periodically. You can download and install updated attack definitions manually, or you can configure the FortiWiFi unit to automatically check for and download attack definition updates.

VPN

Using FortiWiFi virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network.

VPN features include the following:
• IPSec, ESP security in tunnel mode,
• IPSec VPN using local or CA certificates,
• Industry standard and ICSA-certified IPSec VPN, including:
  • DES, 3DES (triple-DES), and AES hardware accelerated encryption,
  • HMAC MD5 and HMAC SHA1 authentication and data integrity,
  • AutoIKE key based on pre-shared key tunnels,
  • Manual Keys tunnels,
  • Diffie-Hellman groups 1, 2, and 5,
  • Aggressive and Main Mode,
  • Replay Detection,
  • Perfect Forward Secrecy,
  • XAuth authentication,
  • Dead peer detection.
• PPTP for easy connectivity with the VPN standard supported by the most popular operating systems.
• L2TP for easy connectivity with a more secure VPN standard, also supported by many popular operating systems.
• Firewall policy based control of IPSec VPN traffic.
• IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT can connect to an IPSec VPN tunnel.
• VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to another through the FortiWiFi unit.
• IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a remote network.

Secure installation, configuration, and management

The first time you power on the FortiWiFi unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the Setup wizard to customize FortiWiFi IP addresses for your network, and the FortiWiFi unit is ready to protect your network. You can then use the web-based manager to customize advanced FortiWiFi features. You can also create a basic configuration using the FortiWiFi command line interface (CLI).

Web-based manager

Using HTTP or a secure HTTPS connection from any computer running Internet Explorer, you can configure and manage the FortiWiFi unit. The web-based manager supports multiple languages. You can configure the FortiWiFi unit for HTTP and HTTPS administration from any FortiWiFi interface.

You can use the web-based manager to configure most FortiWiFi settings. You can also use the web-based manager to monitor the status of the FortiWiFi unit. Configuration changes made using the web-based manager are effective immediately without resetting the firewall or interrupting service. Once you are satisfied with a configuration, you can download and save it. The saved configuration can be restored at any time.

Figure 1: The FortiWiFi web-based manager and setup wizard

Command line interface

You can access the FortiWiFi command line interface (CLI) by connecting a management computer serial port to the FortiWiFi RS-232 serial console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network that is connected to the FortiWiFi unit, including the Internet. The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options that are not available from the web-based manager. This Installation and Configuration Guide contains information about basic and advanced CLI commands. For a more complete description of connecting to and using the FortiWiFi CLI, see the FortiGate CLI Reference Guide.

Logging and reporting

The FortiWiFi unit supports logging for various categories of traffic and configuration changes. You can configure logging to:
• report traffic that connects to the firewall,
• report network services used,
• report traffic that was permitted by firewall policies,
• report traffic that was denied by firewall policies,
• report events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks, and web page blocking,
• report attacks detected by the NIDS,
• send alert email to system administrators to report virus incidents, intrusions, and firewall or VPN events or violations.

Logs can be sent to a remote syslog server or a WebTrends NetIQ Security Reporting Center and Firewall Suite server using the WebTrends enhanced log format. Some models can also save logs to an optional internal hard drive. If a hard drive is not installed, you can configure most FortiWiFi units to log the most recent events and attacks detected by the NIDS to the system memory.

Document conventions

This guide uses the following conventions to describe CLI command syntax.

• angle brackets < > to indicate variable keywords
  For example:
    execute restore config <filename_str>
  You enter restore config myfile.bak
  <xxx_str> indicates an ASCII string variable keyword.
  <xxx_integer> indicates an integer variable keyword.
  <xxx_ip> indicates an IP address variable keyword.

• vertical bar and curly brackets {|} to separate alternative, mutually exclusive required keywords
  For example:
    set system opmode {nat | transparent}
  You can enter set system opmode nat or set system opmode transparent

• square brackets [ ] to indicate that a keyword is optional
  For example:
    get firewall ipmacbinding [dhcpipmac]
  You can enter get firewall ipmacbinding or get firewall ipmacbinding dhcpipmac

Fortinet documentation

Information about FortiGate and FortiWiFi products is available from the following User Manual volumes:
Volume 1: FortiWiFi-60 Installation and Configuration Guide
Describes installation and basic configuration for the FortiWiFi unit. Also describes how to use FortiWiFi firewall policies to control traffic flow through the FortiWiFi unit and how to use firewall policies to apply antivirus protection, web content filtering, and email filtering to HTTP, FTP, and email content passing through the FortiWiFi unit.

Volume 2: FortiGate VPN Guide
Contains in-depth information about FortiGate IPSec VPN using certificates, pre-shared keys and manual keys for encryption. Also contains basic configuration information for the Fortinet Remote VPN Client, detailed configuration information for FortiGate PPTP and L2TP VPN, and VPN configuration examples.

Volume 3: FortiGate Content Protection Guide
Describes how to configure antivirus protection, web content filtering, and email filtering to protect content as it passes through the FortiGate unit.

Volume 4: FortiGate NIDS Guide
Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks.

Volume 5: FortiGate Logging and Message Reference Guide
Describes how to configure FortiGate logging and alert email. Also contains the FortiGate log message reference.

Volume 6: FortiGate CLI Reference Guide
Describes the FortiGate CLI and contains a reference to all FortiGate CLI commands.

The FortiWiFi online help also contains procedures for using the FortiWiFi web-based manager to configure and manage the FortiWiFi unit.

Comments on Fortinet technical documentation

You can send information about errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.

Customer service and technical support

For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.

You can also register FortiWiFi Antivirus Firewalls from http://support.fortinet.com and change your registration information at any time.

Fortinet email support is available from the following addresses:

amer_support@fortinet.com    For customers in the United States, Canada, Mexico, Latin America and South America.
apac_support@fortinet.com    For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia.
eu_support@fortinet.com      For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East.

For information on Fortinet telephone support, see http://support.fortinet.com.

When requesting technical support, please provide the following information:
• Your name
• Company name
• Location
• Email address
• Telephone number
• FortiWiFi unit serial number
• FortiWiFi model
• FortiWiFi FortiOS firmware version
• Detailed description of the problem

Getting started

This chapter describes unpacking, setting up, and powering on a FortiWiFi Antivirus Firewall unit. When you have completed the procedures in this chapter, you can proceed to one of the following:
• If you are going to operate the FortiWiFi unit in NAT/Route mode, go to NAT/Route mode installation on page 41.
• If you are going to operate the FortiWiFi unit in Transparent mode, go to Transparent mode installation on page 59.

This chapter describes:
• Warnings
• Package contents
• Mounting
• Powering on
• Connecting to the web-based manager
• Connecting to the command line interface (CLI)
• Factory default FortiWiFi configuration settings
• Planning the FortiWiFi configuration
• FortiGate model maximum values matrix
• Next steps

Warnings
Caution: To comply with FCC radio frequency (RF) exposure limits, dipole antennas should be located at a minimum of 7.9 inches (20 cm) or more from the body of all persons.

Caution: Do not operate a wireless network device near unshielded blasting caps or in an explosive environment unless the device has been modified to be especially qualified for such use.

Package contents

The FortiWiFi-60 package contains the following items:
• FortiWiFi-60 Antivirus Firewall
• one orange crossover ethernet cable
• one gray regular ethernet cable
• one null modem cable
• FortiWiFi-60 Quick Start Guide
• CD containing the FortiGate and FortiWiFi user documentation
• one power cable and AC adapter

Figure 2: FortiWiFi-60 package contents
[Figure showing the front and back of the FortiWiFi-60. Front: Power LED, WLAN LED, and LINK/100 LEDs for the Internal interface (switch connectors 1, 2, 3, 4), DMZ, WAN1 and WAN2 interfaces. Back: DC +12V power connection, RS-232 serial console connection, USB port, and the WAN2, WAN1, DMZ and Internal interfaces. Also shown: the ethernet cables (orange = crossover, grey = straight-through), the null-modem (RS-232) cable, the power cable and power supply, and the documentation (Quick Start Guide and CD).]

Mounting

The FortiWiFi-60 unit can be installed on any stable surface. Make sure that the appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and cooling.

Dimensions: 8.63 x 6.13 x 1.38 in. (21.9 x 15.6 x 3.5 cm)
Weight: 1.5 lb. (0.68 kg)
Power requirements: DC input voltage 12 V; DC input current 3 A
Environmental specifications: operating temperature 32 to 104°F (0 to 40°C); storage temperature -13 to 158°F (-25 to 70°C); humidity 5 to 95% non-condensing
Wireless connectivity: antenna type dual external fixed antenna; antenna range 802.11b/g, 2.4 GHz; antenna gain 5 dBi

Basic WiFi installation guidelines

Because the FortiWiFi-60 is a radio device, it is susceptible to common causes of interference that can reduce throughput and range. Follow these basic guidelines to ensure the best possible performance:
• Install the access point in an area where large steel structures such as shelving units, bookcases, and filing cabinets do not block the radio signals to and from the access point.
• Install the access point away from microwave ovens. Microwave ovens operate on the same frequency as the access point and can cause signal interference.

Powering on

To power on the FortiWiFi-60 unit
1. Connect the AC adapter to the power connection at the back of the FortiWiFi-60 unit.
2. Connect the AC adapter to the power cable.
3. Connect the power cable to a power outlet.
The FortiWiFi-60 unit starts. The Power and WAN LEDs light.

Table 1: FortiWiFi-60 LED indicators
LED                                State           Description
Power                              Green           The FortiWiFi unit is powered on.
                                   Off             The FortiWiFi unit is powered off.
WAN                                Green           Traffic on WAN link.
Link (Internal, DMZ, WAN1, WAN2)   Green           The correct cable is in use and the connected equipment has power.
                                   Flashing Green  Network activity at this interface.
                                   Off             No link established.
100 (Internal, DMZ, WAN1, WAN2)    Green           The interface is connected at 100 Mbps.

Connecting to the web-based manager

Use the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately without resetting the firewall or interrupting service.

To connect to the web-based manager, you need:
• a computer with an ethernet connection,
• an ethernet cable, a crossover cable, or an ethernet hub and two ethernet cables,
• Internet Explorer version 4.0 or higher.

Note: You can use the web-based manager with recent versions of most popular web browsers. The web-based manager is fully supported for Internet Explorer version 4.0 or higher.

To connect to the web-based manager
1. Set the IP address of the computer with an ethernet connection to the static IP address 192.168.1.2 and a netmask of 255.255.255.0. You can also configure the management computer to obtain an IP address automatically using DHCP. The FortiWiFi DHCP server assigns the management computer an IP address in the range 192.168.1.1 to 192.168.1.254.
2. Using the ethernet cable, connect the internal interface of the FortiWiFi unit to the computer ethernet connection.
3. Start Internet Explorer and browse to the address https://192.168.1.99 (remember to include the s in https://). The FortiWiFi login is displayed.
4. Type admin in the Name field and select Login. The Register Now window is displayed. Use the information in this window to register your FortiWiFi unit so that Fortinet can contact you for firmware updates. You must also register to receive updates to the FortiWiFi virus and attack definitions.

Figure 3: FortiWiFi login
[Figure: the FortiWiFi login window.]

Connecting to the command line interface (CLI)

As an alternative to the web-based manager, you can install and configure the FortiWiFi unit using the CLI. Configuration changes made with the CLI are effective immediately without resetting the firewall or interrupting service.

To connect to the FortiWiFi CLI, you need:
• a computer with an available communications port,
• the null modem cable included in your FortiWiFi package,
• terminal emulation software such as HyperTerminal for Windows.

Note: The following procedure describes how to connect to the CLI using Windows HyperTerminal software. You can use any terminal emulation program.

To connect to the CLI
1. Connect the null modem cable to the communications port of your computer and to the FortiWiFi Console port.
2. Make sure that the FortiWiFi unit is powered on.
3. Start HyperTerminal, enter a name for the connection, and select OK.
4. Configure HyperTerminal to connect directly to the communications port on the computer to which you have connected the null modem cable and select OK.
5. Select the following port settings and select OK.
   Bits per second: 9600
   Data bits: 8
   Parity: None
   Stop bits: 1
   Flow control: None
6. Press Enter to connect to the FortiWiFi CLI. The following prompt is displayed:
   FortiWiFi-60 login:
7. Type admin and press Enter twice. The following prompt is displayed:

Type ? for a list of commands. For information about how to use the CLI, see the FortiGate CLI Reference Guide.

Factory default FortiWiFi configuration settings

The FortiWiFi unit is shipped with a factory default configuration. The default configuration allows you to connect to and use the FortiWiFi web-based manager to configure the FortiWiFi unit onto the network. To configure the FortiWiFi unit onto the network you add an administrator password, change network interface IP addresses, add DNS server IP addresses, and configure routing, if required.

If you plan to operate the FortiWiFi unit in Transparent mode, you can switch to Transparent mode from the factory default configuration and then configure the FortiWiFi unit onto the network in Transparent mode.

Once the network configuration is complete, you can perform additional configuration tasks such as setting system time, configuring virus and attack definition updates, and registering the FortiWiFi unit.

The factory default firewall configuration includes a single network address translation (NAT) policy that allows users on your internal network to connect to the external network, and stops users on the external network from connecting to the internal network. You can add more policies to provide more control of the network traffic passing through the FortiWiFi unit.

The factory default content profiles can be used to apply different levels of antivirus protection, web content filtering, and email filtering to the network traffic that is controlled by firewall policies.

This section describes:
• Factory default DHCP configuration
• Factory default NAT/Route mode network configuration
• Factory default Transparent mode network configuration
• Factory default firewall configuration
• Factory default content profiles

Factory default DHCP configuration

When the FortiWiFi unit is first powered on, the WAN1 interface is configured to receive its IP address by connecting to a DHCP server. If your ISP provides IP addresses using DHCP, no other configuration is required for this interface.

The FortiWiFi unit can also function as a DHCP server for your internal network. You can configure the TCP/IP settings of the computers on your internal network to obtain an IP address automatically from the FortiWiFi unit DHCP server. For more information about the FortiWiFi DHCP server, see Configuring DHCP services on page 126.

Table 2: FortiWiFi Internal interface DHCP Server default configuration
Enable DHCP:     selected
Starting IP:     192.168.1.101
Ending IP:       192.168.1.200
Netmask:         255.255.255.0
Lease Duration:  7 days
Default Route:   192.168.1.99
DNS IP:          192.168.1.99
WINS IP:         192.168.1.99

Table 3: FortiWiFi WLAN interface DHCP Server default configuration
Enable DHCP:     selected
Starting IP:     192.168.2.101
Ending IP:       192.168.2.200
Netmask:         255.255.255.0
Lease Duration:  7 days
Default Route:   192.168.2.99
DNS IP:          192.168.2.99
WINS IP:         192.168.2.99

Factory default NAT/Route mode network configuration

When the FortiWiFi unit is first powered on, it is running in NAT/Route mode and has the basic network configuration listed in Table 4. This configuration allows you to connect to the FortiWiFi unit web-based manager and establish the configuration required to connect the FortiWiFi unit to the network. In Table 4, HTTPS management access means you can connect to the web-based manager using this interface. Ping management access means this interface responds to ping requests.

Table 4: Factory default NAT/Route mode network configuration
Administrator account
  User name:          admin
  Password:           (none)
Internal interface
  IP:                 192.168.1.99
  Netmask:            255.255.255.0
  Management Access:  HTTPS, Ping
WAN1 interface
  Addressing Mode:    DHCP
  Management Access:  Ping
WAN2 interface
  IP:                 192.168.101.99
  Netmask:            255.255.255.0
  Management Access:  Ping
DMZ interface
  IP:                 10.10.10.1
  Netmask:            255.255.255.0
  Management Access:  HTTPS, Ping
WLAN interface
  IP:                 192.168.100.99
  Netmask:            255.255.255.0
  Management Access:
  Geography:          World
  Channel:            5
  Security:           none
  Key:                none
  SSID:               Fortinet

Factory default Transparent mode network configuration

If you switch the FortiWiFi unit to Transparent mode, it has the default network configuration listed in Table 5.

Table 5: Factory default Transparent mode network configuration
Administrator account
  User name:             admin
  Password:              (none)
Management IP
  IP:                    10.10.10.1
  Netmask:               255.255.255.0
DNS
  Primary DNS Server:    207.194.200.1
  Secondary DNS Server:  207.194.200.129
Management access
  Internal:              HTTPS, Ping
  WAN1:                  Ping
  WAN2:                  Ping
  DMZ:                   HTTPS, Ping
Wireless
  Geography:             World
  Channel:               5
  Security:              None
  Key:                   None
  SSID:                  fortinet

Factory default firewall configuration

The factory default firewall configuration is the same in NAT/Route and Transparent mode.

Table 6: Factory default firewall configuration
Internal Address: Internal_All (IP: 0.0.0.0, Mask: 0.0.0.0). Represents all of the IP addresses on the internal network.
WAN1 Address: WAN1_All (IP: 0.0.0.0, Mask: 0.0.0.0). Represents all of the IP addresses on the network connected to the WAN1 interface.
WAN2 Address: WAN2_All (IP: 0.0.0.0, Mask: 0.0.0.0). Represents all of the IP addresses on the network connected to the WAN2 interface.
WLAN Address: WLAN_All (IP: 0.0.0.0, Mask: 0.0.0.0). Represents all of the IP addresses on the network connected to the WLAN interface.
DMZ Address: DMZ_All (IP: 0.0.0.0, Mask: 0.0.0.0). Represents all of the IP addresses on the network connected to the DMZ interface.
Recurring Schedule: Always. The schedule is valid at all times. This means that the firewall policy is valid at all times.

Firewall Policy Internal->WAN1: Firewall policy for connections from the internal network to the WAN1 network.
  Source: Internal_All. The policy source address. Internal_All means that the policy accepts connections from any internal IP address.
  Destination: WAN1_All. The policy destination address. WAN1_All means that the policy accepts connections with a destination address to any IP address on the external (WAN1) network.

Firewall Policy Internal->WAN2: Firewall policy for connections from the internal network to the WAN2 network.
  Source: Internal_All. The policy source address. Internal_All means that the policy accepts connections from any internal IP address.
  Destination: WAN2_All. The policy destination address. WAN2_All means that the policy accepts connections with a destination address to any IP address on the external (WAN2) network.

Firewall Policy WLAN->WAN1: Firewall policy for connections from the WLAN network to the WAN1 network.
  Source: WLAN_All. The policy source address. WLAN_All means that the policy accepts connections from any WLAN IP address.
  Destination: WAN1_All. The policy destination address. WAN1_All means that the policy accepts connections from the wireless network with a destination address to any IP address on the external (WAN1) network.

Firewall Policy WLAN->WAN2: Firewall policy for connections from the WLAN network to the WAN2 network.
  Source: WLAN_All. The policy source address. WLAN_All means that the policy accepts connections from any WLAN IP address.
  Destination: WAN2_All. The policy destination address. WAN2_All means that the policy accepts connections from the wireless network with a destination address to any IP address on the external (WAN2) network.

General Firewall Policy Options
  Schedule: Always. The policy schedule. Always means that the policy is valid at any time.
  Service: ANY. The policy service. ANY means that this policy processes connections for all services.
  Action: ACCEPT. The policy action. ACCEPT means that the policy allows connections.
  NAT: selected. NAT is selected for the NAT/Route mode default policy so that the policy applies network address translation to the traffic processed by the policy. NAT is not available for Transparent mode policies.
  Traffic Shaping: not selected. The policy does not apply traffic shaping to the traffic controlled by the policy. You can select this option to control the maximum or minimum amount of bandwidth available to traffic processed by the policy.
  Authentication: not selected. Users do not have to authenticate with the firewall before connecting to their destination address. You can configure user groups and select this option to require users to authenticate with the firewall before they can connect through the firewall.
  Antivirus & Web Filter: selected, Content Profile: Scan. The policy scans all HTTP, FTP, SMTP, POP3, and IMAP traffic for viruses. See Scan content profile on page 34 for more information about the scan content profile. You can select one of the other content profiles to apply different levels of content protection to traffic processed by this policy.
  Log Traffic: not selected. This policy does not record messages to the traffic log for the traffic processed by this policy. You can configure FortiWiFi logging and select Log Traffic to record all connections through the firewall that are accepted by this policy.

Factory default content profiles

You can use content profiles to apply different protection settings for content traffic that is controlled by firewall policies. You can use content profiles for:
• Antivirus protection of HTTP, FTP, IMAP, POP3, and SMTP network traffic
• Web content filtering for HTTP network traffic
• Email filtering for IMAP and POP3 network traffic
• Oversized file and email blocking for HTTP, FTP, POP3, SMTP, and IMAP network traffic
• Passing fragmented emails in IMAP, POP3, and SMTP email traffic

Using content profiles, you can build protection configurations that can be applied to different types of firewall policies. This allows you to customize types and levels of protection for different firewall policies. For example, while traffic between internal and external addresses might need strict protection, traffic between trusted internal addresses might need moderate protection. You can configure policies for different traffic services to use the same or different content profiles. Content profiles can be added to NAT/Route mode and Transparent mode policies.

Strict content profile

Use the strict content profile to apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic. You do not need to use the strict content profile under normal circumstances, but it is available if you have extreme problems with viruses and require maximum content screening protection.

Table 7: Strict content profile
Options                     FTP    HTTP   IMAP   POP3   SMTP
Antivirus Scan
File Block
Web URL Block
Web Content Block
Web Script Filter
Web Exempt List
Email Block List
Email Exempt List
Email Content Block
Oversized File/Email Block  block  block  block  block  block
Pass Fragmented Emails
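The four default policies in Table 6 and the general policy options, modelled as an added example (not Fortinet code and not the unit's own policy engine) that evaluates constructed flows and shows what the factory defaults allow: internal and WLAN clients reach the WAN interfaces through NAT with the Scan profile applied, while WLAN-to-internal and inbound connections match no policy and are dropped. The interface names, the port-to-protocol table and the sample addresses are assumptions of the model.

```python
"""Model of the FortiWiFi-60 factory default firewall configuration.

Added example, not Fortinet code. It evaluates constructed sample flows
against the four default policies of Table 6 and the general policy options
(schedule Always, service ANY, action ACCEPT, NAT, content profile Scan) and
reports whether a flow is accepted, whether NAT applies, and whether the Scan
profile inspects it. Traffic that matches no policy is dropped.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Protocols the Scan profile inspects (HTTP, FTP, SMTP, POP3, IMAP), keyed by
# well-known destination port. Port-based protocol detection is an assumption
# of this model, not a statement about how the FortiWiFi identifies traffic.
SCANNED_PROTOCOLS = {80: "HTTP", 21: "FTP", 25: "SMTP", 110: "POP3", 143: "IMAP"}

# Firewall addresses from Table 6: IP 0.0.0.0 with mask 0.0.0.0 covers every
# address on the network attached to the named interface (names assumed).
ADDRESSES = {
    "Internal_All": ("internal", ip_network("0.0.0.0/0")),
    "WAN1_All": ("wan1", ip_network("0.0.0.0/0")),
    "WAN2_All": ("wan2", ip_network("0.0.0.0/0")),
    "WLAN_All": ("wlan", ip_network("0.0.0.0/0")),
    "DMZ_All": ("dmz", ip_network("0.0.0.0/0")),
}


@dataclass(frozen=True)
class Policy:
    name: str
    source: str           # firewall address name; fixes the ingress interface
    destination: str      # firewall address name; fixes the egress interface
    action: str = "ACCEPT"
    nat: bool = True      # selected on the NAT/Route mode default policies
    content_profile: str = "Scan"


# The four default policies, in the order Table 6 lists them. Schedule Always
# and service ANY match every flow, so only the addresses decide a match.
DEFAULT_POLICIES = (
    Policy("Internal->WAN1", "Internal_All", "WAN1_All"),
    Policy("Internal->WAN2", "Internal_All", "WAN2_All"),
    Policy("WLAN->WAN1", "WLAN_All", "WAN1_All"),
    Policy("WLAN->WAN2", "WLAN_All", "WAN2_All"),
)


@dataclass(frozen=True)
class Flow:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Decision:
    action: str
    policy: Optional[str]   # name of the matching policy, None on default drop
    nat: bool
    scanned: bool


def _matches(address_name: str, interface: str, ip: str) -> bool:
    """True if the flow endpoint sits on the interface the address names."""
    if_name, network = ADDRESSES[address_name]
    return interface == if_name and ip_address(ip) in network


def evaluate(flow: Flow, mode: str = "NAT/Route",
             policies=DEFAULT_POLICIES) -> Decision:
    """First matching policy wins; with no match the unit passes nothing."""
    for policy in policies:
        if (_matches(policy.source, flow.src_if, flow.src_ip)
                and _matches(policy.destination, flow.dst_if, flow.dst_ip)):
            # NAT is not available for Transparent mode policies.
            nat = policy.nat and mode == "NAT/Route"
            scanned = (policy.content_profile == "Scan"
                       and flow.dst_port in SCANNED_PROTOCOLS)
            return Decision(policy.action, policy.name, nat, scanned)
    return Decision("DROP", None, False, False)


def sample_decisions(mode: str = "NAT/Route") -> dict:
    """Constructed flows: an internal host and the management address from the
    default internal subnet, a WLAN client inside the WLAN DHCP range, and
    198.51.100.7 as a constructed external host."""
    flows = {
        "internal_web": Flow("internal", "192.168.1.3", "wan1", "198.51.100.7", 80),
        "internal_smtp_wan2": Flow("internal", "192.168.1.3", "wan2", "198.51.100.7", 25),
        "wlan_https": Flow("wlan", "192.168.2.150", "wan1", "198.51.100.7", 443),
        "wlan_to_internal": Flow("wlan", "192.168.2.150", "internal", "192.168.1.3", 445),
        "inbound_to_mgmt": Flow("wan1", "198.51.100.7", "internal", "192.168.1.99", 443),
    }
    return {name: evaluate(flow, mode) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:20} {decision}")
```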
Scan content profile

Use the scan content profile to apply antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content traffic.

Table 8: Scan content profile
Options                     FTP    HTTP   IMAP   POP3   SMTP
Antivirus Scan
File Block
Web URL Block
Web Content Block
Web Script Filter
Web Exempt List
Email Block List
Email Exempt List
Email Content Block
Oversized File/Email Block  pass   pass   pass   pass   pass
Pass Fragmented Emails

Web content profile

Use the web content profile to apply antivirus scanning and web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic.

Table 9: Web content profile
Options                     FTP    HTTP   IMAP   POP3   SMTP
Antivirus Scan
File Block
Web URL Block
Web Content Block
Web Script Filter
Web Exempt List
Email Block List
Email Exempt List
Email Content Block
Oversized File/Email Block  pass   pass   pass   pass   pass
Pass Fragmented Emails

Unfiltered content profile

Use the unfiltered content profile if you do not want to apply content protection to traffic. You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.

Table 10: Unfiltered content profile
Options                     FTP    HTTP   IMAP   POP3   SMTP
Antivirus Scan
File Block
Web URL Block
Web Content Block
Web Script Filter
Web Exempt List
Email Block List
Email Exempt List
Email Content Block
Oversized File/Email Block  pass   pass   pass   pass   pass
Pass Fragmented Emails

Planning the FortiWiFi configuration

Before you configure the FortiWiFi unit, you need to plan how to integrate the unit into the network. Among other things, you must decide whether you want the unit to be visible to the network, which firewall functions you want it to provide, and how you want it to control the traffic flowing between its interfaces. Your configuration plan depends on the operating mode that you select. The FortiWiFi unit can be configured in one of two modes: NAT/Route mode (the default) or Transparent mode.

NAT/Route mode

In NAT/Route mode, the unit is visible to the network. Like a router, all its interfaces are on different subnets. The following interfaces are available in NAT/Route mode:
• Internal is the interface to the internal network.
• WAN1 is the default interface to the external network (usually the Internet).
• WAN2 is the redundant interface to the external network.
• DMZ is the interface to the DMZ network.
• WLAN is the interface to the wireless LAN network.

You must configure routing to support the redundant WAN1 and WAN2 internet connections. Routing can be used to automatically redirect connections from an interface if its connection to the external network fails.

You can add security policies to control whether communications through the FortiWiFi unit operate in NAT or Route mode. Security policies control the flow of traffic based on the source address, destination address, and service of each packet. In NAT mode, the FortiWiFi unit performs network address translation before it sends the packet to the destination network. In Route mode, there is no translation. By default, the FortiWiFi unit has a NAT mode security policy that allows users on the internal network to securely download content from the external network. No other traffic is possible until you have configured further security policies.

You typically use NAT/Route mode when the FortiWiFi unit is operating as a gateway between private and public networks. In this configuration, you would create NAT mode policies to control traffic flowing between the internal, private network and the external, public network (usually the Internet). In addition, you can use NAT/Route mode when the FortiWiFi-60 is operating as a gateway for your wireless network. In this configuration you would create NAT mode policies to control traffic flowing between the wireless network and the Internet as well as between the wireless network and other networks (such as the internal or DMZ networks).
If you have multiple internal networks, such as a DMZ network in addition to the internal, private network, you could create route mode policies for traffic flowing between them.

Figure 4: Example NAT/Route mode network configuration
[Figure: a FortiWiFi-60 unit in NAT/Route mode. Its Internal interface (192.168.1.99) connects to the internal network (host 192.168.1.3), its WLAN interface (192.168.40.1) connects to the wireless network (host 192.168.40.4), and its WAN1 interface (204.23.1.5) connects to the Internet. NAT mode policies control traffic between the internal and external networks, between the WLAN and external networks, and between the WLAN and internal networks.]

Transparent mode

In Transparent mode, the FortiWiFi unit is invisible to the network. Similar to a network bridge, all FortiWiFi interfaces must be on the same subnet. You only have to configure a management IP address so that you can make configuration changes. The management IP address is also used for antivirus and attack definition updates.

You typically use the FortiWiFi unit in Transparent mode on a private network behind an existing firewall or behind a router. The FortiWiFi unit performs firewall functions as well as antivirus and content scanning but not VPN.

Figure 5: Example Transparent mode network configuration
[Figure: a FortiWiFi-60 unit in Transparent mode with management IP 10.10.10.1. Its Internal interface connects to the internal network, its WLAN interface connects to the wireless network, and its WAN1 interface connects to a gateway to the public network (firewall or router) and on to the Internet (204.23.1.5). The private-side addresses shown are 10.10.10.2, 10.10.10.3 and 10.10.10.5. Transparent mode policies control traffic between the internal and external networks and between the WLAN and internal networks.]

Internal can connect to the internal network. You can connect up to four network segments to the FortiWiFi unit to control traffic between these network segments. WAN1 can connect to the external firewall or router. DMZ and WAN2 can connect to other network segments. WLAN connects to the wireless network. In Transparent mode the wireless network is on the same subnet as the private network. Using Transparent mode firewall policies you can control the flow of traffic from the wireless network segment to other network segments.

Configuration options

Once you have selected Transparent or NAT/Route mode operation, you can complete the configuration plan and begin to configure the FortiWiFi unit. You can use the web-based manager setup wizard or the command line interface (CLI) for the basic configuration of the FortiWiFi unit.

Setup wizard

If you are configuring the FortiWiFi unit to operate in NAT/Route mode (the default), the setup wizard prompts you to add the administration password and the internal interface address. The setup wizard also prompts you to choose either a manual (static) or a dynamic (DHCP or PPPoE) address for the WAN1 interface. Using the wizard, you can also add DNS server IP addresses and a default route for the WAN1 interface. In NAT/Route mode you can also change the configuration of the FortiWiFi DHCP server to supply IP addresses for the computers on your internal network. You can also configure the FortiWiFi to allow Internet access to your internal Web, FTP, or email servers. Using the web-based manager you can also add a DHCP server configuration to the WLAN interface to supply IP addresses to the computers on your wireless network. You can also add firewall policies to allow Internet access from the wireless network.

If you are configuring the FortiWiFi unit to operate in Transparent mode, you can switch to Transparent mode from the web-based manager and then use the setup wizard to add the administration password, the management IP address and gateway, and the DNS server addresses.

CLI

If you are configuring the FortiWiFi unit to operate in NAT/Route mode, you can add the administration password and all interface addresses. You can also use the CLI to configure the WAN1 interface for either a manual (static) or a dynamic (DHCP or PPPoE) address. Using the CLI, you can also add DNS server IP addresses and a default route for the WAN1 interface. In NAT/Route mode you can also change the configuration of the FortiWiFi DHCP server to supply IP addresses for the computers on your internal network. Using the CLI you can also add a DHCP server configuration to the WLAN interface to supply IP addresses to the computers on your wireless network. You can also add firewall policies to allow Internet access from the wireless network.
If you are configuring the FortiWiFi unit to operate in Transparent mode, you can use the CLI to switch to Transparent mode, Then you can add the administration password, the management IP address and gateway, and the DNS server addresses. 38 Fortinet Inc. Getting started FortiGate model maximum values matrix FortiGate model maximum values matrix Table 11: FortiGate maximum values matrix 20000 20000 50000 6000 10000 6000 FortiGate model 400 500 500 500 500 500 4096*
50 500 500 60**
500 500 100 500 500 200 500 500 300 500 500 50 20 30 50 10 30 N/A N/A N/A 500 500 500 500 500 100 500 500 500 500 500 500 500 500 500 500 500 4096*
4096*
4096*
500 500 200 500 1000 500 2000 500 5000 3000 5000 3000 100 32 32 N/A N/A 32 N/A N/A 32 100 64 32 100 64 32 100 16 32 N/A N/A 32 Routes Policy routing gateways Administrative users VLAN subinterfaces Zones Virtual domains DHCP address scopes DHCP reserved IP/MAC pairs Firewall policies Firewall addresses Firewall address groups Firewall custom services Firewall service groups Firewall recurring schedules Firewall onetime schedules Firewall virtual IPs Firewall IP pools IP/MAC binding table entries Firewall content profiles User names Radius servers LDAP servers User groups Total number of user group members
* Includes the number of physical interfaces. **FortiGate-60 and FortiWiFi-60. 1000 6 6 100 300 1000 6 6 100 300 1000 6 6 100 300 1000 6 6 100 300 20 6 6 100 300 500 6 6 100 300 50 500 50 500 50 500 50 500 50 500 50 500 50 500 500 500 500 500 256 256 256 256 500 500 500 500 500 500 500 256 256 256 256 256 256 500 500 500 500 256 256 500 500 500 256 256 500 32 32 32 32 32 32 32 1000 6 6 100 300 800 500 500 500 1000 500 500 3000 500 500 3600 500 500 4000 500 500 500 500 500 500 4096*
4096*
4096*
4096*
4096*
100 64 32 100 200 128 32 200 300 512 32 200 500 512 32 200 500 512 32 200 50000 50000 50000 10000 10000 10000 500 500 500 256 256 500 50 500 32 500 500 500 256 256 500 50 500 32 500 500 500 256 256 500 50 500 32 500 500 500 256 256 500 50 500 32 500 500 500 256 256 500 50 500 32 1000 6 6 100 300 1000 6 6 100 300 1000 6 6 100 300 1000 6 6 100 300 1000 6 6 100 300 FortiWiFi-60 Installation and Configuration Guide 39 Next steps Getting started Table 11: FortiGate maximum values matrix 50 20 20 500 500 500 100 56 60**
50 50 500 500 500 100 56 100 80 80 500 500 500 100 56 200 200 200 500 500 500 100 56 FortiGate model 400 1500 500 3000 300 1500 800 3000 1000 5000 3000 5000 3600 5000 4000 5000 1500 1500 3000 3000 5000 5000 5000 5000 500 500 500 100 56 500 500 500 100 56 500 500 500 100 56 500 500 500 100 56 500 500 500 100 56 500 500 500 100 56 500 500 500 100 56 500 500 500 100 56 IPSec remote gateways
(Phase 1) IPSec VPN tunnels (Phase 2) IPSec VPN concentrators PPTP users L2TP users NIDS user-defined signatures Antivirus file block patterns Web filter and email filter lists Limit varies depending on available system memory. Fortinet recommends limiting total size of web and email filter lists to 4 Mbytes or less. If you want to use larger web filter lists, consider using Cerberian web filtering. 50 50 50 50 50 50 50 50 Log setting traffic filter entries
* Includes the number of physical interfaces. **FortiGate-60 and FortiWiFi-60. 50 50 50 50 Next steps Now that your FortiWiFi unit is operating, you can proceed to configure it to connect to networks:
If you are going to operate the FortiWiFi unit in NAT/Route mode, go to NAT/Route mode installation on page 41. If you are going to operate the FortiWiFi unit in Transparent mode, go to Transparent mode installation on page 59. 40 Fortinet Inc. FortiWiFi-60 Installation and Configuration Guide Version 2.50 NAT/Route mode installation Installing the FortiWiFi unit using the default configuration This chapter describes how to install the FortiWiFi unit in NAT/Route mode. To install the FortiWiFi unit in Transparent mode, see Transparent mode installation on page 59. This chapter describes:
Preparing to configure NAT/Route mode Using the setup wizard Using the command line interface Connecting the FortiWiFi unit to your networks Configuring your networks Completing the configuration Configuration example: Multiple connections to the Internet Installing the FortiWiFi unit using the default configuration Depending on your requirements, you may be able to deploy the FortiWiFi unit without changing its factory default configuration. If the factory default settings in Table 12 are compatible with your requirements, all you need to do is configure your internal network and then connect the FortiWiFi unit. Table 12: FortiWiFi unit factory default configuration Firewall Policies Four NAT policies allow users on the internal network and on the wireless network to access any Internet service through the WAN1 and WAN2 interfaces. No other traffic is allowed. All web, ftp, and email traffic is scanned for viruses. Using DHCP, WAN1 and WAN2 get their IP addresses from your ISP. The FortiWiFi-60 unit also gets DNS server IPs from these interfaces. WAN1 and WAN2 interfaces DHCP Server on internal and wireless networks Internal Starting IP: 192.168.1.10, Ending IP: 192.168.1.200, Default route: 192.168.1.99, DNS server: 192.168.1.99 WLAN Starting IP: 192.168.2.10, Ending IP: 192.168.2.200, Default route: 192.168.2.99, DNS server: 192.168.2.99 WLAN IP: 192.168.2.99, Channel: 5, SSID: fortinet FortiWiFi-60 Installation and Configuration Guide 41 Preparing to configure NAT/Route mode NAT/Route mode installation 1 2 3 To use the factory default configuration, follow these steps to install the FortiWiFi unit:
1 Configure the TCP/IP settings of the computers on your internal network to obtain an IP address automatically using DHCP. Refer to your computer documentation for assistance.
2 Turn on DHCP for the computers on your wireless network as well. If required, configure wireless settings to use channel 5 and SSID fortinet.
3 Complete the procedure in the section Connecting the FortiWiFi unit to your networks on page 47.

Changing the default configuration

You can use the procedures in this chapter to change the default configuration. For example, if your ISP assigns IP addresses using PPPoE instead of DHCP, you only need to change the configuration of the WAN1 interface. Use the information in the rest of this chapter to change the default configuration as required. This chapter also describes how to change your wireless networking channel and SSID, and how to improve the security of your wireless network by enabling WEP and entering a WEP key.

Preparing to configure NAT/Route mode

Use Table 13 to gather the information that you need to customize NAT/Route mode settings.

Table 13: NAT/Route mode settings

Administrator password:
Internal interface
  IP:                   _____._____._____._____
  Netmask:              _____._____._____._____
WAN1 interface
  IP:                   _____._____._____._____
  Netmask:              _____._____._____._____
  Default Gateway:      _____._____._____._____
  Primary DNS Server:   _____._____._____._____
  Secondary DNS Server: _____._____._____._____
WAN2 interface
  IP:                   _____._____._____._____
  Netmask:              _____._____._____._____
Internal servers
  Web Server:           _____._____._____._____
  SMTP Server:          _____._____._____._____
  POP3 Server:          _____._____._____._____
  IMAP Server:          _____._____._____._____
  FTP Server:           _____._____._____._____
  If you provide access from the Internet to a web server, mail server, IMAP server, or FTP server installed on an internal network, add the IP addresses of the servers here.

Advanced NAT/Route mode settings

Use Table 14 to gather the information that you need to customize advanced FortiWiFi NAT/Route mode settings.

Table 14: Advanced FortiWiFi NAT/Route mode settings

WAN1 interface
  DHCP: If your Internet Service Provider (ISP) supplies you with an IP address using DHCP, no further information is required.
  PPPoE: If your ISP supplies you with an IP address using PPPoE, record your PPPoE user name and password.
    User name:
    Password:
WAN2 interface
  DHCP: If your Internet Service Provider (ISP) supplies you with an IP address using DHCP, no further information is required.
  PPPoE: If your ISP supplies you with an IP address using PPPoE, record your PPPoE user name and password.
    User name:
    Password:
DHCP server
  The FortiWiFi unit contains a DHCP server that you can configure to automatically set the addresses of the computers on your internal network.
  Starting IP:   _____._____._____._____
  Ending IP:     _____._____._____._____
  Netmask:       _____._____._____._____
  Default Route: _____._____._____._____
  DNS IP:        _____._____._____._____

DMZ interface

Use Table 15 to record the IP address and netmask of the FortiWiFi DMZ interface if you are configuring it during installation.

Table 15: DMZ interface (Optional)

  DMZ IP:  _____._____._____._____
  Netmask: _____._____._____._____
Wireless settings

Use Table 16 to record the IP address and netmask of the FortiWiFi-60 WLAN interface if you are configuring it during installation. If you are configuring wireless networking, you should also configure the wireless Service Set ID (SSID) and channel. See Wireless configuration on page 120 for more information.

Table 16: Wireless settings (Optional)

  WLAN IP:   _____._____._____._____
  Netmask:   _____._____._____._____
  Geography: World / Americas / EMEA / Japan / Israel
  Channel:
  Security:  None / WEP
  SSID:
  WEP Key:
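The following Python script is an added example and is not part of this manual or of Fortinet's software. It checks a filled-in worksheet (the fields of Tables 12 to 16) for the mistakes that most often cause an installation to fail (interfaces on overlapping subnets, a WAN default gateway outside the WAN subnet, a DHCP pool outside its interface subnet, a mistyped address) and then renders the addressing commands used in the CLI procedure later in this chapter. The dictionary layout and its key names are an assumption; the sample values are the Table 12 defaults for the internal and WLAN interfaces, the WAN1 and DMZ addresses from the CLI examples, and a constructed DNS server address.

```python
from ipaddress import IPv4Address, IPv4Interface

GEOGRAPHIES = ("World", "Americas", "EMEA", "Japan", "Israel")

# Constructed worksheet (assumed key names). Internal/WLAN values are the Table 12
# defaults, WAN1 and DMZ come from the CLI examples, the DNS server is made up.
WORKSHEET = {
    "internal": {"ip": "192.168.1.99", "netmask": "255.255.255.0",
                 "dhcp": {"start": "192.168.1.10", "end": "192.168.1.200",
                          "route": "192.168.1.99", "dns": "192.168.1.99"}},
    "wan1": {"mode": "static", "ip": "204.23.1.5", "netmask": "255.255.255.0",
             "gateway": "204.23.1.2"},
    "dmz": {"ip": "10.10.10.2", "netmask": "255.255.255.0"},
    "wlan": {"ip": "192.168.2.99", "netmask": "255.255.255.0",
             "dhcp": {"start": "192.168.2.10", "end": "192.168.2.200",
                      "route": "192.168.2.99", "dns": "192.168.2.99"},
             "geography": "Americas", "channel": 5, "ssid": "fortinet", "security": "None"},
    "dns": {"primary": "203.0.113.53"},
}


def _ipv4(value, label, problems):
    """Parse one dotted-quad field, recording a problem instead of raising."""
    try:
        return IPv4Address(value)
    except ValueError:
        problems.append(f"{label}: {value!r} is not a valid IPv4 address")
        return None


def check_worksheet(ws):
    """Return a list of problems; an empty list means the worksheet is consistent."""
    problems, nets = [], {}
    for name in ("internal", "dmz", "wlan", "wan1", "wan2"):
        entry = ws.get(name)
        if entry and entry.get("mode", "static") == "static":
            try:
                nets[name] = IPv4Interface(f"{entry['ip']}/{entry['netmask']}").network
            except ValueError:
                problems.append(f"{name}: {entry['ip']}/{entry['netmask']} is not a valid address/netmask")
    # Each interface needs its own subnet; overlapping subnets make routing ambiguous.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    # A static WAN interface needs a default gateway that is on its own subnet.
    for name in ("wan1", "wan2"):
        entry = ws.get(name, {})
        if entry.get("mode") == "static" and name in nets:
            gw = _ipv4(entry.get("gateway", ""), f"{name} gateway", problems)
            if gw is not None and gw not in nets[name]:
                problems.append(f"{name} gateway {gw} is outside {nets[name]}")
    # DHCP pools must lie inside the interface subnet; Table 12 hands out the
    # interface address as both default route and DNS server.
    for name in ("internal", "wlan"):
        pool = ws.get(name, {}).get("dhcp")
        if not pool or name not in nets:
            continue
        start = _ipv4(pool["start"], f"{name} dhcp start", problems)
        end = _ipv4(pool["end"], f"{name} dhcp end", problems)
        if start is not None and end is not None:
            if start > end:
                problems.append(f"{name} dhcp pool starts after it ends")
            if start not in nets[name] or end not in nets[name]:
                problems.append(f"{name} dhcp pool {start}-{end} is outside {nets[name]}")
        for key in ("route", "dns"):
            if pool.get(key) != ws[name]["ip"]:
                problems.append(f"{name} dhcp {key} {pool.get(key)} is not the interface address")
    for key, value in ws.get("dns", {}).items():
        _ipv4(value, f"dns {key}", problems)
    wl = ws.get("wlan", {})
    if wl.get("geography") not in GEOGRAPHIES:
        problems.append(f"wlan: geography {wl.get('geography')!r} is not one of {GEOGRAPHIES}")
    if wl.get("security", "None") == "None":
        problems.append("wlan: security is None, so wireless traffic is sent unencrypted")
    if wl.get("ssid") == "fortinet":
        problems.append("wlan: SSID is still the factory default 'fortinet'")
    return problems


def render_cli(ws):
    """Emit the addressing commands from this chapter's CLI procedure for the worksheet."""
    lines = []
    for name in ("internal", "wan1", "wan2", "dmz", "wlan"):
        entry = ws.get(name)
        if not entry:
            continue
        if entry.get("mode", "static") == "dhcp":
            lines.append(f"set system interface {name} mode dhcp connection enable")
        else:
            lines.append(f"set system interface {name} mode static ip {entry['ip']} {entry['netmask']}")
    for key in ("primary", "secondary"):
        if key in ws.get("dns", {}):
            lines.append(f"set system dns {key} {ws['dns'][key]}")
    if ws.get("wan1", {}).get("mode") == "static":   # default route is not needed for DHCP or PPPoE
        lines.append(f"set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 {ws['wan1']['gateway']}")
    return lines


if __name__ == "__main__":
    for problem in check_worksheet(WORKSHEET) or ["worksheet is consistent"]:
        print("check:", problem)
    print("\n".join(render_cli(WORKSHEET)))
```

Run against the factory defaults the checker reports only the two wireless findings (no encryption and the default SSID). The address checks also reject a value such as 293.44.75.21, which appears as the DNS example in the CLI section but is not a valid IPv4 address because an octet cannot exceed 255.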
Using the setup wizard

From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiWiFi unit. To connect to the web-based manager, see Connecting to the web-based manager on page 26.

Starting the setup wizard

1 Select Easy Setup Wizard (the middle button in the upper-right corner of the web-based manager).
2 Use the information that you gathered in Table 13 on page 42 to fill in the wizard fields. Select the Next button to step through the wizard pages.
3 Confirm your configuration settings and then select Finish and Close.

Note: If you use the setup wizard to configure internal server settings, the FortiWiFi unit adds port forwarding virtual IPs and firewall policies for each server. For each server located on your internal network the FortiWiFi unit adds a WAN1->Internal policy. For each server located on your DMZ network, the FortiWiFi unit adds a WAN1->DMZ policy.

Reconnecting to the web-based manager

If you used the setup wizard to change the IP address of the internal interface, you must reconnect to the web-based manager using the new IP address. Browse to https://
followed by the new IP address of the internal interface. Otherwise, you can reconnect to the web-based manager by browsing to https://192.168.1.99.

You have now completed the initial configuration of your FortiWiFi unit, and you can proceed to Connecting the FortiWiFi unit to your networks on page 47.

Using the command line interface

As an alternative to using the setup wizard, you can configure the FortiWiFi unit using the command line interface (CLI). To connect to the CLI, see Connecting to the command line interface (CLI) on page 27.

Configuring the FortiWiFi unit to operate in NAT/Route mode

Use the information that you gathered in Table 13 on page 42 to complete the following procedures.

Configuring NAT/Route mode IP addresses

1 Log into the CLI if you are not already logged in.
2 Set the IP address and netmask of the internal interface to the internal IP address and netmask that you recorded in Table 13 on page 42. Enter:
    set system interface internal mode static ip <IP address> <netmask>
  Example:
    set system interface internal mode static ip 192.168.1.1 255.255.255.0
3 Set the IP address and netmask of the WAN1 interface to the IP address and netmask that you recorded in Table 13 on page 42.
  To set the manual IP address and netmask, enter:
    set system interface wan1 mode static ip <IP address> <netmask>
  Example:
    set system interface wan1 mode static ip 204.23.1.5 255.255.255.0
  To set the WAN1 interface to use DHCP, enter:
    set system interface wan1 mode dhcp connection enable
  To set the WAN1 interface to use PPPoE, enter:
    set system interface wan1 mode pppoe username <user name> password <password> connection enable
  Example:
    set system interface wan1 mode pppoe username user@domain.com password mypass connection enable
4 Optionally set the IP address and netmask of the WAN2 interface to the IP address and netmask that you recorded in Table 13 on page 42.
  To set the manual IP address and netmask, enter:
    set system interface wan2 mode static ip <IP address> <netmask>
  Example:
    set system interface wan2 mode static ip 34.3.21.35 255.255.255.0
  To set the WAN2 interface to use DHCP, enter:
    set system interface wan2 mode dhcp connection enable
  To set the WAN2 interface to use PPPoE, enter:
    set system interface wan2 mode pppoe username <user name> password <password> connection enable
  Example:
    set system interface wan2 mode pppoe username user@domain.com password mypass connection enable
5 Optionally set the IP address and netmask of the DMZ interface to the DMZ IP address and netmask that you recorded in Table 15 on page 44. Enter:
    set system interface dmz mode static ip <IP address> <netmask>
  Example:
    set system interface dmz mode static ip 10.10.10.2 255.255.255.0
6 Optionally set the IP address and netmask of the WLAN interface to the WLAN IP address and netmask that you recorded in Table 16 on page 44. Enter:
    set system interface wlan mode static ip <IP address> <netmask>
  Example:
    set system interface wlan mode static ip 192.168.40.1 255.255.255.0
7 Optionally set the wireless configuration using the information that you recorded in Table 16 on page 44. Enter:
    set system interface wlan wireless geography {World | Americas | EMEA | Israel | Japan} channel <channel_number> ssid <ssid_name> security WEP key <WEP_key>
  Example:
    set system interface wlan wireless geography Americas channel 10 ssid My_SSID security WEP key My_Wep_Key
8 Confirm that the addresses are correct. Enter:
    get system interface
  The CLI lists the IP address, netmask and other settings for each of the FortiWiFi interfaces.
9 Set the primary DNS server IP address. Enter:
    set system dns primary <IP address>
  Example:
    set system dns primary 293.44.75.21
10 Optionally, set the secondary DNS server IP address. Enter:
    set system dns secondary <IP address>
  Example:
    set system dns secondary 293.44.75.22
11 Set the default route to the Default Gateway IP address (not required for DHCP and PPPoE). Enter:
    set system route number <route_no> dst 0.0.0.0 0.0.0.0 gw1 <gateway_ip>
  Example:
    set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 204.23.1.2

Connecting the FortiWiFi unit to your networks

When you have completed the initial configuration, you can connect the FortiWiFi unit between your internal network and the Internet. There are seven 10/100 BaseTX connectors on the back of the FortiWiFi-60 unit:
Four Internal ports for connecting to your internal network.
One WAN1 port for connecting to your public switch or router and the Internet.
One WAN2 port for connecting to a second public switch or router and the Internet for a redundant Internet connection.
One DMZ port for connecting to a DMZ network.

Note: You can also connect the WAN1 and WAN2 interfaces to different Internet connections to provide a redundant connection to the Internet.

To connect the FortiWiFi unit:

1 Connect the Internal interface connectors to PCs and other network devices in your internal network. The Internal interface functions as a switch, allowing up to four devices to be connected to the internal network and the internal interface.
2 Connect the WAN1 interface to the Internet. Connect to the public switch or router provided by your Internet Service Provider. If you are a DSL or cable subscriber, connect the WAN1 interface to the internal or LAN connection of your DSL or cable modem.
3 Optionally connect the WAN2 interface to the Internet. Connect to the public switch or router, usually provided by a different Internet Service Provider. If you are a DSL or cable subscriber, connect the WAN2 interface to the internal or LAN connection of your DSL or cable modem.
4 Optionally, connect the DMZ interface to your DMZ network. You can use a DMZ network to provide access from the Internet to a web server or other server without installing the servers on your internal network.

Figure 6: FortiWiFi-60 NAT/Route mode connections (diagram; labels: Internal Network, Wireless Network, DMZ Network with Web Server and Mail Server, WAN1, WAN2, T1, Broadband (cable or DSL), Internet)

Configuring your networks

If you are operating the FortiWiFi unit in NAT/Route mode, your networks must be configured to route all Internet traffic to the IP address of the FortiWiFi interface to which they are connected.

For your internal network, change the default gateway address of all computers and routers connected directly to your internal network to the IP address of the FortiWiFi internal interface.
For the wireless network, change the default gateway address of all computers on the wireless network to the IP address of the wlan interface.
For your DMZ network, change the default gateway address of all computers and routers connected directly to your DMZ network to the IP address of the FortiWiFi DMZ interface.
For the external network, route all packets to the FortiWiFi WAN1 or WAN2 interface.
If you are using the FortiWiFi unit as the DHCP server for your internal network, configure the computers on your internal network for DHCP.

Make sure that the connected FortiWiFi unit is functioning properly by connecting to the Internet from a computer on your internal network. You should be able to connect to any Internet address.

Completing the configuration

Use the information in this section to complete the initial configuration of the FortiWiFi unit.

Configuring the DMZ interface

If you are planning to configure a DMZ network, you might want to change the IP address of the DMZ interface. Use the following procedure to configure the DMZ interface using the web-based manager.

1 Log into the web-based manager.
2 Go to System > Network > Interface.
3 For the dmz interface, select Modify.
4 Change the IP address and Netmask as required.
5 Select Apply.

Configuring the WLAN interface

If you are planning to configure a wireless network, you might want to change the IP address of the WLAN interface and configure your wireless settings. Use the information in Wireless configuration on page 120 to complete the FortiWiFi-60 wireless configuration.

1 Log into the web-based manager.
2 Go to System > Network > Interface.
3 For the wlan interface, select Modify.
4 Change the IP address and Netmask as required.
5 Set Geography to your location and select a channel.
6 Set Security to WEP (recommended) and enter a WEP key.
7 Change the SSID if required.
8 Select OK.

Configuring the WAN2 interface

If you are planning to configure a second Internet connection using the WAN2 interface, you might want to change the IP address of the WAN2 interface. Use the following procedure to configure the WAN2 interface using the web-based manager.

1 Log into the web-based manager.
2 Go to System > Network > Interface.
3 For the wan2 interface, select Modify.
4 Change the IP address and Netmask as required.
5 Select Apply.

Setting the date and time

For effective scheduling and logging, the FortiWiFi system date and time should be accurate. You can either manually set the system date and time or you can configure the FortiWiFi unit to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server. To set the FortiWiFi system date and time, see Setting system date and time on page 143.

Changing antivirus protection

By default, the FortiWiFi unit scans all web and email content for viruses. You can use the following procedure to change the antivirus configuration.

To change the antivirus configuration:
1 Go to Firewall > Policy > Internal->WAN1.
2 Select Edit to edit this policy.
3 For Anti-Virus & Web Filter you can select a different Content Profile. See Factory default content profiles on page 33 for descriptions of the default content profiles.
4 Select OK to save your changes.

You can also add your own content profiles. See Adding content profiles on page 190.

Registering your FortiWiFi unit

After purchasing and installing a new FortiWiFi unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. Registration consists of entering your contact information and the serial numbers of the FortiWiFi units you or your organization have purchased. Registration is quick and easy. You can register multiple FortiWiFi units in a single session without re-entering your contact information. For more information about registration, see Registering FortiGate and FortiWiFi units on page 104.

Configuring virus and attack definition updates

You can go to System > Update to configure the FortiWiFi unit to automatically check to see if new versions of the virus definitions and attack definitions are available. If it finds new versions, the FortiWiFi unit automatically downloads and installs the updated definitions. The FortiWiFi unit uses HTTPS on port 8890 to check for updates. The FortiWiFi WAN1 interface must have a path to the FortiResponse Distribution Network (FDN) using port 8890. To configure automatic virus and attack updates, see Updating antivirus and attack definitions on page 93.

Configuration example: Multiple connections to the Internet

This section describes some basic routing and firewall policy configuration examples for a FortiWiFi unit with multiple connections to the Internet (see Figure 7).
In this topology, the organization operating the FortiWiFi unit uses two Internet service providers to connect to the Internet. The FortiWiFi unit is connected to the Internet using the WAN1 and WAN2 interfaces. The WAN1 interface connects to gateway 1, operated by ISP1, and the WAN2 interface connects to gateway 2, operated by ISP2. By adding ping servers to interfaces, and by configuring routing, you can control how traffic uses each Internet connection. With this routing configuration in place, you can proceed to create firewall policies to support multiple Internet connections.

This section provides some examples of routing and firewall configurations to configure the FortiWiFi unit for multiple Internet connections. To use the information in this section you should be familiar with FortiWiFi routing (see Configuring routing on page 122) and FortiWiFi firewall configuration (see Firewall configuration on page 159). The examples below show how to configure destination-based routing and policy routing to control different traffic patterns.

Configuring Ping servers
Destination based routing examples
Policy routing examples
Firewall policy example

Figure 7: Example multiple Internet connection configuration (diagram: Internal Network 192.168.1.0 on the Internal interface 192.168.1.99; WAN1 1.1.1.2 to Gateway #1 1.1.1.1 at ISP1, External Network #1 100.100.100.0; WAN2 2.2.2.2 to Gateway #2 2.2.2.1 at ISP2, External Network #2 200.200.200.0; both ISPs connect to the Internet)

Configuring Ping servers

Use the following procedure to make Gateway 1 the ping server for the WAN1 interface and Gateway 2 the ping server for the WAN2 interface.

1 Go to System > Network > Interface.
2 For the WAN1 interface, select Modify.
  Ping Server: 1.1.1.1
  Select Enable Ping Server.
  Select OK.
3 For the WAN2 interface, select Modify.
  Ping Server: 2.2.2.1
  Select Enable Ping Server.
  Select OK.

Using the CLI

1 Add a ping server to the WAN1 interface.
    set system interface wan1 config detectserver 1.1.1.1 gwdetect enable
2 Add a ping server to the WAN2 interface.
    set system interface wan2 config detectserver 2.2.2.1 gwdetect enable

Destination based routing examples

This section describes the following destination-based routing examples:
Primary and backup links to the Internet
Load sharing
Load sharing and primary and secondary connections

Primary and backup links to the Internet

Use the following procedure to add a default destination-based route that directs all outgoing traffic to Gateway 1. If Gateway 1 fails, all connections are re-directed to Gateway 2. Gateway 1 is the primary link to the Internet and Gateway 2 is the backup link.

1 Go to System > Network > Routing Table.
2 Select New.
  Destination IP: 0.0.0.0
  Mask: 0.0.0.0
  Gateway #1: 1.1.1.1
  Gateway #2: 2.2.2.1
  Device #1: wan1
  Device #2: wan2
3 Select OK.

Using the CLI

1 Add the route to the routing table.
    set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1 dev1 wan1 gw2 2.2.2.1 dev2 wan2

Table 17: Route for primary and backup links

Destination IP  Mask     Gateway #1  Device #1  Gateway #2  Device #2
0.0.0.0         0.0.0.0  1.1.1.1     wan1       2.2.2.1     wan2

Load sharing

You can also configure destination routing to direct traffic through both gateways at the same time. If users on your internal network connect to the networks of ISP1 and ISP2, you can add routes for each of these destinations. Each route can include a backup destination to the network of the other ISP.

Table 18: Load sharing routes

Destination IP  Mask           Gateway #1  Device #1  Gateway #2  Device #2
100.100.100.0   255.255.255.0  1.1.1.1     wan1       2.2.2.1     wan2
200.200.200.0   255.255.255.0  2.2.2.1     wan2       1.1.1.1     wan1

The first route directs all traffic destined for the 100.100.100.0 network to gateway 1 with the IP address 1.1.1.1. If this router is down, traffic destined for the 100.100.100.0 network is re-directed to gateway 2 with the IP address 2.2.2.1.

Load sharing and primary and secondary connections

You can combine these routes into a more complete multiple Internet connection configuration. In the topology shown in Figure 7 on page 52, users on the Internal network would connect to the Internet to access web pages and other Internet resources. However, they may also connect to services, such as email, provided by their ISPs. You can combine the routes described in the previous examples to provide users with a primary and backup connection to the Internet, while at the same time routing traffic to each ISP network as required. The routing described below allows a user on the internal network to connect to the Internet through gateway 1 and ISP1. At the same time, this user can also connect through the DMZ interface to gateway 2 to access a mail server maintained by ISP2.

Adding the routes using the web-based manager

1 Go to System > Network > Routing Table.
2 Select New to add the default route for primary and backup links to the Internet.
  Destination IP: 0.0.0.0
  Mask: 0.0.0.0
  Gateway #1: 1.1.1.1
  Gateway #2: 2.2.2.1
  Device #1: wan1
  Device #2: wan2
  Select OK.
3 Select New to add a route for connections to the network of ISP1.
  Destination IP: 100.100.100.0
  Mask: 255.255.255.0
  Gateway #1: 1.1.1.1
  Gateway #2: 2.2.2.1
  Device #1: wan1
  Device #2: wan2
4 Select New to add a route for connections to the network of ISP2.
  Destination IP: 200.200.200.0
  Mask: 255.255.255.0
  Gateway #1: 2.2.2.1
  Gateway #2: 1.1.1.1
  Device #1: wan1
  Device #2: wan2
  Select OK.
5 Change the order of the routes in the routing table to move the default route below the other two routes. For the default route select Move to. Type a number in the Move to field to move this route to the bottom of the list. If there are only 3 routes, type 3. Select OK.

Adding the routes using the CLI

1 Add the route for connections to the network of ISP2.
    set system route number 1 dst 100.100.100.0 255.255.255.0 gw1 1.1.1.1 dev1 wan1 gw2 2.2.2.1 dev2 wan2
2 Add the route for connections to the network of ISP1.
    set system route number 2 dst 200.200.200.0 255.255.255.0 gw1 2.2.2.1 dev1 wan2 gw2 1.1.1.1 dev2 wan1
3 Add the default route for primary and backup links to the Internet.
    set system route number 3 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1 dev1 wan1 gw2 2.2.2.1 dev2 wan2

The routing table should have routes arranged as shown in Table 19.

Table 19: Example combined routing table

Destination IP  Mask           Gateway #1  Device #1  Gateway #2  Device #2
100.100.100.0   255.255.255.0  1.1.1.1     wan1       2.2.2.1     wan2
200.200.200.0   255.255.255.0  2.2.2.1     wan2       1.1.1.1     wan1
0.0.0.0         0.0.0.0        1.1.1.1     wan1       2.2.2.1     wan2

Policy routing examples

Policy routing can be added to increase the control you have over how packets are routed. Policy routing works on top of destination-based routing. This means you should configure destination-based routing first and then build policy routing on top to increase the control provided by destination-based routing. For example, if you have used destination-based routing to configure routing for dual Internet connections, you can use policy routing to apply more control to which traffic is sent to which destination route.

This section describes the following policy routing examples, based on a topology similar to that shown in Figure 7 on page 52. Differences are noted in each example. The policy routes described in these examples only work if you have already defined destination routes similar to those described in the previous section.

Routing traffic from internal subnets to different external networks
Routing a service to an external network

For more information about policy routing, see Policy routing on page 125.
Routing traffic from internal subnets to different external networks

If the FortiWiFi unit provides Internet access for multiple internal subnets, you can use policy routing to control the route that traffic from each network takes to the Internet. For example, if the internal network includes the subnets 192.168.10.0 and 192.168.20.0, you can enter the following policy routes:

1 Enter the following command to route traffic from the 192.168.10.0 subnet to the 100.100.100.0 external network:
    set system route policy 1 src 192.168.10.0 255.255.255.0 dst 100.100.100.0 255.255.255.0 gw 1.1.1.1
2 Enter the following command to route traffic from the 192.168.20.0 subnet to the 200.200.200.0 external network:
    set system route policy 2 src 192.168.20.0 255.255.255.0 dst 200.200.200.0 255.255.255.0 gw 2.2.2.1

Routing a service to an external network

You can use the following policy routes to direct all HTTP traffic (using port 80) to one external network and all other traffic to the other external network.

1 Enter the following command to route all HTTP traffic using port 80 to the next hop gateway with IP address 1.1.1.1.
    set system route policy 1 src 0.0.0.0 0.0.0.0 dst 0.0.0.0 0.0.0.0 protocol 6 port 80 80 gw 1.1.1.1
2 Enter the following command to route all other traffic to the next hop gateway with IP address 2.2.2.1.
    set system route policy 2 src 0.0.0.0 0.0.0.0 dst 0.0.0.0 0.0.0.0 gw 2.2.2.1

Firewall policy example

Firewall policies control how traffic flows through the FortiWiFi unit. Once routing for multiple Internet connections has been configured, you must create firewall policies to control which traffic is allowed through the FortiWiFi unit and the interfaces through which this traffic can connect. For traffic originating on the Internal network to be able to connect to the Internet through both Internet connections, you must add redundant policies from the internal interface to each interface that connects to the Internet. Once these policies have been added, the routing configuration controls which Internet connection is actually used.

Adding a redundant default policy

Figure 7 on page 52 shows a FortiWiFi unit connected to the Internet using its internal and DMZ interfaces. The default policy allows all traffic from the internal network to connect to the Internet through the WAN1 interface. If you add a similar policy to the internal to WAN2 policy list, this policy will allow all traffic from the internal network to connect to the Internet through the WAN2 interface.
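The following Python model is an added example and is not part of this manual or of Fortinet's software. It ties together the three mechanisms of this configuration example: the ping servers that report whether each gateway is up, the destination routes of Table 19 with their Gateway #2 fallback, the policy routes of the previous section, and the redundant Internal->WAN1 and Internal->WAN2 policy lists that this firewall policy example describes. It shows why the default route must sit below the specific routes, and that traffic with a policy on only one Internet-facing interface cannot fail over even though routing moves it. The gateway-to-interface mapping and addresses are taken from Figure 7; the gateway up/down states and the policy lists are constructed; how the unit treats a policy route whose gateway is down is an assumption, marked in the code.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Figure 7 topology (assumed mapping): the interface each gateway sits behind.
GATEWAY_DEV = {"1.1.1.1": "wan1", "2.2.2.1": "wan2"}


@dataclass
class DestRoute:
    """One routing table row: destination network, Gateway #1 and Gateway #2."""
    dst: str
    gw1: str
    gw2: Optional[str] = None


@dataclass
class PolicyRoute:
    """One 'set system route policy' entry: src/dst networks, optional protocol and
    inclusive destination port range (as in 'protocol 6 port 80 80'), next-hop gateway."""
    src: str
    dst: str
    gw: str
    protocol: Optional[int] = None
    ports: Optional[Tuple[int, int]] = None


# Table 19 in the order the CLI steps enter it: specific routes first, default route last.
DEST_ROUTES = [
    DestRoute("100.100.100.0/24", "1.1.1.1", "2.2.2.1"),
    DestRoute("200.200.200.0/24", "2.2.2.1", "1.1.1.1"),
    DestRoute("0.0.0.0/0", "1.1.1.1", "2.2.2.1"),
]

# 'Routing a service to an external network': HTTP via 1.1.1.1, everything else via 2.2.2.1.
POLICY_ROUTES = [
    PolicyRoute("0.0.0.0/0", "0.0.0.0/0", "1.1.1.1", protocol=6, ports=(80, 80)),
    PolicyRoute("0.0.0.0/0", "0.0.0.0/0", "2.2.2.1"),
]

# Constructed policy lists as (service, action) in list order. Internal->WAN2
# deliberately has no SMTP policy, so SMTP is pinned to ISP1.
POLICIES = {
    ("internal", "wan1"): [("SMTP", "accept"), ("HTTP", "accept")],
    ("internal", "wan2"): [("HTTP", "accept")],
}


def _in(net: str, host: str) -> bool:
    return ip_address(host) in ip_network(net, strict=False)


def route(src, dst, gw_up, proto=None, port=None,
          policy_routes=POLICY_ROUTES, dest_routes=DEST_ROUTES):
    """Return (gateway, interface) for a packet, or (None, None) if nothing matches.

    gw_up maps gateway -> bool, the state the ping servers (gwdetect) report.
    Policy routes are tried first, in order; then destination routes in table order,
    first match wins (which is why the manual moves the default route to the bottom).
    A route falls back to Gateway #2 when Gateway #1 is down.
    """
    for p in policy_routes:
        if not (_in(p.src, src) and _in(p.dst, dst)):
            continue
        if p.protocol is not None and p.protocol != proto:
            continue
        if p.ports is not None and (port is None or not p.ports[0] <= port <= p.ports[1]):
            continue
        # Assumption: a policy route whose gateway is down is skipped and destination
        # routing decides instead; the manual does not describe this case.
        if gw_up.get(p.gw, False):
            return p.gw, GATEWAY_DEV[p.gw]
    for r in dest_routes:
        if _in(r.dst, dst):
            for gw in (r.gw1, r.gw2):
                if gw and gw_up.get(gw, False):
                    return gw, GATEWAY_DEV[gw]
            return None, None
    return None, None


def forward(src, dst, service, gw_up, proto=None, port=None, policies=POLICIES, **routing):
    """Routing picks the egress interface; a policy on that interface pair must then accept."""
    gw, dev = route(src, dst, gw_up, proto, port, **routing)
    if dev is None:
        return "no route"
    for svc, action in policies.get(("internal", dev), []):
        if svc in ("ANY", service):
            return f"{action} via {dev} ({gw})" if action == "accept" else f"denied by internal->{dev} policy"
    return f"dropped: no internal->{dev} policy for {service}"


def policy_audit(policies):
    """Services in only one Internet-facing list cannot fail over ('pinned'); the shared
    ones must appear in the same order in both lists, as the manual requires."""
    wan1 = [svc for svc, _ in policies[("internal", "wan1")]]
    wan2 = [svc for svc, _ in policies[("internal", "wan2")]]
    shared1 = [s for s in wan1 if s in wan2]
    shared2 = [s for s in wan2 if s in wan1]
    return {"pinned": sorted(set(wan1) ^ set(wan2)), "same_order": shared1 == shared2}


if __name__ == "__main__":
    both_up = {"1.1.1.1": True, "2.2.2.1": True}
    isp1_down = {"1.1.1.1": False, "2.2.2.1": True}
    print(route("192.168.1.10", "200.200.200.7", both_up, policy_routes=[]))
    print(forward("192.168.1.25", "100.100.100.25", "SMTP", isp1_down, policy_routes=[]))
    print(policy_audit(POLICIES))
```

With Gateway 1 down, SMTP from the internal mail server is routed to wan2 by the destination route's Gateway #2 entry but is then dropped, because only Internal->WAN1 carries an SMTP policy; HTTP, which has a policy on both lists, fails over. Placing the default route above the specific routes sends 200.200.200.0 traffic to Gateway 1 instead of Gateway 2, which is the ordering mistake step 5 of the web-based procedure guards against.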
With both of these policies added to the firewall configuration, the routing configuration will determine which Internet connection the traffic from the internal network actually uses. For more information about the default policy, see Default firewall configuration on page 160.

To add a redundant default policy

1 Go to Firewall > Policy > Int->WAN2.
2 Select New.
3 Configure the policy to match the default policy.
  Source: Internal_All
  Destination: WAN2_All
  Schedule: Always
  Service: ANY
  Action: Accept
  NAT: Select NAT.
4 Select OK to save your changes.

Adding more firewall policies

In most cases your firewall configuration includes more than just the default policy. However, the basic premise of creating redundant policies applies even as the firewall configuration becomes more complex. To configure the FortiWiFi unit to use multiple Internet connections you must add duplicate policies for connections between the internal network and both interfaces connected to the Internet. As well, as you add redundant policies, you must arrange them in both policy lists in the same order.

Restricting access to a single Internet connection

In some cases you might want to limit some traffic to only being able to use one Internet connection. For example, in the topology shown in Figure 7 on page 52 the organization might want its mail server to only be able to connect to the SMTP mail server of ISP1. To do this, you add a single Internal->WAN1 firewall policy for SMTP connections. Because redundant policies have not been added, SMTP traffic from the internal network is always connected to ISP1. If the connection to ISP1 fails, the SMTP connection is not available.

FortiWiFi-60 Installation and Configuration Guide Version 2.50

Transparent mode installation

This chapter describes how to install your FortiWiFi unit in Transparent mode.
If you want to install the FortiWiFi unit in NAT/Route mode, see NAT/Route mode installation on page 41. This chapter describes:

Preparing to configure Transparent mode
Using the setup wizard
Using the command line interface
Connecting the FortiWiFi unit to your networks
Completing the configuration
Transparent mode configuration examples

Preparing to configure Transparent mode

Use Table 20 to gather the information that you need to customize Transparent mode settings.

Table 20: Transparent mode settings

Administrator Password:
Management IP
  IP:              _____._____._____._____
  Netmask:         _____._____._____._____
  Default Gateway: _____._____._____._____
  The management IP address and netmask must be valid for the network from which you will manage the FortiWiFi unit. Add a default gateway if the FortiWiFi unit must connect to a router to reach the management computer.
DNS Settings
  Primary DNS Server:   _____._____._____._____
  Secondary DNS Server: _____._____._____._____

Wireless settings

If you are configuring wireless networking, use Table 21 to record the wireless Service Set ID (SSID) and channel. See Wireless configuration on page 120 for more information.

Table 21: Wireless settings (Optional)

  Geography: World / Americas / EMEA / Japan / Israel
  Channel:
  Security:  None / WEP
  SSID:
  WEP Key:
Using the setup wizard

From the web-based manager, you can use the setup wizard to create the initial configuration of your FortiWiFi unit. To connect to the web-based manager, see Connecting to the web-based manager on page 26.

Changing to Transparent mode

The first time that you connect to the FortiWiFi unit, it is configured to run in NAT/Route mode. To switch to Transparent mode using the web-based manager:

1 Go to System > Status.
2 Select Change to Transparent Mode.
3 Select Transparent in the Operation Mode list.
4 Select OK.

The FortiWiFi unit changes to Transparent mode. To reconnect to the web-based manager, change the IP address of your management computer to 10.10.10.2. Connect to the internal or DMZ interface and browse to https:// followed by the Transparent mode management IP address. The default FortiWiFi Transparent mode management IP address is 10.10.10.1.

Starting the setup wizard

1 Select Easy Setup Wizard (the middle button in the upper-right corner of the web-based manager).
2 Use the information that you gathered in Table 20 on page 59 to fill in the wizard fields. Select the Next button to step through the wizard pages.
3 Confirm your configuration settings and then select Finish and Close.

Reconnecting to the web-based manager

If you changed the IP address of the management interface while you were using the setup wizard, you must reconnect to the web-based manager using the new IP address. Browse to https:// followed by the new IP address of the management interface. Otherwise, you can reconnect to the web-based manager by browsing to https://10.10.10.1. If you connect to the management interface through a router, make sure that you have added a default gateway for that router to the management IP default gateway field.

Using the command line interface

As an alternative to the setup wizard, you can configure the FortiWiFi unit using the command line interface (CLI). To connect to the CLI, see Connecting to the command line interface (CLI) on page 27. Use the information that you gathered in Table 20 on page 59 to complete the following procedures.

Changing to Transparent mode

1 Log into the CLI if you are not already logged in.
2 Switch to Transparent mode. Enter:
set system opmode transparent After a few seconds, the login prompt appears. Type admin and press Enter. The following prompt appears:
Type ? for a list of commands. Confirm that the FortiWiFi unit has switched to Transparent mode. Enter:
get system status The CLI displays the status of the FortiWiFi unit. The last line shows the current operation mode. Operation mode: Transparent Configuring the Transparent mode management IP address 1 2 3 Log into the CLI if you are not already logged in. Set the management IP address and netmask to the IP address and netmask that you recorded in Table 20 on page 59. Enter:
set system management ip <IP address> <netmask>
Example set system management ip 10.10.10.2 255.255.255.0 Confirm that the address is correct. Enter:
get system management The CLI lists the management IP address and netmask. Configure the Transparent mode default gateway 1 2 Log into the CLI if you are not already logged in. Set the default route to the default gateway that you recorded in Table 20 on page 59. Enter:
set system route number <number> gateway <IP address>
Example set system route number 1 gw1 204.23.1.2 You have now completed the initial configuration of the FortiWiFi unit. FortiWiFi-60 Installation and Configuration Guide 61 Connecting the FortiWiFi unit to your networks Transparent mode installation Configuring wireless settings 1 2 Log into the CLI if you are not already logged in. Set the wireless configuration using the SSID and channel that you recorded in Table 21 on page 60. Enter:
set system interface wlan wireless geography {World | Americas
| EMEA | Israel | Japan} channel <channel_number> ssid
<ssid_name> security WEP key <WEP_key>
Example set system interface wlan wireless geography Americas channel 10 ssid My_SSID security WEP key My_Wep_Key Connecting the FortiWiFi unit to your networks When you have completed the initial configuration, you can connect the FortiWiFi unit between your internal network and the Internet using the Internal and WAN1 interfaces. You can also connect networks to the DMZ interface and the WAN2 interface. There are seven 10/100Base-TX connectors on the FortiWiFi-60:
Four Internal ports for connecting to your internal network, WAN1 for connecting to the Internet, DMZ and WAN2 which can be connected to networks. To connect the FortiWiFi unit running in Transparent mode:
Connect the Internal interface connectors to PCs and other network devices in your internal network. The Internal interface functions as a switch, allowing up to four devices to be connected to the internal network and the internal interface. Connect the WAN1 interface to the Internet. Connect to the public switch or router provided by your Internet Service Provider. If you are a DSL or cable subscriber, connect the WAN1 interface to the internal or LAN connection of your DSL or cable modem. Optionally connect the WAN2 and DMZ interfaces to other networks. 1 2 3 62 Fortinet Inc. Transparent mode installation Wireless configuration Figure 8: FortiWiFi-60 Transparent mode connections Internal Network Other Network Wireless Network Hub or Switch Internal D M Z Hub or Switch INTERNAL PWR WLAN 1 2 3 4 DMZ WAN1 WAN2 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 FortiWiFi-60 WAN1 Public Switch or Router Internet In Transparent mode, the FortiWiFi unit does not change the layer 3 topology. This means that all of its interfaces are on the same IP subnet and that it appears to other devices as a bridge. Typically, the FortiWiFi unit would be deployed in Transparent mode when it is intended to provide antivirus and content scanning behind an existing firewall solution. A FortiWiFi unit in Transparent mode can also perform firewalling. Even though it takes no part in the layer 3 topology, it can examine layer 3 header information and make decisions on whether to block or pass traffic. Wireless configuration Use the information in Wireless configuration on page 120 to complete the FortiWiFi-
60 wireless configuration. Completing the configuration Use the information in this section to complete the initial configuration of the FortiWiFi unit. FortiWiFi-60 Installation and Configuration Guide 63 Completing the configuration Transparent mode installation Setting the date and time For effective scheduling and logging, the FortiWiFi system date and time should be accurate. You can either manually set the date and time or you can configure the FortiWiFi unit to automatically keep its date and time correct by synchronizing with a Network Time Protocol (NTP) server. To set the FortiWiFi system date and time, see Setting system date and time on page 143. Enabling antivirus protection To enable antivirus protection to protect users on your internal network from downloading a virus from the Internet:
1 Go to Firewall > Policy > Internal->WAN1.
2 Select Edit to edit this policy.
3 Select Anti-Virus & Web filter to enable antivirus protection for this policy.
4 Select the Scan Content Profile.
5 Select OK to save your changes.

Registering your FortiWiFi
After purchasing and installing a new FortiWiFi unit, you can register the unit by going to System > Update > Support, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. Registration consists of entering your contact information and the serial numbers of the FortiWiFi units you or your organization have purchased. Registration is quick and easy. You can register multiple FortiWiFi units in a single session without re-entering your contact information. For more information about registration, see Registering FortiGate and FortiWiFi units on page 104.

Configuring virus and attack definition updates
You can configure the FortiWiFi unit to automatically check to see if new versions of the virus definitions and attack definitions are available. If it finds new versions, the FortiWiFi unit automatically downloads and installs the updated definitions. The FortiWiFi unit uses HTTPS on port 8890 to check for updates. The FortiWiFi WAN1 interface must have a path to the FortiResponse Distribution Network (FDN) using port 8890. To configure automatic virus and attack updates, see Updating antivirus and attack definitions on page 93.

Transparent mode configuration examples
A FortiWiFi unit operating in Transparent mode still requires a basic configuration to operate as a node on the IP network. As a minimum, the FortiWiFi unit must be configured with an IP address and subnet mask. These are used for management access and to allow the unit to receive antivirus and definitions updates. Also, the unit must have sufficient route information to reach:
- the management computer,
- the FortiResponse Distribution Network (FDN),
- a DNS server.
A route is required whenever the FortiWiFi unit connects to a router to reach a destination. If all of the destinations are located on the external network, you may be required to enter only a single default route. If, however, the network topology is more complex, you may be required to enter one or more static routes in addition to the default route. This section describes:
- Default routes and static routes
- Example default route to an external network
- Example static route to an external destination
- Example static route to an internal destination

Default routes and static routes
To create a route to a destination, you need to define an IP prefix which consists of an IP network address and a corresponding netmask value. A default route matches any prefix and forwards traffic to the next hop router (otherwise known as the default gateway). A static route matches a more specific prefix and forwards traffic to the next hop router.
Default route example:
    IP Prefix: 0.0.0.0 (IP address), 0.0.0.0 (Netmask)
    Next Hop: 192.168.1.2
Static route example:
    IP Prefix: 172.100.100.0 (IP address), 255.255.255.0 (Netmask)
    Next Hop: 192.168.1.2
Note: When adding routes to the FortiWiFi unit, add the default route last so that it appears on the bottom of the route list. This ensures that the unit will attempt to match more specific routes before selecting the default route.

Example default route to an external network
Figure 9 shows a FortiWiFi unit where all destinations, including the management computer, are located on the external network. To reach these destinations, the FortiWiFi unit must connect to the upstream router leading to the external network. To facilitate this connection, you must enter a single default route that points to the upstream router as the next hop/default gateway.

Figure 9: Default route to an external network (the figure shows the FortiWiFi-60 with management IP 192.168.1.1 and the internal network on its Internal interface, the upstream router with gateway IP 192.168.1.2, and the DNS server, the FortiResponse Distribution Network (FDN) and the management computer on the Internet side)

General configuration steps
1 Set the FortiWiFi unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiWiFi unit.
3 Configure the default route to the external network.

Web-based manager example configuration steps
To configure basic Transparent mode settings and a default route using the web-based manager:
1 Go to System > Status.
2 Select Change to Transparent Mode.
3 Select Transparent in the Operation Mode list.
4 Select OK. The FortiWiFi unit changes to Transparent mode.
5 Go to System > Network > Management.
6 Change the Management IP and Netmask:
    IP: 192.168.1.1
    Mask: 255.255.255.0
7 Select Apply.
8 Go to System > Network > Routing.
9 Select New to add the default route to the external network:
    Destination IP: 0.0.0.0
    Mask: 0.0.0.0
    Gateway: 192.168.1.2
10 Select OK.

CLI configuration steps
To configure the Fortinet basic settings and a default route using the CLI:
1 Change the system to operate in Transparent Mode.
    set system opmode transparent
2 Add the Management IP address and Netmask.
    set system management ip 192.168.1.1 255.255.255.0
3 Add the default route to the external network.
    set system route number 1 gw1 192.168.1.2

Example static route to an external destination
Figure 10 shows a FortiWiFi unit that requires routes to the FDN located on the external network. The FortiWiFi unit does not require routes to the DNS servers or management computer because they are located on the internal network. To connect to the FDN, you would typically enter a single default route to the external network. However, to provide an extra degree of security, you could enter static routes to a specific FortiResponse server in addition to a default route to the external network. If the static route becomes unavailable (perhaps because the IP address of the FortiResponse server changes) the FortiWiFi unit will still be able to receive antivirus and NIDS updates from the FDN using the default route.
Note: This is an example configuration only. To configure a static route, you require a destination IP address.

Figure 10: Static route to an external destination (the figure shows the FortiResponse Distribution Network (FDN) at 24.102.233.5 on the Internet, the upstream router with gateway IP 192.168.1.2, the FortiWiFi-60 with management IP 192.168.1.1, and the DNS server, the internal network and the management computer behind the Internal interface)

General configuration steps
1 Set the FortiWiFi unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiWiFi unit.
3 Configure the static route to the FortiResponse server.
4 Configure the default route to the external network.

Web-based manager example configuration steps
To configure the basic FortiWiFi settings and a static route using the web-based manager:
1 Go to System > Status.
2 Select Change to Transparent Mode.
3 Select Transparent in the Operation Mode list.
4 Select OK. The FortiWiFi unit changes to Transparent mode.
5 Go to System > Network > Management.
6 Change the Management IP and Netmask:
    IP: 192.168.1.1
    Mask: 255.255.255.0
7 Select Apply.
8 Go to System > Network > Routing.
9 Select New to add the static route to the FortiResponse server:
    Destination IP: 24.102.233.5
    Mask: 255.255.255.0
    Gateway: 192.168.1.2
10 Select OK.
11 Select New to add the default route to the external network:
    Destination IP: 0.0.0.0
    Mask: 0.0.0.0
    Gateway: 192.168.1.2
12 Select OK.

CLI configuration steps
To configure the Fortinet basic settings and a static route using the CLI:
1 Set the system to operate in Transparent Mode.
    set system opmode transparent
2 Add the Management IP address and Netmask.
    set system management ip 192.168.1.1 255.255.255.0
3 Add the static route to the primary FortiResponse server.
    set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 192.168.1.2
4 Add the default route to the external network.
    set system route number 2 gw1 192.168.1.2

Example static route to an internal destination
Figure 11 shows a FortiWiFi unit where the FDN is located on an external subnet and the management computer is located on a remote, internal subnet. To reach the FDN, you need to enter a single default route that points to the upstream router as the next hop/default gateway. To reach the management computer, you need to enter a single static route that leads directly to it. This route will point to the internal router as the next hop. (No route is required for the DNS servers because they are on the same layer 3 subnet as the FortiWiFi unit.)

Figure 11: Static route to an internal destination (the figure shows the FortiResponse Distribution Network (FDN) on the Internet, the upstream router with gateway IP 192.168.1.2, the FortiWiFi-60 with management IP 192.168.1.1, the DNS server and internal network A behind the Internal interface, and the internal router with gateway IP 192.168.1.3 leading to internal network B and the management computer at 172.16.1.11)

General configuration steps
1 Set the unit to operate in Transparent mode.
2 Configure the Management IP address and Netmask of the FortiWiFi unit.
3 Configure the static route to the management computer on the internal network.
4 Configure the default route to the external network.
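Added example, not from the Fortinet guide: a small Python model of the route-list behaviour the note under Default routes and static routes describes, using the addresses from Figure 11. It assumes, as that note states, that the unit walks the route list from the top and uses the first matching entry, so a default route placed above a static route shadows it; the Route class and the lookup(), shadowed_routes() and ordered_cli() helpers are this example's own names, not FortiWiFi commands.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    """One entry of the route list, as entered with 'set system route number ...'."""
    number: int       # position in the route list (1 = top of the list)
    dst: str          # destination IP as typed in the guide, e.g. "172.16.1.11"
    mask: str         # dotted netmask, e.g. "255.255.255.0"; "0.0.0.0" for the default route
    gateway: str      # next hop router (the gw1 value in the CLI examples)

    @property
    def network(self) -> ipaddress.IPv4Network:
        # Apply the netmask to the destination, so the host-form entry
        # 172.16.1.11 / 255.255.255.0 used in the guide becomes the prefix 172.16.1.0/24.
        return ipaddress.IPv4Network((self.dst, self.mask), strict=False)

    def cli(self, number: int) -> str:
        """Render the entry in the guide's CLI syntax (a default route carries no dst)."""
        if self.network.prefixlen == 0:
            return f"set system route number {number} gw1 {self.gateway}"
        return f"set system route number {number} dst {self.dst} {self.mask} gw1 {self.gateway}"


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """First-match lookup from the top of the route list down (assumed behaviour)."""
    ip = ipaddress.IPv4Address(destination)
    for route in sorted(routes, key=lambda r: r.number):
        if ip in route.network:
            return route
    return None  # no default route and no specific match


def shadowed_routes(routes: List[Route]) -> List[Route]:
    """Entries that can never be selected because an earlier entry already covers
    their whole prefix, for example a default route listed above a static route."""
    ordered = sorted(routes, key=lambda r: r.number)
    shadowed = []
    for i, later in enumerate(ordered):
        if any(later.network.subnet_of(earlier.network) for earlier in ordered[:i]):
            shadowed.append(later)
    return shadowed


def ordered_cli(routes: List[Route]) -> List[str]:
    """CLI lines with the most specific prefixes first and the default route last,
    renumbered from 1, which is the order the guide's note asks for."""
    by_specificity = sorted(routes, key=lambda r: r.network.prefixlen, reverse=True)
    return [route.cli(n) for n, route in enumerate(by_specificity, start=1)]


# Constructed from the Figure 11 example: static route to the management computer
# via the internal router, then the default route via the upstream router.
FIGURE_11_ROUTES = [
    Route(1, "172.16.1.11", "255.255.255.0", "192.168.1.3"),
    Route(2, "0.0.0.0", "0.0.0.0", "192.168.1.2"),
]

# The same two entries with the default route mistakenly placed first: management
# traffic is then sent to the upstream router and the static route is never used.
MISORDERED_ROUTES = [
    Route(1, "0.0.0.0", "0.0.0.0", "192.168.1.2"),
    Route(2, "172.16.1.11", "255.255.255.0", "192.168.1.3"),
]

if __name__ == "__main__":
    for name, routes in (("guide order", FIGURE_11_ROUTES), ("misordered", MISORDERED_ROUTES)):
        hit = lookup(routes, "172.16.1.11")
        print(f"{name}: management computer 172.16.1.11 -> next hop {hit.gateway}")
        for dead in shadowed_routes(routes):
            print(f"{name}: route {dead.number} ({dead.network}) is shadowed and never used")
    print("\n".join(ordered_cli(MISORDERED_ROUTES)))
```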
Web-based manager example configuration steps
To configure the FortiWiFi basic settings, a static route, and a default route using the web-based manager:
1 Go to System > Status.
2 Select Change to Transparent Mode.
3 Select Transparent in the Operation Mode list.
4 Select OK. The FortiWiFi unit changes to Transparent mode.
5 Go to System > Network > Management.
6 Change the Management IP and Netmask:
    IP: 192.168.1.1
    Mask: 255.255.255.0
7 Select Apply.
8 Go to System > Network > Routing.
9 Select New to add the static route to the management computer:
    Destination IP: 172.16.1.11
    Mask: 255.255.255.0
    Gateway: 192.168.1.3
10 Select OK.
11 Select New to add the default route to the external network:
    Destination IP: 0.0.0.0
    Mask: 0.0.0.0
    Gateway: 192.168.1.2
12 Select OK.

CLI configuration steps
To configure the FortiWiFi basic settings, a static route, and a default route using the CLI:
1 Set the system to operate in Transparent Mode.
    set system opmode transparent
2 Add the Management IP address and Netmask.
    set system management ip 192.168.1.1 255.255.255.0
3 Add the static route to the management computer.
    set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 192.168.1.3
4 Add the default route to the external network.
    set system route number 2 gw1 192.168.1.2

System status
You can connect to the web-based manager and view the current system status of the FortiWiFi unit. The status information that is displayed includes the current firmware version, the current virus and attack definitions, and the FortiWiFi unit serial number. If you log into the web-based manager using the admin administrator account, you can make any of the following changes to the FortiWiFi system settings:
- Changing the FortiWiFi host name
- Changing the FortiWiFi firmware
- Manual virus definition updates
- Manual attack definition updates
- Backing up system settings
- Restoring system settings
- Restoring system settings to factory defaults
- Changing to Transparent mode
- Changing to NAT/Route mode
- Restarting the FortiWiFi unit
- Shutting down the FortiWiFi unit
If you log into the web-based manager with another administrator account, you can view the system settings including:
- Displaying the FortiWiFi serial number
- Displaying the FortiWiFi up time
All administrative users can also go to the Monitor page and view FortiWiFi system status. System status displays FortiWiFi system health monitoring information, including CPU and memory status, session and network status (see System status). All administrative users can also go to the Session page and view the active communication sessions to and through the FortiWiFi unit (see Session list).

Changing the FortiWiFi host name
The FortiWiFi host name appears on the Status page and in the FortiWiFi CLI prompt. The host name is also used as the SNMP system name. For information about the SNMP system name, see Configuring SNMP on page 147. The default host name is FortiWiFi-60.
To change the FortiWiFi host name
1 Go to System > Status.
2 Select Edit Host Name.
3 Type a new host name.
4 Select OK.
The new host name is displayed on the Status page, and in the CLI prompt, and is added to the SNMP System Name.

Changing the FortiWiFi firmware
After you download a FortiWiFi firmware image from Fortinet, you can use the procedures listed in Table 1 to install the firmware image on your FortiWiFi unit.

Table 1: Firmware upgrade procedures
Upgrading to a new firmware version
    Commonly-used web-based manager and CLI procedures to upgrade to a new FortiOS firmware version or to a more recent build of the same firmware version.
Reverting to a previous firmware version
    Use the web-based manager or CLI procedure to revert to a previous firmware version. This procedure reverts the FortiWiFi unit to its factory default configuration.
Installing firmware images from a system reboot using the CLI
    Use this procedure to install a new firmware version or revert to a previous firmware version. You must run this procedure by connecting to the CLI using the FortiWiFi console port and a null-modem cable. This procedure reverts the FortiWiFi unit to its factory default configuration.
Testing a new firmware image before installing it
    Use this procedure to test a new firmware image before installing it. You must run this procedure by connecting to the CLI using the FortiWiFi console port and a null-modem cable. This procedure temporarily installs a new firmware image using your current configuration. You can test the firmware image before installing it permanently. If the firmware image works correctly you can use one of the other procedures listed in this table to install it permanently.

Upgrading to a new firmware version
Use the following procedures to upgrade the FortiWiFi unit to a newer firmware version.

Upgrading the firmware using the web-based manager
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure Manually initiating antivirus and attack definitions updates on page 95 to make sure that antivirus and attack definitions are up to date.
To upgrade the firmware using the web-based manager
1 Copy the firmware image file to your management computer.
2 Log into the web-based manager as the admin administrative user.
3 Go to System > Status.
4 Select Firmware Upgrade.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK. The FortiWiFi unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiWiFi login. This process takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm that the firmware upgrade is successfully installed.
9 Update antivirus and attack definitions.
For information about antivirus and attack definitions, see Manually initiating antivirus and attack definitions updates on page 95.

Upgrading the firmware using the CLI
To use the following procedure you must have a TFTP server that the FortiWiFi unit can connect to.
Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure Manually initiating antivirus and attack definitions updates on page 95 to make sure that antivirus and attack definitions are up to date. You can also use the CLI command execute updatecenter updatenow to update the antivirus and attack definitions.
To upgrade the firmware using the CLI
1 Make sure that the TFTP server is running.
2 Copy the new firmware image file to the root directory of the TFTP server.
3 Log into the CLI as the admin administrative user.
4 Make sure the FortiWiFi unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:
    execute ping 192.168.1.168
5 Enter the following command to copy the firmware image from the TFTP server to the FortiWiFi unit:
    execute restore image <name_str> <tftp_ip>
  Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:
    execute restore image FGT_300-v250-build045-FORTINET.out 192.168.1.168
  The FortiWiFi unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.
6 Reconnect to the CLI.
7 To confirm that the new firmware image is successfully installed, enter:
    get system status
8 Use the procedure Manually initiating antivirus and attack definitions updates on page 95 to update antivirus and attack definitions, or from the CLI, enter:
    execute updatecenter updatenow
9 To confirm that the antivirus and attack definitions are successfully updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information:
    get system objver

Reverting to a previous firmware version
Use the following procedures to revert your FortiWiFi unit to a previous firmware version.

Reverting to a previous firmware version using the web-based manager
The following procedures revert the FortiWiFi unit to its factory default configuration and delete NIDS user-defined signatures, web content lists, email filtering lists, and changes to replacement messages. Before beginning this procedure you can:
- Back up the FortiWiFi unit configuration. For information, see Backing up system settings on page 84.
- Back up the NIDS user-defined signatures. For information, see the FortiGate NIDS Guide.
- Back up web content and email filtering lists. For information, see the FortiGate Content Protection Guide.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore the previous configuration from the backup configuration file.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure Manually initiating antivirus and attack definitions updates on page 95 to make sure that antivirus and attack definitions are up to date.
To revert to a previous firmware version using the web-based manager
1 Copy the firmware image file to your management computer.
2 Log into the FortiWiFi web-based manager as the admin administrative user.
3 Go to System > Status.
4 Select Firmware Upgrade.
5 Type the path and filename of the previous firmware image file, or select Browse and locate the file.
6 Select OK. The FortiWiFi unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiWiFi login. This process takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm that the firmware is successfully installed.
9 Restore your configuration. For information about restoring your configuration, see Restoring system settings on page 84.
10 Update antivirus and attack definitions. For information about antivirus and attack definitions, see Manually initiating antivirus and attack definitions updates on page 95.

Reverting to a previous firmware version using the CLI
This procedure reverts your FortiWiFi unit to its factory default configuration and deletes NIDS user-defined signatures, web content lists, email filtering lists, and changes to replacement messages. Before beginning this procedure you can:
- Back up the FortiWiFi unit configuration using the command execute backup config.
- Back up the NIDS user defined signatures using the command execute backup nidsuserdefsig.
- Back up web content and email filtering lists. For information, see the FortiGate Content Protection Guide.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore your previous configuration from the backup configuration file.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure Manually initiating antivirus and attack definitions updates on page 95 to make sure that antivirus and attack definitions are up to date. You can also use the CLI command execute updatecenter updatenow to update the antivirus and attack definitions.
To use the following procedure you must have a TFTP server that the FortiWiFi unit can connect to.
To revert to a previous firmware version using the CLI
1 Make sure that the TFTP server is running.
2 Copy the new firmware image file to the root directory of the TFTP server.
3 Log into the FortiWiFi CLI as the admin administrative user.
4 Make sure the FortiWiFi unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
    execute ping 192.168.1.168
5 Enter the following command to copy the firmware image from the TFTP server to the FortiWiFi unit:
    execute restore image <name_str> <tftp_ip>
  Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:
    execute restore image FGT_300-v250-build045-FORTINET.out 192.168.1.168
  The FortiWiFi unit uploads the firmware image file. After the file uploads, a message similar to the following is displayed:
    Get image from tftp server OK.
    This operation will downgrade the current firmware version!
    Do you want to continue? (y/n)
6 Type Y. The FortiWiFi unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes.
7 Reconnect to the CLI.
8 To confirm that the new firmware image has been loaded, enter:
    get system status
9 Restore your previous configuration. Use the following command:
    execute restore config
10 Update antivirus and attack definitions. For information, see Manually initiating antivirus and attack definitions updates on page 95, or from the CLI, enter:
    execute updatecenter updatenow
11 To confirm that the antivirus and attack definitions have been updated, enter the following command to display the antivirus engine, virus and attack definitions version, contract expiry, and last update attempt information:
    get system objver

Installing firmware images from a system reboot using the CLI
This procedure installs a specified firmware image and resets the FortiWiFi unit to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware version. To perform this procedure you:
- access the CLI by connecting to the FortiWiFi console port using a null-modem cable,
- install a TFTP server that you can connect to from the FortiWiFi internal interface. The TFTP server should be on the same subnet as the internal interface.
Before beginning this procedure you can:
- Back up the FortiWiFi unit configuration. For information, see Backing up system settings on page 84.
- Back up the NIDS user defined signatures. For information, see the FortiGate NIDS Guide.
- Back up web content and email filtering lists. For information, see the FortiGate Content Protection Guide.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore your previous configuration from the backup configuration file.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure Manually initiating antivirus and attack definitions updates on page 95 to make sure that antivirus and attack definitions are up to date.
To install firmware from a system reboot
1 Connect to the CLI using the null-modem cable and FortiWiFi console port.
2 Make sure that the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
4 Make sure that the internal interface is connected to the same network as the TFTP server.
5 To confirm that the FortiWiFi unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168, enter:
    execute ping 192.168.1.168
6 Enter the following command to restart the FortiWiFi unit:
    execute reboot
  As the FortiWiFi unit starts, a series of system startup messages is displayed.
7 When the following message appears:
    Press any key to enter configuration menu..... .....
  Immediately press any key to interrupt the system startup.
  Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiWiFi unit reboots and you must log in and repeat the execute reboot command.
  If you successfully interrupt the startup process, the following message appears:
    [G]: Get firmware image from TFTP server.
    [F]: Format boot device.
    [B]: Boot with backup firmware and set as default.
    [Q]: Quit menu and continue to boot with default firmware.
    [H]: Display this list of options.
    Enter G,F,B,Q,or H:
8 Type G to get the new firmware image from the TFTP server.
9 Type the address of the TFTP server and press Enter. The following message appears:
    Enter Local Address [192.168.1.188]:
10 Type the address of the internal interface of the FortiWiFi unit and press Enter.
  Note: The local IP address is used only to download the firmware image. After the firmware is installed, the address of this interface is changed back to the default IP address for this interface.
  The following message appears:
    Enter File Name [image.out]:
11 Enter the firmware image filename and press Enter. The TFTP server uploads the firmware image file to the FortiWiFi unit and messages similar to the following are displayed:
    Save as Default firmware/Run image without saving:[D/R]
    Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
12 Type D. The FortiWiFi unit installs the new firmware image and restarts. The installation might take a few minutes to complete.

Restoring the previous configuration
Change the internal interface addresses if required. You can do this from the CLI using the command:
    set system interface
After changing the interface addresses, you can access the FortiWiFi unit from the web-based manager and restore the configuration. To restore the FortiWiFi unit configuration, see Restoring system settings on page 84. To restore NIDS user defined signatures, see Adding user-defined signatures on page 240. To restore web content filtering lists, see Restoring the Banned Word list on page 256 and Uploading a URL block list on page 258. To restore email filtering lists, see Uploading the email banned word list on page 269 and Uploading an email block list on page 271. If you are reverting to a previous firmware version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you might not be able to restore your previous configuration from the backup configuration file. Update the virus and attack definitions to the most recent version; see Manually initiating antivirus and attack definitions updates on page 95.

Testing a new firmware image before installing it
You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure the FortiWiFi unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time the FortiWiFi unit restarts, it operates with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently using the procedure Upgrading to a new firmware version on page 74. To run this procedure you:
- access the CLI by connecting to the FortiWiFi console port using a null-modem cable,
- install a TFTP server that you can connect to from the FortiWiFi internal interface. The TFTP server should be on the same subnet as the internal interface.

To test a new firmware image

1. Connect to the CLI using a null-modem cable and the FortiWiFi console port.
2. Make sure the TFTP server is running.
3. Copy the new firmware image file to the root directory of the TFTP server.
4. To confirm that the FortiWiFi unit can reach the TFTP server, ping the computer running it. For example, if the TFTP server's IP address is 192.168.1.168:

    execute ping 192.168.1.168

5. Enter the following command to restart the FortiWiFi unit:

    execute reboot

6. As the FortiWiFi unit starts, a series of system startup messages is displayed. When the following message appears, immediately press any key to interrupt the system startup:

    Press any key to enter configuration menu.....

   Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiWiFi unit reboots and you must log in and repeat the execute reboot command.

   If you successfully interrupt the startup process, the following menu appears:

    [G]: Get firmware image from TFTP server.
    [F]: Format boot device.
    [Q]: Quit menu and continue to boot with default firmware.
    [H]: Display this list of options.
    Enter G,F,Q,or H:

7. Type G to get the new firmware image from the TFTP server.
8. Type the address of the TFTP server and press Enter. The following message appears:

    Enter Local Address [192.168.1.188]:

9. Type the address of the internal interface of the FortiWiFi unit and press Enter.

    Note: The local IP address is used only to download the firmware image. After the firmware is installed, the address of this interface is changed back to the default IP address for this interface.

    The following message appears:

    Enter File Name [image.out]:

10. Type the firmware image file name and press Enter. The FortiWiFi unit downloads the firmware image file from the TFTP server, and a message similar to the following appears:

    Save as Default firmware/Run image without saving:[D/R]

11. Type R. The firmware image is loaded into system memory and the FortiWiFi unit starts running the new firmware image, but with its current configuration.
12. Log into the CLI or the web-based manager using any administrative account.
13. To confirm that the new firmware image has been loaded, from the CLI enter:

    get system status

You can test the new firmware image as required.

Manual virus definition updates

The Status page of the FortiWiFi web-based manager displays the current installed versions of the FortiWiFi antivirus definitions.

Note: For information about configuring the FortiWiFi unit for automatic antivirus definitions updates, see Virus and attack definitions updates and registration on page 93. You can also manually start an antivirus definitions update by going to System > Update and selecting Update Now.

To update the antivirus definitions manually

1. Download the latest antivirus definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
2. Start the web-based manager and go to System > Status.
3. In the Antivirus Definitions Version section, select Definitions Update.
4. Type the path and filename for the antivirus definitions update file, or select Browse and locate the antivirus definitions update file.
5. Select OK to copy the antivirus definitions update file to the FortiWiFi unit. The FortiWiFi unit updates the antivirus definitions. This takes about 1 minute.
6. Go to System > Status to confirm that the Antivirus Definitions Version information has updated.

Manual attack definition updates

The Status page of the FortiWiFi web-based manager displays the current installed versions of the FortiWiFi Attack Definitions used by the Network Intrusion Detection System (NIDS).

Note: For information about configuring the FortiWiFi unit for automatic attack definitions updates, see Virus and attack definitions updates and registration on page 93. You can also manually start an attack definitions update by going to System > Update and selecting Update Now.
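Returning to the two firmware procedures earlier in this chapter (installing from a system reboot, which ends with D, and testing an image without saving it, which ends with R), the following is an added example and not code from the Fortinet guide or from FortiOS. It models the boot-menu prompts and the answers an operator gives, so the plan can be reviewed before anyone is at the console facing the 3-second window. The prompt texts are quoted from the guide; the wording of the TFTP server address prompt is not shown in the guide and is an assumption, the console transcript is constructed, and serial-port handling is deliberately left out so the logic runs offline.

```python
"""Answers for the FortiWiFi boot-menu exchange, kept reviewable before
anyone types them at the console.

Added example; this is not code from the Fortinet guide or from FortiOS.
It models the prompt/response sequence of the two firmware procedures in
this chapter (install from a system reboot, answer D; test an image
without saving, answer R). Prompt strings are quoted from the guide
except the TFTP server address prompt, whose exact wording the guide
does not show and which is an assumption here. The transcript at the
bottom is constructed. Serial-port wiring (pyserial, pexpect) is left
out on purpose so the logic runs offline.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BootPlan:
    tftp_server: str    # host running the TFTP server, same subnet as internal
    local_address: str  # temporary address for the internal interface
    image_file: str     # image in the TFTP server's root directory
    action: str         # "default" -> D, "backup" -> B, "run" -> R


ACTION_KEYS = {"default": "D", "backup": "B", "run": "R"}

# Prompts from the guide. The boot loader waits only 3 seconds at the
# first one, so a real driver must answer it without any delay.
ANY_KEY = "Press any key to enter configuration menu"
MENU = re.compile(r"^Enter (?:[A-Z],)+or H:")
TFTP_ADDR = re.compile(r"^Enter TFTP server address")   # assumed wording
LOCAL_ADDR = re.compile(r"^Enter Local Address")
FILE_NAME = re.compile(r"^Enter File Name")
SAVE = re.compile(r"without saving:\[(?P<keys>[A-Z/]+)\]$")


def answer(prompt, plan):
    """Return the keystrokes for one console line, or None if it is not a prompt."""
    line = prompt.strip()
    if line.startswith(ANY_KEY):
        return " "                      # any key interrupts the startup
    if MENU.search(line):
        return "G"                      # get the image from the TFTP server
    if TFTP_ADDR.search(line):
        return plan.tftp_server
    if LOCAL_ADDR.search(line):
        return plan.local_address
    if FILE_NAME.search(line):
        return plan.image_file
    m = SAVE.search(line)
    if m:
        key = ACTION_KEYS[plan.action]
        offered = m.group("keys").split("/")
        if key not in offered:
            # e.g. asking for the backup slot when only [D/R] is offered
            raise ValueError(f"{plan.action!r} not offered by prompt {line!r}")
        return key
    return None


def drive(transcript, plan):
    """Walk a console transcript and collect the (prompt, answer) pairs."""
    exchange = []
    for line in transcript:
        reply = answer(line, plan)
        if reply is not None:
            exchange.append((line.strip(), reply))
    return exchange


# Constructed transcript of the "test a new firmware image" menu variant.
TRANSCRIPT = [
    "System is starting...",                        # constructed banner
    "Press any key to enter configuration menu.....",
    "[G]: Get firmware image from TFTP server.",
    "[F]: Format boot device.",
    "[Q]: Quit menu and continue to boot with default firmware.",
    "[H]: Display this list of options.",
    "Enter G,F,Q,or H:",
    "Enter TFTP server address [192.168.1.168]:",   # assumed wording
    "Enter Local Address [192.168.1.188]:",
    "Enter File Name [image.out]:",
    "Save as Default firmware/Run image without saving:[D/R]",
]

if __name__ == "__main__":
    plan = BootPlan("192.168.1.168", "192.168.1.99", "image.out", "run")
    for prompt, reply in drive(TRANSCRIPT, plan):
        print(f"{prompt!r:60} -> {reply!r}")
```

Run it as a script to print the exchange for the test variant; set action to "default" for the permanent install. The ValueError on a [D/R] prompt covers the case where the plan asks for the backup slot but this loader variant does not offer B.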
To update the attack definitions manually

1. Download the latest attack definitions update file from Fortinet and copy it to the computer that you use to connect to the web-based manager.
2. Start the web-based manager and go to System > Status.
3. In the Attack Definitions Version section, select Definitions Update.
4. Type the path and filename for the attack definitions update file, or select Browse and locate the attack definitions update file.
5. Select OK to copy the attack definitions update file to the FortiWiFi unit. The FortiWiFi unit updates the attack definitions. This takes about 1 minute.
6. Go to System > Status to confirm that the Attack Definitions Version information has updated.

Displaying the FortiWiFi serial number

1. Go to System > Status. The serial number is displayed on the System Status page of the web-based manager.

The serial number is specific to the FortiWiFi unit and does not change with firmware upgrades.

Displaying the FortiWiFi up time

1. Go to System > Status. The FortiWiFi up time displays the time in days, hours, and minutes since the FortiWiFi unit was last started.

Backing up system settings

You can back up system settings by downloading them to a text file on the management computer. The file contains the complete FortiWiFi configuration, so store it where only administrators can read it.

To back up system settings

1. Go to System > Status.
2. Select System Settings Backup.
3. Select Backup System Settings.
4. Type a name and location for the file. The system settings file is backed up to the management computer.
5. Select Return to go back to the Status page.

Restoring system settings

You can restore system settings by uploading a previously downloaded system settings text file.

To restore system settings

1. Go to System > Status.
2. Select System Settings Restore.
3. Enter the path and filename of the system settings file, or select Browse and locate the file.
4. Select OK to restore the system settings file to the FortiWiFi unit. The FortiWiFi unit restarts, loading the new system settings.
5. Reconnect to the web-based manager and review your configuration to confirm that the uploaded system settings have taken effect.

Restoring system settings to factory defaults

Use the following procedure to restore system settings to the values set at the factory. This procedure does not change the firmware version or the antivirus or attack definitions.

Caution: This procedure deletes all changes that you have made to the FortiWiFi configuration and reverts the system to its original configuration, including resetting interface addresses.

To restore system settings to factory defaults

1. Go to System > Status.
2. Select Restore Factory Defaults.
3. Select OK to confirm. The FortiWiFi unit restarts with the configuration that it had when it was first powered on.
4. Reconnect to the web-based manager and review the system configuration to confirm that it has been reset to the default settings.

For information about restoring system settings, see Restoring system settings on page 84.

Changing to Transparent mode

Use the following procedure to change the FortiWiFi unit from NAT/Route mode to Transparent mode. After you change the FortiWiFi unit to Transparent mode, most of the configuration resets to Transparent mode factory defaults. The following items are not set to Transparent mode factory defaults:

- The admin administrator account password (see Adding and editing administrator accounts on page 145)
- Custom replacement messages (see Replacement messages on page 155)

To change to Transparent mode

1. Go to System > Status.
2. Select Change to Transparent Mode.
3. Select Transparent in the operation mode list.
4. Select OK. The FortiWiFi unit changes operation mode.
5. To reconnect to the web-based manager, connect to the interface configured for Transparent mode management access and browse to https:// followed by the Transparent mode management IP address. By default in Transparent mode, you can connect to the internal or DMZ interface. The default Transparent mode management IP address is 10.10.10.1.

Changing to NAT/Route mode

Use the following procedure to change the FortiWiFi unit from Transparent mode to NAT/Route mode. After you change the FortiWiFi unit to NAT/Route mode, most of the configuration resets to NAT/Route mode factory defaults. The following items are not set to NAT/Route mode factory defaults:

- The admin administrator account password (see Adding and editing administrator accounts on page 145)
- Custom replacement messages (see Replacement messages on page 155)

To change to NAT/Route mode

1. Go to System > Status.
2. Select Change to NAT Mode.
3. Select NAT/Route in the operation mode list.
4. Select OK. The FortiWiFi unit changes operation mode.
5. To reconnect to the web-based manager you must connect to the interface configured by default for management access. By default in NAT/Route mode, you can connect to the internal or DMZ interface. The default NAT/Route mode IP address of the internal interface is 192.168.1.99.

Restarting the FortiWiFi unit

1. Go to System > Status.
2. Select Restart. The FortiWiFi unit restarts.

Shutting down the FortiWiFi unit

You can restart the FortiWiFi unit after shutdown only by turning the power off and then on.

1. Go to System > Status.
2. Select Shutdown. The FortiWiFi unit shuts down and all traffic flow stops.

System status

You can use the system status monitor to display FortiWiFi system health information. The system health information includes memory usage, the number of active communication sessions, and the amount of network bandwidth currently in use. The web-based manager displays current statistics as well as statistics for the previous minute.

You can also view current virus and intrusion status. The web-based manager displays the current number of viruses and attacks as well as a graph of virus and attack levels over the previous 20 hours.

In each case you can set an automatic refresh interval that updates the display every 5 to 30 seconds. You can also refresh the display manually.

This section describes:
- Viewing CPU and memory status
- Viewing sessions and network status
- Viewing virus and intrusions status

Viewing CPU and memory status

Current CPU and memory status indicates how close the FortiWiFi unit is to running at full capacity.
The web-based manager displays CPU and memory usage for core processes only. CPU and memory use for management processes (for example, for HTTPS connections to the web-based manager) is excluded.

If CPU and memory use is low, the FortiWiFi unit is able to process much more network traffic than is currently running. If CPU and memory use is high, the FortiWiFi unit is performing near its full capacity. Putting additional demands on the system might cause traffic processing delays.

CPU and memory intensive processes, such as encrypting and decrypting IPSec VPN traffic, virus scanning, and processing high levels of network traffic containing small packets, increase CPU and memory usage.

To view CPU and memory status

1. Go to System > Status > Monitor. CPU & Memory status is displayed. The display includes bar graphs of current CPU and memory usage as well as line graphs of CPU and memory usage for the previous minute.
2. Set the automatic refresh interval and select Go to control how often the web-based manager updates the display. More frequent updates use system resources and increase network traffic. However, this occurs only while you are viewing the display in the web-based manager.
3. Select Refresh to manually update the information displayed.

Figure 1: CPU and memory status monitor

Viewing sessions and network status

Use the session and network status display to track how many network sessions the FortiWiFi unit is processing and to see what effect the number of sessions has on the available network bandwidth. Also, by comparing CPU and memory usage with session and network status you can see how much demand network traffic is putting on system resources.

The Sessions section displays the total number of sessions being processed by the FortiWiFi unit on all interfaces. It also displays the sessions as a percentage of the maximum number of sessions that the FortiWiFi unit is designed to support.

The Network utilization section displays the total network bandwidth being used through all FortiWiFi interfaces. It also displays network utilization as a percentage of the maximum network bandwidth that can be processed by the FortiWiFi unit.

To view sessions and network status

1. Go to System > Status > Monitor.
2. Select Sessions & Network. Sessions and network status is displayed. The display includes bar graphs of the current number of sessions and current network utilization as well as line graphs of session and network utilization for the last minute. The line graph scales are shown in the upper left corner of the graph.
3. Set the automatic refresh interval and select Go to control how often the web-based manager updates the display. More frequent updates use system resources and increase network traffic. However, this occurs only while you are viewing the display in the web-based manager.
4. Select Refresh to manually update the information displayed.

Figure 2: Sessions and network status monitor

Viewing virus and intrusions status

Use the virus and intrusions status display to track when viruses are found by the FortiWiFi antivirus system and when the NIDS detects a network-based attack.

To view virus and intrusions status

1. Go to System > Status > Monitor.
2. Select Virus & Intrusions. Virus and intrusions status is displayed. The display includes bar graphs of the number of viruses and intrusions detected per hour as well as line graphs of the number of viruses and intrusions detected for the last 20 hours. The line graph scales are shown in the upper right corner of the graph.
3. Set the automatic refresh interval and select Go to control how often the web-based manager updates the display. More frequent updates use system resources and increase network traffic. However, this occurs only while you are viewing the display in the web-based manager.
4. Select Refresh to manually update the information displayed.

Figure 3: Sessions and network status monitor

Session list

The session list displays information about the communications sessions currently being processed by the FortiWiFi unit. You can use the session list to view current sessions. FortiWiFi administrators with read and write permission and the FortiWiFi admin user can also stop active communication sessions.

To view the session list

1. Go to System > Status > Session. The web-based manager displays the total number of active sessions in the FortiWiFi unit session table and lists the top 16.
2. To navigate the list of sessions, select Page Up or Page Down.
3. Select Refresh to update the session list.
4. If you are logged in as an administrative user with read and write privileges or as the admin user, you can select Clear to stop an active session.

Each line of the session list displays the following information.

    Protocol   The service protocol of the connection, for example, udp, tcp, or icmp.
    From IP    The source IP address of the connection.
    From Port  The source port of the connection.
    To IP      The destination IP address of the connection.
    To Port    The destination port of the connection.
    Expire     The time, in seconds, before the connection expires.
    Clear      Stop an active communication session.

Figure 4: Example session list

Virus and attack definitions updates and registration

You can configure the FortiWiFi unit to connect to the FortiResponse Distribution Network (FDN) to update the antivirus and attack definitions and the antivirus engine. You have the following update options:
- Request updates from the FDN,
- Schedule updates to automatically request the latest versions hourly, daily, or weekly,
- Set Push updates so that the FDN contacts your FortiWiFi unit when a new update is available.

To receive scheduled updates and push updates, you must register the FortiWiFi unit on the Fortinet support web page.

This chapter describes:
- Updating antivirus and attack definitions
- Scheduling updates
- Enabling push updates
- Registering FortiGate and FortiWiFi units
- Updating registration information
- Registering a FortiWiFi unit after an RMA

Updating antivirus and attack definitions

You can configure the FortiWiFi unit to connect to the FortiResponse Distribution Network (FDN) to automatically receive the latest antivirus and attack definitions and antivirus engine updates. The FortiWiFi unit supports the following antivirus and attack definition update features:

- User-initiated updates from the FDN,
- Hourly, daily, or weekly scheduled antivirus and attack definition and antivirus engine updates from the FDN,
- Push updates from the FDN,
- Update status including version numbers, expiry dates, and update dates and times,
- Push updates through a NAT device.

The Update page on the web-based manager displays the following antivirus and attack definition update information.

    Version              Current antivirus engine, virus definition, and attack definition version numbers.
    Expiry date          Expiry date of your license for antivirus engine, virus definition, and attack definition updates.
    Last update attempt  Date and time on which the FortiWiFi unit last attempted to download antivirus engine, virus definition, and attack definition updates.
    Last update status   Success or failure of the last update attempt. No updates means the last update attempt was successful but no new updates were available. Update succeeded or similar messages mean the last update attempt was successful and new updates were installed. Other messages can indicate that the FortiWiFi unit was not able to connect to the FDN, or other error conditions.

This section describes:
- Connecting to the FortiResponse Distribution Network
- Manually initiating antivirus and attack definitions updates
- Configuring update logging

Connecting to the FortiResponse Distribution Network

Before the FortiWiFi unit can receive antivirus and attack updates, it must be able to connect to the FortiResponse Distribution Network (FDN). The FortiWiFi unit uses HTTPS on port 8890 to connect to the FDN. The FortiWiFi WAN1 interface must have a path to the Internet using port 8890. For information about configuring scheduled updates, see Scheduling updates on page 96.

You can also configure the FortiWiFi unit to allow push updates. Push update notifications are sent from the FDN to the FortiWiFi unit on UDP port 9443; the unit then downloads the update over its normal HTTPS connection to the FDN. To receive push updates, the FDN must have a path to the FortiWiFi WAN1 interface using UDP port 9443. For information about configuring push updates, see Enabling push updates on page 98.

The FDN is a world-wide network of FortiResponse Distribution Servers (FDSs). When the FortiWiFi unit connects to the FDN it connects to the nearest FDS. To do this, all FortiWiFi units are programmed with a list of FDS addresses sorted by nearest time zone according to the time zone configured for the FortiWiFi unit. To make sure the FortiWiFi unit receives updates from the nearest FDS, check that you have selected the correct time zone for your area.

To make sure the FortiWiFi unit can connect to the FDN

1. Go to System > Config > Time and make sure the time zone is set to the time zone for the region in which your FortiWiFi unit is located.
2. Go to System > Update.
3. Select Refresh. The FortiWiFi unit tests its connection to the FDN. The test results are displayed at the top of the System Update page.

Table 1: Connections to the FDN

    Connection                          Status         Comments
    FortiResponse Distribution Network  Available      The FortiWiFi unit can connect to the FDN. You can configure the FortiWiFi unit for scheduled updates. See Scheduling updates on page 96.
    FortiResponse Distribution Network  Not available  The FortiWiFi unit cannot connect to the FDN. You must configure your FortiWiFi unit and your network so that the FortiWiFi unit can connect to the Internet and to the FDN. For example, you may need to add routes to the FortiWiFi routing table or configure your network to allow the FortiWiFi unit to use HTTPS on port 8890 to connect to the Internet. You may also have to connect to an override FortiResponse server to receive updates. See Adding an override server on page 97.
    Push Update                         Available      The FDN can connect to the FortiWiFi unit to send push updates. You can configure the FortiWiFi unit to receive push updates. See Enabling push updates on page 98.
    Push Update                         Not available  The FDN cannot connect to the FortiWiFi unit to send push updates. Push updates may not be available if you have not registered the FortiWiFi unit (see Registering the FortiWiFi unit on page 105), if there is a NAT device installed between the FortiWiFi unit and the FDN (see Enabling push updates through a NAT device on page 100), or if your FortiWiFi unit connects to the Internet using a proxy server (see Enabling scheduled updates through a proxy server on page 98).

Manually initiating antivirus and attack definitions updates

You can use the following procedure to update the antivirus and attack definitions at any time. The FortiWiFi unit must be able to connect to the FDN or to an override FortiResponse server.

To update antivirus and attack definitions

1. Go to System > Update.
2. Select Update Now to update the antivirus and attack definitions.

If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following:

    Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update.

After a few minutes, if an update is available, the System Update page lists new version information for antivirus definitions, the antivirus engine, or attack definitions. The System Status page also displays new dates and version numbers for antivirus and attack definitions. Messages are recorded in the event log indicating whether the update was successful or not.

Configuring update logging

Use the following procedure to configure FortiWiFi logging to record log messages when the FortiWiFi unit updates antivirus and attack definitions. The update log messages are recorded in the FortiWiFi Event log.

To configure update logging

1. Go to Log&Report > Log Setting.
2. Select Config Policy for the type of logs that the FortiWiFi unit is configured to record. For information about recording logs, see Recording logs on page 273.
3. Select Update to record log messages when the FortiWiFi unit updates antivirus and attack definitions.
4. Select any of the following update log options.

    Failed Update      Records a log message whenever an update attempt fails.
    Successful Update  Records a log message whenever an update attempt is successful.
    FDN error          Records a log message whenever the FortiWiFi unit cannot connect to the FDN or receives an error message from the FDN.

5. Select OK.

Scheduling updates

The FortiWiFi unit can check for and download updated definitions hourly, daily, or weekly, according to a schedule that you specify.

This section describes:
- Enabling scheduled updates
- Adding an override server
- Enabling scheduled updates through a proxy server

Enabling scheduled updates

To enable scheduled updates

1. Go to System > Update.
2. Select the Scheduled Update check box.
3. Select one of the following to check for and download updates.

    Hourly  Once every 1 to 23 hours. Select the number of hours and minutes between each update request.
    Daily   Once a day. You can specify the time of day to check for updates.
    Weekly  Once a week. You can specify the day of the week and the time of day to check for updates.

4. Select Apply. The FortiWiFi unit starts the next scheduled update according to the new update schedule. Whenever the FortiWiFi unit runs a scheduled update, the event is recorded in the FortiWiFi event log.

Figure 1: Configuring automatic antivirus and attack definitions updates

Adding an override server

If you cannot connect to the FDN, or if your organization provides antivirus and attack updates using its own FortiResponse server, you can use the following procedure to add the IP address of an override FortiResponse server.

To add an override server

1. Go to System > Update.
2. Select the Use override server address check box.
3. Type the IP address of a FortiResponse server.
4. Select Apply. The FortiWiFi unit tests the connection to the override server. If the FortiResponse Distribution Network setting changes to Available, the FortiWiFi unit has successfully connected to the override server. If the FortiResponse Distribution Network setting stays at Not available, the FortiWiFi unit cannot connect to the override server. Check the FortiWiFi configuration and network configuration for settings that would prevent the FortiWiFi unit from connecting to the override FortiResponse server.
Enabling scheduled updates through a proxy server

If your FortiWiFi unit must connect to the Internet through a proxy server, you can use the set system autoupdate tunneling command to allow the FortiWiFi unit to connect (or tunnel) to the FDN through the proxy server. Using this command you can specify the IP address and port of the proxy server. If the proxy server requires authentication, you can also add the user name and password required by the proxy server to the autoupdate configuration. The full syntax for enabling updates through a proxy server is:

    set system autoupdate tunneling enable [address <proxy-address_ip> [port <proxy-port> [username <username_str> [password <password_str>]]]]

For example, if the IP address of the proxy server is 64.23.6.89 and its port is 8080, enter the following command:

    set system autoupdate tunneling enable address 64.23.6.89 port 8080

For more information about the set system autoupdate command, see Volume 6, FortiGate CLI Reference Guide.

The FortiWiFi unit connects to the proxy server using the HTTP CONNECT method, as described in RFC 2616. The FortiWiFi unit sends an HTTP CONNECT request to the proxy server (optionally with authentication information) specifying the IP address and port required to connect to the FDN. The proxy server establishes the connection to the FDN and passes information between the FortiWiFi unit and the FDN.

The CONNECT method is used mostly for tunneling SSL traffic. Some proxy servers do not allow CONNECT to any port; they restrict the allowed ports to the well-known port for HTTPS and perhaps some other similar services. Because FortiWiFi autoupdates use HTTPS on port 8890 to connect to the FDN, your proxy server might have to be configured to allow CONNECT to this port. The proxy user name and password become part of the FortiWiFi configuration, so protect configuration backups accordingly.

There are no special tunneling requirements if you have configured an override server address to connect to the FDN.

Enabling push updates

The FDN can push updates to FortiWiFi units to provide the fastest possible response to critical situations. You must register the FortiWiFi unit before it can receive push updates. See Registering the FortiWiFi unit on page 105.

When you configure a FortiWiFi unit to allow push updates, the FortiWiFi unit sends a SETUP message to the FDN. The next time a new antivirus engine, new antivirus definitions, or new attack definitions are released, the FDN notifies all FortiWiFi units that are configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiWiFi unit requests an update from the FDN.

Note: Push updates are not supported if the FortiWiFi unit must use a proxy server to connect to the FDN. For more information, see Enabling scheduled updates through a proxy server on page 98.
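The proxy tunnel described in Enabling scheduled updates through a proxy server, as an added example that is not code from the Fortinet guide or from FortiOS: it renders the tunneling command with the nesting the syntax line implies (port needs address, password needs username), builds the HTTP CONNECT request the guide says the unit sends, and classifies the proxy's reply so an operator can tell a port restriction from an authentication problem. Assumptions: the proxy accepts HTTP Basic credentials (the guide names no scheme), the FDS address 203.0.113.10 is a placeholder, and the proxy replies used in the test are constructed.

```python
"""HTTP CONNECT tunnelling for FortiWiFi autoupdates through a proxy.

Added example, not code from the Fortinet guide or from FortiOS. It
renders the "set system autoupdate tunneling" command, builds the
CONNECT request the guide says the unit sends (RFC 2616 section 9.9),
and classifies the proxy's reply. Assumptions: the proxy takes HTTP
Basic credentials (the guide names no scheme); the FDS address
203.0.113.10 is a placeholder; every proxy reply is constructed.
"""
import base64
import ipaddress

FDN_PORT = 8890  # HTTPS port the guide gives for connections to the FDN


def tunnel_command(address, port, username=None, password=None):
    """Render the CLI command; port needs address, password needs username."""
    ipaddress.IPv4Address(address)              # rejects a malformed address
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("proxy port out of range")
    if password is not None and username is None:
        raise ValueError("password requires username")
    words = ["set system autoupdate tunneling enable",
             "address", address, "port", str(port)]
    if username is not None:
        words += ["username", username]
        if password is not None:
            words += ["password", password]
    return " ".join(words)


def connect_request(fds_ip, proxy_user=None, proxy_pass=""):
    """Bytes the client sends to the proxy to open a tunnel to the FDS.

    Basic credentials are only base64, not encrypted: the proxy hop sees
    them in clear, which is why the CONNECT is normally followed by TLS.
    """
    target = f"{fds_ip}:{FDN_PORT}"
    lines = [f"CONNECT {target} HTTP/1.1", f"Host: {target}"]
    if proxy_user is not None:
        cred = f"{proxy_user}:{proxy_pass}".encode()
        lines.append("Proxy-Authorization: Basic " + base64.b64encode(cred).decode())
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def classify_reply(reply):
    """Map the proxy's status line to (code, operator guidance)."""
    status_line = reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
    fields = status_line.split(" ", 2)
    if len(fields) < 2 or not fields[0].startswith("HTTP/") or not fields[1].isdigit():
        return None, "not an HTTP reply: check the proxy address and port"
    code = int(fields[1])
    if code == 200:
        return code, "tunnel open: TLS to the FDS now runs inside it"
    if code == 407:
        return code, "proxy requires authentication: add username and password to the tunneling command"
    if code in (403, 405):
        return code, f"proxy refuses CONNECT to port {FDN_PORT}: allow that port on the proxy"
    return code, "unexpected proxy reply"


if __name__ == "__main__":
    print(tunnel_command("64.23.6.89", 8080))
    print(connect_request("203.0.113.10", "fw", "s3cret").decode())
    print(classify_reply(b"HTTP/1.1 200 Connection established\r\n\r\n"))
```

The 403/405 branch is the case the guide warns about: a proxy that only permits CONNECT to the well-known HTTPS port rejects the tunnel to 8890 before any TLS handshake, and the fix is on the proxy, not on the FortiWiFi unit.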
When the network configuration permits, configuring push updates is recommended in addition to configuring scheduled updates. On average the FortiWiFi unit receives new updates sooner through push updates than if the FortiWiFi unit receives only scheduled updates. However, scheduled updates make sure that the FortiWiFi unit receives the latest updates.

Enabling push updates is not recommended as the only method for obtaining updates. The FortiWiFi unit might not receive the push notification. Also, when the FortiWiFi unit receives a push notification it makes only one attempt to connect to the FDN and download updates.

This section describes:
Enabling push updates
Push updates when FortiWiFi IP addresses change
Enabling push updates through a NAT device

Enabling push updates

To enable push updates
1 Go to System > Update.
2 Select Allow Push Update.
3 Select Apply.

Push updates when FortiWiFi IP addresses change

The SETUP message that the FortiWiFi unit sends when you enable push updates includes the IP address of the FortiWiFi interface that the FDN connects to. If your FortiWiFi unit is running in NAT/Route mode, the SETUP message includes the FortiWiFi WAN1 IP address. If your FortiWiFi unit is running in Transparent mode, the SETUP message includes the FortiWiFi management IP address. The FDN must be able to connect to this IP address for your FortiWiFi unit to be able to receive push update messages. If your FortiWiFi unit is behind a NAT device, see Enabling push updates through a NAT device on page 100.

Whenever the WAN1 IP address of the FortiWiFi unit changes, the FortiWiFi unit sends a new SETUP message to notify the FDN of the address change. As long as the FortiWiFi unit sends this SETUP message and the FDN receives it, the FDN can maintain the most up-to-date WAN1 IP address for the FortiWiFi unit. The FortiWiFi unit sends the SETUP message if you change the WAN1 IP address manually or if you have set the WAN1 interface addressing mode to DHCP or PPPoE and your DHCP or PPPoE server changes the IP address. If you have redundant connections to the Internet, the FortiWiFi unit also sends the SETUP message when one Internet connection goes down and the FortiWiFi unit fails over to the other Internet connection.

In Transparent mode, if you change the management IP address, the FortiWiFi unit also sends the SETUP message to notify the FDN of the address change.
Enabling push updates through a NAT device

If the FDN can connect to the FortiWiFi unit only through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update configuration. Using port forwarding, the FDN connects to the FortiWiFi unit using either port 9443 or an override push port that you specify.

Note: You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (for example, set using PPPoE or DHCP).

Example: push updates through a NAT device

This example describes how to configure a FortiWiFi NAT device to forward push updates to a FortiWiFi unit installed on its internal network. For the FortiWiFi unit on the internal network to receive push updates, the FortiWiFi NAT device must be configured with a port forwarding virtual IP. This virtual IP maps the IP address of the external interface of the FortiWiFi NAT device and a custom port to the IP address of the FortiWiFi unit on the internal network. This IP address can either be the external IP address of the FortiWiFi unit if it is operating in NAT/Route mode, or the Management IP address of the FortiWiFi unit if it is operating in Transparent mode.

Note: This example describes the configuration for a FortiWiFi NAT device. However, you can use any NAT device with a static external IP address that can be configured for port forwarding.

General procedure

Use the following steps to configure the FortiWiFi NAT device and the FortiWiFi unit on the internal network so that the FortiWiFi unit on the internal network can receive push updates:
1 Add a port forwarding virtual IP to the FortiWiFi NAT device.
2 Add a firewall policy to the FortiWiFi NAT device that includes the port forwarding virtual IP.
3 Configure the FortiWiFi unit on the internal network with an override push IP and port.

Note: Before completing the following procedure, you should register the internal network FortiWiFi unit so that it can receive push updates.

Figure 2: Example network topology: Push updates through a NAT device (the FDN pushes updates across the Internet to IP address 64.230.123.149 and port 45001 on the FortiGate-300 NAT device; the virtual IP maps 64.230.123.149:45001 to 192.168.1.99:9443, the external IP or management IP of the FortiWiFi-60A on the internal network)

Adding a port forwarding virtual IP to the FortiWiFi NAT device

Use the following procedure to configure a FortiWiFi NAT device to use port forwarding to forward push update connections from the FDN to a FortiWiFi unit on the internal network.

To configure the FortiWiFi NAT device
1 Go to Firewall > Virtual IP.
2 Select New.
3 Type a name for the virtual IP.
4 In the External Interface section, select the external interface that the FDN connects to. For the example topology, select the external interface.
5 In the Type section, select Port Forwarding.
6 In the External IP Address section, type the external IP address that the FDN connects to. For the example topology, enter 64.230.123.149.
7 Type the External Service Port that the FDN connects to. For the example topology, enter 45001.
8 In the Map to IP section, type the IP address of the FortiWiFi unit on the internal network.
If the FortiWiFi unit is operating in NAT/Route mode, enter the IP address of the external interface. If the FortiWiFi unit is operating in Transparent mode, enter the management IP address. For the example topology, enter 192.168.1.99.
9 Set the Map to Port to 9443.
10 Set Protocol to UDP.
11 Select OK.

Figure 3: Push update port forwarding virtual IP

Adding a firewall policy for the port forwarding virtual IP

To configure the FortiWiFi NAT device
1 Add a new external to internal firewall policy.
2 Configure the policy with the following settings:
    Source: External_All
    Destination: The virtual IP added above.
    Schedule: Always
    Service: ANY
    Action: Accept
    NAT: Selected.
3 Select OK.

Configuring the FortiWiFi unit with an override push IP and port

To configure the FortiWiFi unit on the internal network
1 Go to System > Update.
2 Select the Allow Push Update check box.
3 Select the Use override push check box.
4 Set IP to the external IP address added to the virtual IP. For the example topology, enter 64.230.123.149.
5 Set Port to the external service port added to the virtual IP. For the example topology, enter 45001.
6 Select Apply.
The FortiWiFi unit sends the override push IP address and port to the FDN. The FDN now uses this IP address and port for push updates to the FortiWiFi unit on the internal network. If the external IP address or external service port change, add the changes to the Use override push configuration and select Apply to update the push information on the FDN.

Figure 4: Example push update configuration

7 Select Apply.
8 You can select Refresh to make sure that push updates work. Push Update changes to Available.

Registering FortiGate and FortiWiFi units

After purchasing and installing a new FortiWiFi unit, you can register the unit using the web-based manager by going to the System Update Support page, or by using a web browser to connect to http://support.fortinet.com and selecting Product Registration.

Registration consists of entering your contact information and the serial numbers of the FortiGate and FortiWiFi units that you or your organization purchased. You can register multiple FortiGate and FortiWiFi units in a single session without re-entering your contact information. Once registration is completed, Fortinet sends a Support Login user name and password to your email address.
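The three pieces configured in the NAT example above (the port forwarding virtual IP, the firewall policy that references it, and the override push settings on the internal unit) checked against each other for consistency, as an added Python example that is not Fortinet code. The dictionary fields are constructed for this example and are not FortiOS configuration syntax; the sample values are those of the guide's example topology.

```python
"""Consistency check for push updates delivered through a NAT device.

Added example (not Fortinet code): models the virtual IP and firewall policy
on the NAT device and the override push settings on the internal unit, and
reports every mismatch that would stop the FDN's push notification arriving.
The dictionary layout is constructed for this example, not a FortiOS format.
"""

PUSH_PORT = 9443  # port the FDN connects to on the FortiWiFi unit (from the guide)

# Constructed from the guide's example topology (Figure 2).
vip = {
    "name": "push_update_vip",
    "external_interface": "external",
    "type": "port forwarding",
    "external_ip": "64.230.123.149",
    "external_port": 45001,
    "map_to_ip": "192.168.1.99",
    "map_to_port": 9443,
    "protocol": "UDP",
}
policy = {
    "source_interface": "external",
    "destination_interface": "internal",
    "source": "External_All",
    "destination": "push_update_vip",
    "schedule": "Always",
    "service": "ANY",
    "action": "Accept",
    "nat": True,
}
internal_unit = {
    "mode": "NAT/Route",            # or "Transparent"
    "wan1_ip": "192.168.1.99",       # address the FDN must reach in NAT/Route mode
    "management_ip": None,           # used instead when in Transparent mode
    "allow_push_update": True,
    "use_override_push": True,
    "override_ip": "64.230.123.149",
    "override_port": 45001,
}


def reachable_address(unit):
    """Address carried in the SETUP message: WAN1 in NAT/Route, management IP in Transparent."""
    return unit["wan1_ip"] if unit["mode"] == "NAT/Route" else unit["management_ip"]


def check_push_update_nat(vip, policy, unit, nat_external_addressing="manual"):
    """Return a list of findings; an empty list means the three parts agree."""
    findings = []
    if nat_external_addressing.lower() in ("dhcp", "pppoe"):
        findings.append("NAT device external IP is dynamic; push through NAT needs a static address")
    if vip["type"].lower() != "port forwarding":
        findings.append("virtual IP must be of type Port Forwarding")
    if vip["protocol"].upper() != "UDP":
        findings.append("virtual IP protocol must be UDP")
    if vip["map_to_port"] != PUSH_PORT:
        findings.append(f"virtual IP must map to port {PUSH_PORT} on the internal unit")
    if vip["map_to_ip"] != reachable_address(unit):
        findings.append("virtual IP Map to IP does not match the internal unit's reachable address")
    if policy["destination"] != vip["name"]:
        findings.append("firewall policy destination must be the port forwarding virtual IP")
    if (policy["source_interface"], policy["destination_interface"]) != (vip["external_interface"], "internal"):
        findings.append("firewall policy must be external to internal on the VIP's external interface")
    if policy["action"] != "Accept":
        findings.append("firewall policy action must be Accept")
    if not policy["nat"]:
        findings.append("firewall policy must have NAT selected")
    if not unit["allow_push_update"]:
        findings.append("internal unit must have Allow Push Update enabled")
    if not unit["use_override_push"]:
        findings.append("internal unit must have Use override push enabled")
    elif (unit["override_ip"], unit["override_port"]) != (vip["external_ip"], vip["external_port"]):
        findings.append("override push IP/port must equal the virtual IP's external IP and service port")
    return findings


def forwarded_destination(vip, dst_ip, dst_port, protocol="UDP"):
    """Where a packet arriving at the NAT device's external side is forwarded, or None."""
    if (dst_ip, dst_port, protocol.upper()) == (vip["external_ip"], vip["external_port"], vip["protocol"].upper()):
        return vip["map_to_ip"], vip["map_to_port"]
    return None


if __name__ == "__main__":
    print(check_push_update_nat(vip, policy, internal_unit))      # []
    print(forwarded_destination(vip, "64.230.123.149", 45001))   # ('192.168.1.99', 9443)
    # Common mistake: entering the unit's listening port instead of the external service port.
    broken = dict(internal_unit, override_port=9443)
    print(check_push_update_nat(vip, policy, broken))
```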
You can use this user name and password to log on to the Fortinet support web site to:
View your list of registered FortiGate and FortiWiFi units
Register additional FortiGate and FortiWiFi units
Add or change FortiCare Support Contract numbers for each FortiGate and FortiWiFi unit
View and change registration information
Download virus and attack definitions updates
Download firmware upgrades
Modify registration information after an RMA

Soon you will also be able to:
Access Fortinet user documentation
Access the Fortinet knowledge base

All registration information is stored in the Fortinet Customer Support database. This information is used to make sure that your registered FortiGate and FortiWiFi units can be kept up to date. All information is strictly confidential. Fortinet does not share this information with any third-party organizations for any reason.

This section describes:
FortiCare Service Contracts
Registering the FortiWiFi unit

FortiCare Service Contracts

Owners of a new FortiGate and FortiWiFi unit are entitled to 90 days of technical support services. To continue receiving support services after the 90-day expiry date, you must purchase a FortiCare Support Contract from an authorized Fortinet reseller or distributor. Different levels of service are available so you can purchase the support that you need. For maximum network protection, Fortinet strongly recommends that all customers purchase a service contract that covers antivirus and attack definition updates. See your Fortinet reseller or distributor for details of packages and pricing.

To activate the FortiCare Support Contract, you must register the FortiGate and FortiWiFi unit and add the FortiCare Support Contract number to the registration information. You can also register the FortiGate and FortiWiFi unit without purchasing a FortiCare Support Contract. In that case, when you purchase a FortiCare Support Contract you can update the registration information to add the support contract number.

A single FortiCare Support Contract can cover multiple FortiGate and FortiWiFi units. You must enter the same service contract number for each of the FortiGate and FortiWiFi models covered by the service contract.

Registering the FortiWiFi unit

Before registering a FortiWiFi unit, you require the following information:
Your contact information including:
    First and last name
    Company name
    Email address (Your Fortinet support login user name and password will be sent to this email address.)
    Address
    Contact phone number
A security question and an answer to the security question. This information is used for password recovery. The security question should be a simple question that only you know the answer to. The answer should not be easy to guess.
The product model and serial number for each FortiWiFi unit that you want to register. The serial number is located on a label on the bottom of the FortiWiFi unit. You can view the serial number from the web-based manager by going to System > Status. The serial number is also available from the CLI using the get system status command.
FortiCare Support Contract numbers, if you purchased FortiCare Support Contracts for the FortiWiFi units that you want to register.

To register one or more FortiWiFi units
1 Go to System > Update > Support.
2 Enter your contact information on the product registration form.

Figure 5: Registering a FortiWiFi unit (contact information and security question)

3 Provide a security question and an answer to the security question.
4 Select the model number of the Product Model to register.
5 Enter the Serial Number of the FortiWiFi unit.
6 If you have purchased a FortiCare Support Contract for this FortiWiFi unit, enter the support contract number.

Figure 6: Registering a FortiGate unit (product information)

7 Select Finish.
If you have not entered a FortiCare Support Contract number (SCN) you can return to the previous page to enter the number. If you do not have a FortiCare Support Contract, you can select Continue to complete the registration. If you have entered a support contract number, a real-time validation is performed to verify that the SCN information matches the FortiWiFi unit. If the information does not match you can try entering it again.
A web page is displayed that contains detailed information about the Fortinet technical support services available to you for the registered FortiWiFi unit. Your Fortinet support user name and password are sent to the email address provided with your contact information.

Updating registration information

You can use your Fortinet support user name and password to log on to the Fortinet Support web site at any time to view or update your Fortinet support information.

This section describes:
Recovering a lost Fortinet support password
Viewing the list of registered FortiGate and FortiWiFi units
Registering a new FortiWiFi unit
Adding or changing a FortiCare Support Contract number
Changing your Fortinet support password
Changing your contact information or security question
Downloading virus and attack definitions updates

Recovering a lost Fortinet support password

If you provided a security question and answer when you registered on the Fortinet support web site, you can use the following procedure to receive a replacement password. If you did not provide a security question and answer, contact Fortinet technical support.

To recover a lost Fortinet support password
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name.
4 Select Forgot your password?
5 Enter your email address and select Submit.
The security question that you entered when you registered is displayed.
6 Enter the answer to your security question and select Get Password.
If you entered the correct answer to the security question, an email containing a new password is sent to your email address. You can use your current user name and this password to log into the Fortinet support web site.
7 Select Support Login.
8 When you receive your new password, enter your user name and new password to log into the Fortinet support web site.

Viewing the list of registered FortiGate and FortiWiFi units

To view the list of registered FortiGate units
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name and password.
4 Select Login.
5 Select View Products.
The list of FortiGate products that you have registered is displayed. For each FortiGate unit, the list includes the serial number and current support options for that unit.

Figure 7: Sample list of registered FortiGate units

Registering a new FortiWiFi unit

To register a new FortiWiFi unit
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name and password.
4 Select Login.
5 Select Add Registration.
6 Select the model number of the product model that you want to register.
7 Enter the serial number of the FortiWiFi unit.
8 If you have purchased a FortiCare Support Contract for this FortiWiFi unit, enter the support contract number.
9 Select Finish.
The list of FortiWiFi products that you have registered is displayed. The list now includes the new FortiWiFi unit.

Adding or changing a FortiCare Support Contract number

To add or change a FortiCare Support Contract number
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name and password.
4 Select Login.
5 Select Add/Change Contract number.
6 Select the Serial Number of the FortiWiFi unit for which to add or change a FortiCare Support Contract number.
7 Add the new Support Contract number.
8 Select Finish.
The list of FortiGate products that you have registered is displayed. The list now includes the new support contract information.

Changing your Fortinet support password

To change your Fortinet support password
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name and password.
4 Select Login.
5 Select My Profile.
6 Select Change Password.
7 Enter your current password.
8 Enter and confirm a new password.
An email is sent to your email address confirming that your password has been changed. Use your current user name and new password the next time you log into the Fortinet technical support web site.

Changing your contact information or security question

To change your contact information or security question
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name and password.
4 Select Login.
5 Select My Profile.
6 Select Edit Profile.
7 Make the required changes to your contact information.
8 Make the required changes to your security question and answer.
9 Select Update Profile.
Your changes are saved to the Fortinet technical support database. If you changed your contact information, the changes are displayed.

Downloading virus and attack definitions updates

Use the following procedure to manually download virus and attack definitions updates. This procedure also describes how to install the attack definitions updates on your FortiWiFi unit.

To download virus and attack definitions updates
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name and password.
4 Select Login.
5 Select Download Virus/Attack Update.
6 If required, select the FortiOS version.
7 Select the virus and attack definitions to download.

Figure 8: Downloading virus and attack definition updates

For information about how to install the downloaded files, see Manual virus definition updates on page 82 and Manual attack definition updates on page 83.

Registering a FortiWiFi unit after an RMA

The Return Material Authorization (RMA) process starts when a registered FortiWiFi unit does not work properly because of a hardware failure. If this happens while the FortiWiFi unit is protected by hardware coverage, you can return the FortiWiFi unit that is not functioning to your reseller or distributor. The RMA is recorded and you will receive a replacement unit. Fortinet adds the RMA information to the Fortinet support database. When you receive the replacement unit you can use the following procedure to update your product registration information.

To register a FortiWiFi unit after an RMA
1 Go to System > Update > Support.
2 Select Support Login.
3 Enter your Fortinet support user name and password to log in.
4 Select Add Registration.
5 Select the link to replace a unit with a new unit from an RMA.
6 Select Finish.
The list of FortiGate products that you have registered is displayed. The list now includes the replacement FortiGate unit. All support levels are transferred to the replacement unit.
FortiWiFi-60 Installation and Configuration Guide Version 2.50

Network configuration

You can use the System Network page to change any of the following FortiWiFi network settings:
Configuring interfaces
Adding DNS server IP addresses
Configuring routing
Configuring DHCP services
Configuring the modem interface
Wireless configuration

Configuring interfaces

Use the following procedures to configure FortiWiFi interfaces:
Viewing the interface list
Changing the administrative status of an interface
Configuring an interface with a manual IP address
Configuring an interface for DHCP
Configuring an interface for PPPoE
Adding a secondary IP address to an interface
Adding a ping server to an interface
Controlling administrative access to an interface
Changing the MTU size to improve network performance
Configuring traffic logging for connections to an interface
Configuring the management interface in Transparent mode
Wireless configuration

For information about configuring the modem interface, see Configuring the modem interface on page 129.

Viewing the interface list

To view the interface list
1 Go to System > Network > Interface.
The interface list is displayed. The interface list shows the following status information for all the FortiWiFi interfaces and VLAN subinterfaces:
The name of the interface
The IP address of the interface
The netmask of the interface
The administrative access configuration for the interface. See Controlling administrative access to an interface on page 117 for information about administrative access options.
The administrative status for the interface. If the administrative status is a green arrow, the interface is up and can accept network traffic. If the administrative status is a red arrow, the interface is administratively down and cannot accept traffic. To change the administrative status, see Changing the administrative status of an interface on page 114. For the modem interface, status indicates whether or not the modem is connected to a dialup account. If status is a green arrow, the modem is connected. If status is a red arrow, the modem is not connected. For more information about the modem interface, see Configuring the modem interface on page 129.

Changing the administrative status of an interface

You can use the following procedures to start an interface that is administratively down and stop an interface that is administratively up. You cannot use the following procedures for the modem interface.

To start up an interface that is administratively down
1 Go to System > Network > Interface.
The interface list is displayed.
2 Select Bring Up for the interface that you want to start.

To stop an interface that is administratively up
1 From the FortiWiFi CLI, enter the command:
set system interface <intf_str> config status down

You can only stop an interface that is administratively up from the FortiWiFi command line interface (CLI).

Configuring an interface with a manual IP address

You can change the static IP address of any FortiWiFi interface.

To change an interface with a manual IP address
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 Set Addressing Mode to Manual.
4 Change the IP address and Netmask as required.
The IP address of the interface must be on the same subnet as the network the interface is connecting to. Two interfaces cannot have the same IP address and cannot have IP addresses on the same subnet.
5 Select OK to save your changes.
If you changed the IP address of the interface to which you are connecting to manage the FortiWiFi unit, you must reconnect to the web-based manager using the new interface IP address.

Configuring an interface for DHCP

You can configure any FortiWiFi interface to use DHCP. If you configure the interface to use DHCP, the FortiWiFi unit automatically broadcasts a DHCP request. You can disable Connect to Server if you are configuring the FortiWiFi unit offline and you do not want the FortiWiFi unit to send the DHCP request. By default, the FortiWiFi unit also retrieves a default gateway IP address and DNS server IP addresses from the DHCP server. You can disable the option Retrieve default gateway and DNS from server if you do not want the DHCP server to configure these FortiWiFi settings.

To configure an interface for DHCP
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 In the Addressing Mode section, select DHCP.
4 Clear the Retrieve default gateway and DNS from server check box if you do not want the FortiWiFi unit to obtain a default gateway IP address and DNS server IP addresses from the DHCP server. By default, this option is enabled.
5 Clear the Connect to Server check box if you do not want the FortiWiFi unit to connect to the DHCP server. By default, this option is enabled.
6 Select Apply.
The FortiWiFi unit attempts to contact the DHCP server from the interface to set the IP address, netmask, default gateway IP address, and DNS server IP addresses.
7 Select Status to refresh the addressing mode status message. Possible messages:
    initializing: No activity.
    connecting: The FortiWiFi unit is attempting to connect to the DHCP server.
    connected: The FortiWiFi unit retrieves an IP address, netmask, and other settings from the DHCP server.
    failed: The FortiWiFi unit was unable to retrieve an IP address and other information from the DHCP server.
8 Select OK.

Configuring an interface for PPPoE

Use the following procedure to configure any FortiWiFi interface to use PPPoE. If you configure the interface to use PPPoE, the FortiWiFi unit automatically broadcasts a PPPoE request. You can disable Connect to Server if you are configuring the FortiWiFi unit offline and you do not want the FortiWiFi unit to send the PPPoE request. By default, the FortiWiFi unit also retrieves a default gateway IP address and DNS server IP addresses from the PPPoE server. You can disable the option Retrieve default gateway and DNS from server if you do not want the PPPoE server to configure these FortiWiFi settings.

To configure an interface for PPPoE
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 In the Addressing Mode section, select PPPoE.
4 Enter your PPPoE account User Name and Password.
5 Clear the Retrieve default gateway and DNS from server check box if you do not want the FortiWiFi unit to obtain a default gateway IP address and DNS server IP addresses from the PPPoE server. By default, this option is enabled.
6 Clear the Connect to Server check box if you do not want the FortiWiFi unit to connect to the PPPoE server. By default, this option is enabled.
7 Select Apply.
The FortiWiFi unit attempts to contact the PPPoE server from the interface to set the IP address, netmask, default gateway IP address, and DNS server IP addresses.
8 Select Status to refresh the addressing mode status message. Possible messages:
    initializing: No activity.
    connecting: The FortiWiFi unit is attempting to connect to the DHCP server.
    connected: The FortiWiFi unit retrieves an IP address, netmask, and other settings from the PPPoE server.
    failed: The FortiWiFi unit was unable to retrieve an IP address and other information from the PPPoE server.
9 Select OK.

Adding a secondary IP address to an interface

You can use the CLI to add a secondary IP address to any FortiWiFi interface. The secondary IP address cannot be the same as the primary IP address but it can be on the same subnet.

To add a secondary IP address from the CLI enter the command:
set system interface <intf_str> config secip <second_ip> <netmask_ip>

You can also configure management access and add a ping server to the secondary IP address:

set system interface <intf_str> config secallowaccess ping https ssh snmp http telnet
set system interface <intf_str> config secgwdetect enable

Adding a ping server to an interface

Add a ping server to an interface if you want the FortiWiFi unit to confirm connectivity with the next hop router on the network connected to the interface. Adding a ping server is required for routing failover. See Adding destination-based routes to the routing table on page 123.

To add a ping server to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 Set Ping Server to the IP address of the next hop router on the network connected to the interface.
4 Select the Enable check box.
The FortiWiFi unit uses dead gateway detection to ping the Ping Server IP address to make sure that the FortiWiFi unit can connect to this IP address. To configure dead gateway detection, see Modifying the Dead Gateway Detection settings on page 145.
5 Select OK to save the changes.

Controlling administrative access to an interface

For a FortiWiFi unit running in NAT/Route mode, you can control administrative access to an interface to control how administrators access the FortiWiFi unit and the FortiWiFi interfaces to which administrators can connect.

Controlling administrative access for an interface connected to the Internet allows remote administration of the FortiWiFi unit from any location on the Internet. However, allowing remote administration from the Internet could compromise the security of your FortiWiFi unit. You should avoid allowing administrative access for an interface connected to the Internet unless this is required for your configuration. To improve the security of a FortiWiFi unit that allows remote administration from the Internet:
Use secure administrative user passwords.
Change these passwords regularly.
Enable secure administrative access to this interface using only HTTPS or SSH.
Do not change the system idle timeout from the default value of 5 minutes (see To set the system idle timeout on page 144).

To configure administrative access in Transparent mode, see Configuring the management interface in Transparent mode on page 119.

To control administrative access to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 Select the Administrative Access methods for the interface.
    HTTPS: To allow secure HTTPS connections to the web-based manager through this interface.
    PING: If you want this interface to respond to pings. Use this setting to verify your installation and for testing.
    HTTP: To allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
    SSH: To allow SSH connections to the CLI through this interface.
    SNMP: To allow a remote SNMP manager to request SNMP information by connecting to this interface. See Configuring SNMP on page 147.
    TELNET: To allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
4 Select OK to save the changes.

Changing the MTU size to improve network performance

To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiWiFi unit transmits from any interface. Ideally, this MTU should be the same as the smallest MTU of all the networks between the FortiWiFi unit and the destination of the packets. If the packets that the FortiWiFi unit sends are larger, they are broken up or fragmented, which slows down transmission. Experiment by lowering the MTU to find an MTU size for best network performance.

To change the MTU size of the packets leaving an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 Select Override default MTU value (1500).
4 Set the MTU size (the maximum packet size). For manual and DHCP addressing mode the MTU size can be from 576 to 1500 bytes. For PPPoE addressing mode the MTU size can be from 576 to 1492 bytes.

Configuring traffic logging for connections to an interface

To configure traffic logging for connections to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Modify.
3 Select the Log check box to record log messages whenever a firewall policy accepts a connection to this interface.
4 Select OK to save the changes.

Configuring the management interface in Transparent mode

Configure the management interface in Transparent mode to set the management IP address of the FortiWiFi unit. Administrators connect to this IP address to administer the FortiWiFi unit. The FortiWiFi unit also uses this IP address to connect to the FDN for virus and attack updates (see Updating antivirus and attack definitions on page 93).

You can also configure the management interface to control how administrators connect to the FortiWiFi unit for administration and the FortiWiFi interfaces to which administrators can connect. Controlling administrative access to a FortiWiFi interface connected to the Internet allows remote administration of the FortiWiFi unit from any location on the Internet.
However, allowing remote administration from the Internet could compromise the security of the FortiWiFi unit. You should avoid allowing administrative access for an interface connected to the Internet unless this is required for your configuration. To improve the security of a FortiWiFi unit that allows remote administration from the Internet:
Use secure administrative user passwords, Change these passwords regularly, Enable secure administrative access to this interface using only HTTPS or SSH, Do not change the system idle timeout from the default value of 5 minutes (see To set the system idle timeout on page 144). To configure the management interface in Transparent mode Go to System > Network > Management. Change the Management IP and Netmask as required. This must be a valid IP address for the network that you want to manage the FortiWiFi unit from. Add a default gateway IP address if the FortiWiFi unit must connect to a default gateway to reach the management computer. Select the administrative access methods for each interface. HTTPS PING HTTP SSH SNMP TELNET To allow secure HTTPS connections to the web-based manager through this interface. If you want this interface to respond to pings. Use this setting to verify your installation and for testing. To allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party. To allow SSH connections to the CLI through this interface. To allow a remote SNMP manager to request SNMP information by connecting to this interface. See Configuring SNMP on page 147. To allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party. Select Log for each interface that you want to record log messages whenever a firewall policy accepts a connection to this interface. Select Apply to save the changes. 1 2 3 4 5 6 FortiWiFi-60 Installation and Configuration Guide 119 Configuring interfaces Network configuration Wireless configuration You can configure the FortiWiFi-60 WLAN interface so that users with wireless network cards can connect to this interface. From this wireless network users can connect through the FortiWiFi-60 to the Internet or to internal or DMZ networks. 
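The rules above (HTTP and Telnet are not secure, administrative access on an Internet-facing interface should be avoided unless required, the idle timeout should stay at 5 minutes, and the MTU limits per addressing mode) can be checked against an exported interface configuration. The following is an added example, not code from the guide or from Fortinet; the interface names, the addressing modes and the internet_facing flag are assumptions used to build the constructed sample.

```python
"""Added example (not from the FortiWiFi guide): lint per-interface settings
against the rules this section states. Sample interfaces are constructed."""
from dataclasses import dataclass, field
from typing import List

ADMIN_METHODS = {"HTTPS", "PING", "HTTP", "SSH", "SNMP", "TELNET"}
CLEARTEXT_METHODS = {"HTTP", "TELNET"}   # the guide: not secure, can be intercepted
# MTU limits (bytes) the guide gives for each addressing mode.
MTU_LIMITS = {"manual": (576, 1500), "dhcp": (576, 1500), "pppoe": (576, 1492)}
DEFAULT_IDLE_TIMEOUT_MIN = 5


@dataclass
class Interface:
    name: str
    mode: str                                  # manual, dhcp or pppoe
    mtu: int = 1500
    admin: set = field(default_factory=set)    # Administrative Access methods
    internet_facing: bool = False              # assumption: True for wan1/wan2


def lint_interface(iface: Interface) -> List[str]:
    """Return one finding per rule the interface violates (empty list = clean)."""
    findings = []
    for m in sorted(iface.admin - ADMIN_METHODS):
        findings.append(f"{iface.name}: unknown access method {m}")
    for m in sorted(iface.admin & CLEARTEXT_METHODS):
        findings.append(f"{iface.name}: {m} is not secure and can be intercepted; "
                        "allow only HTTPS or SSH")
    # PING is not an administrative method, so it does not count for this rule.
    if iface.internet_facing and (iface.admin & ADMIN_METHODS) - {"PING"}:
        findings.append(f"{iface.name}: administrative access on an Internet-facing "
                        "interface; disable it unless the configuration requires it")
    lo, hi = MTU_LIMITS[iface.mode]
    if not lo <= iface.mtu <= hi:
        findings.append(f"{iface.name}: MTU {iface.mtu} outside {lo}-{hi} "
                        f"allowed for {iface.mode} addressing")
    return findings


def lint(interfaces: List[Interface],
         idle_timeout_min: int = DEFAULT_IDLE_TIMEOUT_MIN) -> List[str]:
    """Lint the system idle timeout and every interface."""
    findings = []
    if idle_timeout_min != DEFAULT_IDLE_TIMEOUT_MIN:
        findings.append(f"system idle timeout is {idle_timeout_min} min; "
                        f"keep the default of {DEFAULT_IDLE_TIMEOUT_MIN}")
    for iface in interfaces:
        findings.extend(lint_interface(iface))
    return findings


# Constructed sample configuration (not from any real unit).
SAMPLE = [
    Interface("internal", "manual", admin={"HTTPS", "SSH", "PING"}),
    Interface("wan1", "pppoe", mtu=1500, admin={"HTTPS", "TELNET"}, internet_facing=True),
    Interface("wan2", "dhcp", admin={"PING"}, internet_facing=True),
]

if __name__ == "__main__":
    for finding in lint(SAMPLE, idle_timeout_min=30):
        print(finding)
```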
The FortiWiFi-60 supports the following wireless network standards:
- Wired Equivalent Privacy (WEP)
- IEEE 802.11b (2.4-GHz Band)
- IEEE 802.11g (2.4-GHz Band)
Configure wireless settings to select the country or region in which you are operating the FortiWiFi-60 and select the channel to use. You can also enable WEP, enter a WEP key, and change the SSID that the FortiWiFi-60 broadcasts.

To configure wireless settings
1. Go to System > Network > Interface.
2. For the wlan interface, select Modify.
3. Set Geography to your country or region.
4. Select a channel number for your FortiWiFi-60 wireless network. Users who wish to use the FortiWiFi-60 wireless network should configure their computers to use this channel for wireless networking.
5. Set Security to WEP and enter a WEP key. The key can be up to 26 hexadecimal digits (0-9 a-f).
6. Change the Service Set ID (SSID) as required. The SSID is the wireless network name that the FortiWiFi-60 broadcasts. Users who wish to use the FortiWiFi-60 wireless network should configure their computers to connect to the network that broadcasts this network name.
7. Select OK.

Table 2: IEEE 802.11b (2.4-GHz Band) channel numbers
Channel number   Frequency (MHz)
1                2412
2                2417
3                2422
4                2427
5                2432
6                2437
7                2442
8                2447
9                2452
10               2457
11               2462
12               2467
13               2472
14               2484
Regulatory areas listed in the original table: Americas, Israel, EMEA, Japan (the per-channel availability marks are omitted here).

Mexico is included in the Americas regulatory domain. Channels 1 through 8 are for indoor use only. Channels 9 through 11 can be used indoors and outdoors. You must make sure that the channel number complies with the regulatory standards of Mexico.

Table 3: IEEE 802.11g (2.4-GHz Band) channel numbers
Channel number   Frequency (MHz)
1                2412
2                2417
3                2422
4                2427
5                2432
6                2437
7                2442
8                2447
9                2452
10               2457
11               2462
12               2467
13               2472
14               2484
Regulatory areas listed in the original table, each with OFDM and CCK columns: Americas, EMEA, Israel, Japan (the per-channel availability marks are omitted here).

Adding DNS server IP addresses
Several FortiWiFi functions, including sending email alerts and URL blocking, use DNS. Use the following procedure to add the IP addresses of the DNS servers that your FortiWiFi unit can connect to. DNS server IP addresses are usually supplied by your ISP.

To add DNS server IP addresses
1. Go to System > Network > DNS.
2. Change the primary and secondary DNS server IP addresses as required.
3. Select Apply to save the changes.

Configuring routing
This section describes how to configure FortiWiFi routing. You can configure routing to add static routes from the FortiWiFi unit to local routers. Using policy routing you can increase the flexibility of FortiWiFi routing to support more advanced routing functions. You can also use routing to create a multiple Internet connection configuration that supports redundancy and load sharing between the two Internet connections. This section describes:
- Adding a default route
- Adding destination-based routes to the routing table
- Adding routes in Transparent mode
- Configuring the routing table
- Policy routing

Adding a default route
You can add a default route for network traffic leaving the external interface.

To add a default route
1. Go to System > Network > Routing Table.
2. Select New to add a new route.
3. Set the Source IP and Netmask to 0.0.0.0.
4. Set the Destination IP and Netmask to 0.0.0.0.
5. Set Gateway 1 to the IP address of the routing gateway that routes traffic to the Internet.
6. Select OK to save the default route.

Note: Only one default route can be active at a time. If two default routes are added to the routing table, only the default route closest to the top of the routing table is active.

Adding destination-based routes to the routing table
You can add destination-based routes to the FortiWiFi routing table to control the destination of traffic exiting the FortiWiFi unit. You configure routes by adding destination IP addresses and netmasks and adding gateways for these destination addresses. The gateways are the next hop routers to which to route traffic that matches the destination addresses in the route.

You can add one or two gateways to a route. If you add one gateway, the FortiWiFi unit routes the traffic to that gateway. You can add a second gateway to route traffic to the second gateway if the first gateway fails. To support routing failover, the IP address of each gateway must be added to the ping server of the interface connected to the same network as the gateway. For information about adding a ping server, see Adding a ping server to an interface on page 117.

To add destination-based routes to the routing table
1. Go to System > Network > Routing Table.
2. Select New to add a new route.
3. Type the Destination IP address and netmask for the route.
4. Add the IP address of Gateway #1.
   Gateway #1 is the IP address of the primary destination for the route. Gateway #1 must be on the same subnet as a FortiWiFi interface. If you are adding a static route from the FortiWiFi unit to a single destination router, you need to specify only one gateway.
5. Add the IP address of Gateway #2, if you want to route traffic to multiple gateways.
6. Set Device #1 to the FortiWiFi interface through which you want to route traffic to connect to Gateway #1.
   You can select the name of an interface or Auto (the default). If you select the name of an interface, the traffic is routed to that interface. If you select Auto the system selects the interface according to the following rules:
   - If the Gateway #1 IP address is on the same subnet as a FortiWiFi interface, the system sends the traffic to that interface.
   - If the Gateway #1 IP address is not on the same subnet as a FortiWiFi interface, the system routes the traffic to the WAN1 interface, using the default route.
   You can use Device #1 to send packets to an interface that is on a different subnet than the destination IP address of the packets without routing them using the default route.
7. Set Device #2 to the FortiWiFi interface through which to route traffic to connect to Gateway #2.
   You can select the name of an interface or Auto (the default). If you select the name of an interface, the traffic is routed to that interface. If you select Auto the system selects the interface according to the following rules:
   - If the Gateway #2 IP address is on the same subnet as a FortiWiFi interface, the system sends the traffic to that interface.
   - If the Gateway #2 IP address is not on the same subnet as a FortiWiFi interface, the system routes the traffic to the WAN1 interface, using the default route.
   You can use Device #2 to send packets to an interface that is on a different subnet than the destination IP address of the packets without routing them using the default route.
8. Select OK to save the route.

Note: Any two routes in the routing table must differ by something other than just the gateway to be simultaneously active. If two routes added to the routing table are identical except for their gateway IP addresses, only the route closer to the top of the routing table can be active.

Note: Arrange routes in the routing table from more specific to more general. For information about arranging routes in the routing table, see Configuring the routing table.

Adding routes in Transparent mode
Use the following procedure to add routes when operating the FortiWiFi unit in Transparent mode.

To add a route in Transparent mode
1. Go to System > Network > Routing.
2. Select New.
3. Enter the Destination IP address and Netmask for the route.
4. Enter the Gateway IP address for the route.
5. Select OK to save the new route.
6. Repeat steps 1 to 5 to add more routes as required.

Configuring the routing table
The routing table shows the destination IP address and mask of each route that you add, as well as the gateways and devices added to the route. The routing table also displays the gateway connection status. A green check mark indicates that the FortiWiFi unit has used the ping server and dead gateway detection to determine that it can connect to the gateway. A red X means that a connection cannot be established. A blue question mark means that the connection status is unknown. For more information, see Adding a ping server to an interface on page 117.

The FortiWiFi unit assigns routes using a best match algorithm based on the destination address of the packet and the destination address of the route. To select a route for a packet, the FortiWiFi unit searches the routing table for a route that best matches the destination address of the packet. If a match is not found, the FortiWiFi unit routes the packet using the default route.

To configure the routing table
1. Go to System > Network > Routing Table.
2. Choose the route that you want to move and select Move to to change its order in the routing table.
3. Type a number in the Move to field to specify where in the routing table to move the route and select OK.
4. Select Delete to delete a route from the routing table.

Figure 9: Routing table

Policy routing
Policy routing extends the functions of destination routing. Using policy routing you can route traffic based on the following:
- Destination address
- Source address
- Incoming or source interface
- Protocol, service type, or port range

Using policy routing you can build a routing policy database (RPDB) that selects the appropriate route for traffic by applying a set of routing rules. To select a route for traffic, the FortiWiFi unit matches the traffic with the policy routes added to the RPDB starting at the top of the list. The first policy route that matches is used to set the route for the traffic. The route supplies the next hop gateway as well as the FortiWiFi interface to be used by the traffic.

Packets are matched with policy routes before they are matched with destination routes. If a packet does not match a policy route, it is routed using destination routes.

The gateway added to a policy route must also be added to a destination route. When the FortiWiFi unit matches packets with a route in the RPDB, the FortiWiFi unit looks in the destination routing table for the gateway that was added to the policy route. If a match is found, the FortiWiFi unit routes the packet using the matched destination route. If a match is not found, the FortiWiFi unit routes the packet using normal routing. To find a route with a matching gateway, the FortiWiFi unit starts at the top of the destination routing table and searches until it finds the first matching destination route. This matched route is used to route the packet.

For policy routing examples, see Policy routing examples on page 56.

Policy routing command syntax
Configure policy routing using the following CLI command.

    set system route policy <route_int> src <source_ip>
        <source_mask> iifname <source-interface_name>
        dst <destination_ip> <destination_mask>
        oifname <destination-interface_name> protocol <protocol_int>
        port <low-port_int> <high-port_int> gw <gateway_ip>
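The route selection the routing sections above describe (RPDB searched top-down and first match wins; the policy route's gateway then looked up in the destination table; otherwise best-match destination routing with Gateway #2 failover and the Auto device rule; the default route last) can be traced with the following model. This is an added example, not code from the guide or from Fortinet; the interface names and subnets, the routes, the policy routes, and the packets are all constructed.

```python
"""Added example, not from the FortiWiFi guide: a model of the route selection
the guide describes. All interfaces, routes, policy routes and packets below
are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    dst: str                        # destination network; "0.0.0.0/0" is the default route
    gateway1: str
    gateway2: Optional[str] = None  # used only when Gateway #1 fails
    device1: str = "auto"
    device2: str = "auto"


@dataclass
class PolicyRoute:
    gw: str
    src: Optional[str] = None       # None means "any"
    dst: Optional[str] = None
    iifname: Optional[str] = None
    protocol: Optional[int] = None
    port: Optional[Tuple[int, int]] = None   # inclusive destination port range


@dataclass
class Packet:
    src: str
    dst: str
    iif: str
    protocol: int
    dport: int


# Constructed interface addresses, used for the Auto device rule.
INTERFACES = {"internal": "192.168.1.1/24", "dmz": "10.10.10.1/24",
              "wan1": "203.0.113.2/24", "wan2": "198.51.100.2/24"}


def auto_device(gateway: str) -> str:
    """Auto: the interface on the gateway's subnet, otherwise WAN1 via the default route."""
    for name, addr in INTERFACES.items():
        if ip_address(gateway) in ip_network(addr, strict=False):
            return name
    return "wan1"


def device_for(gateway: str, configured: str) -> str:
    return auto_device(gateway) if configured == "auto" else configured


def policy_matches(pr: PolicyRoute, pkt: Packet) -> bool:
    """A policy route matches on every field that is set; unset fields match anything."""
    if pr.src and ip_address(pkt.src) not in ip_network(pr.src, strict=False):
        return False
    if pr.dst and ip_address(pkt.dst) not in ip_network(pr.dst, strict=False):
        return False
    if pr.iifname and pr.iifname != pkt.iif:
        return False
    if pr.protocol is not None and pr.protocol != pkt.protocol:
        return False
    if pr.port and not pr.port[0] <= pkt.dport <= pr.port[1]:
        return False
    return True


def best_match(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; on a tie the route nearer the top of the table wins."""
    best, best_len = None, -1
    for r in routes:
        net = ip_network(r.dst, strict=False)
        if ip_address(dst) in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def select_route(rpdb: List[PolicyRoute], routes: List[Route], pkt: Packet,
                 gateway_up: Optional[Dict[str, bool]] = None):
    """Return (gateway, device) for pkt, or None if no route applies."""
    gateway_up = gateway_up or {}          # ping-server results; absent means up
    for pr in rpdb:                        # RPDB is searched top-down, first match wins
        if policy_matches(pr, pkt):
            for r in routes:               # first destination route naming that gateway
                if pr.gw == r.gateway1:
                    return pr.gw, device_for(pr.gw, r.device1)
                if pr.gw == r.gateway2:
                    return pr.gw, device_for(pr.gw, r.device2)
            break                          # no such destination route: normal routing
    r = best_match(routes, pkt.dst)
    if r is None:
        return None
    if gateway_up.get(r.gateway1, True) or r.gateway2 is None:
        return r.gateway1, device_for(r.gateway1, r.device1)
    return r.gateway2, device_for(r.gateway2, r.device2)   # failover to Gateway #2


# Constructed routing table (more specific first) and policy database.
ROUTES = [Route("10.1.0.0/16", "192.168.1.254", gateway2="10.10.10.254"),
          Route("0.0.0.0/0", "203.0.113.1")]
RPDB = [PolicyRoute(gw="10.10.10.254", src="192.168.1.0/24", protocol=6, port=(80, 80)),
        PolicyRoute(gw="172.16.0.1", protocol=17)]   # gateway in no destination route
```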
Complete policy routing command syntax is described in Volume 6: FortiGate CLI Reference Guide.

Configuring DHCP services
You can configure DHCP server or DHCP relay agent functionality on any FortiWiFi interface. A FortiWiFi interface can act as either a DHCP server or as a DHCP relay agent. An interface cannot provide both functions.

Note: To configure DHCP server or DHCP relay functionality on an interface, the FortiWiFi unit must be in NAT/Route mode and the interface must have a static IP address.

This section describes the following:
- Configuring a DHCP relay agent
- Configuring a DHCP server

Configuring a DHCP relay agent
In a DHCP relay configuration, the FortiWiFi unit forwards DHCP requests from DHCP clients through the FortiWiFi unit to a DHCP server. The FortiWiFi unit also returns responses from the DHCP server to the DHCP clients. The DHCP server must have a route to the FortiWiFi unit that is configured as the DHCP relay so that the packets sent by the DHCP server to the DHCP client arrive at the FortiWiFi unit performing DHCP relay.

To configure an interface as a DHCP relay agent
1. Go to System > Network > DHCP.
2. Select Service.
3. Select the interface to be the DHCP relay agent.
4. Select DHCP Relay Agent.
5. Enter the DHCP Server IP address.
6. Select Apply.

Configuring a DHCP server
As a DHCP server, the FortiWiFi unit dynamically assigns IP addresses to hosts located on connected subnets. You can configure a DHCP server for any FortiWiFi interface. You can also configure a DHCP server for more than one FortiWiFi interface. For each DHCP server configuration you can add multiple scopes (also called address scopes) so that the DHCP server can assign IP addresses to computers on multiple subnets. Use these procedures to configure an interface as a DHCP server:
- Adding a DHCP server to an interface
- Adding scopes to a DHCP server
- Adding a reserve IP to a DHCP server
- Viewing a DHCP server dynamic IP list

Adding a DHCP server to an interface
To add a DHCP server to an interface
1. Go to System > Network > DHCP.
2. Select Service.
3. Select an interface.
4. Select DHCP Server.
5. Select Apply.

Adding scopes to a DHCP server
If you have configured an interface as a DHCP server, the interface requires at least one scope (also called an address scope). The scope designates the starting IP and ending IP for the range of addresses that the FortiWiFi unit assigns to DHCP clients. You can add multiple scopes to an interface so that the DHCP server added to that interface can supply IP addresses to computers on multiple subnets.

Add multiple scopes if the DHCP server receives DHCP requests from subnets that are not connected directly to the FortiWiFi unit. In this case, the DHCP requests are sent to the FortiWiFi unit through DHCP relay. DHCP relay packets contain the DHCP relay IP, which is the IP address of the subnet from which the DHCP relay received the request. If the DHCP request received by the DHCP server is not forwarded by a DHCP relay, the DHCP server decides which scope to use based on the IP address of the interface that received the DHCP request; usually the scope with the same subnet as the interface. If the DHCP request received by the server is forwarded by a DHCP relay, the relay IP is used to select the scope.

To add a scope to a DHCP server
1. Go to System > Network > DHCP.
2. Select Address Scope.
3. Select an interface. You must configure the interface as a DHCP server before it can be selected.
4. Select New to add an address scope.
5. Configure the address scope.
   Scope Name      Enter the address scope name.
   IP Pool         Enter the starting IP and ending IP for the range of IP addresses that this DHCP server assigns to DHCP clients.
   Netmask         Enter the netmask that the DHCP server assigns to the DHCP clients.
   Lease Duration  Enter the interval, in days, hours and minutes, after which a DHCP client must ask the DHCP server for a new address. If you select Unlimited, DHCP leases never expire.
   Domain          Optionally enter the domain that the DHCP server assigns to the DHCP clients.
   Default Route   Enter the default route to be assigned to DHCP clients. The default route must be on the same subnet as the IP pool.
6. Select Advanced if you want to configure Advanced Options.
   DNS IP           Enter the addresses of up to 3 DNS servers that the DHCP server assigns to the DHCP clients.
   WINS Server IP   Add the IP addresses of one or two WINS servers to be assigned to DHCP clients.
   Exclusion Range  Optionally enter up to 4 exclusion ranges of IP addresses within the IP pool that cannot be assigned to DHCP clients.
7. Select OK.

Adding a reserve IP to a DHCP server
If you have configured an interface as a DHCP server, you can reserve an IP address for a particular device on the network according to the MAC address of the device. When you add the MAC address of a device and an IP address to the reserve IP list, the DHCP server always assigns this IP address to the device. To add a reserve IP you must first select the interface and scope to which you want to add the reserve IP.

To add a reserve IP to a DHCP server
1. Go to System > Network > DHCP.
2. Select Reserve IP.
3. Select an interface. You must configure the interface as a DHCP server before you can select it.
4. Select a scope. You must configure an address scope for the interface before you can select it.
5. Select New to add a reserved IP.
6. Configure the reserved IP.
   IP    Enter an IP address. The IP address must be within the IP pool added to the selected scope.
   MAC   Enter the MAC address of the device.
   Name  Optionally, specify a name for the IP and MAC address pair.
   Note: The reserved IP cannot be assigned to any other device. You can only add a given IP address or MAC address once.
7. Select OK.

Viewing a DHCP server dynamic IP list
You can view the list of IP addresses that the DHCP server has assigned, their corresponding MAC addresses, and the expiry time and date for these addresses.

To view a DHCP server dynamic IP list
1. Go to System > Network > DHCP.
2. Select Dynamic IP.
3. Select the interface for which you want to view the list.

Configuring the modem interface
You can connect a modem to the FortiWiFi unit and use it as either a backup interface or standalone interface. In backup mode, the modem interface automatically takes over from a selected ethernet interface when that ethernet interface is unavailable. In standalone mode, the modem interface is the connection from the FortiWiFi unit to the Internet. When connecting to the ISP, in either configuration, the FortiWiFi unit modem can automatically dial up to three dialup accounts until the modem connects to an ISP.
- Connecting a modem to the FortiWiFi unit
- Configuring modem settings
- Connecting to a dialup account
- Disconnecting the modem
- Viewing modem status
- Backup mode configuration
- Standalone mode configuration
- Adding firewall policies for modem connections

Connecting a modem to the FortiWiFi unit
The FortiWiFi unit can operate with most standard external serial interface modems that support standard Hayes AT commands. To connect, install a USB-to-serial converter between one of the two USB ports on the FortiWiFi unit and the serial port on the modem. The FortiWiFi unit does not support a direct USB connection between the two devices.
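The scope selection and assignment rules in the DHCP server section above (the relay IP, or else the receiving interface's IP, selects the scope; a reserved IP always goes to its MAC; exclusion ranges are never handed out; a given IP or MAC can be reserved only once) are modelled below. This is an added example, not code from the guide or from Fortinet; the interface address, scope names, pools and MAC addresses are constructed.

```python
"""Added example, not from the FortiWiFi guide: scope selection and address
assignment following the rules in Adding scopes to a DHCP server and Adding a
reserve IP to a DHCP server. All addresses and MACs are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass
class Scope:
    name: str
    pool_start: str
    pool_end: str
    netmask: str
    exclusions: List[Tuple[str, str]] = field(default_factory=list)  # up to 4 ranges
    reserved: Dict[str, str] = field(default_factory=dict)           # mac -> ip

    def subnet(self):
        return ip_network(f"{self.pool_start}/{self.netmask}", strict=False)

    def in_pool(self, ip: IPv4Address) -> bool:
        return ip_address(self.pool_start) <= ip <= ip_address(self.pool_end)

    def excluded(self, ip: IPv4Address) -> bool:
        return any(ip_address(a) <= ip <= ip_address(b) for a, b in self.exclusions)

    def pool(self) -> Iterator[IPv4Address]:
        for n in range(int(ip_address(self.pool_start)), int(ip_address(self.pool_end)) + 1):
            yield IPv4Address(n)


class DhcpServer:
    def __init__(self, interface_ip: str, scopes: List[Scope]):
        self.interface_ip = ip_address(interface_ip)   # IP of the receiving interface
        self.scopes = scopes
        self.leases: Dict[IPv4Address, str] = {}       # ip -> mac: the dynamic IP list

    def add_reserve(self, scope: Scope, mac: str, ip: str) -> None:
        """Reserve ip for mac; the IP must lie in the pool and each IP/MAC appears once."""
        addr = ip_address(ip)
        if not scope.in_pool(addr):
            raise ValueError("reserved IP must be within the scope's IP pool")
        for s in self.scopes:
            if mac in s.reserved or addr in {ip_address(v) for v in s.reserved.values()}:
                raise ValueError("IP address or MAC address already reserved")
        scope.reserved[mac] = ip

    def select_scope(self, relay_ip: Optional[str] = None) -> Optional[Scope]:
        """Relayed request: the relay IP picks the scope; otherwise the interface IP does."""
        key = ip_address(relay_ip) if relay_ip else self.interface_ip
        for s in self.scopes:
            if key in s.subnet():
                return s
        return None

    def assign(self, mac: str, relay_ip: Optional[str] = None) -> Optional[str]:
        """Return the IP handed to mac, or None if no scope applies or the pool is full."""
        scope = self.select_scope(relay_ip)
        if scope is None:
            return None
        if mac in scope.reserved:                       # a reservation always wins
            self.leases[ip_address(scope.reserved[mac])] = mac
            return scope.reserved[mac]
        for ip, holder in self.leases.items():          # renew an existing lease
            if holder == mac and scope.in_pool(ip):
                return str(ip)
        reserved_ips = {ip_address(v) for v in scope.reserved.values()}
        for ip in scope.pool():
            if scope.excluded(ip) or ip in reserved_ips or ip in self.leases:
                continue
            self.leases[ip] = mac
            return str(ip)
        return None                                     # pool exhausted


# Constructed configuration: one directly connected scope, one reached via DHCP relay.
LAN = Scope("lan", "192.168.1.10", "192.168.1.20", "255.255.255.0",
            exclusions=[("192.168.1.10", "192.168.1.11")])
BRANCH = Scope("branch", "10.20.0.100", "10.20.0.110", "255.255.255.0")
SERVER = DhcpServer("192.168.1.1", [LAN, BRANCH])
SERVER.add_reserve(LAN, "00:aa:bb:cc:dd:01", "192.168.1.15")
```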
Figure 10: Example modem interface network connection (FortiWiFi-60 USB connector, USB-to-serial converter, serial connector on an external V.92 modem, Internet)

Configuring modem settings
Configure modem settings so that the FortiWiFi unit uses the modem to connect to your ISP dialup accounts. You can configure the modem to connect to up to three dialup accounts. You can also enable and disable FortiWiFi modem support, configure how the modem dials, and select the FortiWiFi interface that the modem is redundant for.

To configure modem settings
1. Go to System > Network > Modem.
2. Select Enable USB Modem.
3. Change any of the following dialup connection settings:
   Redial Limit    The maximum number of times (1-10) that the FortiWiFi unit dials the ISP to restore an active connection on the modem interface. The default redial limit is 1. Select None to allow the modem to never stop redialing.
   Holddown Timer  For backup configurations. The time (1-60 seconds) that the FortiWiFi unit waits before switching from the modem interface to the primary interface, after the primary interface has been restored. The default is 1 second. Configure a higher value if you find the FortiWiFi unit switching repeatedly between the primary interface and the modem interface.
   Redundant for   To associate the modem interface with the ethernet interface that you want to either back up (backup configuration) or replace (standalone configuration).
4. Enter the following Dialup Account 1 settings:
   Phone Number  The phone number required to connect to the dialup account. Do not add spaces to the phone number. Make sure to include standard special characters for pauses, country codes, and other functions as required by your modem to connect to your dialup account.
   User Name     The user name (maximum 63 characters) sent to the ISP.
   Password      The password sent to the ISP.
5. If you have multiple dialup accounts, enter Phone Number, User Name, and Password for Dialup Account 2 and Dialup Account 3.
6. Select Apply.

Connecting to a dialup account
Use the following procedure to connect the modem to a dialup account.

To connect to a dialup account
1. Go to System > Network > Modem.
2. Select Enable USB Modem.
3. Make sure there is correct information in one or more Dialup Accounts.
4. Select Apply if you make any configuration changes.
5. Select Dial Up. The FortiWiFi unit initiates dialing into each dialup account in turn until the modem connects to an ISP.

Disconnecting the modem
Use the following procedure to disconnect the modem from a dialup account.

To disconnect the modem
1. Go to System > Network > Modem.
2. Select Hang Up if you want to disconnect from the dialup account.

Viewing modem status
To view the status of the modem connection go to System > Network > Modem. Modem status is one of the following:
   not active  The modem interface is not connected to the ISP.
   active      The modem interface is attempting to connect to the ISP, or is connected to the ISP.
A green check mark indicates the active dialup account. The IP address and netmask assigned to the modem interface appear on the System Network Interface page of the web-based manager.

Backup mode configuration
The modem interface in backup mode backs up a selected ethernet interface. If that ethernet interface disconnects from its network, the modem automatically dials the configured dialup accounts. When the modem connects to a dialup account, the FortiWiFi unit routes IP packets normally destined for the selected ethernet interface to the modem interface. The FortiWiFi unit disconnects the modem interface and switches back to the ethernet interface when the ethernet interface can again connect to its network.

For the FortiWiFi unit to be able to switch from an ethernet interface to the modem you must select the name of the interface in the modem configuration and configure a ping server for that interface. You must also configure firewall policies for connections between the modem interface and other FortiWiFi interfaces.

Note: Do not add policies for connections between the modem interface and the interface that the modem is backing up.

To configure backup mode
1. Go to System > Network > Modem.
2. From the Redundant for list, select the ethernet interface that you want the modem to back up.
3. Configure other modem settings as required. See Configuring modem settings on page 130.
4. Configure a ping server for the ethernet interface selected in step 2. See Adding a ping server to an interface on page 117.
5. Configure firewall policies for connections to the modem interface. See Adding firewall policies for modem connections on page 133.

Standalone mode configuration
In standalone mode, you manually connect the modem to a dialup account. The modem interface operates as the primary connection to the Internet. The FortiWiFi unit routes traffic through the modem interface, which remains permanently connected to the dialup account. If the connection to the dialup account fails, the FortiWiFi unit redials the modem. The modem redials the number of times specified by the redial limit, or until it connects to a dialup account.

In standalone mode the modem interface replaces the WAN1 or WAN2 ethernet interface. When configuring the modem, you must set Redundant for to the name of the ethernet interface that the modem interface replaces. You must also configure firewall policies for connections between the modem interface and other FortiWiFi interfaces.

Note: Do not add a default route to the ethernet interface that the modem interface replaces.

Note: Do not add firewall policies for connections between the ethernet interface that the modem replaces and other interfaces.

To operate in standalone mode
1. Go to System > Network > Modem.
2. From the Redundant for list, select the ethernet interface that the modem is replacing.
3. Configure other modem settings as required. See Configuring modem settings on page 130.
4. Make sure there is correct information in one or more Dialup Accounts. Select Dial Up. The FortiWiFi unit initiates dialing into each dialup account in turn until the modem connects to an ISP.
5. Configure firewall policies for connections to the modem interface. See Adding firewall policies for modem connections on page 133.

Adding firewall policies for modem connections
The modem interface requires firewall addresses and policies. You can add one or more addresses to the modem interface. For information about adding addresses, see Adding addresses on page 169.
When you add addresses, the modem interface appears on the policy grid. You can configure firewall policies to control the flow of packets between the modem interface and the other interfaces on the FortiWiFi unit. For information about adding firewall policies, see Adding firewall policies on page 162.

RIP configuration
The FortiWiFi implementation of the Routing Information Protocol (RIP) supports both RIP version 1 as defined by RFC 1058, and RIP version 2 as defined by RFC 2453. RIP version 2 enables RIP messages to carry more information, and to support simple authentication and subnet masks.

RIP is a distance-vector routing protocol intended for small, relatively homogeneous networks. RIP uses hop count as its routing metric. Each network is usually counted as one hop. The network diameter is limited to 15 hops.

This chapter describes how to configure FortiWiFi RIP:
- RIP settings
- Configuring RIP for FortiWiFi interfaces
- Adding RIP filters

RIP settings
To configure RIP on the FortiWiFi unit
1. Go to System > RIP > Settings.
2. Select Enable RIP.
   When you enable RIP, the FortiWiFi unit starts the RIP process. The FortiWiFi unit does not send or receive RIP packets until you enable RIP on at least one interface. For information about configuring RIP, see Configuring RIP for FortiWiFi interfaces on page 137.
3. Select Enable Advertise Default if you want RIP to always send the default route to neighbors whether or not the default route is in the static routing table. If you disable Advertise Default, RIP never sends the default route.
4. Change the following RIP default settings, as required. RIP defaults are effective in most configurations. You should only have to change these settings to troubleshoot problems with the RIP configuration.
   Default Metric  RIP uses the default metric to advertise routes learned from other routing protocols. Set Default Metric to a positive integer lower than 16 to advertise that metric for all routes learned from other routing protocols. The default setting for the Default Metric is 2.
   Input Queue     Change the depth of the RIP input queue. The higher the number, the deeper the input queue. Change the input queue depth to prevent loss of information from the routing table when you have a FortiWiFi unit sending at high speed to a router that cannot receive at high speed. The range is 0 to 1024. The default input queue depth is 50. A queue size of 0 means there is no input queue.
   Output Delay    Add a delay in milliseconds between packets in a multiple-packet RIP update. Add an output delay if you are configuring RIP on a FortiWiFi unit that could be sending packets to a router that cannot receive the packets at the rate the FortiWiFi unit is sending them. Output Delay can be from 8 to 50 milliseconds. The default output delay is 0 milliseconds.
5. Change the following RIP timer settings, as required. RIP timer defaults are effective in most configurations. You should only have to change these timers to troubleshoot network routing problems. All routers and access servers in the network should have the same RIP timer settings.
   Update    The time interval in seconds between RIP updates. The default is 30 seconds.
   Invalid   The time interval in seconds after which a route is declared invalid. Invalid should be at least three times the value of Update. During the invalid interval, after the first update is missed and before the invalid timer expires, the route is marked inaccessible and advertised as unreachable; however, the route is still used for forwarding packets. The invalid interval allows for the loss of one or more update packets before RIP considers the route unusable. If RIP receives an update for a route before the invalid timer expires, it resets the invalid timer to 0. The default for Invalid is 180 seconds.
   Holddown  The time interval in seconds during which RIP ignores routing information for a route. Holddown should be at least three times the value of Update. A route enters the holddown state when RIP receives an update packet indicating that a route is unreachable or when the invalid timer for the route expires. The holddown interval allows time for bad routing information to clear the network during network convergence. The route is marked inaccessible and advertised as unreachable and is no longer used for forwarding packets. The default for Holddown is 180 seconds.
   Flush     The time in seconds that must elapse after the last update for a route before RIP removes the route from the routing table. Flush should be greater than the value of Invalid to allow the route to go into the holddown state. The default for Flush is 240 seconds.
6. Select Apply to save the changes.
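The timer relationships in step 5 (Invalid and Holddown at least three times Update, Flush greater than Invalid) and the route states they produce (still forwarding after a missed update, not forwarding once in holddown, removed at Flush) can be traced with the model below. This is an added example, not code from the guide or from Fortinet; the route prefixes, metrics and timestamps are constructed, and the state names are this example's own labels for the states the guide describes.

```python
"""Added example, not from the FortiWiFi guide: a model of the RIP timers
described above (Update, Invalid, Holddown, Flush) and of how one learned route
moves between the states the guide names. Prefixes and times are constructed."""
from dataclasses import dataclass
from typing import List, Optional

UNREACHABLE = 16   # RIP metric meaning "infinity"


@dataclass(frozen=True)
class RipTimers:
    update: int = 30       # seconds between RIP updates (guide defaults)
    invalid: int = 180
    holddown: int = 180
    flush: int = 240


def check_timers(t: RipTimers) -> List[str]:
    """Return the guide's timer constraints that this timer set violates."""
    problems = []
    if t.invalid < 3 * t.update:
        problems.append("Invalid should be at least three times Update")
    if t.holddown < 3 * t.update:
        problems.append("Holddown should be at least three times Update")
    if t.flush <= t.invalid:
        problems.append("Flush should be greater than Invalid so the route can enter holddown")
    return problems


class RipRoute:
    """One route learned from a neighbour, tracked against the timers."""

    def __init__(self, prefix: str, metric: int, now: int,
                 timers: RipTimers = RipTimers()):
        self.prefix, self.metric, self.t = prefix, metric, timers
        self.last_update = now                 # time of the last accepted update
        self.holddown_since: Optional[int] = None   # set by an unreachable update

    def in_holddown(self, now: int) -> bool:
        return (self.holddown_since is not None
                and now - self.holddown_since < self.t.holddown)

    def state(self, now: int) -> str:
        age = now - self.last_update           # the invalid/flush timers count from here
        if age >= self.t.flush:
            return "flushed"                   # removed from the routing table
        if self.in_holddown(now) or age >= self.t.invalid:
            return "holddown"                  # advertised unreachable, not used for forwarding
        if age > self.t.update:
            return "inaccessible"              # an update was missed; still forwards packets
        return "valid"

    def forwards(self, now: int) -> bool:
        return self.state(now) in ("valid", "inaccessible")

    def receive_update(self, now: int, metric: int) -> bool:
        """Apply an update from the neighbour; False means it was ignored (holddown)."""
        if self.in_holddown(now):
            return False                       # routing information is ignored in holddown
        if metric >= UNREACHABLE:
            self.holddown_since = now          # neighbour reports unreachable: enter holddown
            return True
        self.holddown_since = None
        self.metric = metric
        self.last_update = now                 # resets the invalid timer
        return True
```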
Figure 1: Configuring RIP settings

Configuring RIP for FortiWiFi interfaces

You can customize the RIP configuration for each FortiWiFi interface. This allows you to tailor RIP to the network to which each interface is connected.

To configure RIP for FortiWiFi interfaces

1. Go to System > RIP > Interface.
   On this page you can view a summary of the RIP settings for each FortiWiFi interface.
2. Select Modify for the interface for which to configure RIP settings.
3. Configure any of the following RIP settings:

   RIP1 Send: Enables sending RIP version 1 broadcasts from this interface to the network it is connected to. The routing broadcasts are UDP packets with a destination port of 520.

   RIP1 Receive: Enables listening on port 520 of the interface for RIP version 1 broadcasts.

   RIP2 Send: Enables sending RIP version 2 broadcasts from this interface to the network it is connected to. The routing broadcasts are UDP packets with a destination port of 520.

   RIP2 Receive: Enables listening on port 520 of the interface for RIP version 2 broadcasts.

   Split-Horizon: Prevents RIP from sending updates for a route back out the interface from which it learned that route. Split horizon is enabled by default. Only disable split horizon if there is no possibility of creating a counting-to-infinity loop when the network topology changes.

   Authentication: Enables authentication for RIP version 2 packets sent and received by the interface. Because the original RIP standard does not support authentication, authentication is only available for RIP version 2. An interface with RIP1 Receive enabled therefore accepts updates from any host that can send to UDP port 520 on that interface; use the neighbors filter (see Adding RIP filters) to limit which routers it listens to.

   Password: Enter the password to be used for RIP version 2 authentication. The password can be up to 16 characters long.

   Mode: Defines the authentication used for RIP version 2 packets sent and received by this interface. If you select Clear, the password is sent as plain text in every update and can be read by anyone able to capture traffic on that network. If you select MD5, the password is used to generate an MD5 hash of the packet and is not transmitted itself. MD5 only guarantees the authenticity of the update packet, not the confidentiality of the routing information in the packet, which still travels in the clear. Select MD5 unless a neighbor cannot support it.

   Metric: Changes the metric for routes sent by this interface. All routes sent from this interface have this metric added to their current metric value. You can change the interface metric to give a higher priority to an interface. For example, if two interfaces can be used to route packets to the same destination and you set the metric of one interface higher than the other, the routes through the interface with the lower metric appear to have a lower cost, so more traffic uses routes through that interface. Metric can be from 1 to 16, with 16 meaning unreachable.

4. Select OK to save the RIP configuration for the selected interface.

Figure 2: Example RIP configuration for an internal interface

Adding RIP filters

Use the Filter page to create RIP filter lists and assign them to the neighbors filter, the incoming route filter, or the outgoing route filter. The neighbors filter allows or denies updates from other routers. The incoming filter accepts or rejects routes in an incoming RIP update packet. The outgoing filter allows or denies adding routes to outgoing RIP update packets.

Each entry in a RIP filter list consists of a prefix (IP address and netmask), the action RIP should take for this prefix (allow or deny), and the interface to which to apply this RIP filter list entry.

When RIP applies a filter while processing an update packet, it starts at the top of the filter list and works down through the list looking for a matching prefix. If RIP finds a matching prefix, it then checks that the interface in the filter list entry matches the interface that the packet is received or sent on. If both prefix and interface match, RIP takes the action specified. If no match is found, the default action is allow.

For the neighbors filter, RIP attempts to match prefixes in the filter list against the source address in the update packet. For the incoming filter, RIP attempts to match prefixes in the filter list against the prefixes of the routing table entries in the update packet. For the outgoing filter, RIP attempts to match prefixes in the filter list against prefixes in the RIP routing table.
You can add up to four RIP filter lists to the FortiWiFi RIP configuration. You can then select one RIP filter list for each RIP filter type: neighbors, incoming routes, outgoing routes. If you do not select a RIP filter list for a RIP filter type, no filtering is applied for that type and every update and route is accepted.

Note: To block all updates not specifically allowed in a filter list, create an entry at the bottom of the filter list with a prefix of 0.0.0.0 for the IP address, 0.0.0.0 for the netmask, and action set to deny. Because RIP uses the first match it finds in a top-down search of the filter list, all the allowed entries are matched first, and everything else for the specified interface is matched by the last entry and denied. Create a separate entry at the bottom of the filter list for each interface for which you want to deny all updates not specifically allowed; an interface without its own deny-all entry falls through to the default action, allow.

This section describes:
Adding a RIP filter list
Assigning a RIP filter list to the neighbors filter
Assigning a RIP filter list to the incoming filter
Assigning a RIP filter list to the outgoing filter

Adding a RIP filter list

Each entry in a RIP filter list consists of a prefix (IP address and netmask), the action RIP should take for this prefix (allow or deny), and the interface to which to apply this RIP filter list entry.

To add a RIP filter list

1. Go to System > RIP > Filter.
2. Select New to add a RIP filter.
3. For Filter Name, type a name for the RIP filter list. The name can be up to 15 characters long and can contain upper and lower case letters, numbers, and special characters. The name cannot contain spaces.
4. Select the Blank Filter check box to create a RIP filter list with no entries, or enter the information for the first entry on the RIP filter list.
5. Enter the IP address and Mask to create the prefix.
6. For Action, select allow or deny.
7. For Interface, enter the name of the interface to which to apply the entry.
8. Select OK to save the RIP filter list.

To add an entry to a RIP filter list

1. Go to System > RIP > Filter.
2. For the RIP filter list name, select Add Prefix to add an entry to the filter list.
3. Enter the IP address and Mask to create the prefix.
4. For Action, select allow or deny.
5. For Interface, enter the name of the interface to which to apply the entry.
6. Select OK to add the entry to the RIP filter list.
7. Repeat steps 2 to 6 to add entries to the RIP filter list.

Assigning a RIP filter list to the neighbors filter

The neighbors filter allows or denies updates from other routers. You can assign a single RIP filter list to the neighbors filter.

To assign a RIP filter list to the neighbors filter

1. Go to System > RIP > Filter.
2. Add RIP filter lists as required.
3. For Neighbors Filter, select the name of the RIP filter list to assign to the neighbors filter.
4. Select Apply.

Assigning a RIP filter list to the incoming filter

The incoming filter accepts or rejects routes in an incoming RIP update packet. You can assign a single RIP filter list to the incoming filter.

To assign a RIP filter list to the incoming filter

1. Go to System > RIP > Filter.
2. Add RIP filter lists as required.
3. For Incoming Routes Filter, select the name of the RIP filter list to assign to the incoming filter.
4. Select Apply.
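The filter-list evaluation described under Adding RIP filters (top-down search, first match on both prefix and interface decides, default allow, and a 0.0.0.0/0.0.0.0 deny entry per interface at the bottom), as an added Python example applied to the three filter types. This is not Fortinet code; the sample update and filter lists are constructed, and treating a route as matching an entry when its network address falls inside the entry's IP/netmask is an assumption about how the unit compares prefixes.

```python
"""RIP filter list evaluation as the manual describes it: walk the list top-down,
the first entry whose prefix and interface both match decides, no match means
allow.  Added example, not Fortinet code.  Prefix matching (candidate address
inside the entry's IP/netmask) is an assumption about the unit's comparison."""

from ipaddress import IPv4Address, IPv4Network

ALLOW, DENY = "allow", "deny"


class FilterEntry:
    """One RIP filter list entry: prefix (IP address + netmask), action, interface."""

    def __init__(self, ip, netmask, action, interface):
        self.prefix = IPv4Network(f"{ip}/{netmask}", strict=False)
        self.action = action
        self.interface = interface

    def matches(self, address, interface):
        # An entry applies only on its own interface; entries for other interfaces are skipped.
        return interface == self.interface and IPv4Address(str(address)) in self.prefix


def filter_action(entries, address, interface):
    """First matching entry wins; the manual's default when nothing matches is allow."""
    for entry in entries:
        if entry.matches(address, interface):
            return entry.action
    return ALLOW


def with_deny_all(entries, interfaces):
    """Append the manual's catch-all deny (0.0.0.0 / 0.0.0.0) once per named interface."""
    return list(entries) + [FilterEntry("0.0.0.0", "0.0.0.0", DENY, name) for name in interfaces]


def neighbors_filter_accepts(entries, update):
    """Neighbors filter: the update's source address decides whether the whole update is used."""
    return filter_action(entries, update["source"], update["interface"]) == ALLOW


def incoming_filter(entries, update):
    """Incoming filter: keep routes whose prefix is allowed on the receiving interface."""
    kept = []
    for route in update["routes"]:
        network = IPv4Network(route, strict=False).network_address
        if filter_action(entries, network, update["interface"]) == ALLOW:
            kept.append(route)
    return kept


def outgoing_filter(entries, rip_table, interface):
    """Outgoing filter: drop routes that must not be advertised out `interface`."""
    return [route for route in rip_table
            if filter_action(entries, IPv4Network(route, strict=False).network_address,
                             interface) == ALLOW]


# Constructed sample update heard on the internal interface: one legitimate internal
# prefix, one attempt to attract the DMZ network, and an unsolicited default route.
SAMPLE_UPDATE = {
    "interface": "internal",
    "source": "192.168.1.2",
    "routes": ["192.168.10.0/24", "10.10.10.0/24", "0.0.0.0/0"],
}

# Neighbors list: only the known router 192.168.1.2 may send updates on internal.
NEIGHBORS = with_deny_all([FilterEntry("192.168.1.2", "255.255.255.255", ALLOW, "internal")],
                          ["internal"])

# Incoming list: on internal, accept only 192.168.0.0/16 routes; everything else is denied.
INCOMING = with_deny_all([FilterEntry("192.168.0.0", "255.255.0.0", ALLOW, "internal")],
                         ["internal"])

# Outgoing list: never advertise the DMZ network out wan1 (no catch-all, so other routes pass).
OUTGOING = [FilterEntry("10.10.10.0", "255.255.255.0", DENY, "wan1")]

if __name__ == "__main__":
    print("neighbor accepted:", neighbors_filter_accepts(NEIGHBORS, SAMPLE_UPDATE))
    print("routes kept:", incoming_filter(INCOMING, SAMPLE_UPDATE))
    print("advertised on wan1:", outgoing_filter(OUTGOING, ["192.168.1.0/24", "10.10.10.0/24"], "wan1"))
```

The same update arriving on an interface that has no deny-all entry (for example dmz in the lists above) is accepted in full, which is the behaviour the manual's note warns about: the trailer must be repeated for every interface you want closed.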
Assigning a RIP filter list to the outgoing filter

The outgoing filter allows or denies adding routes to outgoing RIP update packets. You can assign a single RIP filter list to the outgoing filter.

To assign a RIP filter list to the outgoing filter

1. Go to System > RIP > Filter.
2. Add RIP filter lists as required.
3. For Outgoing Routes Filter, select the name of the RIP filter list to assign to the outgoing filter.
4. Select Apply.

System configuration

Use the System Config page to make any of the following changes to the FortiWiFi system configuration:

Setting system date and time
Changing system options
Adding and editing administrator accounts
Configuring SNMP
Replacement messages

Setting system date and time

For effective scheduling and logging, the FortiWiFi system time must be accurate; log timestamps from this unit can only be correlated with logs from other devices if all of them keep accurate time. You can either manually set the FortiWiFi system time or you can configure the FortiWiFi unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.

To set the date and time

1. Go to System > Config > Time.
2. Select Refresh to display the current FortiWiFi system date and time.
3. Select your Time Zone from the list.
4. Select the Automatically adjust clock for daylight saving changes check box if you want the FortiWiFi system clock to be adjusted automatically when your time zone changes to daylight saving time.
5. Select Set Time and set the FortiWiFi system date and time to the correct date and time, if required.
6. Select Synchronize with NTP Server to configure the FortiWiFi unit to use NTP to automatically set the system time and date. For more information about NTP and to find the IP address of an NTP server that you can use, see http://www.ntp.org.
7. Enter the IP address or domain name of the NTP server that the FortiWiFi unit can use to set its time and date.
8. Specify how often the FortiWiFi unit should synchronize its time with the NTP server. A typical Sync Interval would be 1440 minutes for the FortiWiFi unit to synchronize its time once a day.
9. Select Apply.

Figure 1: Example date and time setting

Changing system options

On the System Config Options page, you can:
Set the system idle timeout
Set the authentication timeout
Select the language for the web-based manager
Modify the dead gateway detection settings

To set the system idle timeout

1. Go to System > Config > Options.
2. For Idle Timeout, type a number in minutes.
3. Select Apply.

Idle Timeout controls the amount of inactive time that the web-based manager waits before requiring the administrator to log in again. The default idle timeout is 5 minutes. The maximum idle timeout is 480 minutes (8 hours). A short idle timeout limits how long an unattended administrator session remains usable.

To set the Auth timeout

1. Go to System > Config > Options.
2. For Auth Timeout, type a number in minutes.
3. Select Apply.

Auth Timeout controls the amount of inactive time that the firewall waits before requiring users to authenticate again. For more information, see Users and authentication on page 193. The default Auth Timeout is 15 minutes. The maximum Auth Timeout is 480 minutes (8 hours).

To select a language for the web-based manager

1. Go to System > Config > Options.
2. From the Languages list, select a language for the web-based manager to use.
3. Select Apply.

You can choose English, Simplified Chinese, Japanese, Korean, or Traditional Chinese.

Note: When the web-based manager language is set to Simplified Chinese, Japanese, Korean, or Traditional Chinese, you can change back to English by selecting the English button on the upper right of the web-based manager.

Modifying the Dead Gateway Detection settings

Modify dead gateway detection to control how the FortiWiFi unit confirms connectivity with a ping server added to an interface configuration. For information about adding a ping server to an interface, see Adding a ping server to an interface on page 117.

To modify the dead gateway detection settings

1. Go to System > Config > Options.
2. For Detection Interval, type a number in seconds to specify how often the FortiWiFi unit tests the connection to the ping target.
3. For Fail-over Detection, type the number of times that the connection test must fail before the FortiWiFi unit assumes that the gateway is no longer functioning.
4. Select Apply.

Adding and editing administrator accounts

When the FortiWiFi unit is initially installed, it is configured with a single administrator account with the user name admin. From this administrator account, you can add and edit administrator accounts. You can also control the access level of each of these administrator accounts and control the IP address from which the administrator can connect to the FortiWiFi unit.

There are three administration account access levels:
admin: Has all permissions. Can view, add, edit, and delete administrator accounts. Can view and change the FortiWiFi configuration. The admin user is the only user who can go to the System Status page and manually update firmware, update the antivirus definitions, update the attack definitions, download or upload system settings, restore the FortiWiFi unit to factory defaults, restart the FortiWiFi unit, and shut down the FortiWiFi unit. There is only one admin user.

Read & Write: Can view and change the FortiWiFi configuration. Can view but cannot add, edit, or delete administrator accounts. Can change own administrator account password. Cannot make changes to system settings from the System Status page.

Read Only: Can view the FortiWiFi configuration.

Adding new administrator accounts

From the admin account, use the following procedure to add new administrator accounts and control their permission levels.

To add an administrator account

1. Go to System > Config > Admin.
2. Select New to add an administrator account.
3. Type a login name for the administrator account. The login name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4. Type and confirm a password for the administrator account. For improved security, the password should be at least 6 characters long. The password can contain any characters except spaces.
5. Optionally type a Trusted Host IP address and netmask for the location from which the administrator can log into the web-based manager. If you want the administrator to be able to access the FortiWiFi unit from any address, set the trusted host to 0.0.0.0 and the netmask to 0.0.0.0. To limit the administrator to accessing the FortiWiFi unit only from a specific network, set the trusted host to the address of the network and set the netmask to the netmask for the network. For example, to limit an administrator to accessing the FortiWiFi unit from your internal network, set the trusted host to the address of your internal network (for example, 192.168.1.0) and set the netmask to 255.255.255.0. An account left at 0.0.0.0/0.0.0.0 can be attacked from any network that can reach an interface with administrative access enabled, so set a trusted host for every account, including admin.
6. Set the Permission level for the administrator.
7. Select OK to add the administrator account.

Editing administrator accounts

The admin account user can change individual administrator account passwords, configure the IP addresses from which administrators can access the web-based manager, and change the administrator permission levels. Administrator account users with Read & Write access can change their own administrator passwords.

To edit an administrator account

1. Go to System > Config > Admin.
2. To change an administrator account password, select Change Password.
3. Type the Old Password.
4. Type and confirm a new password. For improved security, the password should be at least 6 characters long. The password can contain any characters except spaces. If you enter a password that is less than 6 characters long, the system displays a warning message but still accepts the password.
5. Select OK.
6. To edit the settings of an administrator account, select Edit.
7. Optionally type a Trusted Host IP address and netmask for the location from which the administrator can log into the web-based manager. If you want the administrator to be able to access the FortiWiFi unit from any address, set the trusted host to 0.0.0.0 and the netmask to 0.0.0.0 (a netmask of 255.255.255.255 on 0.0.0.0 would match only the single address 0.0.0.0, not every address). To limit the administrator to accessing the FortiWiFi unit only from a specific network, set the trusted host to the address of the network and set the netmask to the netmask for the network. For example, to limit an administrator to accessing the FortiWiFi unit from your internal network, set the trusted host to the address of your internal network (for example, 192.168.1.0) and set the netmask to 255.255.255.0.
8. Change the administrator's permission level as required.
9. Select OK.
10. To delete an administrator account, choose the account to delete and select Delete.
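The trusted host check described in the administrator account procedures above (the source address is compared with the account's trusted host under its netmask; 0.0.0.0 with netmask 0.0.0.0 admits any address, 192.168.1.0 with 255.255.255.0 admits only the internal network), as an added Python example. This is not Fortinet code: the account table is constructed, and the unit's actual lookup logic is not documented here; the example only reproduces the address/netmask arithmetic the manual describes, plus an audit helper that lists accounts still open to the whole world.

```python
"""Trusted-host check for administrator accounts as the FortiWiFi manual describes it:
an administrator may log in only from an address inside trusted_host/netmask.
Added example, not Fortinet code; the accounts below are constructed."""

from ipaddress import IPv4Address, IPv4Network


def trusted_host_allows(trusted_host, netmask, source_ip):
    """True when source_ip falls inside trusted_host/netmask (address AND mask compared)."""
    network = IPv4Network(f"{trusted_host}/{netmask}", strict=False)
    return IPv4Address(source_ip) in network


def admin_login_allowed(admins, username, source_ip):
    """Look up the account and apply its trusted host; unknown accounts are refused."""
    account = admins.get(username)
    if account is None:
        return False
    return trusted_host_allows(account["trusted_host"], account["netmask"], source_ip)


def accounts_reachable_from_anywhere(admins):
    """Audit helper: accounts whose trusted host/netmask admits every source address."""
    return sorted(
        name for name, account in admins.items()
        if IPv4Network(f"{account['trusted_host']}/{account['netmask']}", strict=False).prefixlen == 0
    )


# Constructed sample accounts.  "admin" is left at the manual's any-address setting
# (0.0.0.0 / 0.0.0.0); "netops" is limited to the internal network as in the manual's
# example; "auditor" is pinned to one workstation with a 255.255.255.255 netmask.
ADMINS = {
    "admin":   {"trusted_host": "0.0.0.0",      "netmask": "0.0.0.0",         "permission": "admin"},
    "netops":  {"trusted_host": "192.168.1.0",  "netmask": "255.255.255.0",   "permission": "Read & Write"},
    "auditor": {"trusted_host": "192.168.1.50", "netmask": "255.255.255.255", "permission": "Read Only"},
}

if __name__ == "__main__":
    for user, source in [("admin", "203.0.113.7"), ("netops", "203.0.113.7"), ("netops", "192.168.1.20")]:
        print(user, "from", source, "->", "allowed" if admin_login_allowed(ADMINS, user, source) else "refused")
    print("open to any address:", accounts_reachable_from_anywhere(ADMINS))
```

The last helper is the check worth running after every account change: anything it lists, including the built-in admin account, is reachable from every network that can reach an interface with HTTPS or Telnet administrative access enabled.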
Configuring SNMP

You can configure the FortiWiFi SNMP agent to report system information and send traps to SNMP managers. Using an SNMP manager, you can access SNMP traps and data from any FortiWiFi interface or VLAN subinterface configured for SNMP management access.

The FortiWiFi SNMP implementation is read-only. SNMP v1 and v2c compliant SNMP managers have read-only access to FortiWiFi system information and can receive FortiWiFi traps. To monitor FortiWiFi system information and receive FortiWiFi traps you must compile Fortinet proprietary MIBs as well as Fortinet-supported standard MIBs into your SNMP manager. RFC support includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II) (for more information, see FortiWiFi MIBs).

This section describes:

Configuring the FortiWiFi unit for SNMP monitoring
Configuring FortiWiFi SNMP support
FortiWiFi MIBs
FortiWiFi traps
Fortinet MIB fields

Configuring the FortiWiFi unit for SNMP monitoring

Before a remote SNMP manager can connect to the FortiWiFi agent, you must configure one or more FortiWiFi interfaces to accept SNMP connections. See Controlling administrative access to an interface on page 117.

Configuring FortiWiFi SNMP support

Use the information in this section to configure the FortiWiFi unit so that an SNMP manager can connect to the FortiWiFi SNMP agent to receive management information and traps.

Configuring SNMP access to an interface
Configuring SNMP community settings

Configuring SNMP access to an interface

Before a remote SNMP manager can connect to the FortiWiFi agent, you must configure one or more FortiWiFi interfaces to accept SNMP connections. The configuration steps to follow depend on whether the FortiWiFi unit is operating in NAT/Route mode or Transparent mode. Enable SNMP only on the interface that faces the SNMP manager; with SNMP v1/v2c the community string is the only credential, so an interface that accepts SNMP from an untrusted network exposes the configuration data described under Fortinet MIB fields to anyone who learns or guesses it.

To configure SNMP access to an interface in NAT/Route mode

1. Go to System > Network > Interface.
2. Choose the interface that the SNMP manager connects to and select Modify.
3. For Administrative Access, select SNMP.
4. Select OK.

To configure SNMP access to an interface in Transparent mode

1. Go to System > Network > Management.
2. Choose the interface that the SNMP manager connects to and select SNMP.
3. Select Apply.

Configuring SNMP community settings

You can configure a single SNMP community for each FortiWiFi device. An SNMP community consists of identifying information about the FortiWiFi unit, your SNMP get community and trap community strings, and the IP addresses of up to three SNMP managers that can receive traps sent by the FortiWiFi SNMP agent.

To configure SNMP community settings

1. Go to System > Config > SNMP v1/v2c.
2. Select the Enable SNMP check box.
3. Configure the following SNMP settings:
   System Name: Automatically set to the FortiWiFi host name. To change the System Name, see Changing the FortiWiFi host name on page 74.

   System Location: Describe the physical location of the FortiWiFi unit. The system location description can be up to 31 characters long and can contain spaces, numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. The \ < > [ ] ` $ % & characters are not allowed.

   Contact Information: Add the contact information for the person responsible for this FortiWiFi unit. The contact information can be up to 31 characters long and can contain spaces, numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. The \ < > [ ] ` $ % & characters are not allowed.

   Get Community: Also called the read community, the get community string is a password that identifies SNMP get requests sent to the FortiWiFi unit. When an SNMP manager sends a get request to the FortiWiFi unit, it must include the correct get community string. The default get community string is public. Change the default get community string to keep intruders from using get requests to retrieve information about your network configuration. SNMP v1 and v2c send the community string in the clear in every request, so anyone who can capture the traffic can read it; treat it as a shared password and use it only on interfaces that face your management network. The get community string must be used in your SNMP manager to enable it to access FortiWiFi SNMP information. The get community string can be up to 31 characters long and can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Spaces and the \ < > [ ] ` $ % & characters are not allowed.

   Trap Community: The trap community string functions like a password that is sent with SNMP traps. The default trap community string is public. Change the trap community string to the one accepted by your trap receivers. The trap community string can be up to 31 characters long and can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Spaces and the \ < > [ ] ` $ % & characters are not allowed.

   Trap Receiver IP Addresses: Type the IP addresses of up to three trap receivers on your network that are configured to receive traps from your FortiWiFi unit. Traps are only sent to the configured addresses.

4. Select Apply.

Figure 2: Sample SNMP configuration

FortiWiFi MIBs

The FortiWiFi SNMP agent supports FortiWiFi proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. The FortiWiFi MIBs are listed in Table 1. You can obtain these MIB files from Fortinet technical support. To be able to communicate with the SNMP agent, you must compile all of these MIBs into your SNMP manager.

Your SNMP manager might already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIBs to this database. If the standard MIBs used by the Fortinet SNMP agent are already compiled into your SNMP manager you do not have to compile them again.

Table 1: FortiWiFi MIBs

fortinet-trap.mib: The Fortinet trap MIB is a proprietary MIB that is required for your SNMP manager to receive traps from the FortiWiFi SNMP agent. For more information about FortiWiFi traps, see FortiWiFi traps on page 151.

fortinet.mib: The Fortinet MIB is a proprietary MIB that includes detailed FortiWiFi system configuration information. Add this MIB to your SNMP manager to monitor all FortiWiFi configuration settings.

RFC-1213 (MIB II): The FortiWiFi SNMP agent supports MIB II groups with the following exceptions. No support for the EGP group from MIB II (RFC 1213, sections 3.11 and 6.10). Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do not accurately capture all FortiWiFi traffic activity. More accurate information can be obtained from the information reported by the Fortinet MIB.

RFC-2665 (Ethernet-like MIB): The FortiWiFi SNMP agent supports Ethernet-like MIB information with the following exception. No support for the dot3Tests and dot3Errors groups.

FortiWiFi traps

The FortiWiFi agent can send traps to up to three SNMP trap receivers on your network that are configured to receive traps from the FortiWiFi unit. For these SNMP managers to receive traps, you must load and compile the Fortinet trap MIB onto the SNMP manager.

Table 2: General FortiWiFi traps

Cold Start: The FortiWiFi unit starts or restarts. An administrator enables the SNMP agent or changes FortiWiFi SNMP settings. This trap is sent when the agent starts during system startup.

System Down: The SNMP agent stops because the FortiWiFi unit shuts down.

Agent Down: An administrator disables the SNMP agent.

Agent Up: An administrator enables the SNMP agent. This trap is also sent when the agent starts during system startup.

The <interface_name> Interface IP is changed to <new_IP> (Serial No.: <FortiWiFi_serial_no>): The IP address of an interface of a FortiWiFi unit changes. The trap message includes the name of the interface, the new IP address of the interface, and the serial number of the FortiWiFi unit. This trap can be used to track interface IP address changes for interfaces configured with dynamic IP addresses set using DHCP or PPPoE.

Table 3: FortiWiFi system traps

interface <interface_name> is up.: An interface changes from the up state to the running state, indicating that the interface has been connected to a network. When the interface is up it is administratively up but not connected to a network. When the interface is running it is administratively up and connected to a network.

interface <interface_name> is down.: An interface changes from the running state to the up state, indicating that the interface has been disconnected from a network.

CPU usage high: CPU usage exceeds 90%.

memory low: Memory usage exceeds 90%.

disk low: On a FortiWiFi unit with a hard drive, hard drive usage exceeds 90%.

<FortiWiFi_serial_no> <interface_name>: The configuration of an interface of a FortiWiFi unit changes. The trap message includes the name of the interface and the serial number of the FortiWiFi unit.

HA switch: The primary unit in an HA cluster fails and is replaced with a new primary unit.

Table 4: FortiWiFi VPN traps

VPN tunnel is up: An IPSec VPN tunnel starts up and begins processing network traffic.

VPN tunnel down: An IPSec VPN tunnel shuts down.

Table 5: FortiWiFi NIDS traps

Flood attack happened.: NIDS attack prevention detects and provides protection from a syn flood attack.

Port scan attack happened.: NIDS attack prevention detects and provides protection from a port scan attack.

Table 6: FortiWiFi antivirus traps

virus detected: The FortiWiFi unit detects a virus and removes the infected file from an HTTP or FTP download or from an email message.

Table 7: FortiWiFi logging traps

log full: On a FortiWiFi unit with a hard drive, hard drive usage exceeds 90%. On a FortiWiFi unit without a hard drive, log-to-memory usage exceeds 90%.

Fortinet MIB fields

The Fortinet MIB contains fields for configuration settings and current status information for all parts of the FortiWiFi product. This section lists the names of the high-level MIB fields and describes the configuration and status information available for each one. You can view more details about the information available from all Fortinet MIB fields by compiling the fortinet.mib file into your SNMP manager and browsing the Fortinet MIB fields. Because these fields include the complete firewall policy, address, VPN, and user configuration, anyone holding the get community string can read all of it, which is one more reason to change the community string from public and to restrict which interfaces accept SNMP.

System configuration and status

Table 8: System MIB fields

fnSysStatus: FortiWiFi system configuration including operation mode, firmware version, virus definition version, attack definition version, and serial number. Status monitor information including current CPU usage, CPU idle status, CPU interrupts, memory usage, system up time, the number of active communication sessions, as well as descriptive information for each active communication session.

fnSysUpdate: FortiWiFi system update configuration including connection status to the FDN, push update status, periodic update status, and current virus and attack definitions versions.

fnSysNetwork: FortiWiFi system network configuration including the interface, VLAN, routing, DHCP, zone, and DNS configuration.

fnSysConfig: FortiWiFi system configuration including time, options, administrative users, and HA configuration.

fnSysSnmp: FortiWiFi SNMP configuration.

Firewall configuration

Table 9: Firewall MIB fields

fnFirewallPolicy: FortiWiFi firewall policy list including complete configuration information for each policy.

fnFirewallAddress: FortiWiFi firewall address and address group list.

fnFirewallService: FortiWiFi firewall service and service group list.

fnFirewallSchedule: FortiWiFi firewall schedule list.

fnFirewallVirtualIP: FortiWiFi firewall virtual IP list.

fnFirewallIpPool: FortiWiFi firewall IP pool list.

fnFirewallIPMACBinding: FortiWiFi firewall IP/MAC binding configuration.

fnFirewallContProfiles: FortiWiFi firewall content profile list.

Users and authentication configuration

Table 10: User and authentication MIB fields

FnUserLocalTable: Local user list.

FnUserRadiusSrvTable: RADIUS server list.

FnUserGrpTable: User group list.

VPN configuration and status

Table 11: VPN MIB fields

fnVpnIpsec: IPSec VPN configuration including the Phase 1 list, Phase 2 list, manual key list, and VPN concentrator list. Status and timeout for each VPN tunnel (Phase 2) and the dialup monitor list showing dialup tunnel status.

fnVpnPPTP: PPTP VPN configuration.

fnVpnL2TP: L2TP VPN configuration.

fnVpnCert: IPSec VPN with certificates configuration.

NIDS configuration

Table 12: NIDS MIB fields

fnNidsDetection: NIDS detection configuration.

fnNidsPrevention: NIDS prevention configuration.

fnNidsResponse: NIDS response configuration.

Antivirus configuration

Table 13: Antivirus MIB fields

fnAvFileBlock: Antivirus file blocking configuration.

fnAvQuarantine: Antivirus quarantine configuration.

fnAVConfig: Antivirus configuration including the current virus definition virus list.

Web filter configuration

Table 14: Web filter MIB fields

fnWebFiltercfgMsgTable: Web filter content block list and configuration.

fnWebFilterUrlBlk: Web filter URL block list.

fnWebFilterScripts: Web filter script blocking configuration.

fnWebFilterExemptUrl: Web filter exempt URL list.

Logging and reporting configuration

Table 15: Logging and reporting MIB fields

fnLoglogSetting: Log setting configuration.

fnLoglog: Log setting traffic filter configuration.

fnLogAlertEmail: Alert email configuration.

Replacement messages

Replacement messages are added to content passing through the firewall to replace:
- Files or other content removed from POP3 and IMAP email messages by the antivirus system
- Files or other content removed from HTTP downloads by the antivirus system or web filtering
- Files removed from FTP downloads by the antivirus system

You can edit the content of replacement messages. You can also edit the content added to alert email messages to control the information that appears in alert emails for virus incidents, NIDS events, critical system events, and disk full events.

This section describes:
- Customizing replacement messages
- Customizing alert emails

Figure 3: Sample replacement message

Customizing replacement messages

Each of the replacement messages in the replacement message list is created by combining replacement message sections. You can use these sections as building blocks to create your own replacement messages. You can edit any of the replacement messages in the replacement message list and add and edit the replacement message sections as required.

To customize a replacement message
1. Go to System > Config > Replacement Messages.
2. For the replacement message that you want to customize, select Modify.
3. In the Message setup dialog box, edit the content of the message.
   Table 16 lists the replacement message sections that can be added to replacement messages and describes the tags that can appear in each section. In addition to the allowed tags you can add text. For mail and HTTP messages you can also add HTML code.
4. Select OK to save the changes.

Table 16: Replacement message sections

File blocking: used for file blocking (all services).
  Section start:  <**BLOCKED**>
  Allowed tags:   %%FILE%%    The name of the file that was blocked.
                  %%URL%%     The URL of the blocked web page.
  Section end:    <**/BLOCKED**>

Scanning: used for virus scanning (all services).
  Section start:  <**INFECTED**>
  Allowed tags:   %%FILE%%    The name of the file that was infected.
                  %%VIRUS%%   The name of the virus infecting the file.
                  %%URL%%     The URL of the blocked web page or file.
  Section end:    <**/INFECTED**>

Quarantine: used when quarantine is enabled (permitted for all scan services, and for block services for email only).
  Section start:  <**QUARANTINE**>
  Allowed tag:    %%QUARFILENAME%%    The name of the file that was quarantined.
  Section end:    <**/QUARANTINE**>

Customizing alert emails

Customize alert emails to control the content displayed in alert email messages sent to system administrators.

To customize alert emails
1. Go to System > Config > Replacement Messages.
2. For the alert email message that you want to customize, select Modify.
3. In the Message setup dialog box, edit the text of the message.
   Table 17 lists the replacement message sections that can be added to alert email messages and describes the tags that can appear in each section. In addition to the allowed tags you can add text and HTML code.
4. Select OK to save the changes.

Table 17: Alert email message sections

NIDS event: used for NIDS event alert email messages.
  Section start:  <**NIDS_EVENT**>
  Allowed tag:    %%NIDS_EVENT%%    The NIDS attack message.
  Section end:    <**/NIDS_EVENT**>

Virus alert: used for virus alert email messages.
  Section start:  <**VIRUS_ALERT**>
  Allowed tags:   %%VIRUS%%        The name of the virus.
                  %%PROTOCOL%%     The service for which the virus was detected.
                  %%SOURCE_IP%%    The IP address from which the virus was received. For email this is the IP address of the email server that sent the email containing the virus. For HTTP this is the IP address of the web page that sent the virus.
                  %%DEST_IP%%      The IP address of the computer that would have received the virus. For POP3 this is the IP address of the user's computer that attempted to download the email containing the virus.
                  %%EMAIL_FROM%%   The email address of the sender of the message in which the virus was found.
                  %%EMAIL_TO%%     The email address of the intended receiver of the message in which the virus was found.
  Section end:    <**/VIRUS_ALERT**>

Block alert: used for file block alert email messages.
  Section start:  <**BLOCK_ALERT**>
  Allowed tags:   %%FILE%%         The name of the file that was blocked.
                  %%PROTOCOL%%     The service for which the file was blocked.
                  %%SOURCE_IP%%    The IP address from which the blocked file was received. For email this is the IP address of the email server that sent the email containing the blocked file. For HTTP this is the IP address of the web page that sent the blocked file.
                  %%DEST_IP%%      The IP address of the computer that would have received the blocked file. For email this is the IP address of the user's computer that attempted to download the message from which the file was removed.
                  %%EMAIL_FROM%%   The email address of the sender of the message from which the file was removed.
                  %%EMAIL_TO%%     The email address of the intended receiver of the message from which the file was removed.
  Section end:    <**/BLOCK_ALERT**>

Critical event: used for critical firewall event alert emails.
  Section start:  <**CRITICAL_EVENT**>
  Allowed tag:    %%CRITICAL_EVENT%%    The firewall critical event message.
  Section end:    <**/CRITICAL_EVENT**>
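The section and tag scheme of Tables 16 and 17 can be handled as a small template language. The following Python is an added example, not Fortinet's code and not part of the guide: it validates a template against the tags each section allows, expands only the sections whose tags have values for the current event, and HTML-escapes substituted values for HTML messages, since file names, virus names and URLs originate in the scanned traffic. The section and tag names are the guide's; the function names, the sample template and the sample values are assumptions made here.

```python
"""Replacement message and alert email templates as a small template language.

Added example (not Fortinet's code): <**SECTION**> ... <**/SECTION**> wrappers
hold %%TAG%% placeholders, exactly as Tables 16 and 17 describe. The section
and tag names come from the guide; function names, the sample template and
the sample values are constructed for this illustration.
"""
import html
import re

# Which tags each section may contain (Tables 16 and 17 of the guide).
ALLOWED_TAGS = {
    "BLOCKED": {"FILE", "URL"},
    "INFECTED": {"FILE", "VIRUS", "URL"},
    "QUARANTINE": {"QUARFILENAME"},
    "NIDS_EVENT": {"NIDS_EVENT"},
    "VIRUS_ALERT": {"VIRUS", "PROTOCOL", "SOURCE_IP", "DEST_IP", "EMAIL_FROM", "EMAIL_TO"},
    "BLOCK_ALERT": {"FILE", "PROTOCOL", "SOURCE_IP", "DEST_IP", "EMAIL_FROM", "EMAIL_TO"},
    "CRITICAL_EVENT": {"CRITICAL_EVENT"},
}

# A section is <**NAME**> ... <**/NAME**>; the backreference forces the names to match.
SECTION_RE = re.compile(r"<\*\*(\w+)\*\*>(.*?)<\*\*/\1\*\*>", re.DOTALL)
TAG_RE = re.compile(r"%%(\w+)%%")


def validate(template):
    """Return the problems in a template: unknown sections and tags used in a
    section that does not allow them. An empty list means the template is valid."""
    problems = []
    for match in SECTION_RE.finditer(template):
        section, body = match.group(1), match.group(2)
        allowed = ALLOWED_TAGS.get(section)
        if allowed is None:
            problems.append(f"unknown section {section}")
            continue
        for tag in TAG_RE.findall(body):
            if tag not in allowed:
                problems.append(f"tag {tag} not allowed in {section}")
    return problems


def render(template, values, as_html=False):
    """Expand each section whose tags are all present in `values` and drop the
    rest, so one template can carry a BLOCKED and an INFECTED section and only
    the one relevant to the event is shown. The guide allows HTML in mail and
    HTTP messages; because file names, virus names and URLs come from the
    scanned traffic, values are HTML-escaped before substitution in that case."""
    def expand(match):
        body = match.group(2)
        if not set(TAG_RE.findall(body)).issubset(values):
            return ""

        def substitute(tag):
            value = values[tag.group(1)]
            return html.escape(value, quote=True) if as_html else value

        return TAG_RE.sub(substitute, body)

    return SECTION_RE.sub(expand, template).strip()


# Constructed sample template with one section per event type.
SAMPLE_TEMPLATE = (
    "<**BLOCKED**>The file %%FILE%% was blocked by the firewall.<**/BLOCKED**>\n"
    "<**INFECTED**>The file %%FILE%% is infected with %%VIRUS%% (from %%URL%%).<**/INFECTED**>"
)

if __name__ == "__main__":
    print(validate(SAMPLE_TEMPLATE))                       # []
    print(render(SAMPLE_TEMPLATE, {"FILE": "setup.exe"}))   # only the BLOCKED section survives
    print(render(SAMPLE_TEMPLATE,
                 {"FILE": "a.exe", "VIRUS": "Test.Virus.A", "URL": "http://example.test/?a=1&b=<2>"},
                 as_html=True))
```

Running `validate` before saving a customized message catches a tag pasted into the wrong section, which the firewall would otherwise leave unexpanded in the delivered page or email.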
Firewall configuration

Firewall policies control all traffic passing through the FortiWiFi unit. Firewall policies are instructions that the FortiWiFi unit uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (port number). For the packet to be connected through the FortiWiFi unit, a firewall policy must be in place that matches the source address, destination address, and service of the packet. The policy directs the firewall action on the packet. The action can be to allow the connection, deny the connection, require authentication before the connection is allowed, or process the packet as an IPSec VPN packet.

You can also add schedules to policies so that the firewall can process connections differently depending on the time of day or the day of the week, month, or year.

Each policy can be individually configured to route connections or apply network address translation (NAT) to translate source and destination IP addresses and ports. You can add IP pools to use dynamic NAT when the firewall translates source addresses. You can use policies to configure port address translation (PAT) through the FortiWiFi.

You can add content profiles to policies to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services. You can create content profiles that perform one or any combination of the following actions:
- Apply antivirus protection to HTTP, FTP, SMTP, IMAP, or POP3 services.
- Apply web filtering to HTTP services.
- Apply email filtering to IMAP and POP3 services.

You can also add logging to a firewall policy so that the FortiWiFi unit logs all connections that use this policy.

This chapter describes:
- Default firewall configuration
- Adding firewall policies
- Configuring policy lists
- Addresses
- Services
- Schedules
- Virtual IPs
- IP pools
- IP/MAC binding
- Content profiles

Default firewall configuration

By default, the users on your internal network can connect through the FortiWiFi unit to the Internet through the WAN1 and WAN2 interfaces. Users on the wireless network can also connect to the Internet through the WAN1 and WAN2 interfaces. The firewall blocks all other connections.

The firewall is configured with default policies that match any connection request received from the internal network and instruct the firewall to forward the connection through the WAN1 or WAN2 interface to the Internet. Other default policies match any connection from the wireless network and instruct the firewall to forward the connection through the WAN1 or WAN2 interface. The destination interface selected depends on the destination of the packet, as determined by routing.

The default policy also applies virus scanning to all HTTP, FTP, SMTP, POP3, and IMAP traffic matched by the policy. The policy applies virus scanning because the Antivirus & Web Filter option is selected and the Content profile is set to Scan. For more information about content profiles, see Content profiles on page 189.

Figure 4: Default firewall policy

Interfaces

Add policies to control connections between FortiWiFi interfaces and between the networks connected to these interfaces. By default, you can add policies for connections that include the internal, WAN1, and DMZ interfaces. If you want to add policies that include the WAN2 and WLAN interfaces or the modem interface, you must add firewall addresses for these interfaces. For information about firewall addresses, see Addresses on page 169.

Addresses

To add policies between interfaces, the firewall configuration must contain addresses for each interface. By default the firewall configuration includes the following firewall addresses:
- Internal_All, added to the internal interface, matches all addresses on the internal network.
- WAN1_All, added to the WAN1 interface, matches all addresses on the WAN1 network.
- WAN2_All, added to the WAN2 interface, matches all addresses on the WAN2 network.
- WLAN_All, added to the WLAN interface, matches all addresses on the wireless (WLAN) network.
- DMZ_All, added to the DMZ interface, matches all addresses on the DMZ network.

The firewall uses these addresses to match the source and destination addresses of packets received by the firewall. The default Internal->WAN1 policy matches all connections from the internal network because it includes the Internal_All address. The default policy also matches all connections to the WAN1 network because it includes the WAN1_All address. The other default policies function in the same manner. You can add more addresses to each interface to improve the control you have over connections through the firewall. For more information about addresses, see Addresses on page 169.

You can also add firewall policies that perform network address translation (NAT). To use NAT to translate destination addresses, you must add virtual IPs. Virtual IPs map addresses on one network to a translated address on another network. For more information about virtual IPs, see Virtual IPs on page 180.

Services

Policies can control connections based on the service or destination port number of packets. The default policy accepts connections using any service or destination port number. The firewall is configured with over 40 predefined services. You can add these services to a policy for more control over the services that can be used by connections through the firewall. You can also add user-defined services. For more information about services, see Services on page 172.

Schedules

Policies can control connections based on the time of day or day of the week when the firewall receives the connection. The default policy accepts connections at any time. The firewall is configured with one schedule that accepts connections at any time. You can add more schedules to control when policies are active. For more information about schedules, see Schedules on page 177.

Content profiles

Add content profiles to policies to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services. The FortiWiFi unit includes the following default content profiles:
- Strict: applies maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic.
- Scan: applies antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content traffic.
- Web: applies antivirus scanning and web content blocking to HTTP content traffic.
- Unfiltered: allows oversized files to pass through the FortiWiFi unit without being scanned for viruses.

The default policy includes the Scan content profile. For more information about content profiles, see Content profiles on page 189.

Adding firewall policies

Add firewall policies to control connections and traffic between FortiWiFi interfaces.

To add a firewall policy
1. Go to Firewall > Policy.
2. Select the policy list to which you want to add the policy.
3. Select New to add a new policy. You can also select Insert Policy before on a policy in the list to add the new policy above a specific policy.
4. Configure the policy. For information about configuring the policy, see Firewall policy options on page 163.
5. Select OK to add the policy.
6. Arrange policies in the policy list so that they have the results that you expect. For information about arranging policies in a policy list, see Configuring policy lists on page 167.

Figure 5: Adding a NAT/Route policy

Firewall policy options

This section describes the options that you can add to firewall policies.

Source  Select an address or address group that matches the source address of the packet. Before you can add this address to a policy, you must add it to the source interface. For information about adding an address, see Addresses on page 169.

Destination  Select an address or address group that matches the destination address of the packet. Before you can add this address to a policy, you must add it to the destination interface. For information about adding an address, see Addresses on page 169. For NAT/Route mode policies where the address on the destination network is hidden from the source network using NAT, the destination can also be a virtual IP that maps the destination address of the packet to a hidden destination address. See Virtual IPs on page 180.

Schedule  Select a schedule that controls when the policy is available to be matched with connections. See Schedules on page 177.

Service  Select a service that matches the service (port number) of the packet. You can select from a wide range of predefined services or add custom services and service groups. See Services on page 172.

Action  Select how you want the firewall to respond when the policy matches a connection attempt.
  ACCEPT   Accept the connection. If you select ACCEPT, you can also configure NAT and Authentication for the policy.
  DENY     Deny the connection. The only other policy option that you can configure is Log Traffic, to log the connections denied by this policy.
  ENCRYPT  Make this policy an IPSec VPN policy. If you select ENCRYPT, you can select an AutoIKE Key or Manual Key VPN tunnel for the policy and configure other IPSec settings. You cannot add authentication to an ENCRYPT policy. ENCRYPT is not available in Transparent mode. See Configuring encrypt policies on page 215.

NAT  Configure the policy for NAT. NAT translates the source address and the source port of packets accepted by the policy. If you select NAT, you can also select Dynamic IP Pool and Fixed Port. NAT is not available in Transparent mode.
  Dynamic IP Pool  Select Dynamic IP Pool to translate the source address to an address randomly selected from an IP pool. The IP pool must be added to the destination interface of the policy. You cannot select Dynamic IP Pool if the destination interface is configured using DHCP or PPPoE. For information about adding IP pools, see IP pools on page 184.
  Fixed Port  Select Fixed Port to prevent NAT from translating the source port. Some applications do not function correctly if the source port is changed. If you select Fixed Port, you must also select Dynamic IP Pool and add a dynamic IP pool address range to the destination interface of the policy. If you do not select Dynamic IP Pool, a policy with Fixed Port selected can only allow one connection at a time for this port or service.

VPN Tunnel  Select a VPN tunnel for an ENCRYPT policy. You can select an AutoIKE key or Manual Key tunnel. VPN Tunnel is not available in Transparent mode.
  Allow inbound   Select Allow inbound so that users behind the remote VPN gateway can connect to the source address.
  Allow outbound  Select Allow outbound so that users can connect to the destination address behind the remote VPN gateway.
  Inbound NAT     Select Inbound NAT to translate the source address of incoming packets to the FortiWiFi internal IP address.
  Outbound NAT    Select Outbound NAT to translate the source address of outgoing packets to the FortiWiFi external IP address.

Traffic Shaping  Traffic Shaping controls the bandwidth available to, and sets the priority of, the traffic processed by the policy. Traffic Shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the FortiWiFi device. For example, the policy for the corporate web server might be given higher priority than the policies for most employees' computers. An employee who needs unusually high-speed Internet access could have a special outgoing policy set up with higher bandwidth. If you set both guaranteed bandwidth and maximum bandwidth to 0, the policy does not allow any traffic.
  Guaranteed Bandwidth  You can use traffic shaping to guarantee the amount of bandwidth available through the firewall for a policy. Guarantee bandwidth (in Kbytes) to make sure that there is enough bandwidth available for a high-priority service.
  Maximum Bandwidth     You can also use traffic shaping to limit the amount of bandwidth available through the firewall for a policy. Limit bandwidth to keep less important services from using bandwidth needed for more important services.
  Traffic Priority      Select High, Medium, or Low. Select Traffic Priority so that the FortiWiFi unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.

Authentication  Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection. Select the user group to control the users that can authenticate with this policy. For information about adding and configuring user groups, see Configuring user groups on page 199. You must add user groups before you can select Authentication.
  You can select Authentication for any service. Users can authenticate with the firewall using HTTP, Telnet, or FTP. For users to be able to authenticate you must add an HTTP, Telnet, or FTP policy that is configured for authentication. When users attempt to connect through the firewall using this policy they are prompted to enter a firewall username and password.
  If you want users to authenticate to use other services (for example POP3 or IMAP), you can create a service group that includes the services for which you want to require authentication, as well as HTTP, Telnet, and FTP. Then users could authenticate with the policy using HTTP, Telnet, or FTP before using the other service.
  In most cases you should make sure that users can use DNS through the firewall without authentication. If DNS is not available, users cannot connect to a web, FTP, or Telnet server using a domain name.

Anti-Virus & Web filter  Enable antivirus protection and web filter content filtering for traffic controlled by this policy. You can select Anti-Virus & Web filter if Service is set to ANY, HTTP, SMTP, POP3, IMAP, or FTP, or to a service group that includes the HTTP, SMTP, POP3, IMAP, or FTP services. Select a content profile to configure how antivirus protection and content filtering is applied to the policy. For information about selecting a content profile, see Content profiles on page 189.

Figure 6: Adding a Transparent mode policy

Log Traffic  Select Log Traffic to write messages to the traffic log whenever the policy processes a connection. For information about logging, see Logging and reporting on page 273.

Comments  You can add a description or other information about the policy. The comment can be up to 63 characters long, including spaces.

Configuring policy lists

The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general. For example, the default policy is a very general policy because it matches all connection attempts. When you create exceptions to that policy, you must add them to the policy list above the default policy. No policy below the default policy will ever be matched.

This section describes:
- Policy matching in detail
- Changing the order of policies in a policy list
- Enabling and disabling policies

Policy matching in detail

When the FortiWiFi unit receives a connection attempt at an interface, it must select a policy list to search through for a policy that matches the connection attempt. The FortiWiFi unit chooses the policy list based on the source and destination addresses of the connection attempt. The FortiWiFi unit then starts at the top of the selected policy list and searches down the list for the first policy that matches the connection attempt's source and destination addresses, service port, and the time and date at which the connection attempt was received. The first policy that matches is applied to the connection attempt. If no policy matches, the connection is dropped.

The default policy accepts all connection attempts from the internal network to the Internet. From the internal network, users can browse the web, use POP3 to get email, use FTP to download files through the firewall, and so on. If the default policy is at the top of the Internal->WAN1 policy list, the firewall allows all connections from the internal network through the WAN1 interface to the Internet because all connections match the default policy. If more specific policies are added to the list below the default policy, they are never matched.

A policy that is an exception to the default policy, for example, a policy to block FTP connections, must be placed above the default policy in the Internal->WAN1 policy list. In this example, all FTP connection attempts from the internal network would then match the FTP policy and be blocked. Connection attempts for all other kinds of services would not match the FTP policy but they would match the default policy. Therefore, the firewall would still accept all other connections from the internal network.
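The first-match behaviour and the FTP exception described above, in code. The following Python is an added example, not Fortinet's code and not part of the guide: it walks a policy list from the top, applies the first enabled policy whose source address, destination address and service match the packet, drops the connection when nothing matches, and reports policies that an earlier, broader policy makes unreachable. Internal_All and WAN1_All are the guide's address names; the address ranges assigned to them, the class names and the sample packets are assumptions made here.

```python
"""First-match evaluation of a firewall policy list.

Added example, not Fortinet's code. Internal_All and WAN1_All are the
guide's address names; the ranges given to them, the class names and the
sample packets are constructed for this illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Service:
    """A protocol plus a destination port range; proto 'any' matches everything."""
    name: str
    proto: str = "any"          # "tcp", "udp" or "any"
    low: int = 0
    high: int = 65535

    def matches(self, proto, dport):
        return self.proto in ("any", proto) and self.low <= dport <= self.high

    def covers(self, other):
        """True when every connection matching `other` also matches this service."""
        return self.proto in ("any", other.proto) and self.low <= other.low and other.high <= self.high


@dataclass
class Policy:
    name: str
    source: str                 # firewall address written as IP/netmask, as in the guide
    destination: str
    service: Service
    action: str                 # "ACCEPT" or "DENY"
    enabled: bool = True


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def first_match(policy_list, pkt):
    """Walk the list from the top; the first enabled policy whose source,
    destination and service all match the packet is the one applied."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for policy in policy_list:
        if not policy.enabled:
            continue            # disabled policies are skipped, as the guide states
        if (src in ip_network(policy.source) and dst in ip_network(policy.destination)
                and policy.service.matches(pkt.proto, pkt.dport)):
            return policy
    return None


def decide(policy_list, pkt):
    """The firewall's verdict: the matching policy's action, or DROP when nothing matches."""
    policy = first_match(policy_list, pkt)
    return "DROP" if policy is None else policy.action


def shadowed_policies(policy_list):
    """Names of policies that can never match because an earlier enabled policy
    already covers their sources, destinations and services: the ordering
    mistake the guide warns about."""
    shadowed = []
    for index, later in enumerate(policy_list):
        for earlier in policy_list[:index]:
            if (earlier.enabled
                    and ip_network(later.source).subnet_of(ip_network(earlier.source))
                    and ip_network(later.destination).subnet_of(ip_network(earlier.destination))
                    and earlier.service.covers(later.service)):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed sample: Internal_All as a class C network, WAN1_All as all addresses.
INTERNAL_ALL = "192.168.1.0/255.255.255.0"
WAN1_ALL = "0.0.0.0/0.0.0.0"
ANY = Service("ANY")
FTP = Service("FTP", "tcp", 21, 21)

DEFAULT_POLICY = Policy("Default", INTERNAL_ALL, WAN1_ALL, ANY, "ACCEPT")
BLOCK_FTP = Policy("Block FTP", INTERNAL_ALL, WAN1_ALL, FTP, "DENY")

WRONG_ORDER = [DEFAULT_POLICY, BLOCK_FTP]   # exception below the general policy: never matched
RIGHT_ORDER = [BLOCK_FTP, DEFAULT_POLICY]   # exception above it: FTP denied, everything else accepted

FTP_FROM_INTERNAL = Packet("192.168.1.10", "203.0.113.5", "tcp", 21)
HTTP_FROM_INTERNAL = Packet("192.168.1.10", "203.0.113.5", "tcp", 80)
HTTP_FROM_ELSEWHERE = Packet("10.0.0.5", "203.0.113.5", "tcp", 80)

if __name__ == "__main__":
    for order in (WRONG_ORDER, RIGHT_ORDER):
        print([p.name for p in order], decide(order, FTP_FROM_INTERNAL), shadowed_policies(order))
```

`shadowed_policies` is the check worth running after every "Move To" in the policy list: a DENY exception placed below the default ACCEPT policy appears in the list but never takes effect.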
Note: Policies that require authentication must be added to the policy list above matching policies that do not; otherwise, the policy that does not require authentication is selected first.

Changing the order of policies in a policy list

To change the order of a policy in a policy list
1. Go to Firewall > Policy.
2. Select the policy list that you want to change the order of.
3. Choose the policy that you want to move and select Move To in the policy list to change its order.
4. Type a number in the Move to field to specify where in the policy list to move the policy and select OK.

Enabling and disabling policies

You can enable and disable policies in the policy list to control whether the policy is active or not. The FortiWiFi unit matches enabled policies but does not match disabled policies.

Disabling policies

Disable a policy to temporarily prevent the firewall from selecting the policy. Disabling a policy does not stop active communication sessions that have been allowed by the policy. For information about stopping active communication sessions, see System status on page 87.

To disable a policy
1. Go to Firewall > Policy.
2. Select the policy list that contains the policy that you want to disable.
3. Clear the check box of the policy to disable it.

Enabling policies

Enable a policy that has been disabled so that the firewall can match connections with the policy.

To enable a policy
1. Go to Firewall > Policy.
2. Select the policy list that contains the policy that you want to enable.
3. Select the check box of the policy to enable it.

Addresses

All policies require source and destination addresses. To add addresses to a policy between two interfaces, you must first add addresses to the address list for each interface. You can add, edit, and delete all firewall addresses as required. You can also organize related addresses into address groups to simplify policy creation.
A firewall address consists of an IP address and a netmask. This information can represent:
- The address of a subnet (for example, for a class C subnet, IP address: 192.168.20.0 and Netmask: 255.255.255.0).
- A single IP address (for example, IP Address: 192.168.20.1 and Netmask: 255.255.255.255).
- All possible IP addresses (represented by IP Address: 0.0.0.0 and Netmask: 0.0.0.0).

Note: IP address: 0.0.0.0 and Netmask: 255.255.255.255 is not a valid firewall address.

This section describes:
- Adding addresses
- Editing addresses
- Deleting addresses
- Organizing addresses into address groups

Adding addresses

To add an address
1. Go to Firewall > Address.
2. Select the interface that you want to add the address to.
3. Select New to add a new address.
4. Enter an Address Name to identify the address. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Spaces and other special characters are not allowed.
5. Enter the IP Address. The IP address can be:
   - The IP address of a single computer (for example, 192.45.46.45).
   - The IP address of a subnetwork (for example, 192.168.1.0 for a class C subnet).
   - 0.0.0.0 to represent all possible IP addresses.
6. Enter the Netmask. The netmask corresponds to the type of address that you are adding. For example:
   - The netmask for the IP address of a single computer should be 255.255.255.255.
   - The netmask for a class A subnet should be 255.0.0.0.
   - The netmask for a class B subnet should be 255.255.0.0.
   - The netmask for a class C subnet should be 255.255.255.0.
   - The netmask for all addresses should be 0.0.0.0.
   Note: To add an address to represent any address on a network, set the IP Address to 0.0.0.0 and the Netmask to 0.0.0.0.
7. Select OK to add the address.

Figure 7: Adding an internal address

Editing addresses

Edit an address to change its IP address and netmask. You cannot edit the address name. To change the address name, you must delete the address entry and then add the address again with a new name.

To edit an address
1. Go to Firewall > Address.
2. Select the interface list containing the address that you want to edit.
3. Choose an address to edit and select Edit Address.
4. Make the required changes and select OK to save the changes.

Deleting addresses

Deleting an address removes it from an address list. To delete an address that has been added to a policy, you must first remove the address from the policy.

To delete an address
1. Go to Firewall > Address.
2. Select the interface list containing the address that you want to delete. You can delete any address that has a Delete Address icon.
3. Choose an address to delete and select Delete.
4. Select OK to delete the address.

Organizing addresses into address groups

You can organize related addresses into address groups to make it easier to add policies. For example, if you add three addresses and then add them to an address group, you only have to add one policy using the address group rather than a separate policy for each address.

You can add address groups to any interface. The address group can only contain addresses from that interface. Address groups are available in interface source or destination address lists. Address groups cannot have the same names as individual addresses. If an address group is included in a policy, it cannot be deleted unless it is first removed from the policy.

To organize addresses into an address group
1. Go to Firewall > Address > Group.
2. Select the interface that you want to add the address group to.
3. Enter a Group Name to identify the address group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4. To add addresses to the address group, select an address from the Available Addresses list and select the right arrow to add it to the Members list.
5. To remove addresses from the address group, select an address from the Members list and select the left arrow to remove it from the group.
6. Select OK to add the address group.

Figure 8: Adding an internal address group

Services

Use services to determine the types of communication accepted or denied by the firewall. You can add any of the predefined services to a policy. You can also create custom services and add services to service groups.

This section describes:
Predefined services Adding custom TCP and UDP services Adding custom ICMP services Adding custom IP services Grouping services Predefined services The FortiWiFi predefined firewall services are listed in Table 18. You can add these services to any policy. Table 18: FortiWiFi predefined services Service name ANY GRE AH ESP AOL BGP DHCP-Relay DNS FINGER FTP 172 Description Match connections on any port. A connection that uses any of the predefined services is allowed through the firewall. Generic Routing Encapsulation. A protocol that allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets. Authentication Header. AH provides source host authentication and data integrity, but not secrecy. This protocol is used for authentication by IPSec remote gateways set to aggressive mode. Encapsulating Security Payload. This service is used by manual key and AutoIKE VPN tunnels for communicating encrypted data. AutoIKE key VPN tunnels use ESP after establishing the tunnel using IKE. AOL instant messenger protocol. Border Gateway Protocol routing protocol. BGP is an interior/exterior routing protocol. Dynamic Host Configuration Protocol (DHCP) allocates network addresses and delivers configuration parameters from DHCP servers to hosts. Domain name service for translating domain names into IP addresses. A network service that provides information about users. FTP service for transferring files. Protocol all Port all 47 51 50 5190-5194 179 67 53 53 79 21 Fortinet Inc. tcp tcp udp tcp udp tcp tcp Firewall configuration Services IKE L2TP H323 IMAP HTTP HTTPS Internet-Locator-
Table 18: FortiWiFi predefined services (Continued)

Service name | Protocol | Port | Description
GOPHER | tcp | 70 | Gopher communication service. Gopher organizes and displays Internet server contents as a hierarchically structured list of files.
H.323 | tcp | 1720, 1503 | H.323 multimedia protocol. H.323 is a standard approved by the International Telecommunication Union (ITU) that defines how audiovisual conferencing data is transmitted across networks.
HTTP | tcp | 80 | HTTP is the protocol used by the world wide web for transferring data for web pages.
HTTPS | tcp | 443 | HTTP with secure socket layer (SSL) service for secure communication with web servers.
IKE | udp | 500 | IKE is the protocol to obtain authenticated keying material for use with ISAKMP for IPSEC.
IMAP | tcp | 143 | Internet Message Access Protocol is a protocol used for retrieving email messages.
Internet Locator Service | tcp | 389 | Internet Locator Service includes LDAP, User Locator Service, and LDAP over TLS/SSL.
IRC | tcp | 6660-6669 | Internet Relay Chat allows people connected to the Internet to join live discussions.
L2TP | tcp | 1701 | L2TP is a PPP-based tunnel protocol for remote access.
LDAP | tcp | 389 | Lightweight Directory Access Protocol is a set of protocols used to access information directories.
NetMeeting | tcp | 1720 | NetMeeting allows users to teleconference using the Internet as the transmission medium.
NFS | tcp | 111, 2049 | Network File System allows network users to access shared files stored on computers of different types.
NNTP | tcp | 119 | Network News Transport Protocol is a protocol used to post, distribute, and retrieve USENET messages.
NTP | tcp | 123 | Network time protocol for synchronizing a computer's time with a time server.
OSPF | 89 (IP protocol) | - | Open Shortest Path First (OSPF) routing protocol. OSPF is a common link state routing protocol.
PC-Anywhere | udp | 5632 | PC-Anywhere is a remote control and file transfer protocol.
PING | icmp | 8 | ICMP echo request/reply for testing connections to other devices.
TIMESTAMP | icmp | 13 | ICMP timestamp request messages.
INFO_REQUEST | icmp | 15 | ICMP information request messages.
INFO_ADDRESS | icmp | 17 | ICMP address mask request messages.
POP3 | tcp | 110 | Post office protocol email protocol for downloading email from a POP3 server.

Table 18: FortiWiFi predefined services (Continued)

Service name | Protocol | Port | Description
PPTP | tcp | 1723 | Point-to-Point Tunneling Protocol is a protocol that allows corporations to extend their own corporate network through private tunnels over the public Internet.
QUAKE | udp | 26000, 27000, 27910, 27960 | For connections used by the popular Quake multi-player computer game.
RAUDIO | udp | 7070 | For streaming real audio multimedia traffic.
RLOGIN | tcp | 513 | Rlogin service for remotely logging into a server.
RIP | udp | 520 | Routing Information Protocol is a common distance vector routing protocol.
SMTP | tcp | 25 | For sending mail between email servers on the Internet.
SNMP | tcp and udp | 161-162 | Simple Network Management Protocol is a set of protocols for managing complex networks.
SSH | tcp and udp | 22 | SSH service for secure connections to computers for remote management.
SYSLOG | udp | 514 | Syslog service for remote logging.
TALK | udp | 517-518 | A protocol supporting conversations between two or more users.
TCP | tcp | 0-65535 | All TCP ports.
TELNET | tcp | 23 | Telnet service for connecting to a remote computer to run commands.
TFTP | udp | 69 | Trivial file transfer protocol, a simple file transfer protocol similar to FTP but with no security features.
UDP | udp | 0-65535 | All UDP ports.
UUCP | udp | 540 | Unix to Unix copy utility, a simple file copying protocol.
VDOLIVE | tcp | 7000-7010 | For VDO Live streaming multimedia traffic.
WAIS | tcp | 210 | Wide Area Information Server. An Internet search protocol.
WINFRAME | tcp | 1494 | For WinFrame communications between computers running Windows NT.
X-WINDOWS | tcp | 6000-6063 | For remote communications between an X-Window server and X-Window clients.

Adding custom TCP and UDP services

Add a custom TCP or UDP service if you need to create a policy for a service that is not in the predefined service list.

To add a custom TCP or UDP service
1 Go to Firewall > Service > Custom.
2 Select TCP/UDP from the Protocol list.
3 Select New.
4 Type a Name for the new custom TCP or UDP service.
  This name appears in the service list used when you add a policy. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
5 Select the Protocol (either TCP or UDP) used by the service.
6 Specify a Source and Destination Port number range for the service by entering the low and high port numbers.
  If the service uses one port number, enter this number in both the low and high fields.
7 If the service has more than one port range, select Add to specify additional protocols and port ranges.
  If there are too many port range rows, select Delete to remove each extra row.
8 Select OK to add the custom service.
  You can now add this custom service to a policy.

Adding custom ICMP services

Add a custom ICMP service if you need to create a policy for a service that is not in the predefined service list.

To add a custom ICMP service
1 Go to Firewall > Service > Custom.
2 Select ICMP from the Protocol list.
3 Select New.
4 Type a Name for the new custom ICMP service.
  This name appears in the service list used when you add a policy. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
5 Specify the ICMP type and code for the service.
6 Select OK to add the custom service.
  You can now add this custom service to a policy.

Adding custom IP services

Add a custom IP service if you need to create a policy for a service that is not in the predefined service list.

To add a custom IP service
1 Go to Firewall > Service > Custom.
2 Select IP from the Protocol list.
3 Select New.
4 Type a Name for the new custom IP service.
  This name appears in the service list used when you add a policy. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
5 Specify the IP protocol number for the service.
6 Select OK to add the custom service.
  You can now add this custom service to a policy.

Grouping services

To make it easier to add policies, you can create groups of services and then add one policy to provide or block access for all the services in the group. A service group can contain predefined services and custom services in any combination. You cannot add service groups to another service group.

To group services
1 Go to Firewall > Service > Group.
2 Select New.
3 Type a Group Name to identify the group.
  This name appears in the service list when you add a policy and cannot be the same as a predefined service name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 To add services to the service group, select a service from the Available Services list and select the right arrow to copy it to the Members list.
5 To remove services from the service group, select a service from the Members list and select the left arrow to remove it from the group.
6 Select OK to add the service group.

Figure 9: Adding a service group
Schedules

Use schedules to control when policies are active or inactive. You can create one-time schedules and recurring schedules.

You can use one-time schedules to create policies that are effective once for the period of time specified in the schedule. Recurring schedules repeat weekly. You can use recurring schedules to create policies that are effective only at specified times of the day or on specified days of the week.

This section describes:
• Creating one-time schedules
• Creating recurring schedules
• Adding schedules to policies

Creating one-time schedules

You can create a one-time schedule that activates or deactivates a policy for a specified period of time. For example, your firewall might be configured with the default policy that allows access to all services on the Internet at all times. You can add a one-time schedule to block access to the Internet during a holiday period.

To create a one-time schedule
1 Go to Firewall > Schedule > One-time.
2 Select New.
3 Type a Name for the schedule.
  The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 Set the Start date and time for the schedule.
  Set Start and Stop times to 00 for the schedule to be active for the entire day.
5 Set the Stop date and time for the schedule.
  One-time schedules use a 24-hour clock.
6 Select OK to add the one-time schedule.

Figure 10: Adding a one-time schedule

Creating recurring schedules

You can create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week. For example, you might want to prevent Internet use outside working hours by creating a recurring schedule.

If you create a recurring schedule with a stop time that occurs before the start time, the schedule starts at the start time and finishes at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next. You can also create a recurring schedule that runs for 24 hours by setting the start and stop times to the same time.

To create a recurring schedule
1 Go to Firewall > Schedule > Recurring.
2 Select New to create a new schedule.
3 Type a Name for the schedule.
  The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 Select the days of the week that you want the schedule to be active on.
5 Set the Start and Stop hours in between which you want the schedule to be active.
  Recurring schedules use a 24-hour clock.
6 Select OK to save the recurring schedule.

Figure 11: Adding a recurring schedule

Adding schedules to policies

After you create schedules, you can add them to policies to schedule when the policies are active. You can add the new schedules to policies when you create the policy, or you can edit existing policies and add a new schedule to them.

To add a schedule to a policy
1 Go to Firewall > Policy.
2 Create a new policy or edit a policy to change its schedule.
3 Configure the policy as required.
4 Add a schedule by selecting it from the Schedule list.
5 Select OK to save the policy.
6 Arrange the policy in the policy list to have the effect that you expect.
  For example, to use a one-time schedule to deny access to a policy, add a policy that matches the policy to be denied in every way. Choose the one-time schedule that you added and set Action to DENY. Then place the policy containing the one-time schedule in the policy list above the policy to be denied.

Virtual IPs

Use virtual IPs to access IP addresses on a destination network that are hidden from the source network by NAT security policies. To allow connections between these networks, you must create a mapping between an address on the source network and the real address on the destination network. This mapping is called a virtual IP.

For example, if the computer hosting your web server is located on your DMZ network, it could have a private IP address such as 10.10.10.3.
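The schedule rules from the Schedules section above (a one-time window, a weekly window that may wrap past midnight when the stop time is before the start time, and start equal to stop meaning 24 hours) together with the first-match policy ordering used for the holiday DENY policy, as an added example; it is not code from this guide or from Fortinet. It assumes ISO 8601 date and time strings, a policy list evaluated top to bottom, and an implicit DENY when no policy matches; the addresses and dates are constructed.

```python
"""Firewall schedules and first-match policy ordering (added example, not Fortinet code)."""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}


def _as_datetime(when):
    # Accept a datetime or an ISO 8601 string such as "2004-03-06T12:00".
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


@dataclass(frozen=True)
class OneTimeSchedule:
    """Active once, from the start date/time up to (not including) the stop date/time."""
    name: str
    start: str   # "YYYY-MM-DDTHH:MM", 24-hour clock
    stop: str

    def is_active(self, when):
        now = _as_datetime(when)
        return datetime.fromisoformat(self.start) <= now < datetime.fromisoformat(self.stop)


@dataclass(frozen=True)
class RecurringSchedule:
    """Repeats weekly on the selected days between the start and stop hours (24-hour clock)."""
    name: str
    days: frozenset   # weekday names from WEEKDAYS, e.g. frozenset({"mon", "fri"})
    start: str        # "HH:MM"
    stop: str

    def is_active(self, when):
        now = _as_datetime(when)
        today = now.weekday()
        selected = {WEEKDAYS[d] for d in self.days}
        start, stop = time.fromisoformat(self.start), time.fromisoformat(self.stop)
        if start == stop:
            # Same start and stop time: the schedule runs for 24 hours on each selected day.
            return today in selected
        if start < stop:
            return today in selected and start <= now.time() < stop
        # Stop before start: the window opens on a selected day and closes at the stop
        # time on the following day, so the early hours of the next day are covered too.
        yesterday = (today - 1) % 7
        return (today in selected and now.time() >= start) or (
            yesterday in selected and now.time() < stop)


# An always-on schedule: every day, start equal to stop.
ALWAYS = RecurringSchedule("always", frozenset(WEEKDAYS), "00:00", "00:00")


@dataclass(frozen=True)
class Policy:
    name: str
    source: str        # source address as a network, e.g. "192.168.1.0/24"
    destination: str   # destination address as a network
    service: str       # "ANY" or a service name such as "HTTP"
    schedule: object   # OneTimeSchedule or RecurringSchedule
    action: str        # "ACCEPT" or "DENY"

    def matches(self, src_ip, dst_ip, service, when):
        return (self.schedule.is_active(when)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.destination)
                and self.service in ("ANY", service))


def evaluate(policies, src_ip, dst_ip, service, when):
    """Walk the policy list top to bottom and return the action of the first policy that
    matches; a policy whose schedule is inactive simply does not match. With no match the
    packet is dropped (the usual firewall default, assumed here)."""
    for policy in policies:
        if policy.matches(src_ip, dst_ip, service, when):
            return policy.action
    return "DENY"


def holiday_block_example():
    """The arrangement the guide describes: a DENY policy carrying a one-time holiday
    schedule placed above the always-on ACCEPT policy it overrides (constructed values)."""
    holiday = OneTimeSchedule("holiday", "2004-03-05T00:00", "2004-03-08T00:00")
    return [
        Policy("block-holiday", "192.168.1.0/24", "0.0.0.0/0", "ANY", holiday, "DENY"),
        Policy("allow-internet", "192.168.1.0/24", "0.0.0.0/0", "ANY", ALWAYS, "ACCEPT"),
    ]
```

Reversing the two policies in holiday_block_example() makes the ACCEPT policy match first and the holiday block never takes effect, which is why step 6 above tells you to arrange the policy list deliberately.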
To get packets from the Internet to the web server, you must have an external address for the web server on the Internet. You must then add a virtual IP to the firewall that maps the external IP address of the web server to the actual address of the web server on the DMZ network. To allow connections from the Internet to the web server, you must then add a WAN1->DMZ or WAN2->DMZ firewall policy and set Destination to the virtual IP.

You can create two types of virtual IPs:

Static NAT | Used to translate an address on a source network to a hidden address on a destination network. Static NAT translates the source address of return packets to the address on the source network.
Port Forwarding | Used to translate an address and a port number on a source network to a hidden address and, optionally, a different port number on a destination network. Using port forwarding you can also route packets with a specific port number and a destination address that matches the IP address of the interface that receives the packets. This technique is called port forwarding or port address translation (PAT). You can also use port forwarding to change the destination port of the forwarded packets.

Note: If you use the setup wizard to configure internal server settings, the firewall adds port forwarding virtual IPs and policies for each server that you configure.

Note: Virtual IPs are not required in Transparent mode.

This section describes:
• Adding static NAT virtual IPs
• Adding port forwarding virtual IPs
• Adding policies with virtual IPs

Adding static NAT virtual IPs

To add a static NAT virtual IP
1 Go to Firewall > Virtual IP.
2 Select New to add a virtual IP.
3 Type a Name for the virtual IP.
  The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 Select the virtual IP External Interface from the list.
  The external interface is the interface connected to the source network that receives the packets to be forwarded to the destination network.
  You can set the virtual IP external interface to any FortiWiFi interface. Table 19 contains example virtual IP external interface settings and describes the policies that you can add the resulting virtual IP to.

Table 19: Virtual IP External Interface examples

External Interface | Description
internal | To map an internal address to a wan1, wan2, DMZ, or modem address. If you select internal, the static NAT virtual IP can be added to Internal->WAN1, Internal->WAN2, Internal->DMZ, and Internal->modem policies.
wan1 | To map an Internet address to an internal or DMZ address. If you select wan1, the static NAT virtual IP can be added to WAN1->Internal, WAN1->DMZ, WAN1->WAN2, and WAN1->modem policies.

5 In the Type section, select Static NAT.
6 Enter the External IP Address that you want to map to an address on the destination network.
  For example, if the virtual IP provides access from the Internet to a web server on a destination network, the external IP address must be a static IP address obtained from your ISP for your web server. This address must be a unique address that is not used by another host and cannot be the same as the IP address of the external interface selected in step 4. However, this address must be routed to this interface.
  The virtual IP address and the external IP address can be on different subnets.
  If the IP address of the external interface selected in step 4 is set using PPPoE or DHCP, you can enter 0.0.0.0 for the external IP address. The FortiWiFi unit substitutes the IP address set for this external interface using PPPoE or DHCP.
7 In Map to IP, type the real IP address on the destination network, for example, the IP address of a web server on an internal network.
  Note: The firewall translates the source address of outbound packets from the host with the Map to IP address to the virtual IP External IP Address, instead of the firewall external address.
8 Select OK to save the virtual IP.
  You can now add the virtual IP to firewall policies.

Figure 12: Adding a static NAT virtual IP

Adding port forwarding virtual IPs

To add port forwarding virtual IPs
1 Go to Firewall > Virtual IP.
2 Select New to add a virtual IP.
3 Type a Name for the virtual IP.
  The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 Select the virtual IP External Interface from the list.
  The external interface is the interface connected to the source network that receives the packets to be forwarded to the destination network.
5 In the Type section, select Port Forwarding.
6 Enter the External IP Address that you want to map to an address on the destination zone.
  You can set the external IP address to the IP address of the external interface selected in step 4 or to any other address.
  If the IP address of the external interface selected in step 4 is set using PPPoE or DHCP, you can enter 0.0.0.0 for the External IP Address. The FortiWiFi unit substitutes the IP address set for this external interface using PPPoE or DHCP.
  For example, if the virtual IP provides access from the Internet to a server on your internal network, the external IP address must be a static IP address obtained from your ISP for this server. This address must be a unique address that is not used by another host. However, this address must be routed to the external interface selected in step 4. The virtual IP address and the external IP address can be on different subnets.
7 Enter the External Service Port number that you want to configure port forwarding for.
  The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides access from the Internet to a web server, the external service port number is 80 (the HTTP port).
8 In Map to IP, enter the real IP address on the destination network.
  For example, the real IP address could be the IP address of a web server on an internal network.
9 In Map to Port, enter the port number to be added to packets when they are forwarded.
  If you do not want to translate the port, enter the same number as the External Service Port. If you want to translate the port, enter the port number to which to translate the destination port of the packets when they are forwarded by the firewall.
10 Select the protocol (TCP or UDP) that you want the forwarded packets to use.
11 Select OK to save the port forwarding virtual IP.

Figure 13: Adding a port forwarding virtual IP

Adding policies with virtual IPs

Use the following procedure to add a policy that uses a virtual IP to forward packets.

To add a policy with a virtual IP
1 Go to Firewall > Policy.
2 Select the type of policy that you want to add.
  The source interface must match the interface selected in the External Interface list. The destination interface must match the interface connected to the network with the Map to IP address.
3 Use the following information to configure the policy.

Source | Select the source address from which users can access the server.
Destination | Select the virtual IP.
Schedule | Select a schedule as required.
Service | Select the service that matches the Map to Service that you selected for the port-forwarding virtual IP.
Action | Set action to ACCEPT to accept connections to the internal server. You can also select DENY to deny access.
NAT | Select NAT if the firewall is protecting the private addresses on the destination network from the source network.
Authentication | Optionally select Authentication and select a user group to require users to authenticate with the firewall before accessing the server using port forwarding.
Log Traffic, Anti-Virus & Web filter | Select these options to log port-forwarded traffic and apply antivirus and web filter protection to this traffic.

4 Select OK to save the policy.

IP pools

An IP pool (also called a dynamic IP pool) is a range of IP addresses added to a firewall interface. If you add IP pools to an interface, you can select Dynamic IP Pool when you configure a policy with the destination set to this interface.

You can add an IP pool if you want to add NAT mode policies that translate source addresses to addresses randomly selected from the IP pool rather than being limited to the IP address of the destination interface. For example, if you add an IP pool to the internal interface, you can select Dynamic IP pool for WAN1->Internal, WAN2->Internal and DMZ->Internal policies.

You can add multiple IP pools to any interface but only the first IP pool is used by the firewall.

This section describes:
• Adding an IP pool
• IP Pools for firewall policies that use fixed ports
• IP pools and dynamic NAT

Adding an IP pool

To add an IP pool
1 Go to Firewall > IP Pool.
2 Select the interface to which to add the IP pool.
3 Select New to add a new IP pool to the selected interface.
4 Enter the Start IP and End IP addresses for the range of addresses in the IP pool.
  The start IP and end IP must define the start and end of an address range. The start IP must be lower than the end IP. The start IP and end IP must be on the same subnet as the IP address of the interface to which you are adding the IP pool.
5 Select OK to save the IP pool.

Figure 14: Adding an IP Pool

IP Pools for firewall policies that use fixed ports

Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service. You can select fixed port for NAT policies to prevent source port translation. However, selecting fixed port means that only one connection can be supported through the firewall for this service. To be able to support multiple connections, you can add an IP pool to the destination interface, and then select dynamic IP pool in the policy. The firewall randomly selects an IP address from the IP pool and assigns it to each connection. In this case the number of connections that the firewall can support is limited by the number of IP addresses in the IP pool.

IP pools and dynamic NAT

You can use IP pools for dynamic NAT. For example, your organization might have purchased a range of Internet addresses but you might have only one Internet connection on the external interface of your FortiWiFi unit. You can assign one of your organization's Internet IP addresses to the external interface of the FortiWiFi unit.
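The two virtual IP types and the IP pool rules from the sections above (destination translation for static NAT and port forwarding, the note that a static NAT host's outbound source becomes the virtual IP's External IP Address rather than the firewall address, the start/end/subnet checks on a pool, and why fixed port needs a pool to carry more than one connection), as an added example; it is not code from this guide or from Fortinet. It assumes a first-match list of virtual IPs, a constructed first translated port of 40000, and first-free rather than random pool selection so that results are reproducible; all addresses are constructed documentation ranges.

```python
"""Virtual IP destination translation and IP-pool source NAT (added example, not Fortinet code)."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class StaticNatVip:
    name: str
    external_ip: str    # address on the source network, routed to the external interface
    map_to_ip: str      # real address on the destination network


@dataclass(frozen=True)
class PortForwardVip:
    name: str
    external_ip: str
    external_port: int  # must match the destination port of the packets to forward
    map_to_ip: str
    map_to_port: int    # same as external_port when the port is not translated
    proto: str = "tcp"


def vip_inbound(vips, pkt):
    """Rewrite the destination of a packet arriving on the external interface.
    Returns the translated packet, or None when no virtual IP claims it."""
    for vip in vips:
        if isinstance(vip, StaticNatVip) and pkt.dst_ip == vip.external_ip:
            return replace(pkt, dst_ip=vip.map_to_ip)
        if (isinstance(vip, PortForwardVip) and pkt.dst_ip == vip.external_ip
                and pkt.dst_port == vip.external_port and pkt.proto == vip.proto):
            return replace(pkt, dst_ip=vip.map_to_ip, dst_port=vip.map_to_port)
    return None


def vip_outbound(vips, pkt, interface_ip):
    """Rewrite the source of a packet leaving through the external interface. A host behind
    a static NAT virtual IP appears as that VIP's External IP Address instead of the
    firewall's interface address (the guide's note on Map to IP); any other host gets the
    interface address."""
    for vip in vips:
        if isinstance(vip, StaticNatVip) and pkt.src_ip == vip.map_to_ip:
            return replace(pkt, src_ip=vip.external_ip)
    return replace(pkt, src_ip=interface_ip)


def ip_pool(start_ip, end_ip, interface_address):
    """Expand a Start IP / End IP range, enforcing the guide's rules: the start IP is lower
    than the end IP and both lie on the interface's subnet (given as "address/prefix")."""
    subnet = ipaddress.ip_interface(interface_address).network
    start, end = ipaddress.ip_address(start_ip), ipaddress.ip_address(end_ip)
    if start >= end:
        raise ValueError("the start IP must be lower than the end IP")
    if start not in subnet or end not in subnet:
        raise ValueError("the IP pool must be on the same subnet as the interface")
    return [str(ipaddress.ip_address(n)) for n in range(int(start), int(end) + 1)]


class SourceNat:
    """Source NAT applied by a NAT-mode policy on its destination interface."""

    def __init__(self, interface_ip, pool=None, fixed_port=False):
        self.interface_ip = interface_ip
        self.pool = list(pool or [])
        self.fixed_port = fixed_port
        self.in_use = set()        # (translated source IP, translated source port)
        self._next_port = 40000    # first translated port handed out (constructed value)

    def translate(self, pkt):
        """Return the packet with its source rewritten, or None when no free translation exists."""
        addresses = self.pool or [self.interface_ip]
        if not self.fixed_port:
            # Ordinary NAT: a fresh source port keeps connections apart, so one address
            # (or, with a pool, the addresses in turn) can carry many connections.
            ip = addresses[len(self.in_use) % len(addresses)]
            port, self._next_port = self._next_port, self._next_port + 1
            self.in_use.add((ip, port))
            return replace(pkt, src_ip=ip, src_port=port)
        # Fixed port: the source port is preserved, so each address can carry only one
        # connection per source port; an IP pool is what allows several at once. The guide
        # says the firewall picks pool addresses randomly; the first free one is used here.
        for ip in addresses:
            if (ip, pkt.src_port) not in self.in_use:
                self.in_use.add((ip, pkt.src_port))
                return replace(pkt, src_ip=ip)
        return None


def example_vips():
    """Constructed virtual IPs: a port-forwarded web server and a static NAT mail host."""
    return [
        PortForwardVip("web", "203.0.113.10", 80, "10.10.10.3", 8080),
        StaticNatVip("mail", "203.0.113.11", "10.10.10.4"),
    ]
```

With fixed_port=True and no pool, SourceNat refuses a second connection that reuses the same source port, which is the single-connection limit the guide describes; the same two-address pool lets two such connections through and rejects a third.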
If the FortiWiFi unit is operating in NAT/Route mode, all connections from your network to the Internet appear to come from this IP address. If you want connections to originate from all your Internet IP addresses, you can add this address range to an IP pool for the external interface. Then you can select Dynamic IP Pool for all policies with the external interface as the destination. For each connection, the firewall dynamically selects an IP address from the IP pool to be the source address for the connection. As a result, connections to the Internet appear to be originating from any of the IP addresses in the IP pool.

IP/MAC binding

IP/MAC binding protects the FortiWiFi unit and your network from IP spoofing attacks. IP spoofing attacks try to use the IP address of a trusted computer to connect to, or through, the FortiWiFi unit from a different computer. The IP address of a computer is easy to change to a trusted address, but MAC addresses are added to ethernet cards at the factory and are not easy to change.

You can enter the static IP addresses and corresponding MAC addresses of trusted computers in the static IP/MAC table. If you have trusted computers with dynamic IP addresses that are set by the FortiWiFi DHCP server, the FortiWiFi unit adds these IP addresses and their corresponding MAC addresses to the dynamic IP/MAC table. For information about viewing the table, see Viewing a DHCP server dynamic IP list on page 129. The dynamic IP/MAC binding table is not available in Transparent mode.

You can enable IP/MAC binding for packets in sessions connecting to the firewall or passing through the firewall.

Note: If you enable IP/MAC binding and change the IP address of a computer with an IP or MAC address in the IP/MAC list, you must also change the entry in the IP/MAC list or the computer does not have access to or through the FortiWiFi unit. You must also add the IP/MAC address pair of any new computer that you add to your network or the new computer does not have access to or through the FortiWiFi unit.

This section describes:
• Configuring IP/MAC binding for packets going through the firewall
• Configuring IP/MAC binding for packets going to the firewall
• Adding IP/MAC addresses
• Viewing the dynamic IP/MAC list
• Enabling IP/MAC binding

Configuring IP/MAC binding for packets going through the firewall

Use the following procedure to use IP/MAC binding to filter packets that a firewall policy would normally allow through the firewall.

To configure IP/MAC binding for packets going through the firewall
1 Go to Firewall > IP/MAC Binding > Setting.
2 Select the Enable IP/MAC binding going through the firewall check box.
3 Go to Firewall > IP/MAC Binding > Static IP/MAC.
4 Select New to add IP/MAC binding pairs to the IP/MAC binding list.

All packets that would normally be allowed through the firewall by a firewall policy are first compared with the entries in the IP/MAC binding list. If a match is found, then the firewall attempts to match the packet with a policy.

For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the IP/MAC binding list:

• A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to go on to be matched with a firewall policy.
• A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately to prevent IP spoofing.
• A packet with a different IP address but with a MAC address of 12:34:56:78:90:ab:cd is dropped immediately to prevent IP spoofing.
• A packet with both the IP address and MAC address not defined in the IP/MAC binding table:
  • is allowed to go on to be matched with a firewall policy if IP/MAC binding is set to Allow traffic,
  • is blocked if IP/MAC binding is set to Block traffic.

Configuring IP/MAC binding for packets going to the firewall

Use the following procedure to use IP/MAC binding to filter packets that would normally connect with the firewall (for example, when an administrator is connecting to the FortiWiFi unit for management).

To configure IP/MAC binding for packets going to the firewall
1 Go to Firewall > IP/MAC Binding > Setting.
2 Select the Enable IP/MAC binding going to the firewall check box.
3 Go to Firewall > IP/MAC Binding > Static IP/MAC.
4 Select New to add IP/MAC binding pairs to the IP/MAC binding list.

All packets that would normally connect to the firewall are first compared with the entries in the IP/MAC binding table.

For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the IP/MAC binding list:

• A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to connect to the firewall.
• A packet with IP 1.1.1.1 but with a different MAC address is dropped immediately to prevent IP spoofing.
• A packet with a different IP address but with a MAC address of 12:34:56:78:90:ab:cd is dropped immediately to prevent IP spoofing.
• A packet with both the IP address and MAC address not defined in the IP/MAC binding table:
  • is allowed to connect to the firewall if IP/MAC binding is set to Allow traffic,
  • is blocked if IP/MAC binding is set to Block traffic.

Adding IP/MAC addresses

To add an IP/MAC address
1 Go to Firewall > IP/MAC Binding > Static IP/MAC.
2 Select New to add an IP address/MAC address pair.
3 Enter the IP Address and the MAC Address.
  You can bind multiple IP addresses to the same MAC address. You cannot bind multiple MAC addresses to the same IP address.
  However, you can set the IP address to 0.0.0.0 for multiple MAC addresses. This means that all packets with these MAC addresses are matched with the IP/MAC binding list.
  Similarly, you can set the MAC address to 00:00:00:00:00:00 for multiple IP addresses. This means that all packets with these IP addresses are matched with the IP/MAC binding list.
4 Type a Name for the new IP/MAC address pair.
  The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
5 Select the Enable check box to enable IP/MAC binding for the IP/MAC pair.
6 Select OK to save the IP/MAC binding pair.

Viewing the dynamic IP/MAC list

To view the dynamic IP/MAC list
1 Go to Firewall > IP/MAC Binding > Dynamic IP/MAC.

Enabling IP/MAC binding
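The matching rules laid out in the IP/MAC binding sections above (exact pair passes, a listed IP with another MAC or a listed MAC with another IP is dropped as spoofing, the 0.0.0.0 and 00:00:00:00:00:00 wildcard entries, the Enable check box, and the Allow traffic / Block traffic setting for unlisted pairs), as an added example; it is not code from this guide or from Fortinet. It assumes the static list is searched in order with the first matching entry winning and that the one-IP-to-many-MACs restriction is enforced when an entry is added; the names, addresses and MACs are constructed.

```python
"""IP/MAC binding: the spoofing check run before policy matching (added example, not Fortinet code)."""
import ipaddress
import re

WILDCARD_IP = "0.0.0.0"              # entry IP that stands for any IP address
WILDCARD_MAC = "00:00:00:00:00:00"   # entry MAC that stands for any MAC address
_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac):
    """Lower-case a MAC address, accept '-' separators, and reject anything that is not
    six hex octets, so a mistyped entry never reaches the binding list."""
    mac = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return mac


class IpMacBinding:
    """The static IP/MAC list plus the Allow/Block setting for pairs that are not listed."""

    def __init__(self, unknown_pairs="Allow traffic"):
        if unknown_pairs not in ("Allow traffic", "Block traffic"):
            raise ValueError("setting must be 'Allow traffic' or 'Block traffic'")
        self.unknown_pairs = unknown_pairs
        self.entries = []   # (name, ip, mac, enabled)

    def add(self, name, ip, mac, enabled=True):
        ip, mac = str(ipaddress.ip_address(ip)), normalize_mac(mac)
        # Several IPs may share one MAC, but one IP may not be bound to several MACs.
        if ip != WILDCARD_IP and any(e_ip == ip and e_mac != mac
                                     for _, e_ip, e_mac, _ in self.entries):
            raise ValueError(f"{ip} is already bound to a different MAC address")
        self.entries.append((name, ip, mac, enabled))

    def check(self, ip, mac):
        """Classify one packet: "pass" lets it go on to policy matching (or to the
        firewall itself); "drop" discards it as spoofed, or as an unlisted pair when the
        setting is Block traffic."""
        ip, mac = str(ipaddress.ip_address(ip)), normalize_mac(mac)
        ip_listed = m_listed = False
        for _, e_ip, e_mac, enabled in self.entries:
            if not enabled:          # the Enable check box was left clear
                continue
            if e_ip in (WILDCARD_IP, ip) and e_mac in (WILDCARD_MAC, mac):
                return "pass"        # the pair itself, or a wildcard entry, matches
            ip_listed = ip_listed or e_ip == ip
            m_listed = m_listed or e_mac == mac
        if ip_listed or m_listed:
            # A listed IP arriving from another MAC, or a listed MAC with another IP:
            # dropped immediately as IP spoofing.
            return "drop"
        return "pass" if self.unknown_pairs == "Allow traffic" else "drop"


def example_binding(unknown_pairs="Allow traffic"):
    """Constructed static list: one exact pair, one any-IP MAC, one any-MAC IP, one disabled."""
    table = IpMacBinding(unknown_pairs)
    table.add("admin-pc", "192.0.2.10", "00:11:22:33:44:55")
    table.add("laptop-any-ip", WILDCARD_IP, "00:11:22:33:44:66")
    table.add("printer-any-mac", "192.0.2.20", WILDCARD_MAC)
    table.add("guest", "192.0.2.30", "00:11:22:33:44:77", enabled=False)
    return table
```

The disabled "guest" entry shows why the Caution below matters: an entry that is added but not enabled gives its pair no protection, and under Block traffic the host is locked out exactly as if it had never been listed.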
Caution: Make sure that you have added the IP/MAC Address pair of your management computer before enabling IP/MAC binding.

To enable IP/MAC binding
1 Go to Firewall > IP/MAC Binding > Setting.
2 Select the Enable IP/MAC binding going through the firewall check box if you want to turn on IP/MAC binding for packets that could be matched by policies.
3 Select the Enable IP/MAC binding going to the firewall check box if you want to turn on IP/MAC binding for packets connecting to the firewall.
4 Configure how IP/MAC binding handles packets with IP and MAC addresses that are not defined in the IP/MAC list.
  Select Allow traffic to allow all packets with IP and MAC address pairs that are not added to the IP/MAC binding list.
  Select Block traffic to block packets with IP and MAC address pairs that are not added to the IP/MAC binding list.
5 Select Apply to save the changes.

Figure 15: IP/MAC settings

Content profiles

Use content profiles to apply different protection settings for content traffic that is controlled by firewall policies. You can use content profiles to:
• Configure antivirus protection for HTTP, FTP, POP3, SMTP, and IMAP policies
• Configure web filtering for HTTP policies
• Configure email filtering for IMAP and POP3 policies
• Configure oversized file and email blocking for HTTP, FTP, POP3, SMTP, and IMAP policies
• Pass fragmented email for POP3, SMTP, and IMAP policies

Using content profiles, you can build protection configurations that can be applied to different types of firewall policies. This allows you to customize types and levels of protection for different firewall policies. For example, while traffic between internal and external addresses might need strict protection, traffic between trusted internal addresses might need moderate protection. You can configure policies for different traffic services to use the same or different content profiles.

Content profiles can be added to NAT/Route mode and Transparent mode policies.

This section describes:

• Default content profiles
• Adding content profiles
• Adding content profiles to policies

Default content profiles

The FortiWiFi unit has the following four default content profiles that are displayed on the Firewall Content Profile page. You can use the default content profiles or create your own.

Strict | To apply maximum content protection to HTTP, FTP, IMAP, POP3, and SMTP content traffic. You would not use the strict content profile under normal circumstances but it is available if you have extreme problems with viruses and require maximum content screening protection.
Scan | To apply antivirus scanning to HTTP, FTP, IMAP, POP3, and SMTP content traffic.
Web | To apply antivirus scanning and web content blocking to HTTP content traffic. You can add this content profile to firewall policies that control HTTP traffic.
Unfiltered | Use if you do not want to apply content protection to content traffic. You can add this content profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.

Adding content profiles

If the default content profiles do not provide the protection that you require, you can create custom content profiles.

To add a content profile
1 Go to Firewall > Content Profile.
2 Select New.
3 Type a Profile Name.
4 Enable the antivirus protection options that you want.

Anti Virus Scan | Scan web, FTP, and email traffic for viruses and worms. See Antivirus scanning on page 248.
File Block | Delete files with blocked file patterns even if they do not contain viruses. Enable file blocking when a virus has been found that is so new that virus scanning does not detect it. See File blocking on page 249.

Note: If both Anti Virus Scan and File Block are enabled, the FortiWiFi unit blocks files that match enabled file patterns before they are scanned for viruses.

5 Enable the web filtering options that you want.

Web URL Block | Block unwanted web pages and web sites. This option adds FortiWiFi Web URL blocking (see Configuring FortiWiFi Web URL blocking on page 257), FortiWiFi Web Pattern blocking (see Configuring FortiWiFi Web pattern blocking on page 259), and Cerberian URL filtering (see Configuring Cerberian URL filtering on page 260) to HTTP traffic accepted by a policy.
Web Content Block | Block web pages that contain unwanted words or phrases. See Content blocking on page 254.
Web Script Filter | Remove scripts from web pages. See Script filtering on page 262.
Web Exempt List | Exempt URLs from web filtering and virus scanning. See Exempt URL list on page 263.

6 Enable the email filter protection options that you want.

Email Block List | Add a subject tag to email from unwanted addresses. See Email block list on page 270.
Email Exempt List | Exempt sender address patterns from email filtering. See Email exempt list on page 271.
Email Content Block | Add a subject tag to email that contains unwanted words or phrases. See Email banned word list on page 268.

7 Enable the fragmented email and oversized file and email options that you want.

Oversized File/Email | Block or pass files and email that exceed thresholds configured as a percent of system memory. See Blocking oversized files and emails on page 250.
Pass Fragmented Email | Allow email messages that have been fragmented to bypass antivirus scanning. See Exempting fragmented email from blocking on page 250.

8 Select OK.

Figure 16: Example content profile

Adding content profiles to policies

You can add content profiles to policies with action set to allow or encrypt and with service set to ANY, HTTP, FTP, IMAP, POP3, SMTP, or a service group that includes these services.

To add a content profile to a policy
1 Go to Firewall > Policy.
2 Select a policy list that contains policies that you want to add a content profile to.
  For example, to enable network protection for files downloaded by internal network users from the web, select an internal to external policy list.
3 Select New to add a new policy, or choose a policy and select Edit.
4 Select the Anti-Virus & Web filter check box.
5 Select a content profile from the list.
6 Configure the remaining policy settings, if required.
7 Select OK.
8 Repeat this procedure for any policies that you want to enable network protection for.

Users and authentication

FortiWiFi units support user authentication to the FortiWiFi user database, a RADIUS server, and an LDAP server. You can add user names to the FortiWiFi user database and then add a password to allow the user to authenticate using the internal database. You can also add the names of RADIUS and LDAP servers.
You can select RADIUS to allow the user to authenticate using the selected RADIUS server or LDAP to allow the user to authenticate using the selected LDAP server. You can disable a user name so that the user cannot authenticate. To enable authentication, you must add user names to one or more user groups. You can also add RADIUS servers and LDAP servers to user groups. You can then select a user group when you require authentication. You can select user groups to require authentication for:
any firewall policy with Action set to ACCEPT XAuth functionality for phase 1 IPSec VPN configurations PPTP L2TP When a user enters a user name and password, the FortiWiFi unit searches the internal user database for a matching user name. If Disable is selected for that user name, the user cannot authenticate and the connection is dropped. If Password is selected for that user and the password matches, the connection is allowed. If the password does not match, the connection is dropped. If RADIUS is selected and RADIUS support is configured and the user name and password match a user name and password on the RADIUS server, the connection is allowed. If the user name and password do not match a user name and password on the RADIUS server, the connection is dropped. If LDAP is selected and LDAP support is configured and the user name and password match a user name and password on the LDAP server, the connection is allowed. If the user name and password do not match a user name and password on the LDAP server, the connection is dropped. If the user group contains user names, RADIUS servers, and LDAP servers, the FortiWiFi unit checks them in the order in which they have been added to the user group. FortiWiFi-60 Installation and Configuration Guide 193 Setting authentication timeout Users and authentication This chapter describes:
Setting authentication timeout Adding user names and configuring authentication Configuring RADIUS support Configuring LDAP support Configuring user groups Setting authentication timeout Authentication timeout controls how long authenticated firewall connections can remain idle before users must authenticate again to get access through the firewall. 1 2 To set authentication timeout Go to System > Config > Options. In Auth Timeout, type a number, in minutes. The default authentication timeout is 15 minutes. Adding user names and configuring authentication Use the following procedures to add user names and configure authentication. This section describes:
Adding user names and configuring authentication Deleting user names from the internal database Adding user names and configuring authentication To add a user name and configure authentication Go to User > Local. Select New to add a new user name. Type the User Name. The user name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. Select one of the following authentication configurations:
   Disable: Prevent this user from authenticating.
   Password: Enter the password that this user must use to authenticate. The password should be at least six characters long. The password can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
   LDAP: Require the user to authenticate to an LDAP server. Select the name of the LDAP server to which the user must authenticate. You can only select an LDAP server that has been added to the FortiWiFi LDAP configuration. See Configuring LDAP support on page 197.
   Radius: Require the user to authenticate to a RADIUS server. Select the name of the RADIUS server to which the user must authenticate. You can only select a RADIUS server that has been added to the FortiWiFi RADIUS configuration. See Configuring RADIUS support on page 196.

5  If you have selected Radius and you want the FortiWiFi unit to try to connect to other RADIUS servers added to the FortiWiFi RADIUS configuration, select the "Try other servers if connect to selected server fails" check box.
6  Select OK.

Figure 17: Adding a user name

Deleting user names from the internal database

You cannot delete user names that have been added to user groups. Remove user names from user groups before deleting them.

To delete a user name from the internal database

1  Go to User > Local.
2  Select Delete User for the user name that you want to delete.
3  Select OK.

Note: Deleting the user name deletes the authentication configured for the user.

Configuring RADIUS support

If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiWiFi unit contacts the RADIUS server for authentication. This section describes:
   Adding RADIUS servers
   Deleting RADIUS servers

Adding RADIUS servers

To add a RADIUS server

1  Go to User > RADIUS.
2  Select New to add a new RADIUS server.
3  Type the Name of the RADIUS server. You can type any name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4  Enter the Server Name or IP address of the RADIUS server.
5  Enter the RADIUS server secret.
6  Select OK.

Figure 18: Example RADIUS configuration

Deleting RADIUS servers

You cannot delete a RADIUS server that has been added to a user group.

To delete a RADIUS server

1  Go to User > RADIUS.
2  Select Delete beside the RADIUS server name that you want to delete.
3  Select OK.

Configuring LDAP support

If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiWiFi unit contacts the LDAP server for authentication. To authenticate with the FortiWiFi unit, the user enters a user name and password. The FortiWiFi unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated with the FortiWiFi unit. If the LDAP server cannot authenticate the user, the connection is refused by the FortiWiFi unit.

The FortiWiFi unit supports LDAP protocol functionality defined in RFC 2251 for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3. FortiWiFi LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers. FortiWiFi LDAP support does not supply information to the user about why authentication failed.

LDAP user authentication is supported for PPTP, L2TP, IPSec VPN, and firewall authentication. With PPTP, L2TP, and IPSec VPN, PAP (Password Authentication Protocol) is supported and CHAP (Challenge-Handshake Authentication Protocol) is not.

This section describes:

   Adding LDAP servers
   Deleting LDAP servers

Adding LDAP servers

To add an LDAP server

1  Go to User > LDAP.
2  Select New to add a new LDAP server.
3  Type the Name of the LDAP server. You can type any name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4  Enter the Server Name or IP address of the LDAP server.
5  Enter the Server Port used to communicate with the LDAP server. By default LDAP uses port 389.
6  Enter the common name identifier for the LDAP server. The common name identifier for most LDAP servers is cn. However, some servers use other common name identifiers such as uid.
7  Enter the distinguished name used to look up entries on the LDAP server. Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiWiFi unit passes this distinguished name unchanged to the server. For example, you could use the following base distinguished name:

   ou=marketing,dc=fortinet,dc=com

   where ou is organization unit and dc is domain component. You can also specify multiple instances of the same field in the distinguished name, for example, to specify multiple organization units:

   ou=accounts,ou=marketing,dc=fortinet,dc=com

8  Select OK.

Figure 19: Example LDAP configuration

Deleting LDAP servers

You cannot delete an LDAP server that has been added to a user group.

To delete an LDAP server

1  Go to User > LDAP.
2  Select Delete beside the LDAP server name that you want to delete.
3  Select OK.

Configuring user groups

To enable authentication, you must add user names, RADIUS servers, and LDAP servers to one or more user groups. You can then select a user group when you require authentication. You can select a user group to configure authentication for:

   Policies that require authentication. Only users in the selected user group or users that can authenticate with the RADIUS servers added to the user group can authenticate with these policies.
   IPSec VPN Phase 1 configurations for dialup users. Only users in the selected user group can authenticate to use the VPN tunnel.
   XAuth for IPSec VPN Phase 1 configurations. Only users in the selected user group can be authenticated using XAuth.
   The FortiWiFi PPTP configuration. Only users in the selected user group can use PPTP.
   The FortiWiFi L2TP configuration. Only users in the selected user group can use L2TP.

When you add user names, RADIUS servers, and LDAP servers to a user group, the order in which they are added determines the order in which the FortiWiFi unit checks for authentication. If user names are first, the FortiWiFi unit checks for a match with these local users. If a match is not found, the FortiWiFi unit checks the RADIUS or LDAP server. If a RADIUS or LDAP server is added first, the FortiWiFi unit checks the server and then the local users. If the user group contains users, RADIUS servers, and LDAP servers, the FortiWiFi unit checks them in the order in which they have been added to the user group.

This section describes:
   Adding user groups
   Deleting user groups

Adding user groups

Use the following procedure to add user groups to the FortiWiFi configuration. You can add user names, RADIUS servers, and LDAP servers to user groups.

To add a user group

1  Go to User > User Group.
2  Select New to add a new user group.

Figure 20: Adding a user group

3  Enter a Group Name to identify the user group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4  To add users to the user group, select a user from the Available Users list and select the right arrow to add the name to the Members list.
5  To add a RADIUS server to the user group, select a RADIUS server from the Available Users list and select the right arrow to add the RADIUS server to the Members list.
6  To add an LDAP server to the user group, select an LDAP server from the Available Users list and select the right arrow to add the LDAP server to the Members list.
7  To remove users, RADIUS servers, or LDAP servers from the user group, select a user, RADIUS server, or LDAP server from the Members list and select the left arrow to remove the name, RADIUS server, or LDAP server from the group.
8  Select OK.

Deleting user groups

You cannot delete user groups that have been selected in a policy, a dialup user phase 1 configuration, or a PPTP or L2TP configuration.

To delete a user group

1  Go to User > User Group.
2  Select Delete beside the user group that you want to delete.
3  Select OK.

IPSec VPN

A Virtual Private Network (VPN) is an extension of a private network that encompasses links across shared or public networks such as the Internet. For example, a company that has two offices in different cities, each with its own private network, can use a VPN to create a secure tunnel between the offices. Similarly, a teleworker can use a VPN client for remote access to a private office network. In both cases, the secure connection appears to the user as a private network communication, even though the communication is over a public network.

Secure VPN connections are enabled by a combination of tunneling, data encryption, and authentication.

Tunneling encapsulates data so that it can be transferred over the public network. Instead of being sent in its original format, the data frames are encapsulated within an additional header and then routed between tunnel endpoints. Upon arrival at the destination endpoint, the data is decapsulated and forwarded to its destination within the private network.

Encryption changes a data stream from clear text (something that a human or a program can interpret) to cipher text (something that cannot be interpreted). The information is encrypted and decrypted using mathematical algorithms controlled by secret values known as keys.

Authentication provides a means to verify the origin of a packet and the integrity of its contents. Authentication is done using checksums calculated with keyed hash function algorithms.

This chapter provides an overview of how to configure FortiWiFi IPSec VPN. For a complete description of FortiWiFi VPN, see the FortiGate VPN Guide. This chapter describes:

   Key management
   Manual key IPSec VPNs
   AutoIKE IPSec VPNs
   Managing digital certificates
   Configuring encrypt policies
   IPSec VPN concentrators
   Monitoring and Troubleshooting VPNs

Key management

There are three basic elements in any encryption system:

   an algorithm that changes information into code,
   a cryptographic key that serves as a secret starting point for the algorithm,
   a management system to control the key.

IPSec provides two ways to handle key exchange and management:

   Manual Keys
   Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates

Manual Keys

When using manual keys, matching security settings must be entered at both ends of the tunnel. These settings, which include both the encryption and authentication keys, must be kept secret so that unauthorized parties cannot decrypt the data, even if they know which encryption algorithm is being used.

Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates

When using multiple tunnels, an automated system of key management is required. IPSec supports the automated generation and negotiation of keys using the Internet Key Exchange protocol. This method of key management is referred to as AutoIKE. Fortinet supports AutoIKE with pre-shared keys and AutoIKE with certificates.

AutoIKE with pre-shared keys

If both peers in a session are configured with the same pre-shared key, they can use it to authenticate themselves to each other. The peers do not send the key to each other. Instead, as part of the security negotiation process, they use it in combination with a Diffie-Hellman group to create a session key. The session key is used for encryption and authentication and is automatically regenerated by IKE during the communication session.

Pre-shared keys are similar to manual keys in that they require the network administrator to distribute and manage matching information at the VPN peer sites. Whenever a pre-shared key changes, the administrator must update both sites.

AutoIKE with certificates

This method of key management involves a trusted third party, the certificate authority (CA). Each peer in a VPN is first required to generate a set of keys, known as a public/private key pair. The CA signs the public key for each peer, creating a signed digital certificate. The peer then contacts the CA to retrieve its own certificate, plus that of the CA. After the certificates are uploaded to the FortiWiFi units and appropriate IPSec tunnels and policies are configured, the peers are ready to communicate. As they do, IKE manages the exchange of certificates, sending signed digital certificates from one peer to another. The signed digital certificates are validated by the presence of the CA certificate at each end. With authentication complete, the IPSec tunnel is then established.

In some respects, certificates are simpler to manage than manual keys or pre-shared keys. For this reason, certificates are best suited to large network deployments.

Manual key IPSec VPNs

When using manual keys, complementary security parameters must be entered at both ends of the tunnel. In addition to encryption and authentication algorithms and keys, the security parameter index (SPI) is required. The SPI is an arbitrary value that defines the structure of the communication between the peers. With other methods the SPI is generated automatically, but with the manual key configuration it must be entered as part of the VPN setup. The encryption and authentication keys must match on the local and remote peers, and the SPI values must be mirror images of each other: the Local SPI at one end is the Remote SPI at the other. After you enter these values, the VPN tunnel can start without a need for the authentication and encryption algorithms to be negotiated. Provided you entered correct, complementary values, the tunnel is established between the peers. This means that the tunnel already exists between the peers. As a result, when traffic matches a policy requiring the tunnel, it can be authenticated and encrypted immediately.
This section describes:

   General configuration steps for a manual key VPN
   Adding a manual key VPN tunnel

General configuration steps for a manual key VPN

A manual key VPN configuration consists of a manual key VPN tunnel, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel.

To create a manual key VPN configuration

1  Add a manual key VPN tunnel. See Adding a manual key VPN tunnel on page 203.
2  Configure an encrypt policy that includes the tunnel, source address, and destination address for both ends of the tunnel. See Configuring encrypt policies on page 215.

Adding a manual key VPN tunnel

Configure a manual key tunnel to create an IPSec VPN tunnel between the FortiWiFi unit and a remote IPSec VPN client or gateway that is also using manual key.

To add a manual key VPN tunnel

1  Go to VPN > IPSec > Manual Key.
2  Select New to add a new manual key VPN tunnel.
3  Type a VPN Tunnel Name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4  Enter the Local SPI. The Local Security Parameter Index is a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be entered as the Remote SPI at the opposite end of the tunnel.
5  Enter the Remote SPI. The Remote Security Parameter Index is a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be entered as the Local SPI at the opposite end of the tunnel.
6  Enter the Remote Gateway. This is the external IP address of the FortiWiFi unit or other IPSec gateway at the opposite end of the tunnel.
7  Select an Encryption Algorithm from the list. Use the same algorithm at both ends of the tunnel.
8  Enter the Encryption Key. Each two-character combination entered in hexadecimal format represents one byte. Depending on the encryption algorithm that you select, you might be required to enter the key in multiple segments. Use the same encryption key at both ends of the tunnel.

   DES: Enter a 16-character (8 byte) hexadecimal number (0-9, A-F).
   3DES: Enter a 48-character (24 byte) hexadecimal number (0-9, A-F). Separate the number into three segments of 16 characters.
   AES128: Enter a 32-character (16 byte) hexadecimal number (0-9, A-F). Separate the number into two segments of 16 characters.
   AES192: Enter a 48-character (24 byte) hexadecimal number (0-9, A-F). Separate the number into three segments of 16 characters.
   AES256: Enter a 64-character (32 byte) hexadecimal number (0-9, A-F). Separate the number into four segments of 16 characters.

9  Select an Authentication Algorithm from the list. Use the same algorithm at both ends of the tunnel.
10 Enter the Authentication Key. Each two-character combination entered in hexadecimal format represents one byte. Use the same authentication key at both ends of the tunnel.

   MD5: Enter a 32-character (16 byte) hexadecimal number (0-9, A-F). Separate the number into two segments of 16 characters.
   SHA1: Enter a 40-character (20 byte) hexadecimal number (0-9, A-F). Separate the number into two segments: the first of 16 characters, the second of 24 characters.

11 Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration. See Adding a VPN concentrator on page 220.
12 Select OK to save the manual key VPN tunnel.
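As an added example (not Fortinet code), the following Python encodes the constraints from steps 3, 4, 5, 8 and 10 and the mirror-image rule for the two SPIs, so that the definitions for both ends of a manual key tunnel can be checked against each other before they are typed into each unit. The tunnel names, gateway addresses and key values are constructed samples.

```python
"""Cross-checks for both ends of a manual key IPSec tunnel (added example).

Rules from the procedure above: names use 0-9, A-Z, a-z, - and _ only; SPIs are
hex, at most eight digits, in bb8..FFFFFFF; key length is fixed by the algorithm
(two hex characters per byte); the Local SPI of one peer is the Remote SPI of the
other; algorithms and keys are identical at both ends.
"""
import string
from dataclasses import dataclass
# Segment sizes (hex chars) the GUI asks for in steps 8 and 10; their sum is the key length.
ENC_KEYS = {"DES": [16], "3DES": [16, 16, 16], "AES128": [16, 16],
            "AES192": [16, 16, 16], "AES256": [16, 16, 16, 16]}
AUTH_KEYS = {"MD5": [16, 16], "SHA1": [16, 24]}
SPI_MIN, SPI_MAX = 0xBB8, 0xFFFFFFF          # range stated in steps 4 and 5
NAME_CHARS = set(string.ascii_letters + string.digits + "-_")
HEX_CHARS = set(string.hexdigits)

@dataclass
class ManualKeyTunnel:
    name: str
    local_spi: str
    remote_spi: str
    remote_gateway: str
    enc_alg: str
    enc_key: str
    auth_alg: str
    auth_key: str

def check_spi(label: str, spi: str) -> list[str]:
    """Problems with one SPI field; an empty list means it is acceptable."""
    if not spi or not set(spi) <= HEX_CHARS:
        return [f"{label}: {spi!r} is not a hexadecimal number"]
    if len(spi) > 8:
        return [f"{label}: {spi!r} has more than eight hex digits"]
    if not SPI_MIN <= int(spi, 16) <= SPI_MAX:
        return [f"{label}: {spi!r} is outside the range bb8..FFFFFFF"]
    return []

def check_key(label: str, alg: str, key: str, table: dict) -> list[str]:
    """Problems with one key field, given the algorithm it belongs to."""
    if alg not in table:
        return [f"{label}: unknown algorithm {alg!r}"]
    expected = sum(table[alg])
    if not set(key) <= HEX_CHARS or len(key) != expected:
        return [f"{label}: {alg} needs {expected} hex characters "
                f"({expected // 2} bytes), got {len(key)}"]
    return []

def split_key(alg: str, key: str, table: dict) -> list[str]:
    """Split a key into the segments the GUI expects, e.g. SHA1 -> 16 + 24."""
    parts, pos = [], 0
    for size in table[alg]:
        parts.append(key[pos:pos + size])
        pos += size
    return parts

def check_tunnel(t: ManualKeyTunnel) -> list[str]:
    """All problems visible from one end's definition alone."""
    problems = []
    if not t.name or not set(t.name) <= NAME_CHARS:
        problems.append(f"name {t.name!r} may only use 0-9, A-Z, a-z, - and _")
    problems += check_spi(f"{t.name} Local SPI", t.local_spi)
    problems += check_spi(f"{t.name} Remote SPI", t.remote_spi)
    problems += check_key(f"{t.name} Encryption Key", t.enc_alg, t.enc_key, ENC_KEYS)
    problems += check_key(f"{t.name} Authentication Key", t.auth_alg, t.auth_key, AUTH_KEYS)
    return problems

def check_peer_pair(a: ManualKeyTunnel, b: ManualKeyTunnel) -> list[str]:
    """Problems with two definitions that are meant to terminate one tunnel."""
    problems = check_tunnel(a) + check_tunnel(b)
    if problems:
        return problems          # field values unusable; skip the cross-checks
    # SPIs are mirror images: A's Local SPI is B's Remote SPI and vice versa.
    if int(a.local_spi, 16) != int(b.remote_spi, 16):
        problems.append(f"Local SPI of {a.name} does not match Remote SPI of {b.name}")
    if int(a.remote_spi, 16) != int(b.local_spi, 16):
        problems.append(f"Remote SPI of {a.name} does not match Local SPI of {b.name}")
    # Algorithms and keys must be the same at both ends (hex is case-insensitive).
    for field in ("enc_alg", "auth_alg"):
        if getattr(a, field) != getattr(b, field):
            problems.append(f"{field} differs between {a.name} and {b.name}")
    for field in ("enc_key", "auth_key"):
        if getattr(a, field).lower() != getattr(b, field).lower():
            problems.append(f"{field} differs between {a.name} and {b.name}")
    return problems

# Constructed sample values (not from any real device): both ends of one AES128/SHA1 tunnel.
ENC = "00112233445566778899aabbccddeeff"              # 32 hex chars, 16 bytes
AUTH = "0123456789abcdef0123456789abcdef01234567"     # 40 hex chars, 20 bytes
HEAD_OFFICE = ManualKeyTunnel("to_branch", "1000", "1001", "192.0.2.2",
                              "AES128", ENC, "SHA1", AUTH)
BRANCH = ManualKeyTunnel("to_head_office", "1001", "1000", "192.0.2.1",
                         "AES128", ENC, "SHA1", AUTH)

if __name__ == "__main__":
    for line in check_peer_pair(HEAD_OFFICE, BRANCH) or ["both ends are consistent"]:
        print(line)
    print("SHA1 key as GUI segments:", split_key("SHA1", AUTH, AUTH_KEYS))
```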
IPSec VPN AutoIKE IPSec VPNs AutoIKE IPSec VPNs FortiWiFi units support two methods of Automatic Internet Key Exchange (AutoIKE) for establishing IPSec VPN tunnels: AutoIKE with pre-shared keys and AutoIKE with digital certificates. General configuration steps for an AutoIKE VPN Adding a phase 1 configuration for an AutoIKE VPN Adding a phase 2 configuration for an AutoIKE VPN General configuration steps for an AutoIKE VPN An AutoIKE VPN configuration consists of phase 1 and phase 2 configuration parameters, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel. To create an AutoIKE VPN configuration Note: Prior to configuring an AutoIKE VPN that uses digital certificates, you must add the CA and local certificates to the FortiWiFi unit. For information about digital certificates, see Managing digital certificates on page 212. Add the phase 1 parameters. See Adding a phase 1 configuration for an AutoIKE VPN on page 205. Add the phase 2 parameters. See Adding a phase 2 configuration for an AutoIKE VPN on page 210. Configure an encrypt policy that includes the tunnel, source address, and destination address for both ends of the tunnel. See Configuring encrypt policies on page 215. 1 2 3 Adding a phase 1 configuration for an AutoIKE VPN When you add a phase 1 configuration, you define the terms by which the FortiWiFi unit and a remote VPN peer (gateway or client) authenticate themselves to each other prior to establishing an IPSec VPN tunnel. The phase 1 configuration is related to the phase 2 configuration. In phase 1 the VPN peers are authenticated; in phase 2 the tunnel is established. You have the option to use the same phase 1 parameters to establish multiple tunnels. In other words, the same remote VPN peer (gateway or client) can have multiple tunnels to the local VPN peer (the FortiWiFi unit). 
When the FortiWiFi unit receives an IPSec VPN connection request, it authenticates the VPN peers according to the phase 1 parameters. Then, depending on the source and destination addresses of the request, it starts an IPSec VPN tunnel and applies an encrypt policy. To add a phase 1 configuration 1 2 Go to VPN > IPSEC > Phase 1. Select New to add a new phase 1 configuration. FortiWiFi-60 Installation and Configuration Guide 205 AutoIKE IPSec VPNs IPSec VPN 3 4 5 6 7 8 9 Type a Gateway Name for the remote VPN peer. The remote VPN peer can be either a gateway to another network or an individual client on the Internet. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. Select a Remote Gateway address type. If the remote VPN peer has a static IP address, select Static IP Address. If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE), or if the remote VPN peer has a static IP address that is not required in the peer identification process, select Dialup User. Depending on the Remote Gateway address type you selected, other fields become available. Remote Gateway: Static IP Address IP Address If you select Static IP Address, the IP Address field appears. Enter the IP address of the remote IPSec VPN gateway or client that can connect to the FortiWiFi unit. This is a mandatory entry. Remote Gateway: Dialup User Peer Options If you select Dialup User, the Peer Options become available under Advanced Options. Use the Peer Options to authenticate remote VPN peers with peer IDs during phase 1 negotiations. Select Aggressive or Main (ID Protection) mode. When using aggressive mode, the VPN peers exchange identifying information in the clear. When using main mode, identifying information is hidden. The VPN peers must use the same mode. Configure the P1 Proposal. 
Select up to three encryption and authentication algorithm combinations to propose for phase 1. The VPN peers must use the same P1 proposal settings. Select the DH Group(s). Select one or more Diffie-Hellman groups to propose for phase 1. As a general rule, the VPN peers should use the same DH Group settings. Enter the Keylife. The keylife is the amount of time in seconds before the phase 1 encryption key expires. When the key expires, a new key is generated without interrupting service. P1 proposal keylife can be from 120 to 172,800 seconds. For Authentication Method, select Preshared Key or RSA Signature. Preshared Key: Enter a key that is shared by the VPN peers. The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, make sure the key consists of a minimum of 16 randomly chosen alphanumeric characters. RSA Signature: Select a local certificate that has been digitally signed by the certificate authority (CA). To add a local certificate to the FortiWiFi unit, see Obtaining a signed local certificate on page 212. 206 Fortinet Inc. IPSec VPN AutoIKE IPSec VPNs 10 1 2 3 Configure the Local ID the that the FortiWiFi unit sends to the remote VPN peer. Preshared key: If the FortiWiFi unit is functioning as a client and uses its ID to authenticate itself to the remote VPN peer, enter an ID. If no ID is specified, the FortiWiFi unit transmits its IP address. RSA Signature: No entry is required because the Local ID field contains the Distinguished Name (DN) of the certificate associated with this phase 1 configuration. The DN identifies the owner of the certificate and includes, as a minimum, a Common Name (CN). The DN is transmitted in place of an ID or IP address. Configuring advanced options To configure phase 1 advanced options Select Advanced Options. Select a Peer Option if you want to authenticate remote VPN peers by the ID that they transmit during phase 1. 
Accept any peer ID Accept this peer ID Select to accept any peer ID (and therefore not authenticate remote VPN peers by peer ID). Select to authenticate a specific VPN peer or a group of VPN peers with a shared user name (ID) and password (pre-
shared key). Also add the peer ID. Accept peer ID in dialup group Select to authenticate each remote VPN peer with a unique user name (ID) and password (pre-shared key). Also select a dialup group (user group). Configure the user group prior to configuring this peer option. Optionally, configure XAuth. XAuth (IKE eXtended Authentication) authenticates VPN peers at the user level. If the the FortiWiFi unit (the local VPN peer) is configured as an XAuth server, it authenticates remote VPN peers by referring to a user group. The users contained in the user group can be configured locally on the FortiWiFi unit or on remotely located LDAP or RADIUS servers. If the FortiWiFi unit is configured as an XAuth client, it provides a user name and password when it is challenged. XAuth: Enable as a Client Name Password Enter the user name the local VPN peer uses to authenticate itself to the remote VPN peer. Enter the password the local VPN peer uses to authenticate itself to the remote VPN peer. FortiWiFi-60 Installation and Configuration Guide 207 AutoIKE IPSec VPNs IPSec VPN Encryption method Usergroup XAuth: Enable as a Server Select the encryption method used between the XAuth client, the FortiWiFi unit and the authentication server. PAP Password Authentication Protocol. CHAPChallenge-Handshake Authentication Protocol. MIXEDSelect MIXED to use PAP between the XAuth client and the FortiWiFi unit, and CHAP between the FortiWiFi unit and the authentication server. Use CHAP whenever possible. Use PAP if the authentication server does not support CHAP. (Use PAP with all implementations of LDAP and some implementations of Microsoft RADIUS). Use MIXED if the authentication server supports CHAP but the XAuth client does not. (Use MIXED with the Fortinet Remote VPN Client.). Select a group of users to be authenticated by XAuth. The individual users within the group can be authenticated locally or by one or more LDAP or RADIUS servers. 
The user group must be added to the FortiWiFi configuration before it can be selected here.

4 Optionally, configure NAT Traversal.

Enable: Select Enable if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. Both ends of the VPN (both VPN peers) must have the same NAT traversal setting.
Keepalive Frequency: If you enable NAT traversal, you can change the number of seconds in the Keepalive Frequency field. This number specifies, in seconds, how frequently empty UDP packets are sent through the NAT device to ensure that the NAT mapping does not change until the P1 and P2 keylife expires. The keepalive frequency can be from 0 to 900 seconds.

5 Optionally, configure Dead Peer Detection. Use these settings to monitor the status of the connection between VPN peers. DPD allows dead connections to be cleaned up and new VPN tunnels established. DPD is not supported by all vendors.

Enable: Select Enable to enable DPD between the local and remote peers.
Short Idle: Set the time, in seconds, that a link must remain unused before the local VPN peer considers it to be idle. After this period of time expires, whenever the local peer sends traffic to the remote VPN peer it also sends a DPD probe to determine the status of the link.
Retry Count: To control the length of time that the FortiWiFi unit takes to detect a dead peer with DPD probes, configure the Retry Count and the Retry Interval. Set the number of times that the local VPN peer retries the DPD probe before it considers the channel to be dead and tears down the security association (SA). To avoid false negatives because of congestion or other transient failures, set the retry count to a sufficiently high value for your network.
Retry Interval: Set the time, in seconds, that the local VPN peer waits between retrying DPD probes.
Long Idle: Set the time, in seconds, that a link must remain unused before the local VPN peer proactively probes its state. After this period of time expires, the local peer sends a DPD probe to determine the status of the link even if there is no traffic between the local peer and the remote peer.

6 Select OK to save the phase 1 parameters.

Figure 21: Adding a phase 1 configuration (Standard options)
Figure 22: Adding a phase 1 configuration (Advanced options)

Adding a phase 2 configuration for an AutoIKE VPN

Add a phase 2 configuration to specify the parameters used to create and maintain a VPN tunnel between the local VPN peer (the FortiWiFi unit) and the remote VPN peer (the VPN gateway or client).

Note: Adding a phase 2 configuration is the same for pre-shared key and certificate VPNs.

To add a phase 2 configuration
1 Go to VPN > IPSEC > Phase 2.
2 Select New to add a new phase 2 configuration.
3 Enter a Tunnel Name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 Select a Remote Gateway to associate with the VPN tunnel. A remote gateway can be either a gateway to another network or an individual client on the Internet. Remote gateways are added as part of the phase 1 configuration. For details, see Adding a phase 1 configuration for an AutoIKE VPN on page 205. Choose either a single DIALUP remote gateway, or up to three STATIC remote gateways. Multiple STATIC remote gateways are necessary if you are configuring IPSec redundancy.
5 Configure the P2 Proposal. Select up to three encryption and authentication algorithm combinations to propose for phase 2. The VPN peers must use the same P2 proposal settings.
6 Optionally, enable Replay Detection. Replay detection protects the VPN tunnel from replay attacks.
Note: Do not select replay detection if you have also selected Null Authentication for the P2 Proposal.
7 Optionally, enable Perfect Forward Secrecy (PFS). PFS improves security by forcing a new Diffie-Hellman exchange whenever the keylife expires.
8 Select the DH Group(s). The VPN peers must use the same DH Group settings.
9 Enter the Keylife. The keylife causes the phase 2 key to expire after a specified time, after a specified number of Kbytes of data have been processed by the VPN tunnel, or both. If you select both, the key does not expire until both the time has passed and the number of Kbytes have been processed. When the key expires, a new key is generated without interrupting service. P2 proposal keylife can be from 120 to 172800 seconds or from 5120 to 99999 Kbytes.
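The keylife expiry rule in the step above (expire by time, by Kbytes, or only when both limits are reached), the Timeout value the tunnel list derives from it (keylife minus the time since the last key exchange), and the phase 1 DPD timers (Short Idle, Retry Count, Retry Interval, Long Idle) modelled in Python. This is an added example, not Fortinet code: the way the DPD timers combine into a detection time (first probe when Short Idle or Long Idle expires, each probe waiting Retry Interval, teardown after the initial probe plus Retry Count retries go unanswered) is an assumption made to show the worst case, and the sample values are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Phase 2 keylife limits from the manual: 120..172800 seconds, 5120..99999 Kbytes
KEYLIFE_SECONDS = (120, 172800)
KEYLIFE_KBYTES = (5120, 99999)


@dataclass
class Phase2Keylife:
    """Phase 2 key expiry: by time, by data volume, or both."""
    seconds: Optional[int] = None
    kbytes: Optional[int] = None

    def __post_init__(self) -> None:
        if self.seconds is None and self.kbytes is None:
            raise ValueError("set a keylife in seconds, in Kbytes, or both")
        if self.seconds is not None and not KEYLIFE_SECONDS[0] <= self.seconds <= KEYLIFE_SECONDS[1]:
            raise ValueError("keylife seconds must be within 120..172800")
        if self.kbytes is not None and not KEYLIFE_KBYTES[0] <= self.kbytes <= KEYLIFE_KBYTES[1]:
            raise ValueError("keylife Kbytes must be within 5120..99999")

    def expired(self, elapsed_seconds: int, processed_kbytes: int) -> bool:
        """With both limits configured the key expires only when BOTH have been
        reached; with a single limit, as soon as that limit is reached."""
        by_time = self.seconds is not None and elapsed_seconds >= self.seconds
        by_volume = self.kbytes is not None and processed_kbytes >= self.kbytes
        if self.seconds is not None and self.kbytes is not None:
            return by_time and by_volume
        return by_time or by_volume

    def timeout(self, elapsed_seconds: int) -> Optional[int]:
        """The Timeout column of the tunnel list: keylife minus the time elapsed
        since the last key exchange (None when the key is volume-limited only)."""
        if self.seconds is None:
            return None
        return max(self.seconds - elapsed_seconds, 0)


@dataclass
class DeadPeerDetection:
    """Phase 1 DPD timers; all values in seconds except retry_count."""
    short_idle: int
    retry_count: int
    retry_interval: int
    long_idle: int

    def detection_time(self, local_is_sending: bool, peer_answers: bool) -> Tuple[bool, int]:
        """Return (peer_declared_dead, seconds since the link went quiet).
        Model (assumption): when the local peer is still sending traffic the first
        probe rides along after Short Idle; on a fully idle link it is sent when
        Long Idle expires.  A live peer answers the first probe.  A dead peer lets
        the initial probe and retry_count retries expire, each after retry_interval,
        after which the SA is torn down."""
        first_probe = self.short_idle if local_is_sending else self.long_idle
        if peer_answers:
            return False, first_probe
        return True, first_probe + (self.retry_count + 1) * self.retry_interval


if __name__ == "__main__":
    key = Phase2Keylife(seconds=1800, kbytes=5120)       # constructed values
    print("expired after 30 min, 100 KB:", key.expired(1800, 100))      # False: both required
    print("timeout 10 min after rekey:", key.timeout(600))             # 1200
    dpd = DeadPeerDetection(short_idle=10, retry_count=3, retry_interval=5, long_idle=60)
    print("dead peer noticed on idle link after", dpd.detection_time(False, False)[1], "s")
```

The retry count trades detection speed for robustness: with the constructed values an idle link to a dead peer is torn down 80 seconds after it went quiet, while a single lost probe on a congested link does not tear anything down because the peer still has three retries to answer.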
10 Enable Autokey Keep Alive if you want to keep the VPN tunnel running even if no data is being processed.
11 Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration. If you use the procedure Adding a VPN concentrator on page 220 to add the tunnel to a concentrator, the next time you open the tunnel, the Concentrator field displays the name of the concentrator to which you added the tunnel.
12 Select a Quick Mode Identity.

Use selectors from policy: Select this option for policy-based VPNs. A policy-based VPN uses an encrypt policy to select which VPN tunnel to use for the connection. In this configuration, the VPN tunnel is referenced directly from the encrypt policy. You must select this option if both VPN peers are FortiWiFi units.
Use wildcard selectors: Select this option for routing-based VPNs. A routing-based VPN uses routing information to select which VPN tunnel to use for the connection. In this configuration, the tunnel is referenced indirectly by a route that points to a tunnel interface. You must select this option if the remote VPN peer is a non-FortiWiFi unit that has been configured to operate in tunnel interface mode.

13 Select OK to save the AutoIKE key VPN tunnel.

Figure 23: Adding a phase 2 configuration

Managing digital certificates

Use digital certificates to make sure that both participants in an IPSec communication session are trustworthy, prior to setting up an encrypted VPN tunnel between the participants. Fortinet uses a manual procedure to obtain certificates. This involves copying and pasting text files from your local computer to the certificate authority, and from the certificate authority to your local computer.

• Obtaining a signed local certificate
• Obtaining CA certificates

Note: Digital certificates are not required for configuring FortiWiFi VPNs. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.

Obtaining a signed local certificate

The signed local certificate provides the FortiWiFi unit with a means to authenticate itself to other devices.

Note: The VPN peers must use digital certificates that adhere to the X.509 standard.

Generating the certificate request

With this procedure, you generate a private and public key pair. The public key is the base component of the certificate request.

To generate the certificate request
1 Go to VPN > Certificates > Local Certificates.
2 Select Generate.
3 Type a Certificate Name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 Configure the Subject Information that identifies the object being certified. Preferably use an IP address or domain name. If this is impossible (such as with a dialup client), use an email address.
Host IP: For Host IP, enter the IP address of the FortiWiFi unit being certified.
Domain Name: For Domain Name, enter the fully qualified domain name of the FortiWiFi unit being certified. Do not include the protocol specification (http://) or any port number or path names.
E-Mail: For E-Mail, enter the email address of the owner of the FortiWiFi unit being certified. Typically, email addresses are entered only for clients, not gateways.

5 Configure the Optional Information to further identify the object being certified.

Organization Unit: Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiWiFi unit (such as Manufacturing or MF).
Organization: Enter the legal name of the organization that is requesting the certificate for the FortiWiFi unit (such as Fortinet).
Locality: Enter the name of the city or town where the FortiWiFi unit is located (such as Vancouver).
State/Province: Enter the name of the state or province where the FortiWiFi unit is located (such as California or CA).
Country: Select the country where the FortiWiFi unit is located.
e-mail: Enter a contact email address for the FortiWiFi unit. Typically, email addresses are entered only for clients, not gateways.

6 Configure the key.

Key Type: Select RSA as the key encryption type. No other key type is supported.
Key Size: Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but more secure. Not all IPSec VPN products support all three key sizes.

7 Select OK to generate the private and public key pair and the certificate request. The private/public key pair is generated and the certificate request is displayed on the Local Certificates list with a status of Pending.

Figure 24: Adding a Local Certificate

Downloading the certificate request

Use the following procedure to download a certificate request from the FortiWiFi unit to the management computer.

To download the certificate request
1 Go to VPN > Certificates > Local Certificates.
2 Select Download to download the local certificate request to the management computer.
3 Select Save.
4 Name the file and save it in a directory on the management computer.

After downloading the certificate request, you can submit it to your CA so that your CA can sign the certificate.

Importing the signed local certificate

With this procedure, you import the signed local certificate from the management computer to the FortiWiFi unit.

To import the signed local certificate
1 Go to VPN > Certificates > Local Certificates.
2 Select Import.
3 Enter the path or browse to locate the signed local certificate on the management computer.
4 Select OK.

The signed local certificate is displayed on the Local Certificates list with a status of OK.
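The request-sign-import cycle above, carried out with the openssl command line so that the CA side of the exchange can be seen end to end: an RSA key pair and a PKCS#10 request carrying the Subject Information (the domain name in CN, or an email address for a dialup client) and the Optional Information fields, a CA signature over that request, validation of the result against the CA certificate (what a peer does after importing the CA certificate), and an export of key plus certificate into a password-protected PKCS12 file of the kind the backup procedure calls for. This is an added example, not Fortinet code: the FortiWiFi unit generates its key pair internally and never exposes the private key this way, the throwaway test CA stands in for whatever CA you submit the request to, the subject values are constructed, and an openssl binary on the PATH is assumed.

```python
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# Order in which the fields are written into the request's Distinguished Name
SUBJECT_ORDER = ("C", "ST", "L", "O", "OU", "CN", "emailAddress")


def _openssl(*args: str) -> str:
    """Run one openssl command and return its stdout; raise on a non-zero exit."""
    return subprocess.run(["openssl", *args], check=True, capture_output=True, text=True).stdout


def subject_string(fields: Dict[str, str]) -> str:
    """Build the -subj argument: CN carries the Host IP or Domain Name (or the
    e-mail for a dialup client), the others are the Optional Information."""
    return "".join(f"/{k}={fields[k]}" for k in SUBJECT_ORDER if fields.get(k))


def generate_request(workdir: Path, fields: Dict[str, str], key_size: int = 2048) -> Tuple[Path, Path]:
    """'Generating the certificate request': RSA key pair plus a pending request."""
    key, csr = workdir / "local.key", workdir / "local.csr"
    _openssl("req", "-new", "-newkey", f"rsa:{key_size}", "-nodes",
             "-keyout", str(key), "-out", str(csr), "-subj", subject_string(fields))
    return key, csr


def make_test_ca(workdir: Path) -> Tuple[Path, Path]:
    """Self-signed CA standing in for the certificate authority you submit to."""
    ca_key, ca_crt = workdir / "ca.key", workdir / "ca.crt"
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
             "-keyout", str(ca_key), "-out", str(ca_crt), "-subj", "/CN=Example Test CA")
    return ca_key, ca_crt


def sign_request(workdir: Path, csr: Path, ca_key: Path, ca_crt: Path) -> Path:
    """The CA signs the request; the result is what you import as the local certificate."""
    crt = workdir / "local.crt"
    _openssl("x509", "-req", "-days", "365", "-in", str(csr), "-CA", str(ca_crt),
             "-CAkey", str(ca_key), "-CAcreateserial", "-out", str(crt))
    return crt


def chain_validates(crt: Path, ca_crt: Path) -> bool:
    """What a peer holding the CA certificate does with a certificate it receives."""
    result = subprocess.run(["openssl", "verify", "-CAfile", str(ca_crt), str(crt)],
                            capture_output=True, text=True)
    return result.returncode == 0


def export_pkcs12(workdir: Path, key: Path, crt: Path, password: str) -> Path:
    """Password-protected PKCS12 bundle of the local certificate and private key."""
    p12 = workdir / "local.p12"
    _openssl("pkcs12", "-export", "-in", str(crt), "-inkey", str(key),
             "-out", str(p12), "-passout", f"pass:{password}")
    return p12


def pkcs12_opens_with(p12: Path, password: str) -> bool:
    result = subprocess.run(["openssl", "pkcs12", "-in", str(p12), "-noout",
                             "-passin", f"pass:{password}"], capture_output=True, text=True)
    return result.returncode == 0


def run_workflow(fields: Dict[str, str], password: str = "backup-passphrase") -> Dict[str, object]:
    """Run the whole cycle in a scratch directory and report what can be checked."""
    with tempfile.TemporaryDirectory(prefix="fw-cert-") as tmp:
        workdir = Path(tmp)
        key, csr = generate_request(workdir, fields)
        ca_key, ca_crt = make_test_ca(workdir)
        crt = sign_request(workdir, csr, ca_key, ca_crt)
        p12 = export_pkcs12(workdir, key, crt, password)
        return {
            "subject": _openssl("x509", "-in", str(crt), "-noout", "-subject").strip(),
            "chain_ok": chain_validates(crt, ca_crt),
            "p12_ok": pkcs12_opens_with(p12, password),
            "p12_wrong_password": pkcs12_opens_with(p12, "not-the-passphrase"),
        }


# Constructed subject for a gateway: domain name in CN, no e-mail (gateways rarely need one)
GATEWAY_SUBJECT = {"C": "CA", "ST": "British Columbia", "L": "Vancouver",
                   "O": "Example Corp", "OU": "MF", "CN": "vpn-gw.example.com"}

if __name__ == "__main__":
    for k, v in run_workflow(GATEWAY_SUBJECT).items():
        print(f"{k}: {v}")
```

The text files you copy between the unit and the CA are local.csr (what Download produces) and local.crt (what Import consumes); the CA certificate the peers share is ca.crt. Keep the PKCS12 passphrase with the configuration backup, since the bundle is useless without it, as the wrong-password check shows.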
Backing up and restoring the local certificate and private key

When you back up a FortiWiFi configuration that includes IPSec VPN tunnels using certificates, you must also back up the local certificate and private key in a password-protected PKCS12 file. Before restoring the configuration, you must import the PKCS12 file and set the local certificate name to the same name that was in the original configuration. Public Key Cryptography Standard 12 (PKCS12) describes the syntax for securely exchanging personal information.

Note: Use the execute vpn certificates key CLI command to back up and restore the local certificate and private key. For more information, see the FortiGate CLI Reference Guide.

Obtaining CA certificates

For the VPN peers to authenticate themselves to each other, they must both obtain a CA certificate from the same certificate authority. The CA certificate provides the VPN peers with a means to validate the digital certificates that they receive from other devices. The FortiWiFi unit obtains the CA certificate to validate the digital certificate that it receives from the remote VPN peer. The remote VPN peer obtains the CA certificate to validate the digital certificate that it receives from the FortiWiFi unit.

Note: The CA certificate must adhere to the X.509 standard.

Importing CA certificates

Import the CA certificate from the management computer to the FortiWiFi unit.

To import the CA certificate
1 Go to VPN > Certificates > CA Certificates.
2 Select Import.
3 Enter the path or browse to locate the CA certificate on the management computer.
4 Select OK.

The CA certificate is displayed on the CA Certificates list. The system assigns a unique name to each CA certificate. The names are numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).

Configuring encrypt policies

A VPN connects the local, internal network to a remote, external network. The principal role of the encrypt policy is to define (and limit) which addresses on these networks can use the VPN. A VPN requires only one encrypt policy to control both inbound and outbound connections.
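How a single encrypt policy governs both directions, and why its position in the policy list matters, modelled as a small top-down, first-match policy evaluator in Python. This is an added example, not Fortinet code, and it simplifies the unit: interface bindings are left out, Internal_All and External_All are modelled as "any address", and the outcome when a matched encrypt policy has the relevant direction disabled (modelled as a deny that ends evaluation) is an assumption. The addresses, tunnel name and policies are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Name rule the manual gives for tunnel, certificate and address-group names
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def valid_name(name: str) -> bool:
    return bool(NAME_RE.match(name))


@dataclass(frozen=True)
class Address:
    """A firewall address object (the interface binding is left out of this model)."""
    name: str
    network: ipaddress.IPv4Network

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return ip in self.network


@dataclass(frozen=True)
class Policy:
    source: Address
    destination: Address
    service: str                  # "ANY" or one named service such as "HTTP"
    action: str                   # "ACCEPT", "DENY" or "ENCRYPT"
    vpn_tunnel: Optional[str] = None
    allow_inbound: bool = False
    allow_outbound: bool = False

    def __post_init__(self) -> None:
        if self.action == "ENCRYPT" and not (self.vpn_tunnel and valid_name(self.vpn_tunnel)):
            raise ValueError("an ENCRYPT policy needs a valid VPN tunnel name")

    def direction(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address,
                  service: str) -> Optional[str]:
        """'outbound', 'inbound' or None.  A plain policy matches only its own
        direction.  An encrypt policy is written as an outgoing policy (internal
        source, remote destination) but also governs connections arriving from the
        remote network towards the source address: the inbound connection."""
        if self.service not in ("ANY", service):
            return None
        if self.source.contains(src) and self.destination.contains(dst):
            return "outbound"
        if self.action == "ENCRYPT" and self.destination.contains(src) and self.source.contains(dst):
            return "inbound"
        return None


def decide(policies: List[Policy], src_ip: str, dst_ip: str, service: str) -> str:
    """Top-down, first-match evaluation; anything unmatched falls to the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for pol in policies:
        direction = pol.direction(src, dst, service)
        if direction is None:
            continue
        if pol.action != "ENCRYPT":
            return pol.action
        enabled = pol.allow_outbound if direction == "outbound" else pol.allow_inbound
        # Assumption: a matched encrypt policy whose direction is disabled ends evaluation
        return f"ENCRYPT via {pol.vpn_tunnel} ({direction})" if enabled else "DENY"
    return "DENY"


# Constructed sample objects; Internal_All / External_All modelled as "any address"
INTERNAL_ALL = Address("Internal_All", ipaddress.ip_network("0.0.0.0/0"))
EXTERNAL_ALL = Address("External_All", ipaddress.ip_network("0.0.0.0/0"))
HQ_LAN = Address("HQ_LAN", ipaddress.ip_network("192.168.1.0/24"))
BRANCH_LAN = Address("Branch_LAN", ipaddress.ip_network("10.20.0.0/24"))

ENCRYPT_POLICY = Policy(HQ_LAN, BRANCH_LAN, "ANY", "ENCRYPT", vpn_tunnel="Tunnel_to_Branch",
                        allow_inbound=True, allow_outbound=True)
OUTBOUND_ONLY_POLICY = Policy(HQ_LAN, BRANCH_LAN, "ANY", "ENCRYPT", vpn_tunnel="Tunnel_to_Branch",
                              allow_outbound=True)
DEFAULT_POLICY = Policy(INTERNAL_ALL, EXTERNAL_ALL, "ANY", "ACCEPT")

RIGHT_ORDER = [ENCRYPT_POLICY, DEFAULT_POLICY]      # encrypt policy above the catch-all
WRONG_ORDER = [DEFAULT_POLICY, ENCRYPT_POLICY]      # catch-all shadows the encrypt policy
OUTBOUND_ONLY = [OUTBOUND_ONLY_POLICY, DEFAULT_POLICY]

if __name__ == "__main__":
    for order, label in ((RIGHT_ORDER, "encrypt policy first"), (WRONG_ORDER, "catch-all first")):
        print(f"{label}: {decide(order, '192.168.1.10', '10.20.0.5', 'HTTP')}")
```

With the catch-all Internal_All to External_All policy above the encrypt policy, a connection from HQ to the branch subnet is accepted by the plain policy and never reaches the tunnel; that is the failure the ordering rule in the procedure below guards against. The same evaluator shows the inbound case: a connection from the branch to HQ matches the encrypt policy in its inbound direction and is only admitted when Allow inbound is set.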
Depending on how you configure it, the policy controls whether users on your internal network can establish a tunnel to the remote network (the outbound connection), and whether users on the remote network can establish a tunnel to your internal network (the inbound connection). This flexibility allows one encrypt policy to do the same function as two regular firewall policies.

Although the encrypt policy controls both incoming and outgoing connections, it must always be configured as an outgoing policy. An outgoing policy has a source address on an internal network and a destination address on an external network. The source address identifies the addresses on the internal network that are part of the VPN. The destination address identifies the addresses on the remote network that are part of the VPN.

Note: The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway.

In addition to defining membership in the VPN by address, you can configure the encrypt policy for services such as DNS, FTP, and POP3, and to allow connections according to a predefined schedule (by the time of the day or the day of the week, month, or year). You can also configure the encrypt policy for:

• Inbound NAT to translate the source address of incoming packets.
• Outbound NAT to translate the source address of outgoing packets.
• Traffic shaping to control the bandwidth available to the VPN and the priority of the VPN.
• Content profiles to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services in the VPN.
• Logging so that the FortiWiFi unit logs all connections that use the VPN.

The policy must also include the VPN tunnel that you created to communicate with the remote FortiWiFi VPN gateway. When users on your internal network attempt to connect to the network behind the remote VPN gateway, the encrypt policy intercepts the connection attempt and starts the VPN tunnel added to the policy. The tunnel uses the remote gateway added to its configuration to connect to the remote VPN gateway. When the remote VPN gateway receives the connection attempt, it checks its own policy, gateway, and tunnel configuration. If the configuration is allowed, an IPSec VPN tunnel is negotiated between the two VPN peers.

• Adding a source address
• Adding a destination address
• Adding an encrypt policy

Adding a source address

The source address is located within the internal network of the local VPN peer. It can be a single computer address or the address of a network.

To add a source address
1 Go to Firewall > Address.
2 Select an internal interface.
3 Select New to add an address.
4 Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the local VPN peer.
5 Select OK to save the source address.

Adding a destination address

The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway.

To add a destination address
1 Go to Firewall > Address.
2 Select an external interface.
3 Select New to add an address.
4 Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the remote VPN peer.
5 Select OK to save the destination address.

Adding an encrypt policy

To add an encrypt policy
1 Go to Firewall > Policy.
2 Select New to add a new policy.
3 Set Source to the source address.
4 Set Destination to the destination address.
5 Set Service to control the services allowed over the VPN connection. You can select ANY to allow all supported services over the VPN connection or select a specific service or service group to limit the services allowed over the VPN connection.
6 Set Action to ENCRYPT.
7 Configure the ENCRYPT parameters.

VPN Tunnel: Select an Auto Key tunnel for this encrypt policy.
Allow inbound: Select Allow inbound to enable inbound users to connect to the source address.
Allow outbound: Select Allow outbound to enable outbound users to connect to the destination address.
Inbound NAT: The FortiWiFi unit translates the source address of incoming packets to the IP address of the FortiWiFi interface connected to the source address network. Typically, this is an internal interface of the FortiWiFi unit. Inbound NAT makes it impossible for local hosts to see the IP addresses of remote hosts (hosts located on the network behind the remote VPN gateway).
Outbound NAT: The FortiWiFi unit translates the source address of outgoing packets to the IP address of the FortiWiFi interface connected to the destination address network. Typically, this is an external interface of the FortiWiFi unit. Outbound NAT makes it impossible for remote hosts to see the IP addresses of local hosts (hosts located on the network behind the local VPN gateway). If Outbound NAT is implemented, it is subject to these limitations:
• Configure Outbound NAT only at one end of the tunnel. The end that does not implement Outbound NAT requires an internal to external policy that specifies the remote external interface as the Destination (usually a public IP address).
• The tunnel, and the traffic within the tunnel, can only be initiated at the end that implements Outbound NAT.

For information about configuring the remaining policy settings, see Adding firewall policies on page 162.
8 Select OK to save the encrypt policy.

To make sure that the encrypt policy is matched for VPN connections, arrange the encrypt policy above other policies with similar source and destination addresses and services in the policy list.

Figure 25: Adding an encrypt policy

IPSec VPN concentrators

In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer called a hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, managing the VPN connections between the spokes. The advantage of a hub-and-spoke network is that the spokes are simpler to configure because they require fewer policy rules. Also, a hub-and-spoke network provides some processing efficiencies, particularly on the spokes. The disadvantage of a hub-and-spoke network is its reliance on a single peer to handle management of all VPNs. If this peer fails, encrypted communication in the network is impossible.

A hub-and-spoke VPN network requires a special configuration. Setup varies depending on the role of the VPN peer. If the VPN peer is a FortiWiFi unit functioning as the hub, or concentrator, it requires a VPN configuration connecting it to each spoke (AutoIKE phase 1 and 2 settings or manual key settings, plus encrypt policies). It also requires a concentrator configuration that groups the hub-and-spoke tunnels together. The concentrator configuration defines the FortiWiFi unit as the hub in a hub-and-spoke network.

If the VPN peer is one of the spokes, it requires a tunnel connecting it to the hub (but not to the other spokes). It also requires policies that control its encrypted connections to the other spokes and its non-encrypted connections to other networks, such as the Internet.

• VPN concentrator (hub) general configuration steps
• Adding a VPN concentrator
• VPN spoke general configuration steps

VPN concentrator (hub) general configuration steps

A central FortiWiFi unit that is functioning as a hub requires the following configuration:
• A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for each spoke.
• Destination addresses for each spoke.
• A concentrator configuration.
• An encrypt policy for each spoke.

To create a VPN concentrator configuration
1 Configure one of the following tunnels for each spoke:
• A manual key tunnel consists of a name for the tunnel, the IP address of the spoke (client or gateway) at the opposite end of the tunnel, and the encryption and authentication algorithms to use for the tunnel. See Manual key IPSec VPNs on page 203.
• An AutoIKE tunnel consists of phase 1 and phase 2 parameters. The phase 1 parameters include the name of the spoke (client or gateway), designation of how the spoke receives its IP address (static or dialup), encryption and authentication algorithms, and the authentication method (either pre-shared keys or PKI certificates). The phase 2 parameters include the name of the tunnel, selection of the spoke (client or gateway) configured in phase 1, encryption and authentication algorithms, and a number of security parameters. See AutoIKE IPSec VPNs on page 205.
2 Add a destination address for each spoke. The destination address is the address of the spoke (either a client on the Internet or a network located behind a gateway). See Adding a source address on page 216.
3 Add the concentrator configuration. This step groups the tunnels together on the FortiWiFi unit. The tunnels link the hub to the spokes. The tunnels are added as part of the AutoIKE phase 2 configuration or the manual key configuration. See Adding a VPN concentrator on page 220.
Note: Add the concentrator configuration to the central FortiWiFi unit (the hub) after adding the tunnels for all spokes.
4 Add an encrypt policy for each spoke. Encrypt policies control the direction of traffic through the hub and allow inbound and outbound VPN connections between the hub and the spokes. The encrypt policy for each spoke must include the tunnel name of the spoke. The source address must be Internal_All. Use the following configuration for the encrypt policies:
Source: Internal_All
Destination: The VPN spoke address.
Action: ENCRYPT
VPN Tunnel: The VPN spoke tunnel name.
Allow inbound: Select allow inbound.
Allow outbound: Select allow outbound.
Inbound NAT: Select inbound NAT if required.
Outbound NAT: Select outbound NAT if required.

See Adding an encrypt policy on page 217.
5 Arrange the policies in the following order:
• encrypt policies
• default non-encrypt policy (Internal_All -> External_All)

Adding a VPN concentrator

To add a VPN concentrator configuration
1 Go to VPN > IPSec > Concentrator.
2 Select New to add a VPN concentrator.
3 Enter the name of the new concentrator in the Concentrator Name field.
4 To add tunnels to the VPN concentrator, select a VPN tunnel from the Available Tunnels list and select the right arrow.
5 To remove tunnels from the VPN concentrator, select the tunnel in the Members list and select the left arrow.
6 Select OK to add the VPN concentrator.

Figure 26: Adding a VPN concentrator

VPN spoke general configuration steps

A remote VPN peer that functions as a spoke requires the following configuration:
• A tunnel (AutoIKE phase 1 and phase 2 configuration or manual key configuration) for the hub.
• The source address of the local VPN spoke.
• The destination address of each remote VPN spoke.
• A separate outbound encrypt policy for each remote VPN spoke. These policies allow the local VPN spoke to initiate encrypted connections.
• A single inbound encrypt policy. This policy allows the local VPN spoke to accept encrypted connections.

To create a VPN spoke configuration
1 Configure a tunnel between the spoke and the hub. Choose between a manual key tunnel or an AutoIKE tunnel. To add a manual key tunnel, see Manual key IPSec VPNs on page 203. To add an AutoIKE tunnel, see AutoIKE IPSec VPNs on page 205.
2 Add the source address. One source address is required for the local VPN spoke. See Adding a source address on page 216.
3 Add a destination address for each remote VPN spoke. The destination address is the address of the spoke (either a client on the Internet or a network located behind a gateway). See Adding a destination address on page 216.
4 Add a separate outbound encrypt policy for each remote VPN spoke. These policies control the encrypted connections initiated by the local VPN spoke. The encrypt policy must include the appropriate source and destination addresses and the tunnel added in step 1. Use the following configuration:

Source: The local VPN spoke address.
Destination: The remote VPN spoke address.
Action: ENCRYPT
VPN Tunnel: The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.)
Allow inbound: Do not enable.
Allow outbound: Select allow outbound.
Inbound NAT: Select inbound NAT if required.
Outbound NAT: Select outbound NAT if required.

See Adding an encrypt policy on page 217.
5 Add an inbound encrypt policy. This policy controls the encrypted connections initiated by the remote VPN spokes. The encrypt policy for the hub must include the appropriate source and destination addresses and the tunnel added in step 1. Use the following configuration:

Source: The local VPN spoke address.
Destination: External_All
Action: ENCRYPT
VPN Tunnel: The VPN tunnel name added in step 1. (Use the same tunnel for all encrypt policies.)
Allow inbound: Select allow inbound.
Allow outbound: Do not enable.
Inbound NAT: Select inbound NAT if required.
Outbound NAT: Select outbound NAT if required.

See Adding an encrypt policy on page 217.
6 Arrange the policies in the following order:
• outbound encrypt policies
• default non-encrypt policy (Internal_All -> External_All)
• inbound encrypt policy

Note: The default non-encrypt policy is required to allow the VPN spoke to access other networks, such as the Internet.

Monitoring and Troubleshooting VPNs

• Viewing VPN tunnel status
• Viewing dialup VPN connection status
• Testing a VPN

Viewing VPN tunnel status

You can use the IPSec VPN tunnel list to view the status of all IPSec AutoIKE key VPN tunnels. For each tunnel, the list shows the status and the tunnel timeout.

To view VPN tunnel status
1 Go to VPN > IPSEC > Phase 2.
2 View the status and timeout for each VPN tunnel.

Status: The status of each tunnel. If Status is Up, the tunnel is active. If Status is Down, the tunnel is not active. If Status is Connecting, the tunnel is attempting to start a VPN connection with a remote VPN gateway or client.
Timeout: The time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife.

Figure 27: AutoIKE key tunnel status

Viewing dialup VPN connection status

You can use the dialup monitor to view the status of dialup VPNs. The dialup monitor lists the remote gateways and the active VPN tunnels for each gateway. The monitor also lists the tunnel lifetime, timeout, proxy ID source, and proxy ID destination for each tunnel.

To view dialup connection status
1 Go to VPN > IPSec > Dialup Monitor.
2 View the dialup connection status information for the FortiWiFi unit:

Remote gateway: The IP address of the remote dialup gateway connected to the FortiWiFi unit.
Lifetime: The amount of time that the dialup VPN connection has been active.
Timeout: The time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife.
Proxy ID Source: The actual IP address or subnet address of the remote peer.
Proxy ID Destination: The actual IP address or subnet address of the local peer.

Figure 28: Dialup Monitor

Testing a VPN

To confirm that a VPN between two networks has been configured correctly, use the ping command from one internal network to connect to a computer on the other internal network. The IPSec VPN tunnel starts automatically when the first data packet destined for the VPN is intercepted by the FortiWiFi unit.

To confirm that a VPN between a network and one or more clients has been configured correctly, start a VPN client and use the ping command to connect to a computer on the internal network. The VPN tunnel initializes automatically when the client makes a connection attempt. You can start the tunnel and test it at the same time by pinging from the client to an address on the internal network.

PPTP and L2TP VPN

You can use PPTP and L2TP to create a virtual private network (VPN) between a remote client computer that is running Windows and your internal network. Because PPTP and L2TP are supported by Windows, you do not require third-party software on the client computer. Provided your ISP supports PPTP and L2TP connections, you can create a secure connection by making some configuration changes to the client computer and the FortiWiFi unit. This chapter provides an overview of how to configure FortiWiFi PPTP and L2TP VPN.
For a complete description of FortiWiFi PPTP and L2TP, see the FortiGate VPN Guide.

This chapter describes:
• Configuring PPTP
• Configuring L2TP

Configuring PPTP

Point-to-Point Tunneling Protocol (PPTP) packages data within PPP packets and then encapsulates the PPP packets within IP packets for transmission through a VPN tunnel.

Note: PPTP VPNs are supported only in NAT/Route mode.

This section describes:
• Configuring the FortiWiFi unit as a PPTP gateway
• Configuring a Windows 98 client for PPTP
• Configuring a Windows 2000 client for PPTP
• Configuring a Windows XP client for PPTP

Configuring the FortiWiFi unit as a PPTP gateway

Use the following procedures to configure the FortiWiFi unit as a PPTP gateway:

To add users and user groups
Add a user for each PPTP client.
1 Go to User > Local.
2 Add and configure PPTP users. For information about adding and configuring users, see Adding user names and configuring authentication on page 194.
3 Go to User > User Group.
4 Add and configure PPTP user groups. For information about adding and configuring user groups, see Configuring user groups on page 199.

To enable PPTP and specify an address range
1 Go to VPN > PPTP > PPTP Range.
2 Select Enable PPTP.
3 Enter the Starting IP and the Ending IP for the PPTP address range.
4 Select the User Group that you added in To add users and user groups on page 225.
5 Select Apply to enable PPTP through the FortiWiFi unit.

Figure 29: Example PPTP Range configuration

To add a source address
Add a source address for every address in the PPTP address range.
1 Go to Firewall > Address.
2 Select the interface to which PPTP clients connect.
3 Select New to add an address.
4 Enter the Address Name, IP Address, and NetMask for an address in the PPTP address range.
5 Select OK to save the source address.
6 Repeat for all addresses in the PPTP address range.

Note: If the PPTP address range is comprised of an entire subnet, add an address for this subnet. Do not add an address group.

To add a source address group
Organize the source addresses into an address group.
1 Go to Firewall > Address > Group.
2 Add a new address group to the interface to which PPTP clients connect.
3 Enter a Group Name to identify the address group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4 To add addresses to the address group, select an address from the Available Addresses list and select the right arrow to add it to the Members list.
5 To remove addresses from the address group, select an address from the Members list and select the left arrow to remove it from the group.
6 Select OK to add the address group.

To add a destination address
Add an address to which PPTP users can connect.
1 Go to Firewall > Address.
2 Select the internal interface or the DMZ interface.
3 Select New to add an address.
4 Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the local VPN peer.
5 Select OK to save the destination address.

To add a firewall policy
Add a policy which specifies the source and destination addresses and sets the service for the policy to the traffic type inside the PPTP VPN tunnel.
1 Go to Firewall > Policy.
2 Select New to add a new policy.
3 Set Source to the group that matches the PPTP address range.
4 Set Destination to the address to which PPTP users can connect.
5 Set Service to match the traffic type inside the PPTP VPN tunnel. For example, if PPTP users can access a web server, select HTTP.
6 Set Action to ACCEPT.
7 Select NAT if address translation is required. You can also configure traffic shaping, logging, and antivirus and web filter settings for PPTP policies.
8 Select OK to save the firewall policy.

Configuring a Windows 98 client for PPTP

Use the following procedure to configure a client computer running Windows 98 so that it can connect to a FortiWiFi PPTP VPN. To configure the Windows 98 client, you must install and configure Windows dialup networking and virtual private networking support.

To install PPTP support
1 Go to Start > Settings > Control Panel > Network.
2 Select Add.
3 Select Adapter.
4 Select Add.
5 Select Microsoft as the manufacturer.
6 Select Microsoft Virtual Private Networking Adapter.
7 Select OK twice.
8 Insert diskettes or CDs as required.
9 Restart the computer.

To configure a PPTP dialup connection
1 Go to My Computer > Dial-Up Networking > Configuration.
2 Double-click Make New Connection.
3 Name the connection and select Next.
4 Enter the IP address or host name of the FortiWiFi unit to connect to and select Next.
5 Select Finish. An icon for the new connection appears in the Dial-Up Networking folder.
6 Right-click the new icon and select Properties.
7 Go to Server Types.
8 Uncheck IPX/SPX Compatible.
9 Select TCP/IP Settings.
10 Uncheck Use IP header compression.
11 Uncheck Use default gateway on remote network.
12 Select OK twice.

To connect to the PPTP VPN
1 Start the dialup connection that you configured in the previous procedure.
2 Enter your PPTP VPN User Name and Password.
3 Select Connect.

Configuring a Windows 2000 client for PPTP

Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiWiFi PPTP VPN.

To configure a PPTP dialup connection
1 Go to Start > Settings > Network and Dial-up Connections.
2 Double-click Make New Connection to start the Network Connection Wizard and select Next.
3 For Network Connection Type, select Connect to a private network through the Internet and select Next.
4 For Destination Address, enter the IP address or host name of the FortiWiFi unit to connect to and select Next.
5 Set Connection Availability to Only for myself and select Next.
6 Select Finish.
7 In the Connect window, select Properties.
8 Select the Security tab.
9 Uncheck Require data encryption.
10 Select OK.

To connect to the PPTP VPN
1 Start the dialup connection that you configured in the previous procedure.
2 Enter your PPTP VPN User Name and Password.
3 Select Connect.
4 In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password is not the same as your VPN user name and password.
Configuring a Windows XP client for PPTP

Use the following procedure to configure a client computer running Windows XP so that it can connect to a FortiWiFi PPTP VPN.

To configure a PPTP dialup connection

1. Go to Start > Settings > Control Panel.
2. Select Network and Internet Connections.
3. Select Create a Connection to the network of your workplace and select Next.
4. Select Virtual Private Network Connection and select Next.
5. Name the connection and select Next.
6. If the Public Network dialog box appears, choose the appropriate initial connection and select Next.
7. In the VPN Server Selection dialog, enter the IP address or host name of the FortiWiFi unit to connect to and select Next.
8. Select Finish.

To configure the VPN connection

1. Right-click the Connection icon that you created in the previous procedure.
2. Select Properties > Security.
3. Select Typical to configure typical settings.
4. Select Require data encryption.
   Note: If a RADIUS server is used for authentication do not select Require data encryption. PPTP encryption is not supported for RADIUS server authentication.
5. Select Advanced to configure advanced settings.
6. Select Settings.
7. Select Challenge Handshake Authentication Protocol (CHAP).
8. Make sure that none of the other settings are selected.
9. Select the Networking tab.
10. Make sure that the following options are selected:
    - TCP/IP
    - QoS Packet Scheduler
11. Make sure that the following options are not selected:
    - File and Printer Sharing for Microsoft Networks
    - Client for Microsoft Networks
12. Select OK.

To connect to the PPTP VPN

1. Connect to your ISP.
2. Start the VPN connection that you configured in the previous procedure.
3. Enter your PPTP VPN User Name and Password.
4. Select Connect.
5. In the connect window, enter the User Name and Password that you use for your dialup network connection. This user name and password is not the same as your VPN user name and password.

Configuring L2TP

Some implementations of L2TP support elements of IPSec. These elements must be disabled when L2TP is used with a FortiWiFi unit.

Note: L2TP VPNs are only supported in NAT/Route mode.

This section describes:
- Configuring the FortiWiFi unit as an L2TP gateway
- Configuring a Windows 2000 client for L2TP
- Configuring a Windows XP client for L2TP

Configuring the FortiWiFi unit as an L2TP gateway

Use the following procedures to configure the FortiWiFi unit as an L2TP gateway:
To add users and user groups

Add a user for each L2TP client.

1. Go to User > Local.
2. Add and configure L2TP users. See Adding user names and configuring authentication on page 194.
3. Go to User > User Group.
4. Add and configure L2TP user groups. See Configuring user groups on page 199.

To enable L2TP and specify an address range

1. Go to VPN > L2TP > L2TP Range.
2. Select Enable L2TP.
3. Enter the Starting IP and the Ending IP for the L2TP address range.
4. Select the User Group that you added in To add users and user groups on page 231.
5. Select Apply to enable L2TP through the FortiWiFi unit.

Figure 30: Sample L2TP address range configuration

To add source addresses

Add a source address for every address in the L2TP address range.

1. Go to Firewall > Address.
2. Select the interface to which L2TP clients connect.
3. Select New to add an address.
4. Enter the Address Name, IP Address, and NetMask for an address in the L2TP address range.
5. Select OK to save the source address.
6. Repeat for all addresses in the L2TP address range.

Note: If the L2TP address range is comprised of an entire subnet, add an address for this subnet. Do not add an address group.

To add a source address group

Organize the source addresses into an address group.

1. Go to Firewall > Address > Group.
2. Add a new address group to the interface to which L2TP clients connect.
3. Enter a Group Name to identify the address group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
4. To add addresses to the address group, select an address from the Available Addresses list and select the right arrow to add it to the Members list.
5. To remove addresses from the address group, select an address from the Members list and select the left arrow to remove it from the group.
6. Select OK to add the address group.
To add a destination address

Add an address to which L2TP users can connect.

1. Go to Firewall > Address.
2. Select the internal interface or the DMZ interface.
3. Select New to add an address.
4. Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the local VPN peer.
5. Select OK to save the destination address.

To add a firewall policy

Add a policy that specifies the source and destination addresses and sets the service for the policy to the traffic type inside the L2TP VPN tunnel.

1. Go to Firewall > Policy.
2. Select New to add a policy.
3. Set Source to the group that matches the L2TP address range.
4. Set Destination to the address to which L2TP users can connect.
5. Set Service to match the traffic type inside the L2TP VPN tunnel. For example, if L2TP users can access a web server, select HTTP.
6. Set Action to ACCEPT.
7. Select NAT if address translation is required. You can also configure traffic shaping, logging, and antivirus and web filter settings for L2TP policies.
8. Select OK to save the firewall policy.

Configuring a Windows 2000 client for L2TP

Use the following procedure to configure a client computer running Windows 2000 so that it can connect to a FortiWiFi L2TP VPN.

To configure an L2TP dialup connection

1. Go to Start > Settings > Network and Dial-up Connections.
2. Double-click Make New Connection to start the Network Connection Wizard and select Next.
3. For Network Connection Type, select Connect to a private network through the Internet and select Next.
4. For Destination Address, enter the address of the FortiWiFi unit to connect to and select Next.
5. Set Connection Availability to Only for myself and select Next.
6. Select Finish.
7. In the Connect window, select Properties.
8. Select the Security tab.
9. Make sure that Require data encryption is selected.
   Note: If a RADIUS server is used for authentication do not select Require data encryption. L2TP encryption is not supported for RADIUS server authentication.
10. Select the Networking tab.
11. Set VPN server type to Layer-2 Tunneling Protocol (L2TP).
12. Save the changes and continue with the following procedure.

To disable IPSec

1. Select the Networking tab.
2. Select Internet Protocol (TCP/IP) properties.
3. Double-click the Advanced tab.
4. Go to the Options tab and select IP security properties.
5. Make sure that Do not use IPSEC is selected.
6. Select OK and close the connection properties window.
   Note: The default Windows 2000 L2TP traffic policy does not allow L2TP traffic without IPSec encryption. You can disable default behavior by editing the Windows 2000 Registry as described in the following steps. See the Microsoft documentation for editing the Windows Registry.
7. Use the registry editor (regedit) to locate the following key in the registry:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters

8. Add the following registry value to this key:

   Value Name: ProhibitIpSec
   Data Type: REG_DWORD
   Value: 1

9. Save the changes and restart the computer for the changes to take effect.

You must add the ProhibitIpSec registry value to each Windows 2000-based endpoint computer of an L2TP or IPSec connection to prevent the automatic filter for L2TP and IPSec traffic from being created. When the ProhibitIpSec registry value is set to 1, your Windows 2000-based computer does not create the automatic filter that uses CA authentication. Instead, it checks for a local or active directory IPSec policy.

To connect to the L2TP VPN

1. Start the dialup connection that you configured in the previous procedure.
2. Enter your L2TP VPN User Name and Password.
3. Select Connect.
4. In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password is not the same as your VPN user name and password.

Configuring a Windows XP client for L2TP

Use the following procedure to configure a client computer running Windows XP so that it can connect to a FortiWiFi L2TP VPN.

To configure an L2TP VPN dialup connection

1. Go to Start > Settings.
2. Select Network and Internet Connections.
3. Select Create a connection to the network of your workplace and select Next.
4. Select Virtual Private Network Connection and select Next.
5. Name the connection and select Next.
6. If the Public Network dialog box appears, choose the appropriate initial connection and select Next.
7. In the VPN Server Selection dialog, enter the IP address or host name of the FortiWiFi unit to connect to and select Next.
8. Select Finish.

To configure the VPN connection

1. Right-click the icon that you created.
2. Select Properties > Security.
3. Select Typical to configure typical settings.
4. Select Require data encryption.
   Note: If a RADIUS server is used for authentication do not select Require data encryption. L2TP encryption is not supported for RADIUS server authentication.
5. Select Advanced to configure advanced settings.
6. Select Settings.
7. Select Challenge Handshake Authentication Protocol (CHAP).
8. Make sure that none of the other settings are selected.
9. Select the Networking tab.
10. Make sure that the following options are selected:
    - TCP/IP
    - QoS Packet Scheduler
11. Make sure that the following options are not selected:
    - File and Printer Sharing for Microsoft Networks
    - Client for Microsoft Networks

To disable IPSec

1. Select the Networking tab.
2. Select Internet Protocol (TCP/IP) properties.
3. Double-click the Advanced tab.
4. Go to the Options tab and select IP security properties.
5. Make sure that Do not use IPSEC is selected.
6. Select OK and close the connection properties window.
   Note: The default Windows XP L2TP traffic policy does not allow L2TP traffic without IPSec encryption. You can disable default behavior by editing the Windows XP Registry as described in the following steps. See the Microsoft documentation for editing the Windows Registry.
7. Use the registry editor (regedit) to locate the following key in the registry:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters

8. Add the following registry value to this key:

   Value Name: ProhibitIpSec
   Data Type: REG_DWORD
   Value: 1

9. Save the changes and restart the computer for the changes to take effect.

You must add the ProhibitIpSec registry value to each Windows XP-based endpoint computer of an L2TP or IPSec connection to prevent the automatic filter for L2TP and IPSec traffic from being created. When the ProhibitIpSec registry value is set to 1, your Windows XP-based computer does not create the automatic filter that uses CA authentication. Instead, it checks for a local or active directory IPSec policy.

To connect to the L2TP VPN

1. Connect to your ISP.
2. Start the VPN connection that you configured in the previous procedure.
3. Enter your L2TP VPN User Name and Password.
4. Select Connect.
5. In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password is not the same as your VPN user name and password.

Network Intrusion Detection System (NIDS)

The FortiWiFi NIDS is a real-time network intrusion detection sensor that uses attack signature definitions to both detect and prevent a wide variety of suspicious network traffic and direct network-based attacks. Also, whenever an attack occurs, the FortiWiFi NIDS can record the event in a log and send an alert email to the system administrator.

This chapter describes:
- Detecting attacks
- Preventing attacks
- Logging attacks

Detecting attacks

The NIDS Detection module detects a wide variety of suspicious network traffic and network-based attacks. Use the following procedures to configure the general NIDS settings and the NIDS Detection module Signature List. For the general NIDS settings, you must select which interfaces you want to be monitored for network-based attacks. You also need to decide whether to enable checksum verification. Checksum verification tests the integrity of packets received at the monitored interfaces.

This section describes:

- Selecting the interfaces to monitor
- Disabling monitoring interfaces
- Configuring checksum verification
- Viewing the signature list
- Viewing attack descriptions
- Disabling NIDS attack signatures
- Adding user-defined signatures

Selecting the interfaces to monitor

To select the interfaces to monitor for attacks

1. Go to NIDS > Detection > General.
2. Select the interfaces to monitor for network attacks. You can select one or more interfaces.
3. Select Apply.

Disabling monitoring interfaces

To disable monitoring interfaces for attacks

1. Go to NIDS > Detection > General.
2. Clear the check box for all the interfaces that you do not want monitored.
3. Select Apply.

Configuring checksum verification

Checksum verification tests the files that pass through the FortiWiFi unit to make sure that they have not been changed in transit. The NIDS can run checksum verification on IP, TCP, UDP, and ICMP traffic. For maximum detection, you can turn on checksum verification for all types of traffic. However, if the FortiWiFi unit does not need to run checksum verification, you can turn it off for some or all types of traffic to improve system performance. For example, you might not need to run checksum verification if the FortiWiFi unit is installed behind a router that also does checksum verification.

To configure checksum verification

1. Go to NIDS > Detection > General.
2. Select the type of traffic that you want to run Checksum Verifications on.
3. Select Apply.

Figure 31: Example NIDS detection configuration

Viewing the signature list

You can display the current list of NIDS signature groups and the members of a signature group.

To view the signature list

1. Go to NIDS > Detection > Signature List.
2. View the names and action status of the signature groups in the list.
   The NIDS detects attacks listed in all the signature groups that have check marks in the Enable column.
   Note: The user-defined signature group is the last item in the signature list. See Adding user-defined signatures on page 240.
3. Select View Details to display the members of a signature group. The Signature Group Members list displays the attack ID, Rule Name, and Revision number for each group member.

Viewing attack descriptions

Fortinet provides online information for all NIDS attacks. You can view the FortiResponse Attack Analysis web page for an attack listed on the signature list.

To view attack descriptions

1. Go to NIDS > Detection > Signature List.
2. Select View Details to display the members of a signature group.
3. Select a signature and copy its attack ID.
4. Open a web browser and enter the following URL:
http://www.fortinet.com/ids/ID<attack-ID>
Make sure that you include the attack ID. For example, to view the Fortinet Attack Analysis web page for the ssh CRC32 overflow /bin/sh attack (ID 101646338), use the following URL:
http://www.fortinet.com/ids/ID101646338

Note: Each attack log message includes a URL that links directly to the FortiResponse Attack Analysis web page for that attack. This URL is available in the Attack Log messages and Alert email messages. For information about log message content and formats, and about log locations, see the FortiGate Logging and Message Reference Guide. For information about logging attack messages, see Logging attacks on page 244.

Figure 32: Example signature group members list

Disabling NIDS attack signatures

By default, all NIDS attack signatures are enabled. You can use the NIDS signature list to disable detection of some attacks. Disabling unnecessary NIDS attack signatures can improve system performance and reduce the number of IDS log messages and alert emails that the NIDS generates. For example, the NIDS detects a large number of web server attacks. If you do not provide access to a web server behind your firewall, you might want to disable all web server attack signatures.

Note: To save your NIDS attack signature settings, Fortinet recommends that you back up your FortiWiFi configuration before you update the firmware and restore the saved configuration after the update.

To disable NIDS attack signatures

1. Go to NIDS > Detection > Signature List.
2. Scroll through the signature list to find the signature group that you want to disable. Attack ID numbers and rule names in attack log messages and alert email match those in the signature group members list. You can scroll through a signature group members list to locate specific attack signatures by ID number and name.
3. Clear the Enable check box.
4. Select OK.
5. Repeat steps 2 to 4 for each NIDS attack signature group that you want to disable.

Select Check All to enable all NIDS attack signature groups in the signature list. Select Uncheck All to disable all NIDS attack signature groups in the signature list.

Adding user-defined signatures

You can create a user-defined signature list in a text file and upload it from the management computer to the FortiWiFi unit.

Note: You cannot upload individual signatures. You must include, in a single text file, all the user-defined signatures that you want to upload. The file can contain one or more signatures. For information about how to write user-defined signatures, see the FortiGate NIDS Guide.

To add user-defined signatures

1. Go to NIDS > Detection > User Defined Signature List.
2. Select Upload.
   Caution: Uploading the user-defined signature list overwrites the existing file.
3. Type the path and filename of the text file for the user-defined signature list or select Browse and locate the file.
4. Select OK to upload the text file for the user-defined signature list.
5. Select Return to display the uploaded user-defined signature list.

Figure 33: Example user-defined signature list

Downloading the user-defined signature list

You can back up the user-defined signature list by downloading it to a text file on the management computer.

Note: You cannot download individual signatures. You must download the entire user-defined signature list.

To download the user-defined signature list

1. Go to NIDS > Detection > User Defined Signature List.
2. Select Download. The FortiWiFi unit downloads the user-defined signature list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.

Preventing attacks

NIDS attack prevention protects the FortiWiFi unit and the networks connected to it from common TCP, ICMP, UDP, and IP attacks. You can enable NIDS attack prevention to prevent a set of default attacks with default threshold values. You can also enable or disable and set the threshold values for individual attack prevention signatures.

Note: After the FortiWiFi unit reboots, NIDS attack prevention and synflood prevention are always disabled.

- Enabling NIDS attack prevention
- Enabling NIDS attack prevention signatures
- Setting signature threshold values

Enabling NIDS attack prevention

To enable NIDS attack prevention

1. Go to NIDS > Prevention.
2. Select the Enable Prevention check box, in the top left corner.

Enabling NIDS attack prevention signatures

The NIDS Prevention module contains signatures that are designed to protect your network against attacks.
Some signatures are enabled by default, others must be enabled. For a complete list of NIDS Prevention signatures and descriptions, see the FortiGate NIDS Guide.

To enable attack prevention signatures

1. Go to NIDS > Prevention.
2. Select the Enable check box beside each signature that you want to enable.
3. Select Check All to enable all signatures in the NIDS attack prevention signature list.
4. Select Uncheck All to disable all signatures in the NIDS attack prevention signature list.
5. Select Reset to Default Values to enable only the default NIDS attack prevention signatures and return to the default threshold values.

Setting signature threshold values

You can change the default threshold values for the NIDS Prevention signatures listed in Table 20. The threshold depends on the type of attack. For flooding attacks, the threshold is the maximum number of packets received per second. For overflow attacks, the threshold is the buffer size for the command. For large ICMP attacks, the threshold is the ICMP packet size limit to pass through.

For example, setting the icmpflood signature threshold to 500 allows 500 echo requests from a source address, to which the system sends echo replies. The FortiWiFi unit drops any requests over the threshold of 500. If you enter a threshold value of 0 or a number out of the allowable range, the FortiWiFi unit uses the default value.

Table 20: NIDS Prevention signatures with threshold values

Signature        Threshold value units                                              Default   Minimum   Maximum
synflood         Threshold: Maximum number of SYN segments received per second        2048         1   1000000
                 Queue Size: Maximum proxied connections                              4096       100   1000000
                 Timeout: Number of seconds for the SYN cookie to keep a proxied
                 connection alive                                                       15         1      3600
portscan         Maximum number of SYN segments received per second                    512         1   1000000
srcsession       Total number of TCP sessions initiated from the same source          2048         1   1000000
ftpovfl          Maximum buffer size for an FTP command (bytes)                        256        32      1408
smtpovfl         Maximum buffer size for an SMTP command (bytes)                       512        32      1408
pop3ovfl         Maximum buffer size for a POP3 command (bytes)                        512        32      1408
udpflood         Maximum number of UDP packets received from the same source
                 or sent to the same destination per second                           2048         1   1000000
udpsrcsession    Total number of UDP sessions initiated from the same source          2048         1   1000000
icmpflood        Maximum number of ICMP packets received from the same source
                 or sent to the same destination per second                            256         1   1000000
icmpsrcsession   Total number of ICMP sessions initiated from the same source         128         1   1000000
icmpsweep        Maximum number of ICMP packets received from the same source
                 per second                                                            128         1   1000000
icmplarge        Maximum ICMP packet size (bytes)                                    32000        64     64000

To set Prevention signature threshold values

1. Go to NIDS > Prevention.
2. Select Modify beside the signature for which you want to set the Threshold value. Signatures that do not have threshold values do not have Modify icons.
3. Type the Threshold value.
4. Select the Enable check box.
5. Select OK.

Logging attacks

Whenever the NIDS detects or prevents an attack, it generates an attack message. You can configure the system to add the message to the attack log.

- Logging attack messages to the attack log
- Reducing the number of NIDS attack log and email messages

Logging attack messages to the attack log

To log attack messages to the attack log

1. Go to Log&Report > Log Setting.
2. Select Config Policy for the log locations you have set.
3. Select Attack Log.
4. Select Attack Detection and Attack Prevention.
5. Select OK.
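The threshold rules from Setting signature threshold values and Table 20 above, as an added example that is not Fortinet's code: an entered value of 0 or one outside the allowed range falls back to the default, and a flooding threshold such as icmpflood caps packets per source per second. The whole-second counting window, the per-source bookkeeping and the sample addresses are assumptions made here, not details the guide gives.

```python
from collections import defaultdict

# Default, minimum and maximum threshold values as listed in Table 20.
# The three synflood rows are kept under distinct keys.
THRESHOLDS = {
    "synflood":           (2048, 1, 1000000),
    "synflood.queuesize": (4096, 100, 1000000),
    "synflood.timeout":   (15, 1, 3600),
    "portscan":           (512, 1, 1000000),
    "srcsession":         (2048, 1, 1000000),
    "ftpovfl":            (256, 32, 1408),
    "smtpovfl":           (512, 32, 1408),
    "pop3ovfl":           (512, 32, 1408),
    "udpflood":           (2048, 1, 1000000),
    "udpsrcsession":      (2048, 1, 1000000),
    "icmpflood":          (256, 1, 1000000),
    "icmpsrcsession":     (128, 1, 1000000),
    "icmpsweep":          (128, 1, 1000000),
    "icmplarge":          (32000, 64, 64000),
}


def effective_threshold(signature, entered):
    """Threshold the unit would apply: 0 or an out-of-range value means the default."""
    default, low, high = THRESHOLDS[signature]
    if entered == 0 or not low <= entered <= high:
        return default
    return entered


def apply_flood_threshold(packets, signature, entered=0):
    """Simulate a per-second flood threshold for one signature.

    packets: iterable of (timestamp_seconds, source_ip).
    Returns {source_ip: (passed, dropped)}. Packets from a source beyond the
    threshold within the same whole second are dropped (assumed window).
    """
    limit = effective_threshold(signature, entered)
    seen = defaultdict(int)                  # (source, second) -> packets so far
    totals = defaultdict(lambda: [0, 0])     # source -> [passed, dropped]
    for ts, src in packets:
        key = (src, int(ts))
        seen[key] += 1
        totals[src][0 if seen[key] <= limit else 1] += 1
    return {src: (p, d) for src, (p, d) in totals.items()}


# Constructed sample: 600 echo requests from one source and 10 from another,
# all inside the same second. These are made-up addresses, not captured data.
SAMPLE_PACKETS = [(10.0 + i / 1000, "192.0.2.10") for i in range(600)] + \
                 [(10.0 + i / 100, "192.0.2.20") for i in range(10)]


if __name__ == "__main__":
    # With icmpflood set to 500, the first source gets 500 through and 100 dropped.
    print(apply_flood_threshold(SAMPLE_PACKETS, "icmpflood", 500))
    # An ftpovfl value above the 1408-byte maximum silently becomes the default 256.
    print(effective_threshold("ftpovfl", 2000))
```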
Note: For information about log message content and formats, and about log locations, see the FortiGate Logging and Message Reference Guide.

Reducing the number of NIDS attack log and email messages

Intrusion attempts might generate an excessive number of attack messages. Based on the frequency that messages are generated, the FortiWiFi unit automatically deletes duplicates. If you still receive an excessive number of unnecessary messages, you can manually disable message generation for unneeded signature groups.

Automatic message reduction

The attack log and alert email messages that the NIDS produces include the ID number and name of the attack that generated the message. The attack ID number and name in the message are identical to the ID number and rule name that appear on the NIDS Signature Group Members list.

The FortiWiFi unit uses an alert email queue in which each new message is compared with the previous messages. If the new message is not a duplicate, the FortiWiFi unit sends it immediately and puts a copy in the queue. If the new message is a duplicate, the FortiWiFi unit deletes it and increases an internal counter for the number of message copies in the queue.

The FortiWiFi unit holds duplicate alert email messages for 60 seconds. If a duplicate message has been in the queue for more than 60 seconds, the FortiWiFi unit deletes the message and increases the copy number. If the copy number is greater than 1, the FortiWiFi unit sends a summary email that includes Repeated x times in the subject header, the statement The following email has been repeated x times in the last y seconds, and the original message.

Manual message reduction

If you want to reduce the number of alerts that the NIDS generates, you can review the content of attack log messages and alert email.
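The alert email queue described under Automatic message reduction above, as an added example that is not Fortinet's code: a new message is sent at once, duplicates within the hold period only bump a counter, and a summary with Repeated x times in the subject goes out once the queued copy has aged past 60 seconds. The attack ID and name in the sample are the pair quoted earlier in this chapter; that the copy counter includes the original message, and the subject line format, are assumptions made here.

```python
HOLD_SECONDS = 60   # how long a queued copy is held, per the text


class AlertEmailQueue:
    """Duplicate suppression for NIDS alert email, as the guide describes it."""

    def __init__(self, hold_seconds=HOLD_SECONDS):
        self.hold = hold_seconds
        self.queue = {}      # (attack_id, rule_name) -> dict(first, copies, subject, body)
        self.outbox = []     # emails actually sent, as (subject, body)

    def _expire(self, now):
        """Drop queued copies older than the hold time, summarising repeats."""
        for key in list(self.queue):
            entry = self.queue[key]
            age = now - entry["first"]
            if age <= self.hold:
                continue
            del self.queue[key]
            x = entry["copies"]          # original plus duplicates (assumed)
            if x > 1:
                self.outbox.append((
                    f"Repeated {x} times: {entry['subject']}",
                    f"The following email has been repeated {x} times "
                    f"in the last {int(age)} seconds\n\n{entry['body']}"))

    def submit(self, now, attack_id, rule_name, body):
        """Return True if the message was sent, False if it was folded into a duplicate."""
        self._expire(now)
        key = (attack_id, rule_name)
        if key in self.queue:
            self.queue[key]["copies"] += 1   # duplicate: discard, count it
            return False
        subject = f"NIDS attack {attack_id} {rule_name}"
        self.outbox.append((subject, body))  # new: send immediately, keep a copy
        self.queue[key] = {"first": now, "copies": 1, "subject": subject, "body": body}
        return True

    def tick(self, now):
        """Let time pass with no new message so that pending summaries go out."""
        self._expire(now)


# Constructed sample: the same attack seen three times in ten seconds, then a
# different one. The first ID and name are the pair quoted earlier in this
# chapter; the second ID is a placeholder, not a real signature.
SAMPLE_EVENTS = [
    (0, 101646338, "ssh CRC32 overflow /bin/sh", "attack log line 1 (constructed)"),
    (4, 101646338, "ssh CRC32 overflow /bin/sh", "attack log line 2 (constructed)"),
    (9, 101646338, "ssh CRC32 overflow /bin/sh", "attack log line 3 (constructed)"),
    (12, 999999999, "placeholder rule name", "attack log line 4 (constructed)"),
]


def replay(events, final_time):
    """Feed events through a fresh queue and return the outbox as of final_time."""
    q = AlertEmailQueue()
    for now, attack_id, rule_name, body in events:
        q.submit(now, attack_id, rule_name, body)
    q.tick(final_time)
    return q.outbox


if __name__ == "__main__":
    for subject, body in replay(SAMPLE_EVENTS, 100):
        print(subject, "|", body.splitlines()[0])
```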
If a large number of the alerts are nuisance alerts (for example, web attacks when you are not running a web server), you can disable the signature group for that attack type. Use the ID number in the attack log or alert email to locate the attack in the signature group list. See Disabling NIDS attack signatures on page 240.

Antivirus protection

You can enable antivirus protection in firewall policies. You can select a content profile that controls how the antivirus protection behaves. Content profiles control the type of traffic protected (HTTP, FTP, IMAP, POP3, SMTP), the type of antivirus protection and the treatment of fragmented email and oversized files or email.

This chapter describes:
- General configuration steps
- Antivirus scanning
- File blocking
- Blocking oversized files and emails
- Exempting fragmented email from blocking
- Viewing the virus list

General configuration steps

Configuring antivirus protection involves the following general steps.

1. Select antivirus protection options in a new or existing content profile. See Adding content profiles on page 190.
2. Select the Anti-Virus & Web filter option in firewall policies that allow web (HTTP), FTP, and email (IMAP, POP3, and SMTP) connections through the FortiWiFi unit. Select a content profile that provides the antivirus protection options that you want to apply to a policy. See Adding content profiles to policies on page 192.
3. Configure antivirus protection settings to control how the FortiWiFi unit applies antivirus protection to the web, FTP, and email traffic allowed by policies. See:
   - Antivirus scanning on page 248
   - File blocking on page 249
   - Blocking oversized files and emails on page 250
   - Exempting fragmented email from blocking on page 250
4. Configure the messages that users receive when the FortiWiFi unit blocks or deletes an infected file. See Replacement messages on page 155.
5. Configure the FortiWiFi unit to send an alert email when it blocks or deletes an infected file. See Configuring alert email in the Logging and Message Reference Guide.

Note: For information about receiving virus log messages, see Configuring logging, and for information about log message content and format, see Virus log messages in the Logging Configuration and Reference Guide.

Antivirus scanning

Virus scanning intercepts most files (including files compressed with up to 12 layers of compression using zip, rar, gzip, tar, upx, and OLE) in the content streams for which you enable antivirus protection. Each file is tested to determine the file type and the most effective method of scanning the file for viruses. For example, binary files are scanned using binary virus scanning and Microsoft Office files containing macros are scanned for macro viruses.

FortiWiFi virus scanning does not scan the following file types:
- cdimage
- floppy image
- .ace
- .bzip2
- .Tar+Gzip+Bzip2

If a file is found to contain a virus, the FortiWiFi unit removes the file from the content stream and replaces it with a replacement message.

To scan FortiWiFi firewall traffic for viruses

1. Select antivirus scanning in a content profile. For information about content profiles, see Adding content profiles on page 190.
2. Add this content profile to firewall policies to apply virus scanning to the traffic controlled by the firewall policy. See Adding content profiles to policies on page 192.

Figure 34: Example content profile for virus scanning

File blocking

Enable file blocking to remove all files that are a potential threat and to provide the best protection from active computer virus attacks. Blocking files is the only protection from a virus that is so new that antivirus scanning cannot detect it. You would not normally operate the FortiWiFi unit with blocking enabled. However, it is available for extremely high-risk situations in which there is no other way to prevent viruses from entering your network.

File blocking deletes all files that match a list of enabled file patterns. The FortiWiFi unit replaces the file with an alert message that is forwarded to the user. The FortiWiFi unit also writes a message to the virus log and sends an alert email if it is configured to do so.

Note: If both blocking and scanning are enabled, the FortiWiFi unit blocks files that match enabled file patterns and does not scan these files for viruses.

By default, when blocking is enabled, the FortiWiFi unit blocks the following file patterns:

- executable files (*.bat, *.com, and *.exe)
- dynamic link libraries (*.dll)
- HTML application (*.hta)
- Microsoft Office files (*.doc, *.ppt, *.xl?)
- Microsoft Works files (*.wps)
- Visual Basic files (*.vb?)
- screen saver files (*.scr)
- compressed or archive files (*.gz, *.rar, *.tar, *.tgz, and *.zip)

Blocking files in firewall traffic

Use content profiles to apply file blocking to HTTP, FTP, POP3, IMAP, and SMTP traffic controlled by firewall policies.

To block files in firewall traffic

1. Select file blocking in a content profile. See Adding content profiles on page 190.
2. Add this content profile to firewall policies to apply content blocking to the traffic controlled by the firewall policy. See Adding content profiles to policies on page 192.

Adding file patterns to block

To add file patterns to block

1. Go to Anti-Virus > File Block.
2. Select New.
3. Type the new pattern in the File Pattern field. You can use an asterisk (*) to represent any characters and a question mark (?) to represent any single character. For example, *.dot blocks Microsoft Word template files and *.do? blocks both Microsoft Word template files and document files.
4. Select the check box beside the traffic protocols for which you want to enable blocking of this file pattern.
5. Select OK.

Blocking oversized files and emails

You can configure the FortiWiFi unit to buffer 1 to 15 percent of available memory to store oversized files and email. The FortiWiFi unit then blocks a file or email that exceeds this limit instead of bypassing antivirus scanning and sending the file or email directly to the server or receiver. The FortiWiFi unit sends a replacement message for an oversized file or email attachment to the HTTP or email proxy client.

Configuring limits for oversized files and email

To configure limits for oversized files and email

1. Go to Anti-Virus > Config > Config.
2. Type the size limit, in MB.
3. Select Apply.
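The file pattern matching from Adding file patterns to block above, together with the default block list and the blocking-before-scanning rule from the Note, as an added example that is not Fortinet's code. Enabling each pattern per protocol mirrors the check boxes in that procedure; case-insensitive matching and the dictionary layout are assumptions made here.

```python
import re

PROTOCOLS = frozenset({"HTTP", "FTP", "POP3", "IMAP", "SMTP"})

# Patterns blocked by default when blocking is enabled, from the list above.
# Each pattern maps to the protocols it is enabled for (all of them by default;
# the per-protocol switch is an assumption modelled on the check boxes in step 4).
DEFAULT_BLOCK_PATTERNS = {
    pat: PROTOCOLS for pat in (
        "*.bat", "*.com", "*.exe",                    # executable files
        "*.dll",                                      # dynamic link libraries
        "*.hta",                                      # HTML application
        "*.doc", "*.ppt", "*.xl?",                    # Microsoft Office files
        "*.wps",                                      # Microsoft Works files
        "*.vb?",                                      # Visual Basic files
        "*.scr",                                      # screen saver files
        "*.gz", "*.rar", "*.tar", "*.tgz", "*.zip",   # compressed or archive files
    )
}


def pattern_to_regex(pattern):
    """Translate a file pattern: * is any run of characters, ? exactly one."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    # Case-insensitive matching is an assumption, not something the guide states.
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def matching_pattern(filename, protocol, patterns):
    """Return the first pattern enabled for this protocol that matches, or None."""
    for pattern, enabled_for in patterns.items():
        if protocol in enabled_for and pattern_to_regex(pattern).match(filename):
            return pattern
    return None


def decide(filename, protocol, patterns=DEFAULT_BLOCK_PATTERNS,
           blocking=True, scanning=True):
    """Outcome for one file in one content stream: "block", "scan" or "pass".

    Blocking wins over scanning: a file that matches an enabled pattern is
    removed and never reaches the virus scanner, as the Note above says.
    """
    if blocking and matching_pattern(filename, protocol, patterns) is not None:
        return "block"
    return "scan" if scanning else "pass"


if __name__ == "__main__":
    # Constructed file names, not captured traffic.
    for name in ("invoice.exe", "report.xls", "report.xlsx", "notes.txt"):
        print(name, "->", decide(name, "SMTP"))
```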
Exempting fragmented email from blocking

A fragmented email is a large email message that has been split into smaller messages that are sent individually and recombined when they are received. By default, when antivirus protection is enabled, the FortiWiFi unit blocks fragmented emails and replaces them with an email block message that is forwarded to the receiver. It is recommended that you disable the fragmenting of email messages in the client email software.

Caution: The FortiWiFi unit cannot scan fragmented emails for viruses or use file pattern blocking to remove files from these email messages.

To exempt fragmented emails from automatic antivirus blocking
1. Enable Pass Fragmented Emails for IMAP, POP3, and SMTP traffic in a content profile.
2. Select Anti-Virus & Web filter in a firewall policy. For example, to pass fragmented emails that internal users send to the external network, select an internal to external policy.
3. Select a content profile that has Pass Fragmented Emails enabled for the traffic that you want the FortiWiFi unit to scan.

Viewing the virus list

You can view the names of the viruses and worms in the current virus definition list.

To view the virus list
1. Go to Anti-Virus > Config > Virus List.
2. Scroll through the virus and worm list to view the names of all viruses and worms in the list.

Web filtering

When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic. Content profiles control the following types of content filtering:
- removing scripts from web pages,
- blocking unwanted URLs,
- blocking unwanted content,
- exempting URLs from blocking.

You can also use Cerberian URL filtering to block unwanted URLs. For more information, see Configuring Cerberian URL filtering on page 260.

This chapter describes:
- General configuration steps
- Content blocking
- URL blocking
- Configuring Cerberian URL filtering
- Script filtering
- Exempt URL list

General configuration steps

Configuring web filtering involves the following general steps:
1. Select web filtering options in a new or existing content profile. See Adding content profiles on page 190.
2. Select the Anti-Virus & Web filter option in firewall policies that allow HTTP connections through the FortiWiFi unit. Select a content profile that provides the web filtering options that you want to apply to a policy. See Adding content profiles to policies on page 192.
3. Configure web filtering settings to control how the FortiWiFi unit applies web filtering to the HTTP traffic allowed by policies. See:
   - Content blocking on page 254,
   - URL blocking on page 257,
   - Configuring Cerberian URL filtering on page 260,
   - Script filtering on page 262,
   - Exempt URL list on page 263.
4. Configure the messages that users receive when the FortiWiFi unit blocks unwanted content or unwanted URLs. See Replacement messages on page 155.
5. Configure the FortiWiFi unit to record log messages when it blocks unwanted content or unwanted URLs. See Recording logs on page 273.
6. Configure the FortiWiFi unit to send an alert email when it blocks unwanted content or unwanted URLs. See Configuring alert email on page 281.

Content blocking

When the FortiWiFi unit blocks a web page, the user who requested the blocked page receives a block message and the FortiWiFi unit writes a message to the web filtering log. You can add banned words to the list in many languages using Western, Simplified Chinese, Traditional Chinese, Japanese, or Korean character sets.

- Adding words and phrases to the Banned Word list
- Clearing the Banned Word list
- Backing up the Banned Word list
- Restoring the Banned Word list

Adding words and phrases to the Banned Word list
1. Go to Web Filter > Content Block.
2. Select New to add a word or phrase to the Banned Word list.
3. Choose a language or character set for the banned word or phrase. You can choose Western, Chinese Simplified, Chinese Traditional, Japanese, or Korean. Your computer and web browser must be configured to enter characters in the character set that you choose.
4. Type a banned word or phrase. If you type a single word (for example, banned), the FortiWiFi unit blocks all web pages that contain that word. If you type a phrase (for example, banned phrase), the FortiWiFi unit blocks web pages that contain both words. When this phrase appears on the banned word list, the FortiWiFi unit inserts plus signs (+) in place of spaces (for example, banned+phrase). If you type a phrase in quotes (for example, "banned word"), the FortiWiFi unit blocks all web pages in which the words are found together as a phrase. Content filtering is not case-sensitive. You cannot include special characters in banned words.
5. To enable the banned word, ensure that the Enable checkbox is selected.
6. Select OK. The word or phrase is added to the Banned Word list.

You can enable all the words on the banned word list by selecting Check All. You can disable all the words on the banned word list by selecting Uncheck All.
Note: Banned Word must be selected in the content profile for web pages containing banned words to be blocked.

Figure 35: Example banned word list

Clearing the Banned Word list
1. Go to Web Filter > Content Block.
2. Select Clear List to remove all banned words and phrases from the banned word list.

Backing up the Banned Word list

You can back up the banned word list by downloading it to a text file on the management computer.

To back up the banned word list
1. Go to Web Filter > Content Block.
2. Select Backup Banned Word List. The FortiWiFi unit downloads the list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.

Restoring the Banned Word list

You can create a Banned Word list in a text editor and then upload the text file to the FortiWiFi unit. Add one banned word or phrase to each line of the text file. The word or phrase should be followed by two parameters separated by spaces. The first parameter specifies the status of the entry. The second parameter specifies the language of the entry.

Table 21: Banned Word list configuration parameters

Parameter   Setting   Description
Status      0         Disabled
            1         Enabled
Language    0         ASCII
            1         Simplified Chinese
            2         Traditional Chinese
            3         Japanese
            4         Korean

Figure 36: Example Banned Word List text file

banned 1 0
banned+phrase+1 1 3
"banned+phrase+2" 1 1

Note: All changes made to the banned word list using the web-based manager are lost when you upload a new list. However, you can download your current banned word list, add more items to it using a text editor, and then upload the edited list to the FortiWiFi unit.

To restore the banned word list
1. Go to Web Filter > Content Block.
2. Select Restore Banned Word List.
3. Type the path and filename of the banned word list text file, or select Browse and locate the file.
4. Select OK to upload the file to the FortiWiFi unit.
5. Select Return to display the updated Banned Word List.
6. You can continue to maintain the Banned Word List by making changes to the text file and uploading it again as necessary.

Note: Banned Word must be selected in the content profile for web pages containing banned words to be blocked.

URL blocking

You can block unwanted web URLs using FortiWiFi Web URL blocking, FortiWiFi Web pattern blocking, and Cerberian web filtering.

- Configuring FortiWiFi Web URL blocking
- Configuring FortiWiFi Web pattern blocking
- Configuring Cerberian URL filtering

Configuring FortiWiFi Web URL blocking

You can configure FortiWiFi Web URL blocking to block all pages on a website by adding the top-level URL or IP address. You can also block individual pages on a website by including the full path and filename of the web page to block.

- Adding URLs to the Web URL block list
- Clearing the Web URL block list
- Downloading the Web URL block list
- Uploading a URL block list

Adding URLs to the Web URL block list
1. Go to Web Filter > Web URL Block.
2. Select New to add a URL to the Web URL block list.
3. Type the URL that you want to block. Type a top-level URL or IP address to block access to all pages on a website. For example, www.badsite.com or 122.133.144.155 blocks access to all pages at this website. Type a top-level URL followed by the path and filename to block access to a single page on a website. For example, www.badsite.com/news.html or 122.133.144.155/news.html blocks the news page on this website. To block all pages with a URL that ends with badsite.com, add badsite.com to the block list. For example, adding badsite.com blocks access to www.badsite.com, mail.badsite.com, www.finance.badsite.com, and so on.

   Note: Do not include http:// in the URL that you want to block.

   Note: Do not use regular expressions in the Web URL block list. You can use regular expressions in the Web Pattern Block list to create URL patterns to block. See Configuring FortiWiFi Web pattern blocking on page 259.

   Note: You can type a top-level domain suffix (for example, com without the leading period) to block access to all URLs with this suffix.

   Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, you can use firewall policies to deny FTP connections.

4. Ensure that the Enable checkbox has been selected and then select OK.
5. Select OK to add the URL to the Web URL block list.
6. You can enter multiple URLs and then select Check All to enable all items in the Web URL block list. You can disable all of the URLs on the list by selecting Uncheck All. Each page of the Web URL block list displays 100 URLs. Use Page Up and Page Down to navigate through the Web URL block list.

Note: You must select the Web URL Block option in the content profile to enable the URL blocking.

Figure 37: Example URL block list

Clearing the Web URL block list
1. Go to Web Filter > Web URL Block.
2. Select Clear URL Block List to remove all URLs and patterns from the Web URL block list.

Downloading the Web URL block list

You can back up the Web URL block list by downloading it to a text file on the management computer.

To download a Web URL block list
1. Go to Web Filter > Web URL Block.
2. Select Download URL Block List. The FortiWiFi unit downloads the list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.

Uploading a URL block list

You can create a URL block list in a text editor and then upload the text file to the FortiWiFi unit. Add one URL or pattern to each line of the text file. You can follow the item with a space and then a 1 to enable or a zero (0) to disable the URL. If you do not add this information to the text file, the FortiWiFi unit automatically enables all URLs and patterns that are followed by a 1 or no number when you upload the text file.

Figure 38: Example URL block list text file

www.badsite.com/index 1
www.badsite.com/products 1
182.63.44.67/index 1

You can either create the URL block list or add a URL list created by a third-party URL block or blacklist service. For example, you can download the squidGuard blacklists available at http://www.squidguard.org/blacklist/ as a starting point for creating a URL block list. Three times per week, the squidGuard robot searches the web for new URLs to add to the blacklists. You can upload the squidGuard blacklists to the FortiWiFi unit as a text file, with only minimal editing to remove comments at the top of each list and to combine the lists that you want into a single file.
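The Banned Word list upload format (Table 21, Figure 36) and the single-word, multi-word and quoted-phrase matching rules described above, as an added example that is not Fortinet code. The same file layout is used later in this chapter for the email banned word list (Figure 42), where a match tags the subject line instead of blocking the page. Splitting page text into alphanumeric words is an assumption made here; the guide does not describe how the unit tokenises a page.

```python
"""Parser and matcher for the Banned Word list text file format (Table 21,
Figure 36). Added example, not Fortinet code.

Each line is: <word-or-phrase> <status> <language>
  status   0 = disabled, 1 = enabled
  language 0 = ASCII/Western, 1 = Simplified Chinese, 2 = Traditional Chinese,
           3 = Japanese, 4 = Korean
A '+' stands for a space. An unquoted multi-word entry matches a page that
contains all of its words anywhere; a quoted entry matches only the exact
phrase. Matching is case-insensitive, as the guide states. Tokenising the
page into [a-z0-9]+ words is an assumption made here.
"""
import re
from dataclasses import dataclass

LANGUAGES = {0: "ASCII", 1: "Simplified Chinese", 2: "Traditional Chinese",
             3: "Japanese", 4: "Korean"}


@dataclass
class BannedEntry:
    words: tuple          # individual words, lower-cased
    exact_phrase: bool    # True when the entry was quoted in the file
    enabled: bool
    language: int


def parse_banned_word_list(text: str) -> list:
    """Parse the upload file; raises ValueError on a malformed line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected '<entry> <status> <language>'")
        entry, status, lang = parts
        if status not in ("0", "1") or not lang.isdigit() or int(lang) not in LANGUAGES:
            raise ValueError(f"line {lineno}: bad status or language code")
        exact = len(entry) >= 2 and entry[0] == entry[-1] == '"'
        if exact:
            entry = entry[1:-1]
        words = tuple(w.lower() for w in entry.split("+") if w)
        if not words:
            raise ValueError(f"line {lineno}: empty banned word")
        entries.append(BannedEntry(words, exact, status == "1", int(lang)))
    return entries


def _tokens(page_text: str) -> list:
    return re.findall(r"[a-z0-9]+", page_text.lower())


def matching_entries(page_text: str, entries: list) -> list:
    """Return the enabled entries that would cause the page to be blocked."""
    toks = _tokens(page_text)
    tokset = set(toks)
    hits = []
    for e in entries:
        if not e.enabled:
            continue
        if e.exact_phrase:
            # words must appear together, in order
            n = len(e.words)
            found = any(tuple(toks[i:i + n]) == e.words
                        for i in range(len(toks) - n + 1))
        else:
            # every word present somewhere on the page
            found = all(w in tokset for w in e.words)
        if found:
            hits.append(e)
    return hits


# Constructed sample list in the Figure 36 layout (not the figure itself).
SAMPLE_LIST = '''
banned+phrase+1 1 0
"banned+phrase+2" 1 0
disabled+word 0 0
'''


def is_blocked(page_text: str, list_text: str = SAMPLE_LIST) -> bool:
    return bool(matching_entries(page_text, parse_banned_word_list(list_text)))


if __name__ == "__main__":
    print(is_blocked("Nothing to see here"))                 # False
    print(is_blocked("phrase 1 is BANNED in this text"))     # True: all words present
    print(is_blocked("phrase 2 ... banned ... elsewhere"))   # False: not the exact phrase
    print(is_blocked("This banned phrase 2 text"))           # True: exact phrase
```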
Note: All changes made to the URL block list using the web-based manager are lost when you upload a new list. However, you can download your current URL block list, add more items to it using a text editor, and then upload the edited list to the FortiWiFi unit.

To upload a URL block list
1. In a text editor, create the list of URLs and patterns that you want to block.
2. Using the web-based manager, go to Web Filter > Web URL Block.
3. Select Upload URL Block List.
4. Type the path and filename of the URL block list text file, or select Browse and locate the file.
5. Select OK to upload the file to the FortiWiFi unit.
6. Select Return to display the updated Web URL block list.
7. Each page of the Web URL block list displays 100 URLs. Use Page Down and Page Up to navigate through the Web URL block list.
8. You can continue to maintain the Web URL block list by making changes to the text file and uploading it again.

Configuring FortiWiFi Web pattern blocking

You can configure FortiWiFi web pattern blocking to block web pages that match a URL pattern. Create URL patterns using regular expressions (for example, badsite.* matches badsite.com, badsite.org, badsite.net and so on). FortiWiFi web pattern blocking supports standard regular expressions. You can add up to 20 patterns to the web pattern block list.

To add patterns to the Web pattern block list
1. Go to Web Filter > URL Block > Web Pattern Block.
2. Select New to add an item to the Web pattern block list.
3. Type the web pattern that you want to block. You can use standard regular expressions for web patterns.

   Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, you can use firewall policies to deny FTP connections.

4. Select Enable to block the pattern.
5. Select OK to add the pattern to the Web pattern block list.

Note: You must select the Web URL Block option in the content profile to enable the URL blocking.

Configuring Cerberian URL filtering

The FortiWiFi unit supports Cerberian URL filtering.
For information about Cerberian URL filtering, see www.cerberian.com. If you have purchased the Cerberian web filtering functionality with your FortiWiFi unit, use the following configuration procedures to configure FortiWiFi support for Cerberian web filtering.

- Installing a Cerberian license key
- Adding a Cerberian user
- Configuring Cerberian web filter
- Enabling Cerberian URL filtering

Installing a Cerberian license key

Before you can use the Cerberian web filter, you must install a license key. The license key determines the number of end users allowed to use Cerberian web filtering through the FortiWiFi unit.

To install a Cerberian license key
1. Go to Web Filter > URL Block.
2. Select Cerberian URL Filtering.
3. Enter the license number.
4. Select Apply.

Adding a Cerberian user

The Cerberian web policies can be applied only to user groups. You can add users on the FortiWiFi unit and then add the users to user groups on the Cerberian administration web site. When the end user tries to access a URL, the FortiWiFi unit checks whether the user's IP address is in the IP address list on the FortiWiFi unit. If the user's IP address is in the list, the request is sent to the Cerberian server. Otherwise, an error message is sent to the user saying that the user does not have authorized access to the Cerberian web filter.

To add a Cerberian user
1. Go to Web Filter > URL Block.
2. Select Cerberian URL Filtering.
3. Select New.
4. Enter the IP address and netmask of the user computers. You can enter the IP address of a single user. For example, 192.168.100.19 255.255.255.255. You can also enter a subnet of a group of users. For example, 192.168.100.0 255.255.255.0.
5. Enter an alias for the user. The alias is used as the user name when you add the user to a user group on the Cerberian server. If you do not enter an alias, the user's IP is used and added to the default group on the Cerberian server.
6. Select OK.

Configuring Cerberian web filter

After you add the Cerberian web filter users on the FortiWiFi unit, you can add these users to the user groups on the Cerberian web filter server. Then you can create policies and apply these policies to the user groups.

About the default group and policy

There is a default user group, which is associated with a default policy, that exists on the Cerberian web filter server. You can add users to the default group and apply any policies to the group. Use the default group to add:
- All the users who are not assigned alias names on the FortiWiFi unit.
- All the users who are not assigned to other user groups.

The Cerberian web filter groups URLs into 53 categories. The default policy blocks the URLs of 12 categories. You can modify the default policy and apply it to any user groups.

To configure Cerberian web filtering
1. Add the user name, which is the alias you added on the FortiWiFi unit, to a user group on the Cerberian server. Web policies can be applied only to user groups. If you did not enter an alias for a user's IP address on the FortiWiFi unit, the user's IP address is automatically added to the default Cerberian group.
2. Create policies by selecting the web categories that you want to block.
3. Apply the policy to a user group that contains the user.

For detailed procedures, see the online help on the Cerberian Web Filter web page.

Enabling Cerberian URL filtering

After you add the Cerberian users and groups and configure the Cerberian web filter, you can enable Cerberian URL filtering.

To enable Cerberian URL filtering
1. Go to Web Filter > URL Block > Cerberian URL Filtering.
2. Select the Cerberian URL Filtering option.
3. Go to Firewall > Content Profile.
4. Create a new or select an existing content profile and enable Web URL Block.
5. Go to Firewall > Policy.
6. Create a new or select an existing policy.
7. Select Anti-Virus & Web filter.
8. Select the content profile from the Content Profile list.
9. Select OK.

Script filtering

You can configure the FortiWiFi unit to remove Java applets, cookies, and ActiveX scripts from HTML web pages.

Note: Blocking any of these items might prevent some web pages from working properly.

- Enabling script filtering
- Selecting script filter options

Enabling script filtering
1. Go to Firewall > Content Profile.
2. Select the content profile for which you want to enable script filtering.
3. Select Script Filter.
4. Select OK.
Selecting script filter options
1. Go to Web Filter > Script Filter.
2. Select the script filter options that you want to enable. You can block Java applets, cookies, and ActiveX.
3. Select Apply.

Figure 39: Example script filter settings to block Java applets and ActiveX

Exempt URL list

Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be blocked by content or URL blocking. For example, if content blocking is set to block pornography-related words and a reputable website runs a story on pornography, web pages from the reputable website are blocked. Adding the address of the reputable website to the exempt URL list allows the content of the website to bypass content blocking.

Note: Content downloaded from exempt web pages is not blocked or scanned by antivirus protection.

- Adding URLs to the URL Exempt list
- Downloading the URL Exempt List
- Uploading a URL Exempt List

Adding URLs to the URL Exempt list
1. Go to Web Filter > URL Exempt.
2. Select New to add an item to the URL Exempt list.
3. Type the URL to exempt. Type a complete URL, including path and filename, to exempt access to a page on a website. For example, www.goodsite.com/index.html exempts access to the main page of this example website. You can also add IP addresses; for example, 122.63.44.67/index.html exempts access to the main web page at this address. Do not include http:// in the URL to exempt. Exempting a top-level URL, such as www.goodsite.com, exempts all requested subpages (for example, www.goodsite.com/badpage) from all content and URL filtering rules.

   Note: Exempting a top-level URL does not exempt pages such as mail.goodsite.com from all content and URL filtering rules unless goodsite.com (without the www) is added to the exempt URL list.

4. Ensure that the Enable checkbox has been selected.
5. Select OK to add the URL to the exempt URL list.
6. You can enter multiple URLs and then select Check All to activate all items in the exempt URL list. You can disable all the URLs in the list by selecting Uncheck All. Each page of the exempt URL list displays 100 URLs. Use Page Down and Page Up to navigate the exempt URL list.

Figure 40: Example URL Exempt list

Downloading the URL Exempt List

You can back up the URL Exempt List by downloading it to a text file on the management computer.
1. Go to Web Filter > URL Exempt.
2. Select Download URL Exempt List. The FortiWiFi unit downloads the list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.

Uploading a URL Exempt List

You can create a URL Exempt list in a text editor and then upload the text file to the FortiWiFi unit. Add one URL or pattern to each line of the text file. The URL or pattern should be followed by a parameter specifying the status of the entry. If you do not add this information to the text file, the FortiWiFi unit automatically enables all URLs and patterns that are followed with a 1 or no number when you upload the text file.

Table 22: URL Exempt list configuration parameters

Parameter   Setting   Description
Status      0         Disabled
            1         Enabled

Figure 41: Example URL Exempt list text file

www.goodsite.com 1
www.goodsite.com/index 1
127.33.44.55 1
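The Web URL block, Web pattern block and URL exempt list rules described above, together with the "entry [status]" upload layout of Figures 38 and 41, as an added example that is not Fortinet code. Matching a host-only entry on dotted-label boundaries, case-insensitive host comparison, exact path comparison and checking the exempt list first are assumptions noted in the code; the guide gives the examples but not the exact comparison rules.

```python
"""Web URL block, Web pattern block and URL exempt list evaluation.

Added example, not Fortinet code; it models the matching rules the guide
describes and the 'entry [status]' upload file layout (Figures 38 and 41).
Assumptions made here, not stated by the guide: host comparison is
case-insensitive; a host-only entry is matched on dotted-label boundaries
(badsite.com matches mail.badsite.com but not notbadsite.com); a host/path
entry must match the request path exactly; exempt entries are checked first.
"""
import re
from urllib.parse import urlsplit


def parse_url_list(text: str) -> list:
    """Parse 'entry [1|0]' lines; entries with no status are enabled."""
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) > 2 or (len(parts) == 2 and parts[1] not in ("0", "1")):
            raise ValueError(f"line {lineno}: expected '<url> [0|1]'")
        entry = parts[0].lower()
        if entry.startswith("http://") or entry.startswith("https://"):
            raise ValueError(f"line {lineno}: do not include the scheme")
        if len(parts) == 1 or parts[1] == "1":
            rows.append(entry)          # only enabled entries take effect
    return rows


def _split_request(url: str):
    """Return (host, path) for a browser request such as http://www.x.com/a.html."""
    s = urlsplit(url if "://" in url else "http://" + url)
    return s.hostname or "", (s.path or "/")


def _entry_matches(entry: str, host: str, path: str) -> bool:
    if "/" in entry:                        # host/path entry: one page only
        ehost, epath = entry.split("/", 1)
        return host == ehost and path.lstrip("/") == epath
    # host-only entry: the host itself or any host ending in '.' + entry.
    # A bare suffix such as 'com' therefore covers every host in that TLD.
    return host == entry or host.endswith("." + entry)


def is_exempt(url: str, exempt_entries: list) -> bool:
    host, path = _split_request(url)
    return any(_entry_matches(e, host, path) for e in exempt_entries)


def is_blocked(url: str, block_entries: list, patterns: list = (),
               exempt_entries: list = ()) -> bool:
    """Apply the exempt list first, then URL entries, then regex patterns."""
    if len(patterns) > 20:
        raise ValueError("the Web pattern block list holds at most 20 patterns")
    if is_exempt(url, exempt_entries):
        return False
    host, path = _split_request(url)
    if any(_entry_matches(e, host, path) for e in block_entries):
        return True
    target = host + path
    return any(re.search(p, target) for p in patterns)


# Constructed lists in the Figure 38 / Figure 41 layout (not the figures).
BLOCK_LIST = """
badsite.com 1
122.133.144.155/news.html 1
example.org/private.html 0
"""
EXEMPT_LIST = """
www.goodsite.com 1
"""
PATTERNS = [r"badsite\.(org|net)"]      # Web pattern block list (regex)


def decide(url: str) -> bool:
    """True when the constructed lists would block the request."""
    return is_blocked(url, parse_url_list(BLOCK_LIST), PATTERNS,
                      parse_url_list(EXEMPT_LIST))


if __name__ == "__main__":
    for u in ["http://www.finance.badsite.com/", "http://notbadsite.com/",
              "122.133.144.155/news.html", "http://www.badsite.net/x",
              "http://www.goodsite.com/badpage"]:
        print(u, "blocked" if decide(u) else "allowed")
```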
Note: All changes made to the URL Exempt list using the web-based manager are lost when you upload a new list. However, you can download your current URL Exempt list, add more items to it using a text editor, and then upload the edited list to the FortiWiFi unit.

To upload a URL Exempt list
1. In a text editor, create the list of URLs to exempt.
2. Using the web-based manager, go to Web Filter > URL Exempt.
3. Select Upload URL Exempt List.
4. Type the path and filename of your URL Exempt List text file, or select Browse and locate the file.
5. Select OK to upload the file to the FortiWiFi unit.
6. Select Return to display the updated URL Exempt List.
7. You can continue to maintain the URL Exempt List by making changes to the text file and uploading it again as necessary.

Email filter

Email filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how email filtering behaves for email (IMAP and POP3) traffic. Content profiles control the following types of protection to identify unwanted email:
- filtering unwanted sender address patterns,
- filtering unwanted content,
- exempting sender address patterns from blocking.

This chapter describes:
- General configuration steps
- Email banned word list
- Email block list
- Email exempt list
- Adding a subject tag

General configuration steps

Configuring email filtering involves the following general steps:
1. Select email filter options in a new or existing content profile. See Adding content profiles on page 190.
2. Select the Anti-Virus & Web filter option in firewall policies that allow IMAP and POP3 connections through the FortiWiFi unit. Select a content profile that provides the email filtering options that you want to apply to a policy. See Adding content profiles to policies on page 192.
3. Add a subject tag to the unwanted email so that receivers can use their mail client software to filter messages based on the tag. See Adding a subject tag on page 272.

Note: For information about receiving email filter log messages, see Configuring logging in the FortiGate Logging Configuration and Reference Guide. For information about email filter log message categories and formats, see Log messages in the FortiGate Logging Configuration and Reference Guide.

Email banned word list

When the FortiWiFi unit detects an email that contains a word or phrase in the banned word list, the FortiWiFi unit adds a tag to the subject line of the email and writes a message to the event log. Receivers can then use their mail client software to filter messages based on the subject tag. You can add banned words to the list in many languages using Western, Simplified Chinese, Traditional Chinese, Japanese, or Korean character sets.

- Adding words and phrases to the email banned word list
- Downloading the email banned word list
- Uploading the email banned word list

Adding words and phrases to the email banned word list

To add a word or phrase to the banned word list
1. Go to Email Filter > Content Block.
2. Select New.
3. Type a banned word or phrase. If you type a single word (for example, banned), the FortiWiFi unit tags all IMAP and POP3 email that contains that word. If you type a phrase (for example, banned phrase), the FortiWiFi unit tags email that contains both words. When this phrase appears on the banned word list, the FortiWiFi unit inserts plus signs (+) in place of spaces (for example, banned+phrase). If you type a phrase in quotes (for example, "banned word"), the FortiWiFi unit tags all email in which the words are found together as a phrase. Content filtering is not case-sensitive. You cannot include special characters in banned words.
4. Select the Language for the banned word or phrase. You can choose Western, Chinese Simplified, Chinese Traditional, Japanese, or Korean. Your computer and web browser must be configured to enter characters in the language that you select.
5. Select OK. The word or phrase is added to the banned word list.

Note: Email Content Block must be selected in the content profile for IMAP or POP3 email containing banned words to be tagged.

Downloading the email banned word list

You can back up the banned word list by downloading it to a text file on the management computer.

To download the banned word list
1. Go to Email Filter > Content Block.
2. Select Download. The FortiWiFi unit downloads the banned word list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.

Uploading the email banned word list

You can create or edit a banned word list in a text file and upload it from your management computer to the FortiWiFi unit. Each banned word or phrase must appear on a separate line in the text file. Use ASCII, Western, Chinese Simplified, Chinese Traditional, Japanese, or Korean characters. Your computer and web browser must be configured to enter characters in the character set that you use.

All words are enabled by default. Optionally, you can enter a space and a 1 after the word to enable it, and another space and a number to indicate the language:
0 Western
1 Chinese Simplified
2 Chinese Traditional
3 Japanese
4 Korean

If you do not add this information to all items in the text file, the FortiWiFi unit automatically enables all banned words and phrases that are followed with a 1 or no number in the Western language when you upload the text file.

Figure 42: Example Western email banned word list text file

banned 1 0
banned+phrase+1 1 0
banned phrase 2 1 0

To upload the banned word list
1. Go to Email Filter > Content Block.
2. Select Upload.
3. Type the path and filename of the banned word list text file or select Browse and locate the file.
4. Select OK to upload the banned word list text file.
5. Select Return to display the banned word list.

Email block list

You can configure the FortiWiFi unit to tag all IMAP and POP3 protocol traffic sent from unwanted email addresses. When the FortiWiFi unit detects an email sent from an unwanted address pattern, the FortiWiFi unit adds a tag to the subject line of the email and writes a message to the email filter log.
Receivers can then use their mail client software to filter messages based on the subject tag. You can tag email from a specific sender address or from all address subdomains by adding the top-level domain name. Alternatively, you can tag email sent from individual subdomains by including the subdomain to block.

- Adding address patterns to the email block list
- Downloading the email block list
- Uploading an email block list

Adding address patterns to the email block list

To add an address pattern to the email block list
1. Go to Email Filter > Block List.
2. Select New.
3. Type a Block Pattern. To tag email from a specific email address, type the email address. For example, sender@abccompany.com. To tag email from a specific domain, type the domain name. For example, abccompany.com. To tag email from a specific subdomain, type the subdomain name. For example, mail.abccompany.com. To tag email from an entire organization category, type the top-level domain name. For example, type com to tag email sent from all organizations that use .com as the top-level domain. The pattern can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - (hyphen), _ (underscore), and @. Spaces and other special characters are not allowed.
4. Select OK to add the address pattern to the Email Block list.

Downloading the email block list

You can back up the email block list by downloading it to a text file on the management computer.

To download the email block list
1. Go to Email Filter > Block List.
2. Select Download. The FortiWiFi unit downloads the list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.

Uploading an email block list

You can create an email block list in a text editor and then upload the text file to the FortiWiFi unit. Add one pattern to each line of the text file. You can follow the pattern with a space and then a 1 to enable or a zero (0) to disable the pattern. If you do not add this information to the text file, the FortiWiFi unit automatically enables all patterns that are followed with a 1 or no number when you upload the text file.

Figure 43: Example email block list text file

mail.badsite.com 1
suredeal.org 1
user1@badsite.com 1

You can either create the email block list yourself, or add a block list created by a third-party email blacklist service. For example, you can subscribe to the Realtime Blackhole List service available at http://mail-abuse.org/rbl/ as a starting point for creating your own email block list. You can upload blacklists to the FortiWiFi unit as text files, with only minimal editing to remove comments at the top of each list and to combine the lists that you want into a single file.

Note: All changes made to the email block list using the web-based manager are lost when you upload a new list. However, you can download your current email block list, add more patterns to it using a text editor, and then upload the edited list to the FortiWiFi unit.

To upload the email block list
1. In a text editor, create the list of patterns to block.
2. Using the web-based manager, go to Email Filter > Block List.
3. Select Upload.
4. Type the path and filename of your email block list text file, or select Browse and locate the file.
5. Select OK to upload the file to the FortiWiFi unit.
6. Select Return to display the updated email block list.
7. You can continue to maintain the email block list by making changes to the text file and uploading it again.

Email exempt list

Add address patterns to the exempt list to allow legitimate IMAP and POP3 traffic that might otherwise be tagged by email or content blocking.
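The email block list pattern rules above (address, domain, subdomain and top-level domain patterns, the allowed character set, and the "pattern [status]" upload layout of Figure 43), applied to the exempt list as well since it uses the same pattern syntax, as an added example that is not Fortinet code. The guide's allowed character set omits the period although every example pattern on the page contains one, so the period is accepted here as an assumption; placing the tag in front of the original subject, checking the exempt list before the block list and case-insensitive matching are also assumptions.

```python
"""Email block list / exempt list pattern handling for IMAP and POP3 mail.

Added example, not Fortinet code. It validates patterns against the character
set the guide allows, models the four pattern kinds the guide describes
(address, domain, subdomain, top-level domain) and shows the subject tag
being applied. Assumptions: '.' is accepted in patterns because every example
on the page contains one; matching is case-insensitive; the exempt list is
checked before the block list; the tag is prefixed to the subject.
"""
import re

# Letters, digits, hyphen, underscore and '@' per the guide, plus '.' (see above).
_PATTERN_RE = re.compile(r"^[A-Za-z0-9@._-]+$")


def validate_pattern(pattern: str) -> str:
    """Return the normalised pattern or raise ValueError for disallowed chars."""
    if not _PATTERN_RE.match(pattern):
        raise ValueError(f"pattern {pattern!r} contains spaces or disallowed characters")
    return pattern.lower()


def parse_pattern_list(text: str) -> list:
    """Parse the upload file: one pattern per line, optional ' 1' / ' 0' status."""
    enabled = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) > 2 or (len(parts) == 2 and parts[1] not in ("0", "1")):
            raise ValueError(f"line {lineno}: expected '<pattern> [0|1]'")
        if len(parts) == 1 or parts[1] == "1":      # no status means enabled
            enabled.append(validate_pattern(parts[0]))
    return enabled


def sender_matches(sender: str, pattern: str) -> bool:
    """An address pattern must equal the whole sender address; a domain-style
    pattern matches the sender's domain exactly or as a dotted suffix, which
    covers the domain, subdomain and top-level-domain cases from the guide."""
    sender = sender.lower()
    if "@" in pattern:
        return sender == pattern
    domain = sender.rsplit("@", 1)[-1]
    return domain == pattern or domain.endswith("." + pattern)


def tag_subject(sender: str, subject: str, block_patterns: list,
                exempt_patterns: list = (), tag: str = "Unwanted Mail") -> str:
    """Return the subject as the receiver would see it after filtering."""
    if any(sender_matches(sender, p) for p in exempt_patterns):
        return subject
    if any(sender_matches(sender, p) for p in block_patterns):
        return f"{tag} {subject}"
    return subject


# Constructed lists in the Figure 43 layout (not the figure itself).
BLOCK_LIST = """
mail.badsite.com 1
suredeal.org 1
user1@badsite.com 1
com 1
oldspam.example 0
"""
EXEMPT_LIST = """
abccompany.com 1
"""


def filter_message(sender: str, subject: str) -> str:
    """Subject line after the constructed block and exempt lists are applied."""
    return tag_subject(sender, subject, parse_pattern_list(BLOCK_LIST),
                       parse_pattern_list(EXEMPT_LIST))


if __name__ == "__main__":
    for s in ["someone@mail.badsite.com", "user2@badsite.net",
              "x@news.suredeal.org", "x@abccompany.com", "x@other.com"]:
        print(s, "->", filter_message(s, "hello"))
```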
If, for example, the email banned word list is set to block email that contains pornography-related words and a reputable company sends email that contains these words, the FortiWiFi unit would normally add a subject tag to the email. Adding the domain name of the reputable company to the exempt list allows IMAP and POP3 traffic from the company to bypass email and content blocking.

Adding address patterns to the email exempt list

To add an address pattern to the email exempt list
1 Go to Email Filter > Exempt List.
2 Select New.
3 Type the address pattern that you want to exempt.
To exempt email sent from a specific email address, type the email address. For example, sender@abccompany.com.
To exempt email sent from a specific domain, type the domain name. For example, abccompany.com.
To exempt email sent from a specific subdomain, type the subdomain name. For example, mail.abccompany.com.
To exempt email sent from an entire organization category, type the top-level domain name. For example, type net to exempt email sent from all organizations that use .net as the top-level domain.
The pattern can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - (hyphen), _ (underscore), and @. Spaces and other special characters are not allowed.
4 Select OK to add the address pattern to the email exempt list.

Adding a subject tag
When the FortiWiFi unit receives email from an unwanted address or email that contains an item in the email banned word list, the FortiWiFi unit adds a tag to the subject line and sends the message to the destination email address. Email users can use their mail client software to filter the messages based on the subject tag.

To add a subject tag
1 Go to Email Filter > Config.
2 Type the Subject Tag that you want to display in the subject line of email received from unwanted addresses or that contains banned words.
For example, type Unwanted Mail.
Note: Do not use quotation marks in the subject tags.
3 Select Apply.
The FortiWiFi unit adds the tag to the subject line of all unwanted email.

Logging and reporting
You can configure the FortiWiFi unit to log network activity from routine configuration changes and traffic sessions to emergency events. You can also configure the FortiWiFi unit to send alert email messages to inform system administrators about events such as network attacks, virus incidents, and firewall and VPN events.

This chapter describes:
Recording logs
Filtering log messages
Configuring traffic logging
Viewing logs saved to memory
Configuring alert email

Recording logs
You can configure logging to record logs to one or more of:
the console
a computer running a syslog server
a computer running a WebTrends firewall reporting server

You can also configure logging to record event, attack, antivirus, web filter, and email filter logs to the FortiWiFi system memory, if your FortiWiFi unit does not contain a hard disk. Logging to memory allows quick access to only the most recent log entries. If the FortiWiFi unit restarts, the log entries are lost.

You can select the same or different severity levels for each log location. For example, you might want to record only emergency and alert level messages to the FortiWiFi memory and record all levels of messages on a remote computer. For information about filtering the log types and activities that the FortiWiFi unit records, see Filtering log messages on page 276. For information about traffic logs, see Configuring traffic logging on page 277.

This section describes:
Recording logs on a remote computer
Recording logs on a NetIQ WebTrends server
Recording logs in system memory
Log message levels

Recording logs on a remote computer
You can configure the FortiWiFi unit to record log messages on a remote computer. The remote computer must be configured with a syslog server.

To record logs on a remote computer
1 Go to Log&Report > Log Setting.
2 Select the Log to Remote Host check box to send the logs to a syslog server.
3 Type the IP address of the remote computer running syslog server software.
4 Type the port number of the syslog server.
5 Select the severity level for which you want to record log messages.
The FortiWiFi unit logs all levels of severity down to, but not lower than, the level you choose. For example, if you want to record emergency, alert, critical, and error messages, select Error. See Log message levels on page 275.
6 Select Config Policy.
7 Select the Log type for which you want the FortiWiFi unit to record logs. For each Log type, select the activities for which you want the FortiWiFi unit to record log messages. For information about log types and activities, see Filtering log messages on page 276 and Configuring traffic logging on page 277.
8 Select OK.
9 Select Apply.

Recording logs on a NetIQ WebTrends server
Use the following procedure to configure the FortiWiFi unit to record logs on a remote NetIQ WebTrends firewall reporting server for storage and analysis. FortiWiFi log formats comply with WebTrends Enhanced Log Format (WELF) and are compatible with WebTrends NetIQ Security Reporting Center 2.0 and Firewall Suite 4.1. For more information, see the Security Reporting Center and Firewall Suite documentation.

Note: FortiWiFi traffic log messages include sent and received fields, which are optional in WELF but required for drawing a WebTrends graph.

To record logs on a NetIQ WebTrends server
1 Go to Log&Report > Log Setting.
2 Select the Log in WebTrends Enhanced Log Format check box.
3 Type the IP address of the NetIQ WebTrends firewall reporting server.
4 Select the severity level for which you want to record log messages.
The FortiWiFi logs all levels of severity down to, but not lower than, the level you choose. For example, if you want to record emergency, alert, critical, and error messages, select Error. See Log message levels on page 275.
5 Select Config Policy.
To configure the FortiWiFi unit to filter the types of logs and events to record, use the procedures in Filtering log messages on page 276 and Configuring traffic logging on page 277.
6 Select OK.
7 Select Apply.

Recording logs in system memory
If your FortiWiFi unit does not contain a hard disk, you can configure the FortiWiFi unit to reserve some system memory for storing current event, attack, antivirus, web filter, and email filter log messages. Logging to memory allows quick access to only the most recent log entries. The FortiWiFi unit can store a limited number of messages in system memory. After all available memory is used, the FortiWiFi unit deletes the oldest messages. If the FortiWiFi unit restarts, the log entries are lost.

Note: The FortiWiFi unit can record only the event and attack log messages in system memory.

To record logs in system memory
1 Go to Log&Report > Log Setting.
2 Select the Log to memory check box.
3 Select the severity level for which you want to record log messages.
The FortiWiFi logs all levels of severity down to, but not lower than, the level you choose. For example, if you want to record emergency, alert, critical, and error messages, select Error. See Log message levels on page 275.
4 Select Config Policy.
To configure the FortiWiFi to filter the types of logs and events to record, use the procedures in Filtering log messages on page 276.
5 Select Apply.
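The per-location severity threshold ("down to, but not lower than"), the memory store that deletes its oldest messages when full and loses everything on restart, and the keyword and time search described later under Viewing logs saved to memory, as an added Python example. It is not Fortinet code: the level numbers are the manual's Table 23 (0 emergency through 6 information), while the record layout, the per-type Config Policy filter, the timestamp format and the sample messages are constructed for illustration.

```python
"""Log severity thresholds, memory logging and memory log search
(added example, not Fortinet code). Level numbers follow the manual's Table 23;
the record layout, timestamp format and sample messages are constructed."""
from collections import deque
from typing import NamedTuple

LEVELS = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
          "warning": 4, "notice": 5, "information": 6}


class LogRecord(NamedTuple):
    level: str
    time: str       # constructed "YYYY-MM-DD HH:MM:SS"
    log_type: str   # event, attack, antivirus, webfilter, emailfilter
    text: str


class LogDestination:
    """One log location with its own severity threshold and Config Policy.

    A destination records every level down to, but not lower than, its
    threshold: with threshold "error" it keeps 0-3 and drops 4-6. A capacity
    models memory logging: when the store is full the oldest entry is deleted,
    and nothing is persisted, so a restart empties it.
    """

    def __init__(self, name, threshold, capacity=None, log_types=None):
        self.name = name
        self.threshold = LEVELS[threshold]
        self.log_types = log_types          # None = every log type
        self.records = deque(maxlen=capacity)

    def accepts(self, record):
        if self.log_types is not None and record.log_type not in self.log_types:
            return False
        return LEVELS[record.level] <= self.threshold

    def record(self, rec):
        if not self.accepts(rec):
            return False
        self.records.appendleft(rec)        # newest first, as the viewer lists them
        return True


def search(records, keyword=None, hour=None, mode="AND"):
    """Memory log search: case-sensitive keyword, hour given as a
    'YYYY-MM-DD HH' prefix, combined with AND or OR. Blank criteria return
    everything, which is how the manual says to clear a search."""
    checks = []
    if keyword is not None:
        checks.append(lambda r: keyword in r.text)
    if hour is not None:
        checks.append(lambda r: r.time.startswith(hour))
    if not checks:
        return list(records)
    combine = all if mode == "AND" else any
    return [r for r in records if combine(check(r) for check in checks)]


# Constructed sample messages, oldest first.
SAMPLE = [
    LogRecord("alert", "2004-03-03 14:05:12", "attack", "NIDS signature matched from 198.51.100.9"),
    LogRecord("warning", "2004-03-03 14:07:40", "antivirus", "virus found in attachment"),
    LogRecord("notice", "2004-03-03 15:01:03", "emailfilter", "subject tagged: sender in block list"),
    LogRecord("critical", "2004-03-03 15:02:55", "event", "DHCP lease pool exhausted"),
    LogRecord("error", "2004-03-03 15:03:10", "event", "admin login failed from 192.0.2.7"),
    LogRecord("information", "2004-03-03 15:04:00", "event", "admin logout"),
]


def run_sample():
    """Feed SAMPLE to a remote syslog destination (threshold Error, all types)
    and a two-entry memory store (threshold Warning, event and attack logs
    only, per the manual's note); return what each holds plus search results."""
    syslog = LogDestination("syslog", "error")
    memory = LogDestination("memory", "warning", capacity=2, log_types={"event", "attack"})
    for rec in SAMPLE:
        syslog.record(rec)
        memory.record(rec)
    return {
        "syslog": [r.text for r in syslog.records],
        "memory": [r.text for r in memory.records],
        "search_and": [r.text for r in search(memory.records, keyword="admin", hour="2004-03-03 15")],
        "search_or": len(search(memory.records, keyword="DHCP", hour="2004-03-03 15", mode="OR")),
        "blank": len(search(memory.records)),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

In the sample the attack alert is the oldest entry in the memory store and is the one deleted when the two-entry capacity is exceeded, which is the manual's warning about memory logging in miniature: anything you need to keep has to go to the remote syslog destination as well.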
Log message levels
Table 23 lists and describes FortiWiFi log message levels.

Table 23: FortiWiFi log message levels
Level | Description | Generated by
0 - Emergency | The system has become unstable. | Emergency messages not available.
1 - Alert | Immediate action is required. | NIDS attack log messages.
2 - Critical | Functionality is affected. | DHCP.
3 - Error | An error condition exists and functionality could be affected. | Error messages not available.
4 - Warning | Functionality could be affected. | Antivirus, Web filter, email filter, and system event log messages.
5 - Notice | Information about normal events. | Antivirus, Web filter, and email filter log messages.
6 - Information | General information about system operations. | Antivirus, Web filter, email filter log messages, and other event log messages.

Filtering log messages
You can configure the logs that you want to record and the message categories that you want to record in each log.

To filter log entries
1 Go to Log&Report > Log Setting.
2 Select Config Policy for the log location that you selected in Recording logs on page 273.
3 Select the log types that you want the FortiWiFi unit to record.
Traffic Log: Record all connections to and through the interface. To configure traffic filtering, see Adding traffic filter entries on page 279.
Event Log: Record management and activity events in the event log. Management events include changes to the system configuration as well as administrator and user logins and logouts. Activity events include system activities, such as VPN tunnel establishment and HA failover events.
Virus Log: Record virus intrusion events, such as when the FortiWiFi unit detects a virus, blocks a file type, or blocks an oversized file or email.
Web Filtering Log: Record activity events, such as URL and content blocking, and exemption of URLs from blocking.
Attack Log: Record attacks detected by the NIDS and prevented by the NIDS Prevention module.
Email Filter Log: Record activity events, such as detection of email that contains unwanted content and email from unwanted senders.
Update: Record log messages when the FortiWiFi connects to the FDN to download antivirus and attack updates.
4 Select the message categories that you want the FortiWiFi unit to record if you selected Event Log, Virus Log, Web Filtering Log, Attack Log, Email Filter Log, or Update in step 3.
5 Select OK.

Figure 44: Example log filter configuration

Configuring traffic logging
You can configure the FortiWiFi unit to record traffic log messages for connections to:
an interface
a firewall policy

The FortiWiFi unit can filter traffic logs for a source and destination address and service. You can also enable the following global settings:
resolve IP addresses to host names
display the port number or service

The traffic filter list displays the name, source address and destination address, and the protocol type of the traffic to be filtered.

This section describes:
Enabling traffic logging
Configuring traffic filter settings
Adding traffic filter entries

Enabling traffic logging
You can enable logging on any interface and firewall policy.

Enabling traffic logging for an interface
If you enable traffic logging for an interface, all connections to and through the interface are recorded in the traffic log.

To enable traffic logging for an interface
1 Go to System > Network > Interface.
2 Select Edit in the Modify column beside the interface for which you want to enable logging.
3 For Log, select Enable.
4 Select OK.
5 Repeat this procedure for each interface for which you want to enable logging.

Enabling traffic logging for a firewall policy
If you enable traffic logging for a firewall policy, all connections accepted by the firewall policy are recorded in the traffic log.

To enable traffic logging for a firewall policy
1 Go to Firewall > Policy.
2 Select a policy tab.
3 Select Log Traffic.
4 Select OK.

Configuring traffic filter settings
You can configure the information recorded in all traffic log messages.

To configure traffic filter settings
1 Go to Log&Report > Log Setting > Traffic Filter.
2 Select the settings that you want to apply to all traffic log messages.
Resolve IP: Select Resolve IP if you want traffic log messages to list the IP address and domain name stored on the DNS server. If the primary and secondary DNS server addresses provided to you by your ISP have not already been added, go to System > Network > DNS and add the addresses.
Display: Select Port Number if you want traffic log messages to list the port number, for example, 80/tcp. Select Service Name if you want traffic log messages to list the name of the service, for example, TCP.
3 Select Apply.
Figure 45: Example traffic filter list

Adding traffic filter entries
Add entries to the traffic filter list to filter the messages that are recorded in the traffic log. If you do not add any entries to the traffic filter list, the FortiWiFi unit records all traffic log messages. You can add entries to the traffic filter list to limit the traffic logs that are recorded. You can log traffic with a specified source IP address and netmask, to a destination IP address and netmask, and for a specified service. A traffic filter entry can include any combination of source and destination addresses and services.

To add an entry to the traffic filter list
1 Go to Log&Report > Log Setting > Traffic Filter.
2 Select New.
3 Configure the traffic filter for the type of traffic that you want to record on the traffic log.
Name: Type a name to identify the traffic filter entry. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Spaces and other special characters are not allowed.
Source IP Address, Source Netmask: Type the source IP address and netmask for which you want the FortiWiFi unit to log traffic messages. The address can be an individual computer, subnetwork, or network.
Destination IP Address, Destination Netmask: Type the destination IP address and netmask for which you want the FortiWiFi unit to log traffic messages. The address can be an individual computer, subnetwork, or network.
Service: Select the service group or individual service for which you want the FortiWiFi unit to log traffic messages.
4 Select OK.
The traffic filter list displays the new traffic address entry with the settings that you selected in Enabling traffic logging on page 278.
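The traffic filter list semantics above (no entries logs everything; an entry may combine source, destination and service, each given as address and netmask) together with the Resolve IP and Display settings, as an added Python example that is not Fortinet code. The service table, the Web service group, the host-name table standing in for DNS, and the sample connections are constructed so the example runs offline; that a field left empty matches anything is an assumption the manual does not state.

```python
"""Traffic filter entries and the Resolve IP / Display settings
(added example, not Fortinet code). Service table, service group, host names
and sample connections are constructed; 'empty field matches anything' is ASSUMED."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # manual: letters, digits, - and _

# Constructed service table: name -> (protocol, destination port), and one group.
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "SMTP": ("tcp", 25), "DNS": ("udp", 53)}
SERVICE_GROUPS = {"Web": ("HTTP", "HTTPS")}

# Constructed stand-in for the DNS lookups that Resolve IP would perform.
HOSTNAMES = {"203.0.113.5": "www.example.net"}


def is_valid_name(name):
    """True if the entry name uses only the characters the manual permits."""
    return bool(NAME_RE.match(name))


@dataclass
class TrafficFilter:
    name: str
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    service: Optional[str] = None   # service name or service group name

    @classmethod
    def from_form(cls, name, src_ip=None, src_mask=None, dst_ip=None, dst_mask=None, service=None):
        """Build an entry from the web form fields; a netmask may be dotted or /len,
        and an address without a netmask means that single host."""
        if not is_valid_name(name):
            raise ValueError(f"illegal filter name {name!r}")

        def net(ip, mask):
            if ip is None:
                return None
            return ipaddress.ip_network(f"{ip}/{mask or '255.255.255.255'}", strict=False)

        return cls(name, net(src_ip, src_mask), net(dst_ip, dst_mask), service)

    def matches(self, conn):
        """ASSUMED: each field that is set must match; an unset field matches anything."""
        if self.src is not None and ipaddress.ip_address(conn["src"]) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(conn["dst"]) not in self.dst:
            return False
        if self.service is not None:
            members = SERVICE_GROUPS.get(self.service, (self.service,))
            if (conn["proto"], conn["dport"]) not in {SERVICES[m] for m in members}:
                return False
        return True


def should_log(filters, conn):
    """No entries: every traffic message is recorded (manual). Otherwise only
    connections matching at least one entry are."""
    return not filters or any(f.matches(conn) for f in filters)


def format_destination(conn, resolve_ip=False, display="port"):
    """Render a traffic log destination under the two global settings: Resolve IP
    appends the host name, Display chooses '443/tcp' or the service table name."""
    host = conn["dst"]
    if resolve_ip and host in HOSTNAMES:
        host = f"{host} ({HOSTNAMES[host]})"
    port_form = f"{conn['dport']}/{conn['proto']}"
    if display == "port":
        return f"{host}:{port_form}"
    names = [n for n, v in SERVICES.items() if v == (conn["proto"], conn["dport"])]
    return f"{host}:{names[0] if names else port_form}"


# Constructed connections accepted by a policy that has Log Traffic enabled.
CONNS = [
    {"src": "192.168.1.20", "dst": "203.0.113.5", "proto": "tcp", "dport": 443},
    {"src": "192.168.2.7", "dst": "203.0.113.5", "proto": "tcp", "dport": 443},
    {"src": "192.168.1.20", "dst": "203.0.113.5", "proto": "udp", "dport": 53},
]

# One entry: LAN subnet as source, any destination, the Web service group.
FILTERS = [TrafficFilter.from_form("lan_web", src_ip="192.168.1.0",
                                   src_mask="255.255.255.0", service="Web")]


def demo():
    """Which of CONNS the filter list records."""
    return [should_log(FILTERS, c) for c in CONNS]


if __name__ == "__main__":
    for conn, logged in zip(CONNS, demo()):
        print(f"{conn['src']} -> {format_destination(conn, True, 'service')}: {'logged' if logged else 'dropped'}")
```

The manual's Display example shows the service name rendered as "TCP"; this example prints the service table name (HTTPS) instead, since that is what makes the message useful when searching. Keep in mind that adding a single entry switches the unit from logging everything to logging only matches, so a narrow first entry silently drops the rest of the traffic log.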
Figure 46: Example new traffic address entry

Viewing logs saved to memory
If the FortiWiFi unit is configured to save log messages in system memory, you can use the web-based manager to view, search, and clear the log messages.

This section describes:
Viewing logs
Searching logs

Viewing logs
Log messages are listed with the most recent message at the top.

To view log messages saved in system memory
1 Go to Log&Report > Logging.
2 Select Event Log, Attack Log, Antivirus Log, Web Filter Log, or Email Filter Log.
The web-based manager lists the log messages saved in system memory.
3 Scroll through the log messages to view them.
4 To view a specific line in the log, type a line number in the Go to line field and select the button beside it.
5 To navigate through the log message pages, select Go to next page or Go to previous page.

Searching logs

To search log messages saved in system memory
1 Go to Log&Report > Logging.
2 Select Event Log, Attack Log, Antivirus Log, Web Filter Log, or Email Filter Log.
3 Select the search button to search the messages in the selected log.
4 Select AND to search for messages that match all the specified search criteria. Select OR to search for messages that match one or more of the specified search criteria.
5 Select either of the following search criteria:
Keyword: To search for any text in a log message. Keyword searching is case-sensitive.
Time: To search log messages created during the selected year, month, day, and hour.
6 Select OK to run the search.
7 The web-based manager displays the messages that match the search criteria. You can scroll through the messages or run another search.
Note: After you run a search, if you want to display all log messages again, run another search but leave all the search fields blank.

Configuring alert email
You can configure the FortiWiFi unit to send alert email to up to three email addresses when there are virus incidents, block incidents, network intrusions, and other firewall or VPN events or violations. After you set up the email addresses, you can test the settings by sending test email.

This section describes:
Adding alert email addresses
Testing alert email
Enabling alert email

Adding alert email addresses
Because the FortiWiFi unit uses the SMTP server name to connect to the mail server, the FortiWiFi unit must look up this name on your DNS server. Before you configure alert email, make sure that you configure at least one DNS server.

To add a DNS server
1 Go to System > Network > DNS.
2 If they are not already there, type the primary and secondary DNS server addresses provided by your ISP.
3 Select Apply.

To add alert email addresses
1 Go to Log&Report > Alert Mail > Configuration.
2 Select the Authentication check box if your email server requires an SMTP password.
3 In the SMTP Server field, type the name of the SMTP server where you want the FortiWiFi unit to send email, in the format smtp.domain.com. The SMTP server can be located on any network connected to the FortiWiFi unit.
4 In the SMTP User field, type a valid email address in the format user@domain.com. This address appears in the From header of the alert email.
5 In the Password field, type the password that the SMTP user needs to access the SMTP server. A password is required if you select Authentication.
6 Type up to three destination email addresses in the Email To fields. These are the email addresses to which the FortiWiFi unit sends alert email.
7 Select Apply.

Testing alert email
You can test the alert email settings by sending a test email.

To send a test email
1 Go to Log&Report > Alert Mail > Configuration.
2 Select Test to send test email messages from the FortiWiFi unit to the Email To addresses.

Enabling alert email
You can configure the FortiWiFi unit to send alert email in response to virus incidents, intrusion attempts, and critical firewall or VPN events or violations. If you have configured logging to a local disk, you can enable sending an alert email when the hard disk is almost full.

To enable alert email
1 Go to Log&Report > Alert Mail > Categories.
2 Select Enable alert email for virus incidents. Alert email is not sent when antivirus file blocking deletes a file.
3 Select Enable alert email for block incidents to have the FortiWiFi unit send an alert email when it blocks files affected by viruses.
4 Select Enable alert email for intrusions to have the FortiWiFi unit send an alert email to notify the system administrator of attacks detected by the NIDS.
5 Select Enable alert email for critical firewall/VPN events or violations to have the FortiWiFi unit send an alert email when a critical firewall or VPN event occurs. Critical firewall events include failed authentication attempts. Critical VPN events include when replay detection detects a replay packet. Replay detection can be configured for both manual key and AutoIKE Key VPN tunnels.
6 Select Send alert email when disk is full to have the FortiWiFi unit send an alert email when the hard disk is almost full.
7 Select Apply.
Glossary

Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both.
DMZ, Demilitarized Zone: Used to host Internet services without allowing unauthorized access to an internal (private) network. Typically, the DMZ contains servers accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (email) servers and DNS servers.
DMZ interface: The FortiWiFi interface that is connected to a DMZ network.
DNS, Domain Name Service: A service that converts symbolic node names to IP addresses.
Ethernet: A local-area network (LAN) architecture that uses a bus or star topology and supports data transfer rates of 10 Mbps. Ethernet is one of the most widely implemented LAN standards. A newer version of Ethernet, called 100Base-T (or Fast Ethernet), supports data transfer rates of 100 Mbps. The newest version, Gigabit Ethernet, supports data rates of 1 gigabit (1,000 megabits) per second.
External interface: The FortiWiFi interface that is connected to the Internet. For the FortiWiFi-60 the external interface is WAN1 or WAN2.
FTP, File Transfer Protocol: An application and TCP/IP protocol used to upload or download files.
Gateway: A combination of hardware and software that links different networks. Gateways between TCP/IP networks, for example, can link different subnetworks.
HTTP, Hypertext Transfer Protocol: The protocol used by the World Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.
HTTPS: HTTP carried over the SSL protocol, used for transmitting private documents over the Internet with a Web browser.
Internal interface: The FortiWiFi interface that is connected to an internal (private) network.
Internet: A collection of networks connected together that span the entire globe, historically using the NSFNET as their backbone. As a generic term, it refers to any collection of interdependent networks.
ICMP, Internet Control Message Protocol: Part of the Internet Protocol (IP) that allows for the generation of error messages, test packets, and information messages relating to IP. This is the protocol used by the ping function when sending ICMP Echo Requests to a network host.
IKE, Internet Key Exchange: A method of automatically exchanging authentication and encryption keys between two secure servers.
IMAP, Internet Message Access Protocol: An Internet email protocol that allows access to your email from any IMAP-compatible mail client. With IMAP, your mail resides on the server.
IP, Internet Protocol: The component of TCP/IP that handles routing.
IP Address: An identifier for a computer or device on a TCP/IP network. An IPv4 address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255.
IPSec, Internet Protocol Security: A set of protocols that support secure exchange of packets at the IP layer. IPSec is most often used to support VPNs.
L2TP, Layer Two (2) Tunneling Protocol: An extension to the PPTP protocol that enables ISPs to operate Virtual Private Networks (VPNs). L2TP merges PPTP from Microsoft and L2F from Cisco Systems. To create an L2TP VPN, your ISP's routers must support L2TP.
LAN, Local Area Network: A computer network that spans a relatively small area. Most LANs connect workstations and personal computers. Each computer on a LAN is able to access data and devices anywhere on the LAN. This means that many users can share data as well as physical resources such as printers.
MAC address, Media Access Control address: A hardware address that uniquely identifies each node of a network.
MIB, Management Information Base: A database of objects that can be monitored by an SNMP network manager.
Modem: A device that converts digital signals into analog signals and back again for transmission over telephone lines.
MTU, Maximum Transmission Unit: The largest physical packet size, measured in bytes, that a network can transmit. Any packets larger than the MTU are divided into smaller packets before being sent. Ideally, you want the MTU your network produces to be the same as the smallest MTU of all the networks between your machine and a message's final destination. If your messages are larger than one of the intervening MTUs, they get broken up (fragmented), which slows down transmission speeds.
Netmask: Also called subnet mask. A set of rules for omitting parts of a complete IP address to reach a target destination without using a broadcast message. It can indicate a subnetwork portion of a larger network in TCP/IP. Sometimes referred to as an Address Mask.
NTP, Network Time Protocol: Used to synchronize the time of a computer to an NTP server. NTP provides accuracies to within tens of milliseconds across the Internet relative to Coordinated Universal Time (UTC).
Packet: A piece of a message transmitted over a packet-switching network. One of the key features of a packet is that it contains the destination address in addition to the data. In IP networks, packets are often called datagrams.
Ping, Packet Internet Grouper: A utility used to determine whether a specific IP address is accessible. It works by sending a packet to the specified address and waiting for a reply.
POP3, Post Office Protocol: A protocol used to transfer e-mail from a mail server to a mail client across the Internet. Most e-mail clients use POP.
PPP, Point-to-Point Protocol: A TCP/IP protocol that provides host-to-network and router-to-router connections.
PPTP, Point-to-Point Tunneling Protocol: A Windows-based technology for creating VPNs. PPTP is supported by Windows 98, 2000, and XP. To create a PPTP VPN, your ISP's routers must support PPTP.
Port: In TCP/IP and UDP networks, a port is an endpoint to a logical connection. The port number identifies what type of port it is. For example, port 80 is used for HTTP traffic.
Protocol: An agreed-upon format for transmitting data between two devices. The protocol determines the type of error checking to be used, the data compression method (if any), how the sending device indicates that it has finished sending a message, and how the receiving device indicates that it has received a message.
RADIUS, Remote Authentication Dial-In User Service: An authentication and accounting system used by many Internet Service Providers (ISPs). When users dial into an ISP they enter a user name and password. This information is passed to a RADIUS server, which checks that the information is correct, and then authorizes access to the ISP system.
Router: A device that connects LANs into an internal network and routes traffic between them.
Routing: The process of determining a path to use to send data to its destination.
Routing table: A list of valid paths through which data can be transmitted.
Server: An application that answers requests from other devices (clients). Used as a generic term for any device that provides services to the rest of the network such as printing, high capacity storage, and network access.
SMTP, Simple Mail Transfer Protocol: In TCP/IP networks, this is an application for providing mail delivery services.
SNMP, Simple Network Management Protocol: A set of protocols for managing networks. SNMP works by sending messages to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.
SSH, Secure Shell: A secure Telnet replacement that you can use to log into another computer over a network and run commands. SSH provides strong authentication and secure communications over insecure channels.
Subnet: A portion of a network that shares a common address component. On TCP/IP networks, subnets are defined as all devices whose IP addresses have the same prefix. For example, all devices with IP addresses that start with 100.100.100. would be part of the same subnet. Dividing a network into subnets is useful for both security and performance reasons. IP networks are divided using a subnet mask.
Subnet Address: The part of the IP address that identifies the subnetwork.
TCP, Transmission Control Protocol: One of the main protocols in TCP/IP networks. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.
UDP, User Datagram Protocol: A connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP, UDP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. It is used primarily for broadcasting messages over a network.
VPN, Virtual Private Network: A network that links private networks over the Internet. VPNs use encryption and other security mechanisms to ensure that only authorized users can access the network and that data cannot be intercepted.
Virus: A computer program that attaches itself to other programs, spreading itself through computers or networks by this mechanism usually with harmful intent.
Worm: A program or algorithm that replicates itself over a computer network, usually through email, and performs malicious actions, such as using up the computer's resources and possibly shutting the system down.
client 235 L2TP gateway configuring 231 language web-based manager 145 290 Fortinet Inc. LDAP LDAP server example configuration 198 adding server address 197 deleting 198 lease duration DHCP 29, 128 log message levels 275 log setting filtering log entries 96, 276 traffic filter 278 log to memory configuring 275 viewing saved logs 280 Log Traffic firewall policy 167 policy 167 logging 19, 273 attack log 276 configuring traffic settings 278 connections to an interface 118 email filter log 276 enabling alert email 282 event log 276 filtering log messages 276 log to memory 275 log to remote host 274 log to WebTrends 274 message levels 275 recording 273 searching logs 280 selecting what to log 276 traffic log 276 traffic logging 118 traffic sessions 277 update log 276 virus log 276 web filtering log 276 logs recording on NetIQ WebTrends server 274 removing from web pages 262, 272 M MAC address 284 IP/MAC binding 186 malicious scripts management access to an interface 117 management interface 119 management IP address transparent mode 61 manual IP address interface 114 manual keys introduction 202 matching policy 167 Index maximum bandwidth 165 memory status 87, 88 messages replacement 150 MIB mode modem FortiGate 150 Transparent 16 adding firewall policies 133 backup mode 129, 132 configuring 129 configuring settings 130 connecting to a dialup account 131 connecting to FortiGate unit 130 disconnecting 131 interface 129 link status 114 standalone mode 129, 132 viewing status 131 monitor system status 90 monitored interfaces 238 monitoring system status 87 MTU size 118 changing 118 definition 284 improving network performance 118 interface 118 N NAT introduction 16 policy option 164 push update 100 NAT mode adding policy 162 IP addresses 45 NAT/Route mode changing to 86 configuration from the CLI 45 introduction 16 netmask administrator account 146, 147 network address translation introduction 16 network intrusion detection 16 Network Intrusion Detection System 237 
network status 88 next hop router 117 NIDS 16, 237 attack prevention 242 detection 237 prevention 242 reducing alert email 244 reducing attack log messages 244 user-defined signatures 240 FortiWiFi-60 Installation and Configuration Guide 291 Index NTP 50, 64, 173, 284 NTP server 143 setting system date and time 143 O one-time schedule 178 creating 177 operating mode changing to NAT/Route mode 86 changing to Transparent mode 85 options changing system options 144 Outbound NAT encrypt policy 165 override serve adding 96, 97 oversized files and email blocking 250 P password adding 194 changing administrator account 147 Fortinet support 109 recovering a lost Fortinet support 107 PAT 182 pattern permission ping server policy web pattern blocking 259 administrator account 147 adding to an interface 117 accept 164 Anti-Virus & Web filter 166 arranging in policy list 167 Comments 167 deny 164 disabling 168 enabling 168 enabling authentication 199 fixed port 164 guaranteed bandwidth 165 Log Traffic 167 matching 167 maximum bandwidth 165 policy list configuring 167 policy routing 125 POP3 173, 284 port address translation 182 port forwarding 182 adding virtual IP 182 virtual IP 180 port number traffic filter display 278 power requirements 24 powering on 25 PPPoE PPTP 199, 284 interface addressing mode 116 configuring gateway 225, 231 configuring Windows 2000 client 229 configuring Windows 98 client 228 configuring Windows XP client 229 enabling 225, 231 ending IP address 226, 231 starting IP 226, 231 PPTP dialup connection configuring Windows 2000 client 229 configuring Windows 98 client 228 configuring Windows XP client 229 PPTP gateway configuring 225 predefined services 172 pre-shared keys introduction 202 prevention NIDS 242 protocol service 172 system status 91 proxy server 98 push updates 98 push update configuring 98 external IP address changes 99 management IP address changes 99 through a NAT device 100 through a proxy server 98 Q quick mode identifier use selectors 
from policy 211 use wildcard selectors 211 quick mode identity 211 R RADIUS definition 284 example configuration 196 RADIUS server adding server address 196 deleting 196 read & write access level administrator account 146 read only access level administrator account 146 recording logs 273 recording logs in system memory 275 recording logs on NetIQ WebTrends server 274 recovering a lost Fortinet support password 107 292 Fortinet Inc. recurring schedule 179 creating 178 registered FortiGate units viewing the list of 107 registering FortiGate unit 104, 105, 106, 108 FortiGate unit after an RMA 110 list of registered FortiGate units 108 registration contact information 109 security question 109 updating information 107 relay DHCP 126 remote administration 117, 119 replacement messages customizing 150 reporting 19, 273 reserved IP resolve IP 278 traffic filter 278 adding to a DHCP server 128 restarting 86 restoring system settings 84 restoring system settings to factory default 85 reverting firmware to an older version 79 RIP RMA route configuring 135 filters 139 interface configuration 137 settings 135 registering a FortiGate unit 110 adding default 122 adding to routing table 123 adding to routing table (Transparent mode) 124 destination 123 device 123 router next hop 117 routing 284 adding static routes 123 configuring 122 configuring routing table 124 policy 125 routing table 284 adding default route 122 adding routes 123 adding routes (Transparent mode) 124 configuring 124 S scanning antivirus 248 Index schedule 177 applying to policy 179 automatic antivirus and attack definition updates 96 creating one-time 177 creating recurring 178 one-time 178 policy option 164 recurring 179 scheduled antivirus and attack updates 98 scheduled updates through a proxy server 98 scheduling 96 scope adding a DHCP scope 127 script filter 263 example settings 262 scripts removing from web pages 262, 272 searching logs 280 logs saved to memory 280 secondary IP interface 116 security 
question registration 109 serial number displaying 84 server DHCP 126, 127 service 172 custom ICMP 175 custom IP 175 custom TCP 174 custom UDP 174 group 176 policy option 164 predefined 172 service name 172 user-defined ICMP 175 user-defined IP 175 user-defined TCP 174 user-defined UDP 174 traffic filter display 278 service contracts Forticare 104 service group adding 176 service name session clearing 90 session list 90 session status 88 set time 143 setup wizard 44, 60 starting 44, 60 shutting down 86 signature threshold values 242 SMTP 174 configuring alert email 282 definition 284 FortiWiFi-60 Installation and Configuration Guide 293 Index SNMP configuring 147 contact information 149 definition 284 first trap receiver IP address 149 get community 149 MIBs 150 system location 149 trap community 149 traps 151 source policy option 163 squidGuard 259, 271 SSH 174, 285 SSL 283 service definition 173 standalone mode modem 129, 132 starting IP DHCP 29, 128, 129 PPTP 226, 231 static IP/MAC list 186 static NAT virtual IP 180 adding 180 static route adding 123 status CPU 87 interface 114 intrusions 89 IPSec VPN tunnel 223 memory 87 network 88 sessions 88 viewing dialup connection status 223 viewing VPN tunnel status 223 virus 89 subnet definition 285 subnet address definition 285 support contract number adding 108 changing 108 support password changing 109 syn interval 143 synchronize with NTP server 143 system configuration 143 system date and time setting 143 system location SNMP 149 system name SNMP 149 system options changing 144 system settings backing up 84 restoring 84 restoring to factory default 85 system status 73, 87, 135 system status monitor 90 T TCP configuring checksum verification 238 custom service 174 technical support 21 testing alert email 282 time log search 281 setting 143 time zone 143 timeout firewall authentication 144 idle 144 IPSec VPN 223 web-based manager 144 to IP to port traffic system status 91 system status 91 configuring global settings 
278 filtering 277 logging 277 traffic filter adding entries 279 display 278 log setting 278 port number 278 resolve IP 278 service name 278 traffic log 276 Traffic Priority 165 Traffic Shaping 165 Transparent mode 16 adding routes 124 changing to 61, 85 configuring the default gateway 61 management interface 119 management IP address 61 trap community SNMP 149 traps SNMP 151 troubleshooting 223 trusted host administrator account 146, 147 294 Fortinet Inc. U UDP configuring checksum verification 238 custom service 174 unwanted content blocking 254, 268 update 276 attack 97 push 98 updated antivirus 97 updating attack definitions 93, 95 virus definitions 93, 95 upgrade firmware 74 upgrading firmware 74 firmware using the CLI 75, 77 firmware using the web-based manager 75, 76 URL adding to exempt URL list 263, 272 adding to URL block list 259, 270 blocking access 257, 270 URL block list adding URL 259, 270 clearing 258 downloading 255, 258, 264, 270 uploading 256, 258, 264, 271 URL block message 254 URL blocking 257 exempt URL list 263, 271 web pattern blocking 259 URL exempt list see also exempt URL list 263, 271 use selectors from policy quick mode identifier 211 use wildcard selectors quick mode identifier 211 user authentication 193 user groups configuring 199 deleting 200 user name and password adding 195 adding user name 194 user-defined ICMP services 175 user-defined IP services 175 user-defined signature NIDS 240 user-defined TCP services 174 user-defined UDP services 174 Index V viewing dialup connection status 223 logs saved to memory 280 VPN tunnel status 223 virtual IP 180 adding 180 port forwarding 180, 182 static NAT 180 virus definition updates downloading 110 virus definitions updating 93, 95 virus incidents enabling alert email 282 virus list displaying 251 viewing 251 virus log 276 virus protection overview 247 worm protection 14 virus status 89 VPN configuring L2TP gateway 231 configuring PPTP gateway 225, 231 introduction 16 Tunnel 164 viewing 
dialup connection status 223 VPN events VPN tunnel enabling alert email 282 viewing status 223 W web content filtering introduction 14 web filtering ActiveX 262 cookies 262 Java applets 262 overview 253, 267 web filtering log 276 web page content blocking 254, 268 web pattern blocking 259 web URL blocking 257 web-based manager 18 connecting to 26, 44 introduction 17 language 145 timeout 144 WebTrends recording logs on NetIQ WebTrends server 274 FortiWiFi-60 Installation and Configuration Guide 295 Index Windows 2000 configuring for L2TP 233 configuring for PPTP 229 connecting to L2TP VPN 234 connecting to PPTP VPN 229 Windows 98 Windows XP configuring for PPTP 228 connecting to PPTP VPN 228 configuring for L2TP 235 configuring for PPTP 229 connecting to L2TP VPN 236 connecting to PPTP VPN 230 wireless configuration 120 wizard firewall setup 44, 60 starting 44, 60 WLAN 120 worm list displaying 251 worm protection 251 296 Fortinet Inc.
Line | Effective date | Frequency range (MHz) | Equipment class | Purpose
---|---|---|---|---
1 | 2004-04-30 | 2412 ~ 2462 | DTS - Digital Transmission System | Original Equipment
Applicant Information

- Effective: 2004-04-30
- Applicant's complete, legal business name: Fortinet, Inc
- FCC Registration Number (FRN): 0010690808
- Physical Address: 920 Stewart Drive, Sunnyvale, California 94085, United States

TCB Information

- TCB Application Email Address: t******@timcoengr.com
- TCB Scope: A4: UNII devices & low power transmitters using spread spectrum techniques

FCC ID

- Grantee Code: RZW
- Equipment Product Code: FORTIWIFI-60

Person at the applicant's address to receive grant or for contact

- Name: S**** R********
- Title: Vice President
- Telephone Number: 408-2********
- Fax Number: 408-7********
- Email: s******@fortinet.com

Technical Contact: n/a

Non Technical Contact: n/a

Confidentiality (long or short term)

- Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?: Yes
- Long-Term Confidentiality: Does this application include a request for long-term confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?: No
- If no date is supplied, the release date will be set to 45 calendar days past the date of grant.

Cognitive Radio & Software Defined Radio, Class, etc.

- Is this application for software defined/cognitive radio authorization?: No
- Equipment Class: DTS - Digital Transmission System
- Description of product as it is marketed (this text appears below the equipment class on the grant): Wireless Firewall
- Related OET KnowledgeDataBase Inquiry: Is there a KDB inquiry associated with this application?: No
- Modular Equipment Type: Does not apply
- Purpose / Application is for: Original Equipment
- Composite Equipment: Is the equipment in this application a composite device subject to an additional equipment authorization?: No
- Related Equipment: Is the equipment in this application part of a system that operates with, or is marketed with, another device that requires an equipment authorization?: No
- Grant Comments: Power listed is conducted. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 20 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter. End-users and installers must be provided with antenna installation instructions and transmitter operating conditions for satisfying RF exposure compliance.
- Is there an equipment authorization waiver associated with this application?: No
- If there is an equipment authorization waiver associated with this application, has the associated waiver been approved and all information uploaded?: No

Test Firm Name and Contact Information

- Firm Name: Sporton International, Inc.
- Name: W**** H****
- Telephone Number: 88626********
- Fax Number: 88626********
- Email: k******@sporton.com.tw
Equipment Specifications

Line | Rule Parts | Grant Notes | Lower Frequency (MHz) | Upper Frequency (MHz) | Power Output (W, conducted) | Tolerance | Emission Designator | Microprocessor Number
---|---|---|---|---|---|---|---|---
1 | 15C | CE | 2412.0 | 2462.0 | 0.057 | | |
Some individual PII (Personally Identifiable Information) available on the public forms may be redacted; the original source may include additional details.

This product uses the FCC Data API but is not endorsed or certified by the FCC.