The FortiGate Cookbook 5.0.6 (Expanded Version)
Essential Recipes for Success with your FortiGate
March 5, 2014

Copyright© 2013 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Fortinet Knowledge Base - http://kb.fortinet.com
Technical Documentation - http://docs.fortinet.com
Video Tutorials - http://video.fortinet.com
Training Services - http://campus.training.fortinet.com
Technical Support - https://support.fortinet.com

Please report errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.

Contents

Change log .... 1
Introduction .... 2
Tips for using the FortiGate Cookbook .... 3

Installing & Setup .... 5
Connecting a private network to the Internet using NAT/Route mode .... 7
Extra help: NAT/Route mode .... 11
Quickly connecting a network to the Internet using DHCP .... 14
Extra help: Private networks with DHCP .... 16
Adding a FortiGate unit without changing the network configuration .... 18
Extra help: Transparent mode .... 22
Using VDOMs to host two FortiOS instances on a single FortiGate unit .... 26
Verifying and updating the FortiGate unit's firmware .... 33
Setting up FortiGuard services .... 36
Extra help: FortiGuard .... 38
Logging network traffic to gather information .... 39
Extra help: Logging .... 43
Using FortiCloud to record log messages .... 44
Setting up a limited access administrator account .... 48
Using SNMP to monitor the FortiGate unit .... 52
Setting up an explicit proxy for users on a private network .... 58
Adding packet capture to help troubleshooting .... 62
Protecting a web server on the DMZ network .... 65
Using port pairing to simplify transparent mode .... 69
Using two ISPs for redundant Internet connections .... 74
Adding a backup FortiGate unit to improve reliability .... 79
Associating a domain name with an interface that has a dynamic IP .... 84
Allowing VoIP calls using FortiVoice and FortiCall .... 86
Allowing access from the Internet to a FortiCamera unit .... 93

Security Policies & Firewall Objects .... 99
Ordering security policies to allow different access levels .... 100
Using port forwarding on a FortiGate unit .... 104
Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit .... 109
Using AirPrint with iOS and OS X and a FortiGate unit .... 117

Security Features .... 126
Monitoring your network using client reputation .... 127
Controlling network access using application control .... 130
Using custom signatures to block web traffic from Windows XP .... 136
Protecting a web server from external attacks .... 141
Blocking outgoing traffic containing sensitive data .... 145
Blocking large files from entering the network .... 150
Preventing credit card numbers from escaping your network .... 153
Blocking access to specific websites .... 163
Extra help: Web filtering .... 166
Blocking HTTP and HTTPS traffic with web filtering .... 167
Limiting access to personal interest websites using quotas .... 172
Setting up YouTube for Education .... 176
Using web filter overrides to control website access .... 182
Inspecting traffic content using flow-based inspection .... 190
Excluding specific users from security scanning .... 195

Wireless Networking .... 199
Setting up a temporary guest WiFi user .... 200
Setting up a network using a FortiGate unit and a FortiAP unit .... 207
Providing remote users access to the corporate network and Internet .... 212
Assigning wireless users to different networks using dynamic VLANs .... 218
Extending the range of a wireless network by using mesh topology .... 228

Authentication .... 243
Identifying network users and applying web filters based on identity .... 244
Controlling when specific types of devices can access the Internet .... 250
Providing Single Sign-On for a Windows AD network with a FortiGate .... 254
Providing Single Sign-On in advanced mode for a Windows AD network .... 260
Providing Single Sign-On for Windows AD with LDAP .... 263
Allowing Single Sign-On access with a FortiGate and a FortiAuthenticator .... 267
Preventing security certificate warnings when using SSL inspection .... 271
Extra help: Certificates .... 275
Adding FortiToken two-factor authentication to a user account .... 276
Using two-factor authentication with IPsec VPN .... 280
Using two-factor authentication with SSL VPN .... 287
Authenticating SSL VPN users using LDAP .... 293

SSL and IPsec VPN .... 301
Providing remote users with access using SSL VPN .... 302
Connecting an Android to a FortiGate with SSL VPN .... 310
Configuring SSL VPN with strong authentication using certificates .... 318
Using IPsec VPN to provide communication between offices .... 325
Extra help: IPsec VPN .... 333
Using policy-based IPsec VPN for communication between offices .... 335
Providing secure remote access to a network for an iOS device .... 342
Connecting an Android to a FortiGate with IPsec VPN .... 350
Configuring a FortiGate unit as an L2TP/IPsec server .... 359
Configuring IPsec VPN with a FortiGate and a Cisco ASA .... 367
Creating a VPN with overlapping subnets .... 373
Using redundant OSPF routing over IPsec VPN .... 379

Change log

March 5, 2014
New recipes:
- Using a custom signature to block web traffic from Windows XP
- Preventing credit card numbers from escaping your network
Updated recipes:
- Connecting a private network to the Internet using NAT/Route mode
- Using IPsec VPN to provide communications between offices

February 3, 2014
New recipes:
- Extra help: IPsec VPN
Reordered SSL and IPsec VPN section. Added FortiGate ports section to Tips for the FortiGate Cookbook. Added a note to Providing secure remote access to a network for an iOS device. Updated to FortiOS version 5.0.6.

January 14, 2014
New recipes:
- Quickly Connecting a network to the Internet using DHCP
- Extra help: Private networks with DHCP
- Configuring SSL VPN with strong authentication using certificates
- Connecting an Android to a FortiGate using SSL VPN
Providing secure remote access to a network for an Android device renamed to Connecting an Android to a FortiGate using IPsec VPN.

Introduction

The FortiGate Cookbook (Expanded Version) is a web-only version of the FortiGate Cookbook that will be continuously updated with new examples not contained in the print version. See the Change log for a list of the most recent additions.

The FortiGate Cookbook provides examples, or recipes, of basic and advanced FortiGate configurations to administrators who are unfamiliar with the unit. All examples require access to the graphical user interface (GUI), also known as the web-based manager. Each example begins with a description of the desired configuration, followed by step-by-step instructions. Some topics include extra help sections, containing tips for dealing with some common challenges of using a FortiGate unit.

Using the FortiGate Cookbook, you can go from idea to execution in simple steps, configuring a secure network for better productivity with reduced risk.

The Cookbook is divided into the following chapters:

Installing & Setup: This chapter explains the configuration of common network functions and the different network roles a FortiGate unit can have.

Security Policies & Firewall Objects: This chapter describes security policies and firewall objects, which determine whether to allow or block traffic.

Security Features: This chapter describes the core security features that you can apply to the traffic accepted by your FortiGate unit.

Wireless Networking: This chapter explains how to configure and maintain a wireless network.

Authentication: This chapter describes the FortiGate authentication process for network users and devices.

SSL and IPsec VPN: This chapter explains the configuration and application of SSL and IPsec virtual private networks (VPNs).

This edition of the FortiGate Cookbook (Expanded Version) was written using FortiOS 5.0.6.

Tips for using the FortiGate Cookbook

Before you get started, here are a few tips about using the FortiGate Cookbook:

Understanding the basics

While the FortiGate Cookbook was written with new FortiGate users in mind, some basic steps, such as logging into the FortiGate unit, are not included in most recipes. This information can be found in the first example, "Connecting a private network to the Internet using NAT/Route mode" on page 7, or in the QuickStart guide for your FortiGate unit.

Screenshots vs. text

The FortiGate Cookbook uses both screenshots and text to explain the steps of each example. The screenshots display the entire configuration, while the text highlights key details (i.e. the settings that are strictly necessary for the configuration) and provides additional information. To get the most out of the FortiGate Cookbook, start with the screenshots and then read the text for more details.

Model and firmware

GUI menus, options, and interface names may vary depending on the FortiGate model you are using and the firmware build. For example, the menu Router > Static > Static Routes is not available on some models. Also, on different models, the