Fortinet FortiGate-1000A Installation and User Manual

INSTALL GUIDE

FortiGate-1000A and FortiGate-1000AFA2

FortiOS 3.0 MR4

https://www.doczj.com/doc/3d2907184.html,

FortiGate-1000A and FortiGate-1000AFA2 Install Guide

FortiOS 3.0 MR4

15 February 2007

01-30004-0284-20070215

© Copyright 2007 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks

Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Regulatory compliance

FCC Class A Part 15 CSA/CUS

Risk of Explosion if Battery is replaced by an Incorrect Type.

Contents

Introduction
About the FortiGate unit
FortiGate-1000A
FortiGate-1000AFA2
Register your FortiGate unit
Fortinet Family Products
FortiGuard Subscription Services
FortiClient
FortiMail
FortiAnalyzer
FortiReporter
FortiBridge
FortiManager
About this document
Document conventions
Typographic conventions
Fortinet documentation
Fortinet documentation CDs
Fortinet Knowledge Center
Comments on Fortinet technical documentation
Customer service and technical support
Installing the FortiGate unit
Package Contents
FortiGate-1000A/FA2
Mounting
Air Flow
Mechanical loading
Powering on the FortiGate unit
Powering off the FortiGate unit
Connecting the FortiGate unit
Web-based manager
Front control buttons and LCD
Command line interface
Connecting to the web-based manager
System Dashboard
Connecting to the CLI
LCD front control buttons
Using the front control buttons and LCD
Factory defaults
Factory default NAT/Route mode network configuration
Factory default Transparent mode network configuration
Factory default firewall configuration
Factory default protection profiles
Restoring the default settings
Restoring the default settings using the web-based manager
Restoring the default settings using the CLI
Configuring the FortiGate
Planning the FortiGate configuration
NAT/Route mode
NAT/Route mode with multiple external network connections
Transparent mode
Preventing the public FortiGate interface from responding to ping requests
NAT/Route mode installation
Preparing to configure the FortiGate unit in NAT/Route mode
DHCP or PPPoE configuration
Using the web-based manager
Configuring basic settings
Adding a default route
Verifying the web-based manager configuration
Verify the connection
Using the front control buttons and LCD
Adding a default gateway using the front control buttons and LCD
Verifying the front control buttons and LCD
Verify the connection
Using the command line interface
Configuring the FortiGate unit to operate in NAT/Route mode
Adding a default route
Verify the connection
Connecting the FortiGate unit to the network(s)
Configuring the networks
Transparent mode installation
Preparing to configure Transparent mode
Using the web-based manager
Using the front control buttons and LCD
Adding a default gateway using the LCD
Verifying the front control buttons and LCD
Verify the connection
Using the command line interface
Reconnecting to the web-based manager
Connecting the FortiGate unit to your network
Verify the connection
Next Steps
Set the date and time
Updating antivirus and IPS signatures
Updating antivirus and IPS signatures from the web-based manager
Updating the IPS signatures from the CLI
Scheduling antivirus and IPS updates
Adding an override server
FortiGate Firmware
Upgrading to a new firmware version
Upgrading the firmware using the web-based manager
Upgrading the firmware using the CLI
Reverting to a previous firmware version
Reverting to a previous firmware version using the web-based manager
Reverting to a previous firmware version using the CLI
Installing firmware images from a system reboot using the CLI
Restoring the previous configuration
The FortiUSB key
Backup and Restore from the FortiUSB key
Using the USB Auto-Install feature
Additional CLI Commands for the FortiUSB key
Testing a new firmware image before installing it
Index

Introduction

Fortinet Family Products

• FortiGuard Web Filtering
• FortiGuard Antispam Service
• FortiGuard Premier Service

An online virus scanner and virus encyclopedia is also available for your reference.

FortiClient

FortiClient™ Host Security software provides a secure computing environment for both desktop and laptop users running the most popular Microsoft Windows operating systems. FortiClient offers many features including:

• creating VPN connections to remote networks
• configuring real-time protection against viruses
• guarding against modification of the Windows registry
• virus scanning

FortiClient also offers a silent installation feature, enabling an administrator to efficiently distribute FortiClient to several users’ computers with preconfigured settings.

FortiMail

FortiMail™ Secure Messaging Platform provides powerful, flexible heuristic scanning and reporting capabilities for incoming and outgoing email traffic. The FortiMail unit has reliable, high-performance features for detecting and blocking malicious attachments, such as Distributed Checksum Clearinghouse (DCC) scanning and Bayesian scanning. Built on Fortinet’s award-winning FortiOS and FortiASIC technology, FortiMail antivirus technology extends full content inspection capabilities to detect the most advanced email threats.

FortiAnalyzer

FortiAnalyzer™ provides network administrators with the information they need to enable the best protection and security for their networks against attacks and vulnerabilities. The FortiAnalyzer unit features include:

• collects logs from FortiGate devices and syslog devices
• creates hundreds of reports using collected log data
• scans and reports vulnerabilities
• stores files quarantined from a FortiGate unit

The FortiAnalyzer unit can also be configured as a network analyzer to capture real-time traffic on areas of your network where firewalls are not employed. You can also use the unit as a storage device where users can access and share files, including the reports and logs that are saved on the FortiAnalyzer hard disk.

FortiReporter

FortiReporter™ Security Analyzer software generates easy-to-understand reports and can collect logs from any FortiGate unit, as well as over 30 network and security devices from third-party vendors. FortiReporter reveals network abuse, manages bandwidth requirements, monitors web usage, and ensures employees are using the office network appropriately. FortiReporter allows IT administrators to identify and respond to attacks, including identifying ways to proactively secure their networks before security threats arise.

FortiBridge

FortiBridge™ products are designed to provide enterprise organizations with continuous network traffic flow in the event of a power outage or a FortiGate system failure. The FortiBridge unit bypasses the FortiGate unit to make sure that the network can continue processing traffic. FortiBridge products are easy to use and deploy, and you can customize the actions a FortiBridge unit takes when a power failure or a FortiGate system failure occurs.

FortiManager

The FortiManager™ system is designed to meet the needs of large enterprises (including managed security service providers) responsible for establishing and maintaining security policies across many dispersed FortiGate installations. With this system, you can configure multiple FortiGate devices and monitor their status. You can also view real-time and historical logs for the FortiGate devices and update the firmware images of managed FortiGate devices. The FortiManager System emphasizes ease of use, including easy integration with third-party systems.

About this document

This document explains how to install and configure your FortiGate unit on your network. It also explains how to install and upgrade firmware versions on your FortiGate unit.

This document contains the following chapters:

• Installing the FortiGate unit – Describes setting up and powering on a FortiGate unit.
• Factory defaults – Provides the factory default settings for the FortiGate unit.
• Configuring the FortiGate – Provides an overview of the operating modes of the FortiGate unit and how to integrate the FortiGate unit into your network.
• FortiGate Firmware – Describes how to install, update, restore and test firmware for the FortiGate device.

Document conventions

The following document conventions are used in this guide:

• In the examples, private IP addresses are used for both private and public IP addresses.
• Notes and Cautions are used to provide important information:

Fortinet documentation

The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at https://www.doczj.com/doc/3d2907184.html. The following FortiGate product documentation is available:

• FortiGate QuickStart Guide
Provides basic information about connecting and installing a FortiGate unit.

• FortiGate Install Guide
Describes how to install a FortiGate unit. Includes a hardware reference, default configuration information, installation procedures, connection procedures, and basic configuration procedures. Choose the guide for your product model number.

• FortiGate Administration Guide
Provides basic information about how to configure a FortiGate unit, including how to define FortiGate protection profiles and firewall policies; how to apply intrusion prevention, antivirus protection, web content filtering, and spam filtering; and how to configure a VPN.

• FortiGate online help
Provides a context-sensitive and searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.

• FortiGate CLI Reference
Describes how to use the FortiGate CLI and contains a reference to all FortiGate CLI commands.

• FortiGate Log Message Reference
Available exclusively from the Fortinet Knowledge Center, the FortiGate Log Message Reference describes the structure of FortiGate log messages and provides information about the log messages that are generated by FortiGate units.

• FortiGate High Availability User Guide
Contains in-depth information about the FortiGate high availability feature and the FortiGate clustering protocol.

• FortiGate IPS User Guide
Describes how to configure the FortiGate Intrusion Prevention System settings and how the FortiGate IPS deals with some common attacks.

• FortiGate IPSec VPN User Guide
Provides step-by-step instructions for configuring IPSec VPNs using the web-based manager.

• FortiGate SSL VPN User Guide
Compares FortiGate IPSec VPN and FortiGate SSL VPN technology, and describes how to configure web-only mode and tunnel-mode SSL VPN access for remote users through the web-based manager.

• FortiGate PPTP VPN User Guide
Explains how to configure a PPTP VPN using the web-based manager.

• FortiGate Certificate Management User Guide
Contains procedures for managing digital certificates including generating certificate requests, installing signed certificates, importing CA root certificates and certificate revocation lists, and backing up and restoring installed certificates and private keys.

• FortiGate VLANs and VDOMs User Guide
Describes how to configure VLANs and VDOMs in both NAT/Route and Transparent mode. Includes detailed examples.

Fortinet documentation CDs

All Fortinet documentation is available from the Fortinet documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For up-to-date versions of Fortinet documentation see the Fortinet Knowledge Center.

Fortinet Knowledge Center

Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at https://www.doczj.com/doc/3d2907184.html.

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@https://www.doczj.com/doc/3d2907184.html,.

Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network.

Please visit the Fortinet Technical Support web site at https://www.doczj.com/doc/3d2907184.html, to learn about the technical support services that Fortinet provides.

Installing the FortiGate unit

This section provides information on installing and setting up the FortiGate unit on your network. This section includes the following topics:

• Package Contents
• Air Flow
• Mechanical loading
• Powering on the FortiGate unit
• Connecting the FortiGate unit

Package Contents

Review the contents of your FortiGate package to ensure all components were included.

FortiGate-1000A/FA2

The FortiGate-1000A/FA2 package contains the following items:

• FortiGate-1000A/FA2 Unified Threat Management System
• one orange crossover Ethernet cable (CC300248)
• one gray straight-through Ethernet cable (CC300249)
• one RJ-45 to DB-9 serial cable (CC300302)
• SFP Transceivers (FortiGate-1000AFA2 only)
• two 19-inch rack mount brackets
• one power cable
• FortiGate-1000A/FA2 QuickStart Guide
• Fortinet Tools and Documentation CD

[Figure: FortiGate-1000A/FA2 package items; labels include Modem Port (FortiGate-1000AFA2 only), x2 SFP Transceivers (FortiGate-1000AFA2 only), USB, User Manual and QuickStart Guide]

The FortiGate-1000A/FA2 unit can be mounted in a standard 19-inch rack. It U of vertical space in the rack. The FortiGate-1000A/FA2 unit can also

Mechanical loading

For rack installation, make sure the mechanical loading of the FortiGate unit is evenly distributed to avoid a hazardous condition.

Powering on the FortiGate unit

The FortiGate unit does not have an on/off switch.

To power on the FortiGate unit

1. Connect the power cables to the power connections on the back of the FortiGate unit.
2. Connect the power cables to power outlets.

Each power cable should be connected to a different power source. If one power source fails, the other may still be operative.

After a few seconds, SYSTEM STARTING appears on the LCD.

The main menu setting appears on the LCD when the system is running.

Menu [ Fortigat -> ]
NAT, Standalone

The FortiGate unit starts and the Power LEDs light up.

Table 2: LED indicators

| LED | State | Description |
|---|---|---|
| Power | Green | The FortiGate unit is powered on. |
| | Off | The FortiGate unit is powered off. |
| 1 to 10 Ports | Green | The correct cable is in use, and the connected equipment has power. |
| | Flashing green | Network activity at this interface. |
| | Off | No link established. |
| Port A1 and Port A2 on the FortiGate-1000AFA2 only | Green | The correct cable is in use, and the connected equipment has power. |
| | Flashing green | Network activity at this interface. |
| | Off | No link established. |

Powering off the FortiGate unit

Always shut down the FortiGate operating system properly before turning off the power switch to avoid potential hardware problems.

To power off the FortiGate unit

1. From the web-based manager, go to System > Status.
2. In the Unit Operation display, select Shutdown, or from the CLI enter:
   execute shutdown
3. Disconnect the power cables from the power supply.

Connecting the FortiGate unit

There are three methods of connecting and configuring the basic FortiGate settings:

• the web-based manager
• the front control buttons and LCD
• the command line interface (CLI)

Web-based manager

You can configure and manage the FortiGate unit using HTTP or a secure HTTPS connection from any computer running Microsoft Internet Explorer 6.0 or a recent browser. The web-based manager supports multiple languages.

You can use the web-based manager to configure most FortiGate settings, and monitor the status of the FortiGate unit.

Front control buttons and LCD

You can use the front control buttons and LCD on the FortiGate unit to configure IP addresses, default gateways and switch operating modes. The LCD shows you what mode you are in without having to go to the command line interface or the web-based manager. For more information on the front control buttons and LCD, see “LCD front control buttons”.

Command line interface

You can access the FortiGate command line interface (CLI) by connecting a management computer serial port to the FortiGate serial console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network that is connected to the FortiGate unit, including the Internet.

Note: If only one power supply is connected, an audible alarm sounds to indicate a failed power supply. Press the red alarm cancel button on the rear panel next to the power supply to stop the alarm.

Connecting to the web-based manager

Configuration changes made with the web-based manager are effective immediately, without resetting the firewall or interrupting service.

To connect to the web-based manager, you require:

• a computer with an Ethernet connection
• Microsoft Internet Explorer version 6.0 or higher or any recent version of the most popular web browser
• a crossover Ethernet cable or an Ethernet hub and two Ethernet cables

To connect to the web-based manager

1. Set the IP address of the computer with an Ethernet connection to the static IP address 192.168.1.2 with a netmask of 255.255.255.0.
2. Using the crossover cable or the Ethernet hub and cables, connect the internal interface of the FortiGate unit to the computer Ethernet connection.
3. Start Internet Explorer and browse to the address https://192.168.1.99 (remember to include the “s” in https://).

To support a secure HTTPS authentication method, the FortiGate unit ships with a self-signed security certificate, which is offered to remote clients whenever they initiate an HTTPS connection to the FortiGate unit. When you connect, the FortiGate unit displays two security warnings in the browser.

The first warning prompts you to accept and optionally install the FortiGate unit’s self-signed security certificate. If you do not accept the certificate, the FortiGate unit refuses the connection. If you accept the certificate, the FortiGate login page appears. The credentials entered are encrypted before they are sent to the FortiGate unit. If you choose to accept the certificate permanently, the warning is not displayed again.

Just before the FortiGate login page is displayed, a second warning informs you that the FortiGate certificate distinguished name differs from the original request. This warning occurs because the FortiGate unit redirects the connection. This is an informational message. Select OK to continue logging in.

Figure 2: FortiGate login

4. Type admin in the Name field and select Login.

Note: Before starting Internet Explorer (or any recent version of the most popular web browser), ping your FortiGate unit to see if the connection between the computer and the FortiGate unit is working properly.

System Dashboard

After logging into the web-based manager, the web browser displays the system dashboard. The dashboard provides you with all system status information in one location. For details on the information displayed on the dashboard, see the FortiGate Administration Guide.

Connecting to the CLI

As an alternative to the web-based manager, you can install and configure the FortiGate unit using the CLI. Configuration changes made with the CLI are effective immediately, without resetting the firewall or interrupting service.

To connect to the FortiGate CLI you require:

• a computer with an available communications port
• the RJ-45 to DB-9 serial cable included in your FortiGate package
• terminal emulation software such as HyperTerminal for Microsoft Windows

Note: The following procedure uses Microsoft Windows HyperTerminal software. You can apply these steps to any terminal emulation program.

To connect to the CLI

1. Connect the RJ-45 to DB-9 serial cable to the communications port of your computer and to the FortiGate console port.
2. Start HyperTerminal, enter a name for the connection, and select OK.
3. Configure HyperTerminal to connect directly to the communications port on your computer and select OK.
4. Select the following port settings and select OK:
   Bits per second: 9600
   Data bits: 8
   Parity: None
   Stop bits: 1
   Flow control: None
5. Press Enter to connect to the FortiGate CLI. The login prompt appears.
6. Type admin and press Enter twice. The following prompt is displayed:
   Welcome!

Type ? to list available commands. For information about how to use the CLI, see the FortiGate CLI Reference.

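Fortigate Firewall Security Configuration Specification

1. Overview

1.1. Purpose
This specification sets out the basic requirements for the security configuration of Fortigate firewalls. It is intended to improve the security of Fortigate firewalls.

1.2. Scope
This standard applies to the overall security configuration of the Fortigate 60 firewalls used by XXXX. The detailed configuration operations for different models can be matched against the relevant content in the product user manual.

2. Basic device settings

2.1. Configure the device name
Establish a naming convention that is uniform across the whole network to ease management.

2.2. Configure the device clock
Using an NTP server to synchronize the clocks of all devices on the network is recommended. If there is no time server, set the clock manually, and make sure the clocks of two devices in an HA pair are consistent.

2.3. Set the admin password
By default the admin password is empty, so a password must be set. The password must be at least 8 characters long and complex.

2.4. Set the LCD password
The LCD on the front panel can be used to set interface IP addresses, the device mode and so on. A password must be set so that only administrators can make changes. The password must be at least 8 characters long and complex.

2.5. User management
User management covers the users who must authenticate to use certain firewall functions (such as firewall policies activated by user authentication, or IPSEC extended authentication). Take care to distinguish these users from firewall administrators. Users can be added directly on the fortigate, or user databases on RADIUS or LDAP servers can be used for user authentication.
Individual users need to be placed into user groups; firewall policies and IPSEC extended authentication are both associated with user groups.

2.6. Device management permission settings
Set the access permissions for each device interface as shown in the following table:

| Interface name | Allowed access methods |
|---|---|
| Port1 | Ping/HTTPS/SSH |
| Port2 | Ping/HTTPS/SSH |
| Port3 | Ping/HTTPS/SSH |
| Port4 | HA heartbeat link, no management access provided |
| Port5 | (reserved) |
| Port6 | (reserved) |

In addition, only trusted hosts on the internal network are allowed to manage Fortinet devices.

2.7. Management session timeout
The idle timeout for management sessions should not be too long; the default of 5 minutes is appropriate.

2.8. SNMP settings
Set the SNMP Community value and the TrapHost IP. Monitor interface status and interface traffic, and the usage of system resources such as CPU and memory.

2.9. System log settings
System logs are the most basic data for understanding how the device is running and what the network traffic looks like, and logging is the foundation of effective device management and maintenance. Before enabling logging, first configure it, including where logs are stored (fortigate memory, a syslog server and so on) and which security modules need logging activated. As shown in the following figure: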

H3C SecPath F100 Series Firewall Configuration Tutorial

Initial configuration
〈H3C〉 system-view

Enable the firewall function
[H3C] firewall packet-filter enable
[H3C] firewall packet-filter default permit

Assign ports to zones
[H3C] firewall zone untrust
[H3C-zone-untrust] add interface GigabitEthernet0/0
[H3C] firewall zone trust
[H3C-zone-trust] add interface GigabitEthernet0/1

Operating mode
firewall mode transparent (transparent mode)
firewall mode route (route mode)

HTTP server
Enable the HTTP server: undo ip http shutdown
Disable the HTTP server: ip http shutdown

Add a web user
[H3C] local-user admin
[H3C-luser-admin] password simple admin
[H3C-luser-admin] service-type telnet
[H3C-luser-admin] level 3

Enable attack defense
firewall defend all (turns on all defenses)

Switch to Chinese mode: language-mode chinese
Set the firewall name: sysname sysname
Configure the firewall system IP address: firewall system-ip system-ip-address [ address-mask ]
Set the standard time: clock datetime time date
Set the time zone: clock timezone time-zone-name { add | minus } time

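fortigate Quick Setup Manual

1. Changing the language setting

1. First change the IP address of the PC network adapter to an address in the 192.168.1.* segment, then enter https://192.168.1.99 in IE to open the setup interface, as shown below:
2. After entering the setup interface, click the location marked with the red box (System > Status > Administrator settings), which opens the page shown below. Select the language at the location marked with the red box.

2. Setting the operating mode

The Fortigate firewall can work in the following modes: Route/NAT mode and Transparent mode.
To change the operating mode, change it at the location marked in the figure below, then set the corresponding IP address, netmask and so on.

3. Setting the network interfaces

Under System, click Network and the page shown below appears. For each interface indicated in the figure, you can define the IP address yourself.
Click the Edit button to open the page shown below:
In the address mode section shown in the figure below, set the IP address on the LAN port as needed, then specify the management access methods under Administrative Access.

On the WAN port, if Route/NAT mode is used, there are two options:

1. Static IP, as shown below:
At the location marked with the red box, select Custom and enter the IP address, gateway and netmask given to you by the ISP.
In the red box under Administrative Access, specify the methods you want to use for remote management.
If you have obtained multiple IP addresses from the ISP, you can enter them as shown in the figure below.
At the location marked with the red box in the figure below, enter the IP address, netmask and administrative access methods, then click ADD.

Note: When a static IP address is used, a static route must be added, otherwise Internet access will not work. As shown below:

2. ADSL dial-up, as shown below:
When you select PPPoE, the page shown below appears:
In the address mode section marked with the red box, enter the ADSL user name and password, and tick both "Retrieve default gateway from server" and "Override internal DNS".
Under Administrative Access, select the management methods you need. For the MTU value, the default is generally fine.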

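Fortinet Firewall UTM Configuration

How to enable the AV, IPS, Webfilter and AntiSpam services on the firewall

Version: 1.0
Date: April 2013
Supported versions: N/A
Status: Reviewed
Feedback: support_cn@https://www.doczj.com/doc/3d2907184.html,

1. Open the firewall management page in a web browser and go to System > Maintenance > FortiGuard, as shown below. Enable scheduled updates under "AntiVirus and IPS Options", and tick the checkboxes in front of Enable Web Filter and Enable AntiSpam under "Web Filtering and AntiSpam Options". This enables the AV, IPS, Webfilter and AntiSpam services on the firewall.

2. When enabling the AntiVirus and IPS options, you can also click the "Update Now" button to make the firewall update its antivirus and intrusion detection databases to the latest version immediately. After that, the firewall updates antivirus, intrusion detection, web filtering and spam classification automatically according to the "scheduled update" configuration. If "Allow push update" is also selected, the FortiGuard server pushes the latest update package to firewalls configured with this option whenever a new update package is available, as shown below:

3. To check whether the update to the latest version succeeded, open the System > Status page and look at the License Information section, or view the license information under System > Maintenance > FortiGuard. Note that the license information is updated within 4 hours after a trial is enabled or contract registration is completed; only then can you verify that the antivirus and intrusion detection databases are the latest:

4. Go to Firewall > Protection Profile, click Create New or open an existing protection profile, and enable virus and attack detection as shown in the figure below:

5. Also in the protection profile, as shown in the figure above, you can enable the "FortiGuard Web Filtering" and "Spam Filtering" functions, as shown in the two figures below:

6. In the last part of the protection profile, you can have the relevant logs, such as attack logs, recorded and sent to the log server: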

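Founder Software Protection Card

Company name: Founder Technology Group Co., Ltd.
Website: https://www.doczj.com/doc/3d2907184.html,
Service hotline: 4006-000-666

If this manual and the software differ, the software prevails. This manual is revised continually and may change without notice. The company accepts no legal liability for errors that may appear in this document or for any loss caused by using this document.

Product introduction

The Founder Software Protection Card is the latest LAN computer maintenance system released by Founder Technology Group Co., Ltd. It combines three major functions: data protection, disk partition management and LAN computer deployment. It also moves the operating interface of all functions onto the Windows operating system, which greatly improves the usability and extensibility of the product and makes it more convenient for customers.

Compared with traditional protection cards, the Founder Software Protection Card has the following innovations:

1. Windows operating mode and a modular product
It breaks through the limitation of the low-level real-mode (DOS interface) operation of traditional protection cards and divides the main functions into three modules: "EzBACK" for data protection, "EzClone" for network deployment, and "Partition" for disk partitioning. It is combined with the Windows operating system, which improves the stability, operability and appearance of the product. It supports installing up to 8 operating systems. It solves the problem of using DOS driver packages during network transfer and the problem of device compatibility during network transfer, and greatly improves the efficiency of computer room maintenance compared with DOS protection cards.

2. Instant restore with independent multi-point recovery
The Founder Software Protection Card uses data isolation technology and goes beyond the single-point or two-point protection limit of traditional protection cards. Multiple restore points can be created automatically or manually (up to 256 restore points). The EzBACK module supports creating progress points (restore points) from within Windows, instead of the former approach of creating restore points under DOS, and Windows does not need to be restarted afterwards. With multiple points, different restore points can be created for different user needs, allowing quick switching between several software environments on one operating system platform.

3. Network deployment with a multi-point batch deployment mode
The "network deployment" function of the Founder Software Protection Card upgrades the single-point "incremental copy" function of traditional protection cards into multi-point batch deployment with incremental transfer.
The "network deployment" module is implemented in Windows and uses the Windows network adapter driver for network transfer, which solves the instability of transfers that use DOS packet drivers. It also overcomes the bottleneck that "a system cannot be copied from within that system" and makes it possible to "copy Windows from within Windows".

4. Disk partitioning that can be re-planned under Windows
The Founder Software Protection Card breaks through the limitation of low-level real-mode (DOS interface) "disk partitioning" in traditional protection cards. The Partition module "merges" and "re-partitions" the space of the "data disk" from within Windows. After partitioning is complete, partitioning again does not destroy the partitions of the whole hard disk, which improves the flexibility of management and use.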

FortiGate firewall: the show command displays configuration

On a Fortinet FortiGate firewall, the show command displays the relevant configuration, while the get command displays real-time status.

show full-configuration
Displays the complete current configuration.

show system global
Shows the host name and management ports. The output looks like this:

config system global
    set admin-sport 10443
    set admintimeout 480
    set hostname "VPN-FT3016-02"
    set language simch
    set optimize antivirus
    set sslvpn-sport 443
    set timezone 55
end

show system interface
Shows the interface configuration. The output looks like this:

    edit "internal"
        set vdom "root"
        set ip 88.140.194.4 255.255.255.240
        set allowaccess ping https ssh snmp http telnet
        set dns-query recursive
        set type physical
    next

get system inter physical
Shows the status of the physical interfaces. Without the physical parameter, the status of logical VPN interfaces can be displayed as well.

==[port1] mode: static ip: 218.94.115.50 255.255.255.248 status: up speed: 100Mbps Duplex: Full
==[port2] mode: static ip: 88.2.192.52 255.255.255.240 status: up speed: 1000Mbps Duplex: Full

show router static
Shows the default route configuration. The output looks like this:

config router static
    edit 1
        set device "wan1"
        set gateway 27.151.120.X
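One way to check `show system global` and `show system interface` output like the above against the management baseline from the configuration specification earlier on this page (Ping/HTTPS/SSH only per interface, 5-minute idle timeout). This is an added example, not code from any of the documents quoted here; the sample configuration is constructed, and the names `parse_config` and `audit` are hypothetical.

```python
"""Audit FortiGate `show` output against a management-plane baseline."""
import shlex

# Baseline taken from the configuration specification quoted on this page:
# management access limited to ping/https/ssh, admin idle timeout of 5 minutes.
ALLOWED_ACCESS = {"ping", "https", "ssh"}
CLEARTEXT_ADMIN = {"http", "telnet"}   # management protocols without encryption
MAX_ADMIN_TIMEOUT_MIN = 5

# Constructed sample in the format of `show system global` and
# `show system interface`; names and addresses are made up.
SAMPLE_CONFIG = """
config system global
    set admin-sport 10443
    set admintimeout 480
    set hostname "fw-example-01"
end
config system interface
    edit "internal"
        set vdom "root"
        set ip 192.0.2.4 255.255.255.240
        set allowaccess ping https ssh snmp http telnet
        set type physical
    next
    edit "port4"
        set vdom "root"
        set type physical
    next
    edit "wan1"
        set ip 198.51.100.50 255.255.255.248
        set allowaccess ping https
    next
end
"""


def parse_config(text):
    """Return {section: {entry: {key: [values]}}} for top-level config blocks.

    Settings that sit directly under `config` (no `edit`) use entry None.
    Nested `config ... end` blocks inside an entry are skipped, not parsed.
    """
    tree, section, entry, skip = {}, None, None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)      # honours "quoted values"
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        verb, args = tokens[0], tokens[1:]
        if skip:                            # inside a nested block
            skip += (verb == "config") - (verb == "end")
            continue
        if verb == "config":
            if section is not None:
                skip = 1
            else:
                section, entry = " ".join(args), None
                tree.setdefault(section, {})
        elif section is None:
            continue                        # stray line outside any block
        elif verb == "edit" and args:
            entry = args[0]
            tree[section].setdefault(entry, {})
        elif verb == "set" and args:
            tree[section].setdefault(entry, {})[args[0]] = args[1:]
        elif verb == "next":
            entry = None
        elif verb == "end":
            section = entry = None
    return tree


def audit(tree):
    """Return findings as (scope, setting, severity, detail) tuples."""
    findings = []
    timeout = tree.get("system global", {}).get(None, {}).get("admintimeout")
    if timeout and timeout[0].isdigit() and int(timeout[0]) > MAX_ADMIN_TIMEOUT_MIN:
        findings.append(("system global", "admintimeout", "medium",
                         f"{timeout[0]} min idle timeout, baseline is "
                         f"{MAX_ADMIN_TIMEOUT_MIN}"))
    for name, settings in tree.get("system interface", {}).items():
        if name is None:
            continue
        extra = sorted(set(settings.get("allowaccess", [])) - ALLOWED_ACCESS)
        if extra:
            severity = "high" if CLEARTEXT_ADMIN & set(extra) else "medium"
            findings.append((name, "allowaccess", severity,
                             "outside baseline: " + " ".join(extra)))
    return findings


if __name__ == "__main__":
    for scope, setting, severity, detail in audit(parse_config(SAMPLE_CONFIG)):
        print(f"[{severity}] {scope}: {setting}: {detail}")
```

Settings inside nested blocks are skipped by this parser, so anything configured there is not assessed.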

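Founder Firewall Configuration Notes

For the current environment we can consider two ways of setting up the firewall:

1. Transparent bridge mode

In this mode the IP addresses of the three network interfaces are set in the same subnet. For example, NET1 is set to 10.10.200.101 (connected to the PCs), NET2 to 10.10.200.102 (connected to the server segment) and NET3 to 10.10.200.103 (uplink to the Ethernet port of the router). Then specify the valid network range of each interface (first define the IP ranges as objects, then bind the corresponding valid network to each interface). Because this is transparent bridge mode, the gateway of every machine points to 10.10.200.1 (the Ethernet port of the router).

2. Mixed mode

In this mode the firewall bridges NET1 and NET3 transparently and uses NAT mode (address mapping) between NET2 and NET3. It does not matter whether the network addresses of NET1 and NET3 stay unchanged or NET1 and NET3 have the same address (both 10.10.200.101 or both 10.10.200.103). The network address of NET2 is 192.168.0.1. An important point in this mode is that the valid network of each interface must be bound correctly, and the valid network of NET3 must include the valid network of NET1; that is, the valid network of NET3 only needs the valid network of NET2 carved out of it. For example, if the valid network of NET1 is 10.10.200.1-10.10.200.254 and the valid network of NET2 is 192.168.0.1-192.168.0.254, then the valid network of NET3 is 0.0.0.1-192.167.255.255 and 192.168.1.0-255.255.255.255. This is mainly because NET1 and NET3 are bridged transparently, so the valid network of NET3 only needs the valid network of NET2 removed, and the gateway in the 192.168.0.0 segment should be 192.168.0.1.

Once this step is done, NAT must be configured on the firewall. We now need to make sure the 192.168.0.0 segment can reach the Internet, which only requires mapping this segment to NET1 or NET3 or to any IP address in the 10.10.200.0 segment except 10.10.200.1. Assuming the corresponding objects have already been defined, the NAT rules should be:

| Direction | Source (before) | Destination (before) | Service (before) | Source (after) | Destination (after) | Service (after) |
|---|---|---|---|---|---|---|
| OUTGOING | 192.168.0.0/24 | external range | ANY | 10.10.200.101 | external range | ANY |
| OUTGOING | 192.168.0.0/24 | external range | ANY | 10.10.200.103 | external range | ANY |
| OUTGOING | 192.168.0.0/24 | external range | ANY | see Note 1 | external range | ANY |

Note 1: The source address here can also be an unused IP address in the 10.10.200.0/24 segment, for example 10.10.200.99.

The external range is the valid network bound to NET3.

The rules above make sure the 192.168.0.0 segment can reach the Internet. If the 10.10.200.0 segment must be able to reach a computer in the 192.168.0.0 segment (192.168.0.2), we also need an INCOMING NAT rule that maps 192.168.0.2 to 10.10.200.101 or 10.10.200.103. Because the connection is initiated from outside towards the internal network, the direction is INCOMING.

| Direction | Source (before) | Destination (before) | Service (before) | Source (after) | Destination (after) | Service (after) |
|---|---|---|---|---|---|---|
| INCOMING | 10.10.200/24 | 10.10.200.101 | ANY | 10.10.200/24 | 192.168.0.2 | ANY |
| INCOMING | 10.10.200/24 | 10.10.200.103 | ANY | 10.10.200/24 | 192.168.0.2 | ANY |

Either of the above works.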

Fortinet Configuration, Installation and User Manual

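Fortinet Configuration, Installation and User Manual

FortiGuard product family
Fortinet's product family covers a complete network security solution, including e-mail, logging, reporting, network management, security management and the FortiGate unified threat management system, available as both software and hardware appliances.
For more Fortinet product information, see https://www.doczj.com/doc/3d2907184.html,/products.

FortiGuard subscription services
FortiGuard subscription services are security services created, updated and managed by Fortinet's global team of security experts. Fortinet's security experts ensure that the latest attacks are detected and blocked before they damage your resources or infect end-user devices. FortiGuard services are built on the latest security technology and designed with the lowest possible operating cost in mind.
FortiGuard subscription services include:
1. FortiGuard antivirus service
2. FortiGuard intrusion prevention (IPS) service
3. FortiGuard web filtering service
4. FortiGuard spam filtering service
5. FortiGuard premier partner service
An online virus scanning and virus information lookup service is also available.

FortiClient
FortiClient host security software provides a secure network environment for desktop and laptop users running Microsoft operating systems. FortiClient features include:
1. Creating VPN connections to remote networks
2. Real-time virus protection
3. Protection against modification of the Windows registry
4. Virus scanning
FortiClient also offers an unattended installation mode, so that administrators can efficiently distribute a pre-configured FortiClient to several users' computers.

FortiMail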

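The FortiMail secure messaging platform provides powerful and flexible heuristic scanning and reporting for e-mail traffic. FortiMail units deliver reliable high performance in detecting and blocking malicious attachments, for example through DCC (Distributed Checksum Clearinghouse) and Bayesian scanning. Backed by Fortinet's FortiOS and FortiASIC technology, FortiMail antivirus technology extends to full content inspection and can detect the latest e-mail threats.

FortiAnalyzer
FortiAnalyzer(TM) gives network administrators information about network protection and security, helping to keep the network safe from attacks and vulnerabilities. FortiAnalyzer has the following features:
1. Collects and stores logs from FortiGate and syslog devices.
2. Creates logs for collecting log data.
3. Scans for and reports vulnerabilities.
4. Stores files quarantined by FortiGate devices.
FortiAnalyzer can also be configured as a network analyzer to capture real-time network traffic in network areas where a firewall is in use. You can also use FortiAnalyzer as a storage device: users can access and share the reports and logs stored on the FortiAnalyzer hard disk.

FortiReporter
FortiReporter security analysis software generates clear, concise reports and can collect logs from any FortiGate device. FortiReporter can expose network abuse, manage bandwidth, monitor network usage and ensure that employees make proper use of the company network. FortiReporter also lets IT administrators identify and respond to attacks, including proactively determining ways to secure the network before security threats occur.

FortiBridge
FortiBridge products are designed to provide enterprise users with continued network traffic flow during a power outage or a FortiGate system failure. FortiBridge bypasses the FortiGate device so that the network can continue to process traffic. FortiBridge products are simple to use and easy to deploy; you can set the actions the FortiBridge device should take when a power or FortiGate system failure occurs.

FortiManager
The FortiManager system is designed to meet the needs of large enterprises (including managed security service providers) that are responsible for establishing and maintaining security policies across many dispersed FortiGate installations. With this system you can configure multiple FortiGate devices and monitor their status. You can also view real-time and historical logs of FortiGate devices, and manage firmware images for FortiGate updates. The FortiManager system emphasises ease of operation, including easy integration with third-party systems.

About FortiGate devices
The FortiGate-60 series and FortiGate-100A devices are FortiGate system units for small businesses (including remote workers) that combine network-based antivirus, content filtering, firewall, VPN and network-based intrusion detection and prevention. The FortiGate-60 series and FortiGate-100A devices support high availability (HA).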

Fortinet Firewall Device Maintenance Manual

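Contents
Chapter 1 Fortinet configuration steps
Chapter 2 Fortinet firewall routine operation and maintenance commands
2.1 Firewall configuration
2.2 Routine firewall checks
2.2.1 Firewall session table (System > Status > Session)
2.2.2 Checking the firewall's CPU, memory and network utilisation
2.2.3 Other checks
2.3 Exception handling
2.4 Usage tips
Chapter 3 FortiGate firewall configuration maintenance and upgrade steps
3.1 FortiGate firewall configuration maintenance
3.2 FortiGate firewall version upgrade

Chapter 1 Fortinet configuration steps

1.1.1.1 FortiGate firewall basic configuration
The FortiGate firewall can be configured through the command line or the web interface. This manual mainly covers the latter. First set the basic management IP address. The default management addresses are 192.168.1.99 on port P1 and 192.168.100.99 on port P2. However, because P1 and P2 are both fibre interfaces, the initial configuration has to be done through the console port and the command line. For convenience, it is recommended to configure a management address on port P5: P5 is a copper Ethernet port, so a laptop can connect to it directly with a crossover cable. After that, log in to the firewall's Internal interface over HTTPS to reach the configuration interface.

1. "System" menu
1.1 "Status" submenu
1.1.1 "Status" page
The "Status" menu shows important current system information for the firewall device, including the system uptime, version number, OS product serial number, port IP addresses and status, and system resource usage. If CPU or memory utilisation stays above 80%, this often means that abnormal network traffic (a virus or a network attack) is present.

1.1.2 "Session" page
FortiGate is a "stateful inspection" firewall; the system keeps track of all current network sessions. This page helps network administrators understand current network usage. Filtering on source/destination IP and source/destination port gives more specific session information. For example, the figure below shows the sessions filtered by source IP 10.3.1.1.
Displaying sessions through the filter often helps to uncover abnormal network traffic.

1.2 "Network" submenu
1.2.1 Network interfaces
As shown in the figure above, "Interface" lists all physical interfaces and VLAN interfaces (if any) of the firewall device, with their IP addresses, access options and interface status. "Access options" indicates which methods can be used to reach the firewall through this interface. For example, "PORT1" can be accessed over HTTPS and TELNET, and the port can be pinged. Click the "Edit" icon at the far right to change the port configuration.
As shown in the figure above, there are three address modes: a. to use a static IP address, select "Custom"; b. if a DHCP server assigns the IP, select "DHCP"; c. if the interface connects to an xDSL device, select "PPPoE". Under "Administrative Access", select the management methods you want. Finally, click OK to apply the configuration.
A "zone" groups several interfaces together; a firewall policy configured for a zone takes effect on all interfaces that belong to the zone. Zones are not used in this project.

1.2.2 DNS
As shown in the figure above, this is where the DNS servers used by the firewall itself are configured. They have nothing to do with the DNS servers specified on the PCs and servers in the internal network.

1.3 DHCP
As shown in the figure above, all firewall ports are listed. A port can 1) provide no DHCP service; 2) act as a DHCP server; 3) provide DHCP relay service. In this example, the External port, for all IPSEC VPN dial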

Fortinet Firewall OSPF Configuration

FortiGate OSPF Settings

Contents
1. Purpose
2. Environment
3. Introduction to OSPF
3.1 DR and BDR election
3.2 OSPF neighbour establishment process
3.3 LSA types
3.4 OSPF areas
4. FortiGate OSPF configuration
4.1 GateA configuration
4.2 GateB configuration
4.3 GateC configuration
4.4 Routing tables of each Gate after configuration
4.5 Checking OSPF status with commands
5. OSPF route redistribution
6. Total stub and Total NSSA
7. OSPF troubleshooting
8. References

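1. Purpose
This document describes the OSPF dynamic routing protocol on FortiGate. OSPF is a typical link-state routing protocol and is generally used within a single routing domain. Here a routing domain means an autonomous system (AS): a group of networks that exchange routing information with each other under a common routing policy or routing protocol. Within the AS, all OSPF routers maintain an identical database describing the structure of the AS. The database holds the state of the links in the routing domain, and it is from this database that an OSPF router computes its OSPF routing table. As a link-state routing protocol, OSPF sends link-state advertisements (LSAs) to all routers within an area.

2. Environment
This document uses four FortiGate units. The system version used is FortiOS v4.0MR2 Patch8.

Router    Router ID    Role    Interface    IP    Area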

Fortinet Wireless Configuration 1

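FortiAP introduction
FortiAP wireless access points are controller-managed devices that provide an enterprise-class wireless extension of FortiGate's integrated security functions. The wireless controller integrates the traffic passing through each FortiAP into the FortiGate platform, providing a single console for managing wired and wireless network traffic.
FortiAP wireless access points provide greater network visibility and policy enforcement while simplifying the overall network environment. They use the latest 802.11n-based wireless chip technology to deliver high-performance wireless access with integrated wireless monitoring and support for multiple virtual APs on each radio. Connected to the controller of a FortiGate device, FortiAP provides a wireless deployment with strong, complete content protection. The FortiGate controller centrally manages radio operation, channel assignment and transmit power, which further simplifies deployment and management.

FortiAP appearance and connections
Here we use the FortiAP 210B as an example. The FortiAP 210B is a business-grade 802.11n solution for sustained use, providing a total throughput of up to 300 Mbps for sites with demanding requirements. The FortiAP 210B uses single-radio, dual-band (2.4 GHz and 5 GHz) 2x2 MIMO technology. It is an enterprise-class access point that offers not only fast client access but also intelligent application detection and traffic shaping. It has two internal antennas and supports the IEEE 802.11a, b, g and n wireless standards.
This is the front of the FortiAP 210B.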

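Connecting the FortiAP 210B is simple: plug one end of a network cable into the device's ETH port and the other end into a switch or a Fortinet firewall. The device comes with its own 12 V, 1.5 A power supply. If the firewall or switch has PoE ports (supplying 48 V), power can also be delivered directly over the network cable with no separate power supply, which makes cabling and installation much easier.

FortiAP access
Like an ordinary switch or router, FortiAP can be accessed through a browser. The default address of the ETH port is 192.168.1.2, the user name is admin and the password is empty. Set the laptop's IP to 192.168.1.8 in the same segment, open the Firefox browser and go to http://192.168.1.2.
Enter the user name admin, leave the password blank and click Login.
The basic information of the FortiAP 210B is displayed. Here you can upgrade the firmware and change the administrator password (for security, changing it immediately is recommended). When there are several APs, changing the default IP address 192.168.1.2 is recommended so that the APs do not conflict and each one remains reachable.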

Common FortiGate Firewall Configuration Commands (editable Word version)

Common FortiGate configuration commands

I. Command structure
config     Configure object. Configures policies, objects and so on.
get        Get dynamic and system information. Shows the parameters of the relevant objects.
show       Show configuration. Shows the configuration file.
diagnose   Diagnose facility. Diagnostic commands.
execute    Execute static commands. Common utility commands, such as ping.
exit       Exit the CLI. Exits.

II. Common commands

1. Configure an interface address:
FortiGate # config system interface
FortiGate (interface) # edit lan
FortiGate (lan) # set ip 192.168.100.99/24
FortiGate (lan) # end

2. Configure a static route
FortiGate # config router static
FortiGate (static) # edit 1
FortiGate (1) # set device wan1
FortiGate (1) # set dst 10.0.0.0 255.0.0.0
FortiGate (1) # set gateway 192.168.57.1
FortiGate (1) # end

3. Configure the default route
FortiGate (1) # set gateway 192.168.57.1
FortiGate (1) # set device wan1
FortiGate (1) # end

4. Add an address
FortiGate # config firewall address
FortiGate (address) # edit clientnet
new entry 'clientnet' added
FortiGate (clientnet) # set subnet 192.168.1.0 255.255.255.0
FortiGate (clientnet) # end

5. Add an IP pool
FortiGate # config firewall ippool
FortiGate (ippool) # edit nat-pool
new entry 'nat-pool' added
FortiGate (nat-pool) # set startip 100.100.100.1
FortiGate (nat-pool) # set endip 100.100.100.100
FortiGate (nat-pool) # end

Fortinet FortiGate-1000A Installation and User Manual

INSTALL GUIDE FortiGate-1000A and FortiGate-1000AFA2 FortiOS 3.0 MR4 https://www.doczj.com/doc/3d2907184.html,

FortiGate-1000A and FortiGate-1000AFA2 Install Guide FortiOS 3.0 MR4 15 February 2007 01-30004-0284-20070215

© Copyright 2007 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Regulatory compliance
FCC Class A Part 15 CSA/CUS
Risk of Explosion if Battery is replaced by an Incorrect Type.

Fortinet Firewall Dual-Unit (HA) Procedure - 300D

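HA configuration steps

Step 1: configure HA on device 1
Go to the menu "System -- Config -- High Availability". Select "Active-Passive" mode and set the priority to 200 (the primary unit higher than the secondary); group name: SYQ-300D / password: 123456; tick "Enable session pick-up".
Modes: standalone, active-passive, active-active. When changing from standalone mode to HA mode, make sure the "IP addressing mode" of every interface is "Custom"; no interface may have PPPoE or DHCP enabled.
If A-P or A-A mode cannot be configured from the command line, the CLI reports:
"The system may run in HA A-A or HA A-P mode only when all interfaces are NOT using DHCP/PPPoE as an addressing mode."

Step 2: configure HA on device 2
Go to the menu "System -- Config -- High Availability". Select "Active-Passive" mode and set the priority to 100; group name: SYQ-300D / password: 123456; tick "Enable session pick-up".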

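Step 3: form the HA cluster
a) Connect the heartbeat cables: port2 and port4 of the primary FGT to port2 and port4 of the secondary FGT.
b) The firewalls start negotiating to form the HA cluster. The connection to the firewall is lost temporarily at this point, because the HA negotiation changes the MAC addresses of the firewall interfaces. Refreshing the PC's ARP table restores the connection; the command is arp -d.
c) Connect the service-port links.
d) Once HA is formed, the two firewalls synchronise their configuration and hold identical configurations. Service configuration such as IP addresses and policies is done by accessing the primary firewall, and the updated configuration is synchronised automatically.

Step 4: view the HA cluster
Go to the menu "System -- Config -- High Availability" to see how the HA cluster has formed.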

Fortinet Firewall Routine Maintenance and Operation

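Luxgen Auto Lifestyle Center: IT Supervisor Daily Operations Guide

Contents
I. Device maintenance
II. Network device password reset steps
III. FortiGate rate-limit settings
IV. FortiGate SSL VPN settings and use
V. Service requirements
VI. Installation and commissioning procedure
VII. Spare-unit service procedure
VIII. Installation and testing
IX. Notes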

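I. Device maintenance

1. Log in to the firewall
To log in from the internal network, open https://172.31.X.254 or https://192.168.X.254 in a browser (note: the X in the login address stands for the X value of the current center). To log in from the external network, enter the public IP address of the current center's WAN1 port (for example https://117.40.91.123). Enter the user name and password on the login page to manage and configure the firewall.

2. Log in to the switches
To log in to a switch from the internal network, enter the switch's management address in a browser.
http://172.31.X.253\252\251\250
(Note: again, the X in the login address stands for the X value of the current center.)

3. Log in to the wireless APs
To log in to a wireless AP from the internal network, enter the AP's management address in a browser.
Staff area: http://172.31.X.241
Customer area: http://192.168.X.241
(Note: again, the X in the login address stands for the X value of the current center.)

II. Network device password reset steps

2.1 Resetting the password on the FortiGate-80C firewall
1. Connect the serial port and configure it;
2. Power on the device;
3. Within 30 seconds after boot completes, log in to the system over the serial port with the user name maintainer;
4. Password: bcpb + serial number (case-sensitive). Note: some serial numbers contain a "-" character, which must be typed. For example, if the serial number is FGT-100XXXXXXX, the password is bcpbFGT-100XXXXXXX; otherwise login fails.
5. At the command line, run the following commands to reset the "admin" password: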

FortiGate Firewall: show Commands Display the Related Configuration (Condensed Edition)


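On a Fortinet FortiGate, show displays the related configuration, while get displays real-time status.

show full-configuration displays the complete current configuration.

show system global shows the host name and management ports. The output looks like this:

    config system global
        set admin-sport 10443
        set admintimeout 480
        set hostname "VPN-FT3016-02"
        set language simch
        set optimize antivirus
        set sslvpn-sport 443
        set timezone 55
    end

show system interface shows the interface configuration. The output looks like this:

    edit "internal"
        set vdom "root"
        set ip
        set allowaccess ping https ssh snmp http telnet
        set dns-query recursive
        set type physical
    next

get system inter physical shows the status of the physical interfaces; if the physical parameter is omitted, the status of the logical VPN interfaces can be displayed.

    ==[port1]
    mode: static
    ip:
    status: up
    speed: 100Mbps Duplex: Full
    ==[port2]
    mode: static
    ip:
    status: up
    speed: 1000Mbps Duplex: Full

show router static shows the default route configuration. The output looks like this:

    config router static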

1. Fortinet FortiGate Product Installation and Quick Configuration

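FortiGate product installation and quick configuration

Fortinet is a global leader in the network security industry, and FortiGate is the company's flagship product. FortiGate has powerful networking and security features and serves tens of thousands of customers worldwide. Its model range is also the broadest in the industry, from products rated at a few tens of megabits to products rated at several hundred gigabits, meeting the needs of users of different sizes. For large enterprises and carriers, with capable IT staff and plenty of resources, configuring the device is naturally no problem. For smaller businesses, however, the IT staff's operations capability may not be as strong.

Traditional enterprise-grade devices are generally thought of as troublesome to configure and install, and far less friendly than home routers. Many users therefore hope that the enterprise-grade products they buy can be configured as simply as home devices. FortiGate is such a product. We use a FortiGate-90D-POE to demonstrate the installation and configuration of FortiGate products. Later we will also cover how to use the device's features.

Figure 1: FortiGate-90D-POE packaging
Figure 2: FortiGate-90D-POE and accessories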

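As shown in the figure above, the FortiGate-90D-POE comes with a power supply, a CD, a manual, an RJ45 network cable and a USB management cable. A PC can use the USB management cable and the FortiExplorer software to configure the device quickly, as explained later.

Figure 3: FortiGate-90D-POE front and rear panels

As shown in Figure 3, the port on the left of the front panel is the console port used for debugging. The four LEDs in the middle are power, status and other indicators. The two rows of LEDs on the right show the status of the WAN and switch ports, and the four red LEDs A, B, C and D mark the four PoE ports. On the rear panel, the power connector is on the left; the screw is for attaching a ground wire, to protect the user from electric shock in case of current leakage. The port below the screw is a small USB 2.0 port used to connect a mobile phone to the device for configuration. Further to the right, the next two are USB management ports. Of the 16 ports on the rear panel, the two rightmost are WAN ports and the other 14 are switch ports; ports A, B, C and D, marked in red, are the PoE ports.

FortiGate management methods

Figure 4: port diagram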

Fortinet Firewall HA Configuration

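FortiGate HA feature description

1.1 Active-passive mode
The active-passive (A-P) mode of FortiGate firewall HA provides a hot-standby cluster mechanism that protects the availability of network connections. In the HA cluster only one active device processes all network traffic; the other unit or units are in standby state. A standby FortiGate processes no network traffic; it only monitors in real time whether the active FortiGate is still working normally.
The main tasks of the standby unit are:
- Synchronise configuration with the active FortiGate in real time;
- Monitor the state of the active FortiGate;
- If session pick-up is enabled, the standby device synchronises the sessions on the active device in real time, so that it can take over from the active device transparently when the active device fails. Sessions already established on the active device do not need to be re-established. Session pick-up currently supports all TCP/UDP/ICMP/multicast/broadcast flows for which no firewall protection profile is enabled;
- If session pick-up is not enabled, the standby device does not synchronise the sessions on the active device in real time, and all sessions already established on the active device must be re-established when an HA failover occurs.

1.2 Active-active mode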

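With firewalls deployed in A-P mode, although several units are on the network, only one device is actually working. All the other devices monitor in real time, and one of them takes over only when the active unit fails. The problem this brings is that device resources are underused. FortiGate firewall HA therefore also provides an active-active (A-A) mode, in which all devices in the HA cluster work at the same time, achieving load balancing and hot standby together. In an A-A cluster, with the default configuration the primary device does not load-balance traffic that has no protection profile enabled to the non-primary units; it load-balances only the network connections for which a firewall protection profile is enabled. It first receives all the traffic and then, according to the load-balancing configuration, dynamically distributes the relevant connections to the other non-primary units for processing. The reason is that connections with a firewall protection profile enabled are usually the main source of CPU and memory consumption, so this greatly increases the higher-layer security processing capacity of the A-A cluster.

An A-A cluster can in fact also be made to load-balance all TCP network traffic; to do so, enable the HA load-balance-all feature from the command line.

A FortiGate firewall HA A-A cluster does not support load balancing of UDP/ICMP/multicast/broadcast traffic, nor load balancing of VoIP, IM, IPSec VPN, HTTPS and SSL VPN. All of the traffic above is processed only by the primary unit of the A-A cluster.

Session pick-up in a FortiGate firewall HA A-A cluster supports TCP traffic for which no firewall protection profile is enabled. It does not provide session pick-up for traffic based on firewall protection profiles, and it does not support session pick-up for UDP/ICMP/multicast/broadcast traffic.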
