Fortinet Firewall Device Maintenance Manual
- Format: doc
- Size: 20.56 KB
- Pages: 4
FortiGuard Security Services Product Offerings

FREQUENTLY ASKED QUESTIONS

How does the ordering process work?
Consider it in three parts:

1. New Order. Do one of the following:
   a. Order the hardware with a bundle that includes FortiCare and FortiGuard services.
   b. Order hardware only (a la carte) and add FortiCare and FortiGuard services to it.

2. Renew Services. Service renewals can be ordered as bundles or a la carte and are applied to the device under the FortiCare account. Services are extended according to the contract purchased.
   NOTE: Renewal services purchased with a FortiCare quote ID generated by the distributor are automatically registered to the serial number.

3. Add Services to an Existing Unit. Customers normally want to align the end dates so that all components (existing and new) renew and expire together. This is done with a co-term; request a co-term quotation from your Fortinet-authorized partner.

NSE TRAINING AND CERTIFICATION

Security Operations (SOP)
Instructor-led training exploring the practical use of Fortinet security operations solutions to detect, investigate, and respond to Advanced Persistent Threats (APTs). Comprising theory lessons and hands-on labs, the course covers how advanced threats are executed, how threat actors behave, and how security operations teams handle such threats.

Web Application Security (WAS)
Instructor-led training exploring web application threats and countermeasures, focused on Fortinet solutions. Comprising theory lessons and hands-on labs, the course leads from the motivations behind attacks on web applications, through understanding and executing attack techniques and recognizing such attacks, to configuring Fortinet solutions to mitigate them.

• FT-CST-SOP – CST-SOP Training – 2 days
• FT-CST-WAS – CST-WAS Training – 1 day

Certification Exams: No certification.

Pre-requisites (SOP)
• You must understand the topics covered in the following courses, or have equivalent experience:
  • Basic knowledge of security operations
  • NSE 4 FortiGate Security
  • NSE 5 FortiSIEM
  • NSE 7 FortiSOAR Design and Development
• It is also recommended that you understand the topics covered in the following course, or have equivalent experience:
  • NSE 7 Advanced Threat Protection

Pre-requisites (WAS)
• You must understand the topics covered in the following courses, or have equivalent experience:
  • NSE 4 FortiGate Security
  • NSE 4 FortiGate Infrastructure
  • NSE 7 FortiSOAR Design and Development
• It is also recommended that you understand the topics covered in the following courses, or have equivalent experience:
  • NSE 6 FortiWeb
  • NSE 7 Advanced Threat Protection

References (course descriptions):
https:///local/staticpage/view.php?page=library_security-operations
https:///local/staticpage/view.php?page=library_web-application-security

ORDERING GUIDE | FortiGuard Security Services
Copyright © 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
FGD-OG-R8-20221108
FortiGate/FortiWiFi® 60E Series
FortiGate 60E, FortiWiFi 60E, FortiGate 61E and FortiWiFi 61E

The Fortinet Enterprise Firewall Solution delivers end-to-end network security with one platform, one network security operating system and unified policy management with a single pane of glass, for the industry's best protection against the most advanced security threats and targeted attacks.

Powered by SPU SoC3
§ Combines a RISC-based CPU with Fortinet's proprietary SPU content and network processors for unmatched performance
§ Simplifies appliance design and enables breakthrough performance for smaller networks
§ Supports firewall acceleration across all packet sizes for maximum throughput
§ Delivers accelerated UTM content processing for superior performance and protection
§ Accelerates VPN performance for high-speed, secure remote access

3G/4G WAN Connectivity
The FortiGate/FortiWiFi 60E Series includes a USB port that accepts a compatible third-party 3G/4G USB modem, providing additional WAN connectivity or a redundant link for maximum reliability.

Compact and Reliable Form Factor
Designed for small environments, the unit can be placed on a desktop or wall-mounted. It is small and lightweight yet highly reliable, with a superior MTBF (Mean Time Between Failures) that minimizes the chance of a network disruption.

Superior Wireless Coverage
The FortiWiFi 60E integrates a dual-band, dual-stream access point with internal antennas, providing 802.11ac wireless access. The dual-band chipset addresses the PCI DSS requirement for rogue-AP wireless scanning, providing maximum protection for regulated environments.

Interfaces (FortiGate/FortiWiFi 60E/61E)
1. Console port
2. 2x GE RJ45 WAN ports
3. 1x GE RJ45 DMZ port
4. 7x GE RJ45 internal ports

SERVICES

FortiGuard™ Security Services
FortiGuard Labs offers real-time intelligence on the threat landscape, delivering comprehensive security updates across the full range of Fortinet's solutions. Comprising security threat researchers, engineers, and forensic specialists, the team collaborates with the world's leading threat monitoring organizations, other network and security vendors, and law enforcement agencies:
§ Real-time Updates — 24x7x365 Global Operations researches security intelligence, distributed via the Fortinet Distributed Network to all Fortinet platforms.
§ Security Research — FortiGuard Labs has discovered over 170 unique zero-day vulnerabilities to date and issues millions of automated signature updates monthly.
§ Validated Security Intelligence — Based on FortiGuard intelligence, Fortinet's network security platform is tested and validated by the world's leading third-party testing labs and by customers globally.

FortiCare™ Support Services
Our FortiCare customer support team provides global technical support for all Fortinet products. With support staff in the Americas, Europe, the Middle East and Asia, FortiCare offers services to meet the needs of enterprises of all sizes:
§ Enhanced Support — For customers who need support during local business hours only.
§ Comprehensive Support — For customers who need around-the-clock mission-critical support, including advanced-exchange hardware replacement.
§ Advanced Services — For global or regional customers who need an assigned Technical Account Manager, enhanced service level agreements, extended software support, priority escalation, on-site visits and more.
§ Professional Services — For customers with more complex security implementations that require architecture and design services, implementation and deployment services, operational services and more.
For more information, please refer to the FortiOS data sheet.

FortiOS
Control all the security and networking capabilities across the entire FortiGate platform with one intuitive operating system. Reduce operating expenses and save time with a truly consolidated next-generation security platform.
§ A truly consolidated platform with one OS for all security and networking services on all FortiGate platforms.
§ Industry-leading protection: NSS Labs Recommended, VB100, AV-Comparatives and ICSA validated security and performance.
§ Control thousands of applications, block the latest exploits, and filter web traffic based on millions of real-time URL ratings.
§ Detect, contain and block advanced attacks automatically in minutes with the integrated advanced threat protection framework.
§ Solve your networking needs with extensive routing, switching, WiFi, LAN and WAN capabilities.
§ Activate all the SPU-boosted capabilities you need on the fastest firewall platform available.

Enterprise Bundle
FortiGuard Labs delivers a number of security intelligence services to augment the FortiGate firewall platform. You can easily optimize the protection capabilities of your FortiGate with the FortiGuard Enterprise Bundle. This bundle contains the full set of FortiGuard security services plus the FortiCare service and support offering, giving the most flexibility and the broadest range of protection in one package.

GLOBAL HEADQUARTERS
Fortinet Inc., 899 Kifer Road, Sunnyvale, CA 94086, United States
EMEA SALES OFFICE
905 rue Albert Einstein, 06560 Valbonne, France. Tel: +33.4.8987.0500
APAC SALES OFFICE
300 Beach Road 20-01, The Concourse, Singapore 199555. Tel: +65.6395.2788
LATIN AMERICA SALES OFFICE
Sawgrass Lakes Center, 13450 W. Sunrise Blvd., Suite 430, Sunrise, FL 33323, United States. Tel: +1.954.368.9990

Copyright © 2017 Fortinet, Inc. All rights reserved.
FST-PROD-DS-GT60E FGFWF-60E-DAT-R6-201702

FortiGate/FortiWiFi® 60E Series
ORDER INFORMATION
Product        SKU      Description
FortiGate 60E  FG-60E   10x GE RJ45 ports (7x internal, 2x WAN, 1x DMZ). Maximum managed FortiAPs (total / tunnel): 10 / 5.
FortiWiFi 60E  FWF-60E  10x GE RJ45 ports (7x internal, 2x WAN, 1x DMZ), wireless (802.11a/b/g/n/ac). Maximum managed FortiAPs (total / tunnel): 10 / 5.
FortiGate 61E  FG-61E   10x GE RJ45 ports (7x internal, 2x WAN, 1x DMZ), 128 GB SSD onboard storage. Maximum managed FortiAPs (total / tunnel): 10 / 5.
FortiWiFi 61E  FWF-61E  10x GE RJ45 ports (7x internal, 2x WAN, 1x DMZ), wireless (802.11a/b/g/n/ac), 128 GB SSD onboard storage. Maximum managed FortiAPs (total / tunnel): 10 / 5.
Fortinet (飞塔) Configuration, Installation and Usage Manual

FortiGuard product family
The Fortinet product family covers a complete network security solution: mail, logging, reporting, network management and security management, plus the FortiGate unified threat management system, offered as both software and hardware appliances. For more Fortinet product information, see /products.

FortiGuard subscription services
FortiGuard subscription services are security services built, updated and managed by Fortinet's global team of security experts. These experts ensure that the latest attacks are detected and blocked before they can damage your resources or infect end-user devices. FortiGuard services are built on the latest security technology and designed for the lowest operating cost.
FortiGuard subscription services include:
1. FortiGuard Antivirus service
2. FortiGuard Intrusion Prevention (IPS) service
3. FortiGuard Web Filtering service
4. FortiGuard Antispam service
5. FortiGuard Premier Partner service
Online virus scanning and virus information lookup are also available.

FortiClient
FortiClient host security software provides a secure network environment for desktop and laptop users running Microsoft operating systems. FortiClient features include:
1. Establishing VPN connections to remote networks
2. Real-time virus protection
3. Preventing modification of the Windows registry
4. Virus scanning
FortiClient also offers an unattended installation mode, so an administrator can efficiently deploy a pre-configured FortiClient to several users' computers.

FortiMail
The FortiMail secure messaging platform provides powerful, flexible heuristic scanning and reporting for mail traffic. FortiMail units reliably detect and block malicious attachments and perform well with spam-detection techniques such as DCC (Distributed Checksum Clearinghouse) and Bayesian scanning. Backed by Fortinet's FortiOS and FortiASIC technology, FortiMail antivirus extends into full content inspection and detects the latest mail-borne threats.
INDUSTRY INSIGHTS
Three Ways Fortinet Hybrid Mesh Firewalls Secure Edge Networks

Enterprise IT is changing. Applications are shifting to hybrid deployments across on-premises data centers and the cloud. Corporate campuses and branches are migrating from MPLS to low-cost broadband in Direct Internet Access (DIA) models. Employees no longer work exclusively at offices but can access company resources anywhere and with any device, often at home. Egress points multiply from a few to hundreds and even thousands, creating complex edge networks. The internet ties these changes together as the new corporate backbone.

Despite the advantages of edge networks, challenges remain. Management is complex, with siloed domains across data centers, public clouds, distributed sites, and remote locations. According to Gartner, 99% of all firewall breaches through 2025 will be the result of user errors born of complexity.1 In 2022, Fortinet surveyed global enterprises and found that 78% felt they were "very" or "extremely" prepared to thwart a ransomware breach, yet half of those respondents still fell victim to an attack.2 In addition, enterprises struggle to manage edge networks because most internet traffic is encrypted, with the latest estimate by Google at 95%.3 For enterprises relying on the internet to conduct business, that means IT teams cannot see what is being sent to and from the network, including cyberattacks, unless that traffic is decrypted and inspected.

To address these challenges, Fortinet Hybrid Mesh Firewalls (HMFs) provide unified and centralized visibility, management, and protection for data centers, branches and campuses, public clouds, and remote sites. With FortiManager centralized management, Fortinet offers simple management for unified protection. Fortinet HMFs leverage FortiGuard AI-Powered Security Services to protect edge networks and devices against known and unknown cyberthreats. Proprietary security processing units (SPUs) deliver high performance at the network edge even when decrypting traffic, so that malware hiding in encrypted traffic does not slip through.

Centralized and Unified Management
The most important aspect of an HMF is unified management. Hybrid mesh firewall solutions cannot be disjointed solutions where different areas of IT require their own individual management consoles. Centralized and unified management integrates traditionally separate IT domains (data centers, distributed sites, public clouds, and remote workers) into one platform.

Figure 1: Example of a hybrid mesh firewall deployment

FortiManager allows for consistent policies across the entire HMF deployment. Policies are entered once, automated, and enforced wherever needed across the enterprise. Efficient management and automation reduce manual work, filling workforce shortages. Easy-to-use centralized management shortens new-hire ramp times and reduces churn, allowing IT professionals to focus on strategic tasks.

AI-Powered Security Services
FortiGuard AI-Powered Security Services integrate critical capabilities into Fortinet HMFs (FortiGate Next-Generation Firewalls) to protect against threats in real time. These services include URL and DNS filtering, application control, anti-malware, and sandboxing, as well as hardware-accelerated IPS for high-performance SSL inspection and virtual patching. Fortinet also has a proven track record protecting IoT and OT environments and devices.

Figure 2: FortiGuard AI-Powered Security Services

With over 660,000 customers and 8 million sensors deployed, Fortinet leverages industry-leading telemetry, along with trusted partnerships, open-source intelligence (OSINT), Cyber Threat Alliance (CTA) feeds, and more to keep customers safe.

Custom-Built SPUs
Traditional network security vendors rely on general-purpose CPUs to deliver networking and security capabilities. Their products cause poor experiences when resource-intensive functions like decryption, IPsec, or IPS are enabled. Fortinet HMFs leverage proprietary SPUs to offload resource-intensive functions from device CPUs and improve user experiences. These SPUs provide performance advantages so that edge traffic can be inspected without network slowdowns. Fortinet SPUs also provide a high ROI for businesses while offering lower power consumption, thereby reducing TCO while adhering to environmental, social, and governance (ESG) goals.

The Fortinet Hybrid Mesh Firewall for Edge Networks
As enterprise networks transform into edge networks with multiple domains across data centers, distributed sites, public clouds, and remote locations, a unified security solution is needed to address the associated challenges and complexity. Fortinet HMFs can help enterprises overcome transformational challenges, offering unified, centralized management and protection and operational simplicity.

1 Gartner, Control Network Security Complexity, Inefficiencies and Security Failures by Minimizing Firewall Diversity, accessed May 31, 2023.
2 Fortinet, The 2023 Global Ransomware Report, April 20, 2023.
3 Google, HTTPS Transparency Report, accessed May 22, 2023.

Copyright © 2023 Fortinet, Inc. All rights reserved.
Firewall System Daily Operations Guide V1.00

1. Daily routine maintenance

1) System administrator duties
To keep the firewall running normally, the system administrator carries out a routine check of the device every day. After arriving at work, log in to the firewall management interface and check whether CPU usage, memory usage and the working state of the network interfaces are normal.
➢ Keep CPU usage below 80% and memory usage below 85%. If CPU or memory usage is too high, check whether the firewall's total session count, half-open connection count and port traffic are normal.
➢ If the session total, half-open count or port traffic is abnormal, that is, outside its usual range, someone may be carrying out an ARP attack or a worm may be spreading. Use session management to examine the individual sessions, find the abnormal ones and block them manually.
If the session total, half-open count and port traffic are within their normal ranges but network access has become noticeably slower, restart the firewall (export the current session list and logs first, so the cause can still be analysed afterwards).
➢ In the management interface a network interface that is working normally is shown in green. If a working port is shown in red, notify the network administrator promptly and check together whether the link between the switch and the firewall is normal.
➢ If the switch and cabling are normal, restart the firewall; if the problem persists, telephone the vendor's engineer immediately.
➢ Add newly requested protected objects as required.
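The routine check above, as an added example that is not part of the guide: a Python script that applies the guide's thresholds (CPU below 80%, memory below 85%, then session count and port traffic against an everyday baseline) to the text output of the FortiOS CLI command `get system performance status`. The sample output is constructed here to imitate that command and was not captured from a real unit; the field layout varies between FortiOS versions, so the regular expressions, the baseline figures and the "more than twice the baseline" rule are assumptions to verify against your own device. Half-open connection counts are reported by other commands and are left out.

```python
import re

# Thresholds from the guide: CPU below 80%, memory below 85%.
CPU_MAX_PCT = 80
MEM_MAX_PCT = 85
# Assumption: a figure more than twice its everyday baseline counts as
# "outside the normal range" in the guide's sense.
BASELINE_RATIO = 2.0
# Assumed everyday baseline for this unit (in practice taken from past readings).
BASELINE = {"sessions": 20000, "kbps_in": 10000, "kbps_out": 8000}

# Constructed sample output imitating 'get system performance status';
# not captured from a real device.
PERF_STATUS = """\
CPU states: 12% user 9% system 0% nice 79% idle 0% iowait 0% irq 0% softirq
Memory: 2054432k total, 1807900k used (88.0%), 246532k free (12.0%)
Average network usage: 18432 / 6100 kbps in 1 minute, 17200 / 5900 kbps in 10 minutes
Average sessions: 48210 sessions in 1 minute, 47950 sessions in 10 minutes
Average session setup rate: 2100 sessions per second in last 1 minute
Uptime: 41 days, 3 hours, 12 minutes
"""


def parse_perf(text):
    """Extract the figures the guide asks the administrator to look at."""
    idle = re.search(r"CPU states:.*?(\d+)% idle", text)
    mem = re.search(r"Memory:.*?used \((\d+(?:\.\d+)?)%\)", text)
    net = re.search(r"Average network usage: (\d+) / (\d+) kbps in 1 minute", text)
    ses = re.search(r"Average sessions: (\d+) sessions in 1 minute", text)
    if not (idle and mem and net and ses):
        raise ValueError("unrecognised performance status layout")
    return {
        "cpu_pct": 100 - int(idle.group(1)),   # busy = everything that is not idle
        "mem_pct": float(mem.group(1)),
        "kbps_in": int(net.group(1)),
        "kbps_out": int(net.group(2)),
        "sessions": int(ses.group(1)),
    }


def check_health(perf, baseline=BASELINE):
    """Return findings in the order the guide checks them: resources first,
    then (only if resources are high) sessions and port traffic."""
    findings = []
    if perf["cpu_pct"] >= CPU_MAX_PCT:
        findings.append(f"CPU {perf['cpu_pct']}% is not below {CPU_MAX_PCT}%")
    if perf["mem_pct"] >= MEM_MAX_PCT:
        findings.append(f"memory {perf['mem_pct']}% is not below {MEM_MAX_PCT}%")
    if not findings:
        return findings
    for key in ("sessions", "kbps_in", "kbps_out"):
        if perf[key] > BASELINE_RATIO * baseline[key]:
            findings.append(
                f"{key} {perf[key]} exceeds {BASELINE_RATIO}x baseline {baseline[key]}"
            )
    return findings


def next_step(findings):
    """Map the findings to the action the guide prescribes."""
    if not findings:
        return "ok"
    if any("baseline" in f for f in findings):
        return "inspect the session table, locate abnormal sessions and block them manually"
    return "traffic normal: export session list and logs, then restart the firewall"


if __name__ == "__main__":
    perf = parse_perf(PERF_STATUS)
    found = check_health(perf)
    for line in found:
        print("!", line)
    print("next step:", next_step(found))
```

Run it against a saved copy of the CLI output; with the constructed sample it flags memory at 88% and a session count above twice the baseline, which is the guide's "look for abnormal sessions and block them" branch rather than its "restart" branch.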
2) Security administrator duties
Every workday, at fixed times (at least twice a day, at 09:00 and 17:00), the security administrator checks the data center for high-level alarm logs (warning level and above). If any are found, handle them immediately as follows:
◆ Medium/high-level alarms caused by the device itself: high-level alarms of this kind are mainly hardware fault alarms. Handling:
➢ Notify the vendor's engineer immediately to come on site.
➢ Once the fault is resolved, write a report and send it to the responsible manager.
◆ Medium/high-level alarms caused by a network fault: excessive network load (ARP attack, worm, etc.). Handling:
➢ Analyse the session records, look for suspicious sessions, and work with the system administrator to block the source address of the suspicious sessions.
➢ Once the source address is known, immediately send technical staff on site to deal with the affected machine.
➢ After the machine has been dealt with, write an incident report analysing the cause of the alarm and send it to the responsible managers (office director and deputy department head). (The same applies below.)
◆ Medium/high-level alarms caused by attack behaviour, such as IP scans and port scans:
➢ The firewall normally blocks the connection automatically and generates an alarm log at the same time.
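The twice-daily alarm review above, as an added example that is not part of the guide: a Python triage of FortiOS-style key=value log lines that keeps only entries at warning level or above and routes each one to the guide's three handling paths (hardware fault, network overload, scan). The log lines are constructed to resemble FortiOS syslog output rather than captured from a device, and the keyword lists used to tell the categories apart are assumptions, since real logid values and message text differ between FortiOS versions.

```python
import shlex

# FortiOS severity names, most severe first; the guide reviews "warning and above".
SEVERITY_ORDER = ["emergency", "alert", "critical", "error", "warning",
                  "notice", "information", "debug"]
REVIEW_LEVEL = "warning"

# Assumed keyword lists for the guide's three categories.
HARDWARE_WORDS = ("fan", "power", "disk", "temperature", "hardware")
OVERLOAD_WORDS = ("flood", "arp", "worm")
SCAN_WORDS = ("scan", "sweep")

# Action the guide prescribes for each category.
ACTIONS = {
    "hardware": "call the vendor engineer on site; report to management afterwards",
    "overload": "find suspicious sessions, block the source with the sysadmin, send a technician to the host",
    "scan": "firewall has blocked it automatically; confirm in the session table and record it",
    "other": "review manually",
}

# Constructed sample log lines in FortiOS key=value style (not real device output).
SAMPLE_LOGS = """\
date=2023-05-08 time=09:00:12 devname="FW-CORE" type="event" subtype="system" level="critical" logdesc="Fan failure" msg="fan 1 has failed"
date=2023-05-08 time=09:01:40 devname="FW-CORE" type="anomaly" subtype="anomaly" level="alert" attack="tcp_syn_flood" srcip=10.20.5.77 dstip=10.0.0.10 action="detected" msg="anomaly: tcp_syn_flood"
date=2023-05-08 time=09:02:05 devname="FW-CORE" type="anomaly" subtype="anomaly" level="alert" attack="tcp_port_scan" srcip=203.0.113.9 dstip=10.0.0.10 action="clear_session" msg="anomaly: tcp_port_scan"
date=2023-05-08 time=09:03:00 devname="FW-CORE" type="event" subtype="system" level="notice" logdesc="Admin login" msg="Administrator admin logged in"
"""


def parse_line(line):
    """Split a key=value log line into a dict; shlex handles the quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def needs_review(rec):
    """True when the record's level is at or above the review threshold."""
    level = rec.get("level", "information")
    if level not in SEVERITY_ORDER:
        return True   # unknown level: do not silently drop it
    return SEVERITY_ORDER.index(level) <= SEVERITY_ORDER.index(REVIEW_LEVEL)


def classify(rec):
    """Assign the record to one of the guide's handling categories."""
    text = " ".join(rec.get(k, "") for k in ("attack", "logdesc", "msg")).lower()
    if rec.get("type") == "event" and any(w in text for w in HARDWARE_WORDS):
        return "hardware"
    if any(w in text for w in SCAN_WORDS):
        return "scan"
    if any(w in text for w in OVERLOAD_WORDS):
        return "overload"
    return "other"


def triage(log_text):
    """Return the records that need handling, each with category, source and action."""
    items = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not needs_review(rec):
            continue
        cat = classify(rec)
        items.append({"time": rec.get("time"), "category": cat,
                      "srcip": rec.get("srcip"), "action": ACTIONS[cat]})
    return items


if __name__ == "__main__":
    for item in triage(SAMPLE_LOGS):
        print(item["time"], item["category"], item["srcip"] or "-", item["action"])
```

The notice-level admin login is dropped by the severity filter, the fan failure goes to the vendor path, the SYN flood to the overload path with its source address attached for blocking, and the port scan to the "already blocked, verify and record" path.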
FortiGate NIDS Guide
FortiGate User Manual, Volume 4
Version 2.50 MR2
6 August 2003
© Copyright 2003 Fortinet, Inc. All rights reserved. No part of this manual, including text, examples, diagrams or illustrations, may be reproduced, transmitted or published for any purpose by any means, electronic, mechanical, manual, optical or otherwise, without the permission of Fortinet, Inc.

FortiGate NIDS Guide, Version 2.50 MR2, 8 August 2003
Trademarks: products mentioned in this manual are trademarks or registered trademarks of their respective owners.
Regulatory compliance: FCC Class A Part 15, CSA/CUS
For technical support, please visit the Fortinet support address given in the original manual (not preserved in this copy).
Please send errors or omissions found in this document or any Fortinet technical document to techdoc@.

Contents
Overview
  NIDS modules
    Using the NIDS Detection module to detect intrusion attempts
    Using the NIDS Prevention module to prevent intrusions
    Using the NIDS Response module to manage messages
  NIDS detection and prevention features
    Denial of Service (DoS) attacks
    Sniffing
    Privilege escalation
    NIDS evasion
  About this document
    What is new in version 2.50
    Document conventions
    Fortinet documentation
    Comments on Fortinet technical documentation
    Customer service and technical support
Detecting attacks
  Signature groups
  Signature examples
  General configuration steps
  General NIDS configuration
    Selecting the network interfaces to monitor
    Disabling the NIDS
    Configuring checksum verification
  Selecting a signature group
  Viewing the signature list
  Enabling and disabling NIDS attack signatures
  Updating attack definitions
  Creating user-defined signatures
    Creating user-defined signatures
    User-defined signature tips
    General configuration steps
  User-defined signature syntax
    Syntax conventions
    Complete signature syntax
    Signature syntax details
  Managing user-defined signatures
    Uploading a user-defined signature list
    Downloading a user-defined signature list
Preventing attacks
  General configuration steps
  Enabling NIDS attack prevention
  Enabling NIDS prevention signatures
  Configuring signature thresholds
  Configuring the SYN flood signature value
  Example: NIDS configuration
  Preventing TCP and UDP attacks
Managing NIDS messages
  Logging attack messages
  Configuring the FortiGate unit to send alert e-mail
  Enabling intrusion alert e-mail on the FortiGate unit
  Customizing alert e-mail messages
  Reducing the number of NIDS attack log and e-mail messages
  Automatic message reduction
Glossary
Index

Overview
The FortiGate NIDS is a real-time network intrusion detector that uses an attack definition library to detect and prevent a wide variety of suspicious network traffic and direct network-based attacks.
Fortinet (USA) Product Series Technical Manual V4.0
July 2004
Beijing office: Room 903, Tower B, Digital Building, 2 Zhongguancun South Street, Haidian District, Beijing 100086
Tel: (010) 8251 2622   Fax: (010) 8251 2630
Fortinet internal material, 2004

Contents
1. Company introduction
  1.1 Company background
  1.2 Product overview
  1.3 Key technologies
  1.4 About the CEO
  1.5 Business scope
2. Product series
  2.1 FortiGate-50A
  2.2 FortiGate-60
  2.3 FortiGate-100
  2.4 FortiGate-200
  2.5 FortiGate-300
  2.6 FortiGate-400
  2.7 FortiGate-500
  2.8 FortiGate-800
  2.9 FortiGate-1000
  2.10 FortiGate-3000
  2.11 FortiGate-3600
  2.12 FortiGate-4000
  2.13 FortiGate-5000
  2.14 FortiManager system
3. Product functions and features
  3.1 The antivirus firewall concept
  3.2 The FortiGate series
  3.3 Network-based antivirus
  3.4 Zoned security management
  3.5 VPN functions
  3.6 Firewall functions
  3.7 Unique content filtering
  3.8 Network-based IDS/IDP functions
  3.9 VPN remote client software
  3.10 FortiASIC technology and the FortiOS operating system
    3.10.1 High-performance parallel processing
    3.10.2 Real-time architecture
    3.10.3 Real-time content-level intelligence
    3.10.4 Virtual system support for inter-zone security
    3.10.5 High availability (HA)
  3.11 FortiGate as a complete solution
4. Typical FortiGate firewall deployment scenarios
  4.1 Small and medium enterprise firewall deployment
  4.2 Medium and large enterprise firewall deployment
  4.3 Distributed enterprise firewall deployment
  4.4 Campus network security deployment
5. Sales licences and certifications
  5.1 Ministry of Public Security hardware firewall sales licence
  5.2 Ministry of Public Security antivirus firewall sales licence
  5.3 China Information Security Product Testing and Certification Center
  5.4 Computer World recommended product award
  5.5 China
  5.6 ICSA certification
  5.7 Awards in the United States
6. Technical support
  6.1 Beijing office technical support
    6.1.1 Technical support, after-sales service and staff training
    6.1.2 Service organization
    6.1.3 Technical consulting and training
  6.2 FortiProtect protection service center
  6.3 FortiProtect security response team
  6.4 FortiProtect push-update network
7. Notes
  7.1 Appendix: company and product introduction materials
  7.2 Contact us

Fortinet internal material, 2004

1. Company introduction
1.1 Company background
Fortinet (飞塔) of the United States is a technology leader in next-generation network security appliances.
The FortiGate Cookbook (手把手学配置FortiGate设备)
FortiOS 4.0 MR3

Contents

Introduction
  About the IP addresses used in this book
  About FortiGate units
  Management interfaces: the web-based manager, the CLI, FortiExplorer
  Registering a FortiGate unit
  More information: the Fortinet Knowledge Base, training, technical documentation, customer service and technical support

Installing and setting up a new FortiGate unit
  Connecting a FortiGate unit in NAT/Route mode to the Internet
  Connecting a private network to the Internet in one step
  What to do if this configuration does not work
  Changing internal network addresses in one step with the FortiGate setup wizard
  Troubleshooting NAT/Route mode installations
  Installing a FortiGate unit without changing the network configuration (Transparent mode)
  Troubleshooting Transparent mode installations
  Verifying and upgrading the current firmware version
  Connecting to FortiGuard services and troubleshooting the connection
  Creating administrator accounts on a FortiGate unit

Advanced installation and setup
  Connecting a FortiGate unit to two ISPs for redundant Internet connectivity
  Using a modem as a redundant Internet connection
  Distributing sessions across redundant links with usage-based ECMP
  Protecting a web server in a DMZ network
  Protecting a mail server without changing network settings (Transparent mode)
  Using interface pairs to simplify Transparent mode installation
  Connecting to a network without address translation (Route mode)
  Setting up an explicit web proxy for users on a private network
  Web caching of Internet content for private-network users
  Improving network reliability with HA (high availability)
  Upgrading the firmware of a FortiGate HA cluster
  Connecting multiple networks to a FortiGate unit with VLANs
  Hosting multiple virtual firewalls on one FortiGate unit with virtual domains
  Creating administrator accounts for monitoring firewall activity and basic maintenance
  Hardening the security of a FortiGate unit
  Creating a local DNS server list for internal websites and servers
  Assigning IP addresses by MAC address with DHCP
  Configuring a FortiGate unit to send SNMP traps
  Finding and diagnosing faults with packet sniffing (packet capture)
  Advanced fault finding and diagnosis with packet sniffing
  Creating, saving and using packet capture filters (sniffing from the web-based manager)
  Debugging the FortiGate configuration

Wireless networking
  Creating secure wireless access with a FortiWiFi unit
  Creating a secure wireless network with FortiAPs on a FortiGate unit
  Improving WiFi security with WPA-Enterprise
  Setting up a secure wireless network with RADIUS
  Setting up a secure wireless network with web (captive portal) authentication
  Sharing the same subnet between wireless and wired clients
  Creating a wireless network with an external DHCP server
  Authenticating WiFi users with Windows AD

Controlling traffic with security policies and firewall objects
  Security policies
  Defining firewall objects
  Limiting employees' Internet access
  Limiting Internet access per IP address
  Exempting specified users from UTM filtering
  Verifying that a security policy is applied to traffic
  Executing security policies in the correct order
  Allowing DNS queries only to one approved DNS server
  Ensuring sufficient and consistent VoIP bandwidth
  Using geographic addresses
  Providing Internet access to private-network users (static source NAT)
  Providing Internet access to private-network users through multiple Internet addresses (dynamic source NAT)
  Dynamic source NAT without changing the source port (one-to-one source NAT)
  Dynamic source NAT with the central NAT table
  Allowing access to an internal web server with only one Internet IP address
  Accessing an internal web server with one IP address using port translation
  Accessing an internal web server through address mapping
  Port forwarding to open ports on the FortiGate unit
  Dynamic destination NAT for a range of IP addresses

UTM options
  Protecting a network from viruses
  Protecting against grayware
  Protecting against legacy viruses
  Maximizing the file size that virus scanning inspects
  Blocking oversized files in virus scanning
  Improving FortiGate performance with flow-based UTM scanning
  Limiting the types of websites network users can visit
  Exempting specified users from FortiGuard web filtering
  Blocking offensive search results in Google, Bing and Yahoo
  Looking up a URL's FortiGuard web filter category
  Setting a list of websites that network users may visit
  Blocking access to web proxies with FortiGuard web filtering
  Blocking access to streaming media with web filtering
  Blocking access to specific websites
  Blocking access to all websites except those on a whitelist
  Configuring FortiGuard web filtering to check IP addresses as well as URLs
  Configuring FortiGuard web filtering to check images as well as URLs
  Recognizing HTTP redirects
  Gaining application visibility on the network
  Blocking the use of instant messaging clients
  Blocking access to social media websites
  Blocking the use of P2P file sharing
  Protecting a web server with IPS
  Configuring IPS to terminate traffic when scanning fails
  Defending against DoS attacks
  Filtering inbound spam
  Monitoring HTTP traffic for personal information with DLP
  Blocking outgoing mail that contains sensitive information
  Checking the network for vulnerabilities with the FortiGate vulnerability scanner

SSL VPN
  Remote web browsing for internal users with SSL VPN
  Providing protected Internet access to remote users with SSL VPN
  SSL VPN split tunneling: separate tunnels for Internet access and for the remote private network
  Verifying that SSL VPN users have up-to-date AV software when logging in

IPsec VPN
  Protecting communication between office networks with IPsec VPN
  Secure remote access to the office network with FortiClient VPN
  Secure connection from an iPhone over IPsec VPN
  Secure connection from an Android device over IPsec VPN
  Building a VPN to a private network with the FortiGate FortiClient VPN wizard
  An IPsec VPN tunnel is not working

Authentication
  Creating security policies that identify users
  Identifying users and restricting access by website category
  Creating security policies that identify users, restrict access to certain websites and control application use
  Configuring authentication with FortiAuthenticator
  Adding FortiToken two-factor authentication to user accounts
  Adding SMS tokens for two-factor authentication of FortiGate administrator accounts
  Removing the "untrusted connection" message

Logging and reporting
  Understanding log messages
  Creating a backup logging solution
  Logging to a remote syslog server
  Alert e-mail notification of SSL VPN login failures
  Modifying the default FortiOS UTM reports
  Testing the logging configuration

Introduction
The FortiGate Cookbook is intended to help FortiGate administrators carry out basic and advanced FortiGate configuration tasks, presented as worked configuration examples.
Luxgen Auto Lifestyle Centre: Daily Operations Guide for the IT Supervisor

Contents
I. Device maintenance
II. Network device password reset procedures
III. Fortinet rate limiting
IV. Fortinet SSL VPN setup and use
V. Service requirements
VI. Installation and commissioning process
VII. Spare-unit service process
VIII. Installation and testing
IX. Notes

I. Device maintenance

1. Logging in to the firewall
From the internal network, open https://172.31.X.254 or https://192.168.X.254 in a browser (X is the number assigned to the current centre). From the Internet, use the public IP address of the centre's WAN1 port (for example https://117.40.91.123). Enter the user name and password on the login page to manage and configure the firewall.

2. Logging in to the switch
From the internal network, enter the switch's management address in a browser: http://172.31.X.253, .252, .251 or .250 (X again is the centre's number).

3. Logging in to the wireless AP
From the internal network, enter the AP's management address in a browser: staff area http://172.31.X.241, customer area http://192.168.X.241 (X again is the centre's number).

II. Network device password reset procedures

2.1 Resetting the password on the FortiGate-80C firewall
1. Connect the serial console cable and configure the terminal.
2. Power on the device.
3. Within 30 seconds of the boot completing, log in through the console as user maintainer.
4. The password is bcpb followed by the device serial number (case sensitive). Note that some serial numbers contain a hyphen, which must be typed as well: for serial number FGT-100XXXXXXX the password is bcpbFGT-100XXXXXXX; otherwise the login fails.
5. At the command line, run the following commands to set a new password for "admin":

    config system admin
        edit admin
            set password "new-password"
        end

6. You can now log in to the web interface with the new password. The exact command-line session is shown in the figure below.

2.2 Resetting the password on the DES-3028 switch
1. Connect the serial console cable and configure the terminal.
2. Power on the device.
3. When the second "100%" appears on screen, immediately press and hold Shift + 6; the screen shown below appears.
4. Press any key to enter the next command-line screen.
5. Follow the figure above and finally reboot the device. All switch configuration is restored to factory defaults.
FortiOS 6.0: Fortinet's Network Operating System

Control all the security and networking capabilities in all your Fortinet Security Fabric elements with one intuitive operating system. Improve your protection and visibility while reducing operating expenses and saving time with a truly consolidated next-generation enterprise firewall solution. FortiOS enables the Fortinet Security Fabric vision for enhanced protection from IoT to Cloud.

FortiOS is a security-hardened, purpose-built operating system that is the software foundation of FortiGate. Control all the security and networking capabilities in all your FortiGates across your entire network with one intuitive operating system. FortiOS offers an extensive feature set that enables organizations of all sizes to deploy the security gateway setup that best suits their environments. As requirements evolve, you can modify them with minimal disruptions and cost.

As companies look to transform everything from their business operating models to service delivery methods, they are adopting technologies such as mobile computing, IoT and multi-cloud networks to achieve business agility, automation, and scale. The increasing digital connectedness of organizations is driving the requirement for a security transformation, where security is integrated into applications, devices, and cloud networks to protect business data spread across these complex environments. FortiOS 6.0 delivers hundreds of new features and capabilities that were designed to provide the broad visibility, integrated threat intelligence, and automated response required for digital business. The Fortinet Security Fabric, empowered by FortiOS 6.0, is an intelligent framework designed for scalable, interconnected security combined with high awareness, actionable threat intelligence, and open API standards for maximum flexibility and integration to protect even the most demanding enterprise environments.

Fortinet's security technologies have earned the most independent certifications for security effectiveness and performance in the industry. The Fortinet Security Fabric closes gaps left by legacy point products and platforms by providing the broad, powerful, and automated protection that today's organizations require across their physical and virtual environments, from endpoint to the cloud.

Introducing FortiOS 6.0
[Figure: FortiOS 6.0 Anatomy]

FEATURE HIGHLIGHTS

System Integration
§ Standards-based monitoring output: SNMP, NetFlow/sFlow and Syslog support for external (third-party) SIEM and logging systems
§ Security Fabric integration with Fortinet products and technology alliances

Central Management and Provisioning
§ Fortinet/third-party automation and portal services support via APIs and CLI scripts
§ Rapid deployment features including cloud-based provisioning solutions
§ Developer community platform and professional service options for complex integrations

Cloud and SDN Integration
§ Multi-cloud support via integration with OpenStack, VMware NSX, Nuage Virtualized Services, and Cisco ACI infrastructure
§ NEW: Ease of configuration with GUI support and dynamic address objects

… confident that your network is getting more secure over time.

Fortinet offers the most integrated and automated Advanced Threat Protection (ATP) solution available today through an ATP framework that includes FortiGate, FortiSandbox, FortiMail, FortiClient, and FortiWeb. These products easily work together to provide closed-loop protection across all of the most common attack vectors.
[Figure: ATP framework; labels: FSA Dynamic Threat DB Update, Detailed Status Report, File Submission]

Automation
Stitches are new administrator-defined automated workflows that use if/then statements to cause FortiOS to automatically respond to an event in a pre-programmed way. Because stitches are part of the Security Fabric, you can set up stitches for any device in the Security Fabric.

HIGHLIGHTS

Monitoring
§ Real-time monitors
§ NOC Dashboard
§ NEW: iOS push notification via the FortiExplorer app
§ The Dashboard NOC view allows you to keep mission-critical information in view at all times. Interactive and drill-down widgets avoid dead ends during your investigations, keeping analysis moving quickly and smoothly.

Operation
FortiOS provides a broad set of operation tools that make identification of, and response to, security and network issues effective. Security operations is further optimized with automations, which contribute to faster and more accurate problem resolution.

Policy and Control
FortiGate provides a valuable policy enforcement point in your network where you can control your network traffic and apply security technologies. With FortiOS, you can set consolidated policies that include granular security controls. Every security service is managed through a similar paradigm of control and can easily plug into a consolidated policy. Intuitive drag-and-drop controls allow you to easily create policies, and one-click navigation shortcuts allow you to more quickly quarantine endpoints or make policy edits.

Security
FortiGuard Labs provides the industry-leading security services and threat intelligence delivered through Fortinet solutions. FortiOS manages the broad range of FortiGuard services available for the FortiGate platform, including application control, intrusion prevention, web filtering, antivirus, advanced threat protection, SSL inspection, and mobile security. Service licenses are available a la carte or in a cost-effective bundle for maximum flexibility of deployment.

Industry-leading security effectiveness
Fortinet solutions are consistently validated for industry-leading security effectiveness in industry tests by NSS Labs for IPS and application control, by Virus Bulletin in the VB100 comparative anti-malware industry tests, and by AV-Comparatives.
§ Recommended Next Generation Firewall with near-perfect, 99.47% security effectiveness rating (2017 NSS Labs NGFW Test of FortiGate 600D & 3200D)
§ Recommended Breach Prevention System with 99% overall detection (2017 NSS Breach Prevention Systems Test of FortiGate with FortiSandbox)
§ Recommended Data Center Security Gateway with 97.87% and 97.97% security effectiveness (2017 NSS Data Center Security Gateway Test with FortiGate 7060E and 3000D)
§ Recommended Next Generation IPS with 99.71% overall security effectiveness (2017 NSS Next Generation IPS Test with FortiGate 600D)
§ ICSA-certified network firewalls, network IPS, IPsec, SSL-TLS VPN, antivirus

Networking
With FortiOS you can manage your networking and security in one consistent native OS on the FortiGate. FortiOS delivers a wide range of networking capabilities, including extensive routing, NAT, switching, Wi-Fi, WAN, load balancing, and high availability, making the FortiGate a popular choice for organizations wanting to consolidate their networking and security functions.

SD-WAN
FortiGate SD-WAN integrates next-generation WAN and security capabilities into a single, multi-path WAN edge solution. Secure SD-WAN makes the edge application-aware and keeps application performance high with built-in WAN path controller automation.
With integrated NGFW, it is easier to enable direct Internet access while continuing to keep a high security posture with reduced complexity.

Platform Support

Performance
The FortiGate appliances deliver up to five times the next-generation firewall performance and 10 times the firewall performance of equivalently priced platforms from other vendors. The high performance levels in the FortiGate are based on a Parallel Path Processing architecture in FortiOS that leverages performance-optimized security engines and custom-developed network and content processors. Thus, FortiGate achieved the best cost-per-Mbps performance value results.

Ultimate deployment flexibility
Protect your entire network inside and out through a policy-driven network segmentation strategy using the Fortinet solution. It is easy to deploy segment-optimized firewalls, leveraging the wide range of FortiGate platforms and the flexibility of FortiOS to protect internal network segments, the network perimeter, distributed locations, public and private clouds, and the data center, ensuring you have the right mix of capabilities and performance for each deployment mode.

[Feature table excerpt]
Virtual desktop option to isolate the SSL VPN session from the client computer's desktop environment
IPsec VPN:
- Remote peer support: IPsec-compliant dialup clients, peers with static IP/dynamic DNS
- Authentication method: certificate, pre-shared key
- IPsec Phase 1 mode: aggressive and main (ID protection) mode
- Peer acceptance options: any ID, specific ID, ID in dialup user group
EMAC-VLAN support: allows adding multiple Layer 2 addresses (Ethernet MAC addresses) to a single physical interface
Virtual Wire Pair:
- Processes traffic only between two assigned interfaces on the same network segment
- Available in both Transparent and NAT/Route mode
- Option to implement a wildcard VLAN setup
Virtual Systems (FortiOS Virtual Domains) divide a single FortiGate unit into two or more virtual instances of FortiOS that function separately and can be managed independently.
- Configurable virtual system resource limiting and management, such as maximum/guaranteed active sessions and log disk quota
- VDOM operating modes: NAT/Route or Transparent
- VDOM security inspection modes: proxy or flow-based
Web Application Firewall:
- Signature-based, URL constraints and HTTP method policy
Server load balancing: traffic can be distributed across multiple backend servers:
- Based on multiple methods including static (failover), round robin, weighted, or based on round-trip time or number of connections
- Supports HTTP, HTTPS, IMAPS, POP3S, SMTPS, SSL or generic TCP/UDP or IP protocols
- Session persistence based on the SSL session ID or on an injected HTTP cookie
NOTE: Feature set based on FortiOS V6.0 GA; some features may not apply to all models. For availability, please refer to the Software Feature Matrix.

REFERENCES
Resource: The FortiOS Handbook — The Complete Guide. URL: /fgt.html
Resource: Fortinet Knowledge Base. URL: /

GLOBAL HEADQUARTERS
Fortinet Inc., 899 Kifer Road, Sunnyvale, CA 94086, United States
Tel: + /sales

EMEA SALES OFFICE
905 rue Albert Einstein, 06560 Valbonne, France
Tel: +33.4.8987.0500

APAC SALES OFFICE
300 Beach Road 20-01, The Concourse, Singapore 199555
Tel: +65.6395.2788

LATIN AMERICA SALES OFFICE
Sawgrass Lakes Center, 13450 W. Sunrise Blvd., Suite 430, Sunrise, FL 33323, United States
Tel: +1.954.368.9990

Copyright © 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
FST-PROD-DS-FOS FOS-DAT-R6-201804
Contents
I. Implementation details
  1 Basic device settings
  2 HA configuration (optional)
  3 Network configuration
  4 Security policy configuration
II. Management and maintenance procedures
III. Device configuration overview
  1 System administration
  2 Firewall
  3 User management
  4 VPN
  5 IPS
  6 Antivirus
  7 Web filtering
  8 Anti-spam
  9 System logs
  10 Commonly used CLI commands
IV. Quick maintenance procedure

I. Implementation details

1 Basic device settings
These are the basic settings of each individual device before HA is configured. They include:
✧ Set the device name. Define a naming convention that is consistent across the whole network, for ease of management, e.g. TJ_FG300A_A and TJ_FG300A_B.
✧ Set the device clock. Synchronising all devices on the network to an NTP server is recommended. If no time server is available, set the clock manually, and make sure the clocks of the two HA members match.
✧ Set the admin password. By default the admin password is empty; a password must be set.
✧ Set the LCD password. The LCD panel on the front of the device can be used to set interface IP addresses, the operating mode and so on; it needs a password so that only administrators can change these.
✧ Register the device at fortiprotect and upgrade FortiOS, the virus database and the IPS signature database to the latest versions (after the purchase contract is signed, log in to the Fortinet website promptly to register the device).

2 HA configuration (optional)
FortiGate supports two HA modes, Active-Active and Active-Passive. Since the current requirement is firewall protection only, it is recommended to reboot each device after configuring it, and then configure the other one in turn.

3 Network configuration
✧ Access mode: FortiGate supports two modes of network access, Transparent mode and Route/NAT mode. Because traffic between the airport departure network and the TravelSky network requires address translation, Route/NAT mode is used.
✧ Set interface IP addresses and routes according to the IP plan.

4 Security policy configuration
NAT address translation mapping table
✧ Configure IPS policies as required.
✧ Configure AV policies as required.

II. Management and maintenance procedures
✧ Management access settings: from which interfaces, from which source IP addresses, and with which management methods the device may be managed (HTTPS and SSH are recommended).
✧ SNMP settings: monitor interface status and interface traffic, and CPU/memory and other system resource usage.
  SNMP community:
  SNMP trap host:
✧ Syslog settings
  Syslog server IP:
  Log forwarding policy: event logs are sent to the syslog server; all other logs are kept on the local hard disk.
✧ Update policy (Update Center): registration is required first. Because the airport departure network is a production network that is not connected to the outside, FortiGate updates must be performed manually by the network administrator.
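The management and maintenance items listed above (device name, NTP, restricted management access, SNMP, syslog) map onto a small set of FortiOS CLI objects. The block below is an added example written for this page, not configuration taken from the plan or from Fortinet's documentation. It assumes FortiOS 5.x/6.x CLI syntax, a management interface named port1, a management subnet 10.1.1.0/24, and placeholder addresses for the SNMP trap host, the syslog server and the NTP server; the LCD password and registration/update steps depend on the model and are not shown.

```fortios
# Added example (not from the original plan): CLI equivalent of the
# management/maintenance checklist above. All names and addresses are
# placeholders chosen for the illustration.

# Device name, following the network-wide naming convention.
config system global
    set hostname "TJ_FG300A_A"
end

# Clock: synchronise from an NTP server so both HA members agree.
config system ntp
    set ntpsync enable
    set type custom
    config ntpserver
        edit 1
            set server "10.1.1.1"
        next
    end
end

# Management access per interface: only HTTPS and SSH (plus ping) on the
# management interface; HTTP and telnet are not listed, so they are off.
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end

# Restrict the admin account to the management subnet (trusthost1..10).
config system admin
    edit "admin"
        set trusthost1 10.1.1.0 255.255.255.0
    next
end

# SNMP: enable the agent, define a community with a trap host for
# interface state/traffic and CPU/memory monitoring.
config system snmp sysinfo
    set status enable
end
config system snmp community
    edit 1
        set name "placeholder-community"
        config hosts
            edit 1
                set ip 10.1.1.50 255.255.255.255
            next
        end
        set query-v2c-status enable
        set trap-v2c-status enable
    next
end

# Syslog: forward to the remote server; traffic log categories are
# disabled here so that, as the plan requires, mainly event logs leave
# the box and the rest stays on local disk.
config log syslogd setting
    set status enable
    set server "10.1.1.60"
    set port 514
end
config log syslogd filter
    set severity information
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
end
```

After applying, check the result with "show system interface port1", "show system snmp community" and "show log syslogd setting"; the second HA member gets the same settings with its own hostname, since HA synchronises most, but not all, of this configuration.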
Contents
Chapter 1  Fortinet configuration steps
Chapter 2  Fortinet firewall daily operation and maintenance commands
  2.1 Firewall configuration
  2.2 Daily firewall checks
    2.2.1 The firewall session table (System > Status > Session)
    2.2.2 Checking firewall CPU, memory and network utilisation
    2.2.3 Other checks
  2.3 Handling abnormal conditions
  2.4 Tips for use
Chapter 3  FortiGate firewall configuration maintenance and upgrade steps
  3.1 FortiGate firewall configuration maintenance
  3.2 FortiGate firewall version upgrade

Chapter 1  Fortinet configuration steps

1.1 Basic FortiGate firewall configuration
A FortiGate firewall can be configured through the command line or through the web interface. This manual mainly covers the latter.

First set the basic management IP address. The default management addresses are 192.168.1.99 on port P1 and 192.168.100.99 on port P2. Because P1 and P2 are both fibre interfaces, the initial configuration has to be done through the console port and the command line. For convenience, it is recommended to assign a management address to port P5: P5 is a copper Ethernet port, so a laptop can be connected to it directly with a crossover cable. Afterwards, log in to the firewall's Internal interface over HTTPS to reach the configuration interface.

1. The "System" menu
1.1 The "Status" submenu
1.1.1 The "Status" page
The "Status" page shows the firewall's key current system information, including uptime, firmware version, OS product serial number, interface IP addresses and states, and system resource usage. If CPU or memory utilisation stays above 80% for an extended period, this usually indicates abnormal network traffic (a virus or a network attack).
1.1.2 The "Session" page
FortiGate is a stateful-inspection firewall, and the system keeps track of all current network sessions. This page lets the network administrator see the current state of network usage.
FORTINET® PROTECT: MANUAL FOR ERECTING FORTINET PROTECT FENCE

Table of contents
1. The Betafence concept
  1.1 Post system
  1.2 Tools for professional installation
2. Preparation of the perimeter fence line
3. Embedding the posts into the concrete
4. Installation of the mesh
5. To continue
6. Supplementary fixation
7. Supplementary indications to keep in mind
8. Reparation of Fortinet welded mesh
  8.1 Tools
  8.2 Procedure
9. Fixing of Y-extension arms with barbed wire and clipped razor tape on Bekaclip posts
  A. Fixation of the Y-extension arms on straight posts
  B. Fixation of the barbed wire on the Y-extension
  C. Installation & fixation of the concertina coil on top of the Y-extension arms

1. THE BETAFENCE CONCEPT

Post system
Professional Bekaclip posts: the welded mesh is fixed to the posts using stainless steel fixing clips.

Tools for professional installation
- Tension comb: for even distribution of the tension across the welded mesh; for netting 1.50 to 2 metres high.
- Clip tongs: for fixing the clips to the attachment strips on the posts.
- Crimping tongs: for adjusting the tension (increases the crimping in the horizontal wires of the mesh).

2. PREPARATION OF THE PERIMETER FENCE LINE
Level the fence line as much as possible over a width of about 3 metres and over the total length: endless undulations make erecting the fence very difficult.

Normal ground
Holes can be drilled by means of a drill screwed onto an excavator; see the dimensions indicated on the attached shop drawing.

Sandy ground
Work with precast concrete foundation blocks (off site or in situ). Make full slots following the fence line and install the foundation blocks. Fill up the slot with backfill, gravel or something similar.
Level the area in front (outside the property) over about 3 metres.

Hard rocky ground
Drill holes of about 20 cm diameter and 60 cm depth by means of an adapted widia (carbide) drill screwed onto an excavator; posts can be shortened. After putting the posts in the holes, fill up the holes with rigid liquid concrete.

Areas where water accumulates
Depending on the depth, use longer posts or check whether the fence can be put on another track.

Important note:
▪ Allow at least one week for hardening of the concrete.
▪ Wet the concrete several times a day and protect it against sunshine, especially when temperatures are high.
▪ We advise using concrete as dry as possible.

[Figure: sample of a property]

Inner and outer corners
Verify the details related to the direction of the fixing strip on the post when making inner and outer corners.
[Figure: outer corner]

3. EMBEDDING THE POSTS INTO THE CONCRETE (+ ONE WEEK FOR HARDENING)
STEP 1: Start by embedding the corner, first and end posts and the intermediate tension posts, together with the brace posts.
STEP 2: Fix the brace posts properly: each hole has to be directed to the mid-point of the Bekaclip post, and the screws have to be fixed properly. Holes of 8 mm diameter for the hook bolts are to be drilled on site or off site by a contractor.
STEP 3: Tension a rope from top to top of these tension units and embed the intermediate posts properly while touching the rope on top of the intermediate posts, to ensure the right level and direction.

4. INSTALLATION OF THE MESH
[Figure: Bekaclip post with Bekaclip tongs and stainless steel clips]
STEP 1 & STEP 2: Unroll two Fortinet Protect rolls over the ground in front of the posts.
STEP 3: Connect them by means of the Fortinet clips. Lift up the start of the roll and fix it on the first post. Fix each horizontal wire to start. The horizontal wires of the welded mesh go on the outside of the property, with the overhangs directed to the top of the fence. Secure the fixation by means of double-knotted tie wire over the whole height of the fence.
STEP 5: Insert the tension comb in the welded mesh a couple of metres beyond the first intermediate tension unit (at least 30 metres away from the first post). Hang the belt/rope between the tension comb and the scoop of the excavator and start tensioning; the welded mesh will lift up by itself. Once you have full tension (the welded mesh is perfectly straight and "feels hard"), fix the roll on the fixation strip of the tension post with clips about every 30 cm. Verify the distance between the lower part of the roll and ground level before fixing properly.
STEP 7: Do the same on each intermediate post; the distance between two clips is about 40 cm. Check the height above ground level on each post before fixing.

5. TO CONTINUE
Once the first 30 linear metres are installed properly, release the tension comb and the belt/rope. Connect 2 or 3 new rolls to the first end and tension by means of the tension comb, the belt and the excavator. Always check the distance between the welded mesh and ground level, and satisfy yourself with the tension on the welded mesh before fixing. Always fix the mesh first on the tension units (step 6, about every 30 linear metres) and later on the intermediate posts (step 7).

6. SUPPLEMENTARY FIXATION
Supplementary double tie wire can be added afterwards and knotted on the inside of the property. We advise once at the top, once at the bottom and once in the middle of the welded mesh.

7. SUPPLEMENTARY INDICATIONS TO KEEP IN MIND
1. We advise starting to erect the fence on a normal, flat and horizontal ground level, to learn and feel how to handle it.
2. Inner and outer corners. It is very important to think about the position of the fixation strip of the Bekaclip posts before embedding them into the concrete; see the details. Also think about the direction of tensioning before embedding and drilling the corner posts: sometimes it can be better to turn the post through 90°. Make sure before starting.
3. Slopes. Fix all intermediate posts/fence (detail 3).
4. It is important to have some rigid ladders to allow labourers to work up to 2.5 metres high.
5. Never walk over the welded mesh when it is spread over the ground, except to join two rolls. Otherwise each step damages/deforms the fence and will influence the look afterwards. Of course this can be adjusted by means of the crimp tongs, but that takes supplementary time afterwards. If there are undulations in the fence after fixing properly, they can be removed by means of the same crimp tongs.
[Figure: crimp tongs; tension fork]
6. When interrupting erection of the fence (for instance after a shift or before a weekend), always fix the last end of the welded mesh on the "last intermediate tension unit" with clips at 10 to 15 cm spacing.
7. Prepare the fence line as straight and level as possible and remove all debris (rock blocks, wooden planks, ...) over a width of about 3 metres in front of the posts: this reduces damage to the welded mesh and increases safety on the job, the speed of work and the final look of the fence.
8. If there is concrete on the lower part of the Bekaclip posts, clean it off before everything has hardened; otherwise it will be difficult or impossible to install the clips properly.
9. If the axle holes of the Fortinet Protect rolls are damaged while unloading the containers, cut away two or three meshes. Keep in mind that, when fixing two rolls together, it is important that the join is as flat as possible.
10. If intermediate posts are not perfectly level, it is possible to adjust them before fixing the mesh by means of the small black tension forks, by pushing the posts to the left or to the right: this will improve the look afterwards.
11. Number of clips: for a 2 metre high fence: ; for a 2.5 metre high fence with extension arm: .
12. Unloading a container. To avoid damage to the rolls, replace the standard flat forks on the forklift by a round pointed beam. Make sure the forklift can drive into the container to unload.
Try to organise a ramp for unloading the container; such a tool will increase the speed of unloading substantially.
13. Verify the dimensions and capacities of the excavator. This is an essential tool for tensioning properly in all conditions, and it eliminates working with a winch. In the meantime, the workman with the excavator can transport the heavy rolls, and level and backfill the perimeter area.

8. REPARATION OF FORTINET WELDED MESH

Procedure
1. Problem of broken mesh.
2. Hang a tension comb on both sides of the mesh, as close as possible on the inside of the fence, connected with the winch.
3. Pull both ends together using the winch.
4. Adjust the pieces of Fortinet welded mesh and connect all parts using the Fortinet clips.

9. FIXING OF Y-EXTENSION ARMS WITH BARBED WIRE AND CLIPPED RAZOR TAPE ON BEKACLIP POSTS

A. Fixation of the Y-extension arms on straight posts
Off site
▪ Enter the Bekaclip post into the small part of the extension arm. (If there is an 8 mm diameter hole in the Bekaclip post, that is the part of the post to be embedded into the concrete.)
▪ When using the 4.8 x 25 mm self-drilling screws, you also need a hard steel drive pin to prepare a hole, a specific bit (for instance WERA type 851/1 BDC), and a drill/driver with variable speed (450 to 1500 r/min) and adjustable torque (3 Nm to 10 Nm).
On site
▪ Install the extension arm on top of the post.
▪ When using the 4.8 x 25 mm self-drilling screws, you will need the same tooling as described above AND a counter-block (for instance a hammer of at least 1.25 kg) to prepare a hole in the extension arm, which makes drilling and screwing easier.

B. Fixation of the barbed wire on the Y-extension
▪ Unroll a 250 metre long coil of barbed wire in front of the fence.
▪ Fix the barbed wire on top of a Y-extension, about 3 cm beyond the top of the extension arm, at about 125 metres from the first post, where the brace posts are.
▪ Turn the barbed wire around the Bekaclip extension arm and secure the fixation by means of the standard stainless steel clip on the fixing strip.
▪ Fix a tensioner on both ends of the barbed wire (see the drawing below) and tension the barbed wire properly.
▪ Start a second layer of barbed wire in the same way, allowing a spacing of about 20 cm from the top layer.
▪ Install the barbed wire on both sides of the fence simultaneously, to avoid sags in the barbed wire rope or lower tension on one of the two sides of the fence.

C. Installation & fixation of the concertina coil on top of the Y-extension arms
▪ Necessary tools: a high truck with platform, or a hollow tube about 12 metres long and about 5 forks 3 metres long, to be arranged locally.
▪ Using a high truck passing along the fence: while the truck moves slowly along the fence, have the coil extended and laid down on the barbed wire ropes over 12 metres.
▪ Using a hollow tube of more than 12 metres:
  - Extend the coil over 12 metres.
  - Enter the tube through the axle hole of the coil.
  - Fix the start and end of the extended coil on the tube (12 metres extended).
  - Lift up the extended 12 metre long coil by means of at least 5 forks and 5 people and drop the extended coil onto the barbed wire ropes.
▪ Connection of two coils: by means of 3 stainless steel clips.
▪ Connection of the coil to the barbed wire ropes: with about 27 stainless steel clips between two extension arms, joining each contact point between razor tape and barbed wire.
FortiGate Voice-80C

© Copyright 2009 Fortinet Incorporated. All rights reserved. Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Regulatory compliance: FCC Class B Part 15, CSA/CUS. 25 September 2009. Document 01-40000-111139-20090925.

[Figure: front and back panels. Front: Power, Status, HA and Alarm LEDs; phone ports FXO1 to FXO4 (LINK/ACT); WAN1 and WAN2 (LINK/ACT, 10/100/1000); internal interface/switch connectors 1 to 8 (LINK/ACT, 10/100); USB. Back: DC +12V power connection, ground, console connection, USB.]

[Figure: connections. The power cable connects to the power supply; an optional RJ-45 serial cable connects to the serial port on the management computer; straight-through Ethernet cables connect the WAN ports to the Internet and the internal ports to computers on the internal network; an optional RJ-11 telephone cable connects to a phone port.]

Package contents: straight-through Ethernet cable, AC power cable, RJ-45 to DB-9 serial cable, power supply, 4 rubber feet.

Interfaces
- Ports 1 to 8: RJ-45, 10/100 Base-T, Ethernet. An eight-port switch connection for the internal network.
- WAN1 and WAN2: RJ-45, 10/100/1000 Base-T, Ethernet. Redundant connections to the Internet.
- Console: RJ-45, 9600 bps 8/N/1, RS-232. Optional connection to the management computer. Provides access to the command line interface (CLI).
- USB: two optional USB connections for the USB key, modem, or backup operation.
- FXO1 to FXO4: RJ-11. Four phone ports.

Web Config
The FortiGate Web Config is an easy-to-use management tool. Use it to configure the administrator password, the interface and default gateway addresses, and the DNS server addresses.
Requirements:
• An Ethernet connection between the FortiGate unit and the management computer.
• A web browser such as Firefox or Internet Explorer on the management computer.

Command Line Interface (CLI)
The CLI is a full-featured management tool. Use it to configure the administrator password, the interface addresses, the default gateway address, and the DNS server addresses. To configure advanced settings, see the Tools and Documentation CD included with the FortiGate unit.
Requirements:
• The RJ-45 to DB-9 serial connection between the FortiGate unit and the management computer.
• A terminal emulation application (HyperTerminal for Windows) on the management computer.

LEDs
- Power: green, the unit is on; off, the unit is off.
- Status: flashing green, the unit is starting up; green, the unit is running normally.
- Ports 1 to 8, LINK/ACT: green, port is online (link); flashing, port is receiving or sending data (activity). 10/100: amber, connected at 100 Mbps; off, connected at 10 Mbps.
- HA: green, the unit is being used in an HA cluster.
- Alarm: red, a critical error has occurred; amber, a minor error has occurred; off, no errors detected.
- WAN1, WAN2, LINK/ACT: green, port is online (link); flashing, port is receiving or sending data (activity). 10/100/1000: green, connected at 1000 Mbps; amber, connected at 100 Mbps; off, connected at 10 Mbps.
- FXO1 to FXO4: green, administrative status is up; off, administrative status is down.

Connecting the unit
Ensure the FortiGate unit is placed on a stable surface. Connect the following to the FortiGate unit:
• Insert a network cable into WAN1. Insert the other end into the router connected to the Internet, or into the modem.
• Connect a network cable to an internal port (ports 1 to 8). Insert the other end into a computer or switch.
• Connect the AC power cable to the power supply.
• Connect the power cord to a surge-protected power bar or power supply. Caution: power supply voltage is 90-240 VAC.
• Optionally, connect an RJ-45 serial cable to the Console port and insert the other end into the management computer.
• Optionally, connect an RJ-11 telephone cable to a phone port (FXO1 to FXO4) and insert the other end into the public switched telephone network (PSTN).
CAUTION: To reduce the risk of fire, use only No. 26 AWG or larger telecommunication line cord.

Visit these links for more information and documentation for your Fortinet product: Technical Documentation, Fortinet Technical Support, Training Services, Fortinet Knowledge Center.

Configuration worksheet

NAT/Route mode
Port 1 to Port 8, WAN1, WAN2: IP ____.____.____.____ Netmask ____.____.____.____ (one entry per interface). The internal interface IP address and netmask must be valid for the internal network.

Transparent mode
Management IP: IP ____.____.____.____ Netmask ____.____.____.____. The management IP address and netmask must be valid for the network from which you will manage the FortiGate unit.

General settings
Administrative account settings: user name admin, password (none).
Network settings: default gateway ____.____.____.____; primary DNS server ____.____.____.____; secondary DNS server ____.____.____.____. A default gateway is required for the FortiGate unit to route connections to the Internet.

Factory default settings (NAT/Route mode)
- Internal: 192.168.1.99
- WAN1, WAN2:
- DHCP server on the Internal interface: 192.168.1.110 – 192.168.1.210
To reset the FortiGate unit to the factory defaults, in the CLI type the command execute factoryreset.

Web Config
1. Connect the FortiGate internal interface to a management computer Ethernet interface. Use a crossover Ethernet cable to connect the devices directly. Use straight-through Ethernet cables to connect the devices through a hub or switch.
2. Configure the management computer to be on the same subnet as the internal interface of the FortiGate unit. To do this, change the IP address of the management computer to 192.168.1.2 and the netmask to 255.255.255.0.
3. To access the FortiGate web-based manager, start Internet Explorer and browse to https://192.168.1.99 (remember to include the "s" in https://).
4. Type admin in the Name field and select Login.

NAT/Route mode
To change the administrator password
1. Go to System > Admin > Administrators.
2. Select Change Password for the admin administrator and enter a new password.
To configure interfaces
1. Go to System > Network > Interface.
2. Select the edit icon for each interface to configure.
3. Set the addressing mode for the interface (see the online help for information).
   • For manual addressing, enter the IP address and netmask for the interface.
   • For DHCP addressing, select DHCP and any required settings.
   • For PPPoE addressing, select PPPoE, and enter the username and password and any other required settings.
To configure the primary and secondary DNS server IP addresses
1. Go to System > Network > Options, enter the primary and secondary DNS IP addresses that you recorded above and select Apply.
To configure a default gateway
1. Go to Router > Static and select the Edit icon for the static route.
2. Set Gateway to the default gateway IP address you recorded above and select OK.

Transparent mode
To switch from NAT/Route mode to Transparent mode
1. Go to System > Config > Operation Mode and select Transparent.
2. Set the Management IP/Netmask to 192.168.1.99/24.
3. Set a default gateway and select Apply.
To change the administrator password
1. Go to System > Admin > Administrators.
2. Select Change Password for the admin administrator and enter a new password.
To change the management interface
1. Go to System > Config > Operation Mode.
2. Enter the management IP address and netmask that you recorded above and select Apply.
To configure the primary and secondary DNS server IP addresses
1.
Go to System > Network > Options, enter the Primary and Secondary DNS IP addresses that yourecorded above and select mand Line Interface1. Use the RJ-45 to DB9 serial cable to connect the FortiGate Console port to the managementcomputer serial port.2. Start a terminal emulation program (HyperTerminal) on the management computer. Use these set-tings:3. Baud Rate (bps) 9600, Data bits 8, Parity None, Stop bits 1, and Flow Control None.4. At the Login: prompt, type admin and press Enter twice (no password required).NAT/Route mode1. Configure the FortiGate internal interface.config system interfaceedit internalset ip <interface_ipv4mask>end2. Repeat to configure each interface, for example, to configure the WAN1 interface.config system interfaceedit wan1...3. Configure the primary and secondary DNS server IP addresses.config system dnsset primary <dns_ipv4>set secondary <dns_ipv4>end4. Configure the default gateway.config router staticedit 1set gateway <gateway_address_ipv4>endTransparent Mode1. Change from NAT/Route mode to Transparent mode and configure the Management IP address.config system settingsset opmode transparentset manageip <manage_ipv4>set gateway <gw_ipv4>end2. Configure the DNS server IP address.config system dnsset primary <dns_ipv4>set secondary <dns_ipv4>endNAT/Route modeYou would typically use NAT/Route mode when the FortiGate unit is deployed as a gateway between private and public networks. In its default NAT/Route mode configuration, the unit functions as a firewall. Firewall policies control communications through the FortiGate unit. Transparent modeYou would typically use the FortiGate unit in Transparent mode on a private network behind an existingfirewall or behind a router. In its default Transparent mode configuration, the unit functions as a firewall.Use Web Config to configure the PBX features below. 
You will need to configure the following PBX features:• PSTN Interfaces to establish connection with the telephone network and the FortiGate unit.• VoIP Provider that provides digital telephone service that uses the Internet for call transport.• Dial Plan to determine the expected number and pattern of digits for a telephone number. This includes country codes, area codes, and any combination of digits dialed. Dial plans must comply with the telephone networks to which they connect.Note that this is only basic configuration information. For more information on configuring the PBX features, see the FortiGate Administration Guide.To set the PSTN Interfaces1. Go to System > Network > PSTN Interface tab.2. Select one of the fxo ports and click the Edit icon to set up the interface.To set the VoIP Provider1. Go to PBX > Config > VoIP Provider tab.2. Create a VoIP provider and configure the properties.To set the Dial Plan1. Go to PBX > Call > Dial Plan tab.2. Create a new Dial Plan and apply the PSTN Interfaces and/or VoIP Provider to the pattern of digits and the telephone network.。
Huawei Technologies Security Services
Fortigate Firewall Concise Configuration Guide
Huawei Technologies Co., Ltd., June 2013
Copyright notice: © 2003 Huawei Technologies Co., Ltd. All rights reserved.
No part of this document may be excerpted or reproduced, in part or in whole, by any organization or individual without the written permission of the company, nor may it be distributed in any form.
Author information. Revision record.
Contents
Chapter 1 Product overview
Chapter 2 FortiGate firewall concise configuration guide
1. Restore factory defaults
2. Serial port configuration
3. Connect a crossover cable to port3 and open the web configuration
4. Configure the external interface gateway
5. Configure routes
6. Configure a virtual external IP
7. Configure port services
8. Service groups
9. Associate the service group with the mapped IP

Chapter 1 Product overview
The FortiGate security and content control product family is built on a new architectural approach, offers an unmatched price/performance ratio, and is a complete network security and content control product covering all layers.
Developed over several years by some of the security industry's most respected security experts, the FortiGate solution breaks through the network "content processing barrier".
It provides broad protection at the network perimeter against all types of security threats, including viruses and other content-based attacks.
It also has an unprecedented ability to eliminate content misuse and abuse, to manage bandwidth, and to reduce equipment and management costs.
Conventional security systems such as firewalls and VPN gateways are effective at preventing so-called network-layer attacks: they inspect packet header information to ensure that only legitimate requests from trusted sources are allowed.
Today, however, the vast majority of damaging attacks combine network-layer attacks with application-layer or content-based attacks, such as viruses and worms.
In these more sophisticated attacks the harmful content is often buried deep in the packet payload and spread through many apparently "friendly" packets that pass a traditional firewall with ease.
Likewise, effective network protection depends on recognizing complex and subtle patterns spread across several packets, and requires, in addition to real-time network-layer information, the ability to decompose and analyze application-layer content (such as files and commands).
At today's network speeds, however, the processing power needed for efficient content processing exceeds the capability of even the most powerful network devices.
As a result, organizations that use conventional solutions face a "content processing barrier", which forces them to deploy more content-security services on desktops and servers.
FortiExtender™ Series Data Sheet
Extend, Ensure, and Secure Your Network

FortiExtender offers scalable, cost-effective, and resilient 5G, LTE, and Ethernet solutions. Driven by Fortinet's unique approach of Security-driven networking, FortiExtender allows organizations business continuity and improved network availability while securing connectivity with wired broadband and cellular networks.
From secure point of sale (POS) systems to vehicle fleet communication, FortiExtender provides reliable broadband access to the internet and extends the value of the Fortinet Security Fabric to support fluid business operations dependent on remote device connectivity.

Highlights
• Improves user experience through optimal 5G and LTE wireless signal
• Provides secure network failover with out of band management (OBM), dual SIM, and dual Modem capabilities
• Integrates with Fortinet Secure SD-WAN for ease of deployment, management, and security
• Offers dynamic, flexible edge connectivity: switch links among ISPs based on data consumption, schedules, or ad hoc
• Enables network access for remote sites and branches located beyond fixed broadband
• Accelerates cloud connectivity for any user with flexible on-ramp paths to SaaS/IaaS
• Reduces overall WAN TCO with FortiGate Network Security Platform integration
• Cloud-based management empowers businesses with globally distributed locations
• Four LAN ports and routing capabilities enable remote
• Available in Appliance

Security-Driven Networking
Security Fabric Integration: Integration with Fortinet SD-WAN and FortiGate appliances secures internet edge breakouts with a complete set of Web, Content, and Device security controls far beyond other industry solutions.
Optimal Signal Strength: A single PoE cable provides optimal 5G/LTE signal vs complex, lossy antenna cables or limited strength USB modems. Dual SIM and Dual Modem options offer up to 5X network reliability.
Simplified Management: Manage your FortiExtender from the FortiManager, FortiGate, or FortiExtender Cloud dashboard, making network changes, security controls, and policy automation simple.
[Figure: FortiExtender managed with FortiGate]

Features
Superior Management, Security, and Control
FortiExtenders are a true plug-and-play device. Once connected to the FortiGate, they appear as a regular network interface in FortiOS management. IT administrators can manage the connection as well as implement complete UTM security and control, just like any other FortiGate interface. In addition, FortiOS will display data quota usage on the wireless WAN interface, providing complete visibility of the connection to ensure costly carrier data limits are not exceeded. The superior management, security, and control of the FortiExtender ultimately reduces IT costs while extending, ensuring, and securing the network.
Flexible Deployment for Optimal Signal Strength
FortiExtender devices are designed to receive the best possible 5G/LTE signal. The device utilizes Power over Ethernet (PoE) so you can run a high-quality ethernet cable to a location with optimal signal strength, up to 100 m away from the FortiGate or Network Switch.
[Figure: FortiExtender can be placed near a window for optimal signal strength]

Deployment
Flexible 5G/LTE Connectivity
The FortiExtender family of 5G/LTE appliances supports dual SIM and dual modem options, enabling up to four different ISPs for 5G/LTE connectivity. Our dual SIM models allow for one active and one passive cellular link, providing fast failover. Dual Modem options provide two active and two passive links, for the fastest failover and disaster recovery. You can also configure the FortiExtender to utilize an ISP link until a certain data usage threshold is reached. At that point, FortiExtender can automatically shift over to another ISP and use that 5G/LTE connection. Additional conditions can be set to shift the connection between SIM cards, allowing you to balance connectivity and cost.
[Figure: Switch between ISPs based on cost or data usage]
Flexible WAN Connectivity
FortiExtender offers new WAN connectivity options with an Ethernet WAN port, in addition to the LTE WAN links. With this WAN port, you can connect to a DSL, cable, or another modem for additional WAN connectivity options. Load-balancing and failover options enable your FortiExtender to manage your WAN connections across several options to ensure connectivity at the best cost point.
[Figure: Mix LTE and Cable/DSL connections for load-balancing and/or failover]
Hybrid WAN-LAN Connectivity
FortiExtender offers four LAN Ethernet ports to enable multiple connections to the LTE connection. Ideal for High Availability (HA) pairs of FortiGates, each FortiGate can be directly connected to the FortiExtender. Either FortiGate can run in load-balancing or failover modes and receive WAN connectivity from the FortiExtender.
[Figure: Easily supports two FortiGates in HA mode without additional hardware]

Hardware Specifications (certifications; the model names heading each column are not present in the extracted text)
Group 1 (four models)
IC | ICES-003, RSS-102 | — | ICES-003, RSS-247, RSS-102 | —
CE | — | EMC 2014/30/EU (EN 55032, EN 55024, EN 55035, EN 61000-3-2/-3; EN 301 489-1/-19, Draft EN 301 489-52); RED 2014/53/EU (EN 303 413, EN 301 908-1/-2/-13, EN 62311); LVD 2014/35/EU (EN 62368-1) | — | EMC 2014/30/EU (EN 55032, EN 55035, EN 61000-3-2/-3; EN 301 489-1/-17/-52, Draft EN 301 489-19); RED 2014/53/EU (EN 300 328, EN 303 413, EN 301 908-1/-2/-13, EN 62311); LVD 2014/35/EU (EN 62368-1)
UL | UL/CSA 62368-1 | UL/CSA 62368-1 | UL/CSA 62368-1 | UL/CSA 62368-1
CB | IEC/EN 60950-1, IEC/EN 62368-1 | IEC/EN 60950-1, IEC/EN 62368-1 | IEC/EN 62368-1 | IEC/EN 62368-1

Certification notes: The built-in modem offers quad-band connectivity to HSPA+ networks worldwide and is expected to work in 3G mode worldwide, subject to carrier support. There are exceptions however, as some carriers control the access to their network to specific carrier certified devices. These carriers allow only certified modem IMEI numbers on their network and have the ability to disable the LTE connection after a period of time. The following carriers are known to require additional testing to obtain certification. Please reach out to the Fortinet sales team to evaluate your specific regional requirements: Brazil (VIVO),

Group 2 (three models)
IC | ICES-003, RSS-247, RSS-102 | — | ICES-003, RSS-247, RSS-102
CE | — | EMC 2014/30/EU (EN 55032, EN 55035, EN 61000-3-2/-3; EN 301 489-1/-17/-52, Draft EN 301 489-19); RED 2014/53/EU (EN 300 328, EN 303 413, EN 301 908-1/-2/-13, EN 62311); LVD 2014/35/EU (EN 62368-1) | EMC 2014/30/EU (EN 55032, EN 55024, EN 55035, EN 61000-3-2/-3; EN 301 489-1/-17); RED 2014/53/EU (EN 300 328, EN 62311); LVD 2014/35/EU (EN 60950-1, EN 62368-1)
UL | UL/CSA 62368-1 | UL/CSA 62368-1 | UL/CSA 60950-1, UL/CSA 62368-1
CB | IEC/EN 62368-1 | IEC/EN 62368-1 | IEC/EN 60950-1, IEC/EN 62368-1

Group 3 (four models)
IC | ICES-003, RSS-247, RSS-102 | ICES-003, RSS-247, RSS-102 | ICES-003, RSS-247, RSS-102 | ICES-003, RSS-247, RSS-102
CE | EMC 2014/30/EU (EN 55032, EN 55024, EN 55035, EN 61000-3-2/-3; EN 301 489-1/-17/-19, Draft EN 301 489-52); RED 2014/53/EU (EN 300 328, EN 303 413, EN 301 908-1/-2/-13, EN 62311, EN 50382, EN 50665, EN 50663, EN 62479); LVD 2014/35/EU (EN 60950-1, EN 62368-1) | EMC 2014/30/EU (EN 55032, EN 55024, EN 55035, EN 61000-3-2/-3; EN 301 489-1/-17/-19, Draft EN 301 489-52); RED 2014/53/EU (EN 300 328, EN 303 413, EN 301 908-1/-2/-13, EN 62311); LVD 2014/35/EU (EN 60950-1, EN 62368-1) | EMC 2014/30/EU (EN 55032, EN 55024, EN 55035, EN 61000-3-2/-3; EN 301 489-1/-17, Draft EN 301 489-19/-52); RED 2014/53/EU (EN 300 328, EN 303 413, EN 301 908-1/-2/-13, EN 62311, EN 50665, EN 50385); LVD 2014/35/EU (EN 62368-1) | EMC 2014/30/EU (EN 55032, EN 55024, EN 55035, EN 61000-3-2/-3; EN 301 489-1/-17/-19, Draft EN 301 489-52); RED 2014/53/EU (EN 300 328, EN 303 413, EN 301 908-1/-2/-13/-25, EN 62311); LVD 2014/35/EU (EN 60950-1, EN 62368-1)
UL | UL/CSA 60950-1, UL/CSA 62368-1 | UL/CSA 62368-1 | UL/CSA 62368-1 | UL/CSA 62368-1
CB | IEC/EN 60950-1, IEC/EN 62368-1 | IEC/EN 60950-1, IEC/EN 62368-1 | IEC/EN 60950-1, IEC/EN 62368-1 | IEC/EN 60950-1, IEC/EN 62368-1

Internal Modem Specifications (LTE models)
Modem Model | Quectel EM06-A | Quectel EM06-E | Sierra Wireless EM7411 | Sierra Wireless EM7421 | Sierra Wireless EM7411 (2x Modem) | Sierra Wireless EM7421 (2x Modem)
Regional Compatibility | North America Carriers | EMEA, Brazil, some APAC Carriers | North America Carriers | EMEA, APAC Carriers | North America Carriers | EMEA, APAC Carriers
5G NR SA and NSA | — | — | — | — | — | —
4G LTE | CAT-6; FDD Bands: 2, 4, 5, 7, 12, 13, 25, 26, 29, 30, 66; TDD Bands: 41 | CAT-6; FDD Bands: 1, 3, 5, 7, 8, 20, 28, 32; TDD Bands: 38, 40, 41 | CAT-7; Bands: 2, 4, 5, 7, 12, 13, 14, 25, 26, 41, 42, 43, 48, 66, 71 | CAT-7; Bands: 1, 3, 7, 8, 20, 28, 32, 38, 40, 41, 42, 43 | CAT-7; Bands: 2, 4, 5, 7, 12, 13, 14, 25, 26, 41, 42, 43, 48, 66, 71 | CAT-7; Bands: 1, 3, 7, 8, 20, 28, 32, 38, 40, 41, 42, 43
3G UMTS/HSPA+ | Bands: 2, 4, 5 | Bands: 1, 3, 5, 8 | Bands: 2, 4, 5 | Bands: 1, 5, 8 | Bands: 2, 4, 5 | Bands: 1, 5, 8
3G WCDMA | Bands: 2, 4, 5 | Bands: 1, 3, 5, 8 | Bands: 2, 4, 5 | Bands: 1, 5, 8 | Bands: 2, 4, 5 | Bands: 1, 5, 8
Additional Ports | GPS antenna port | GPS antenna port | GPS antenna port | GPS antenna port | GPS antenna port | GPS antenna port
Connector Type | SMA (MAIN, AUX, GPS) | SMA (MAIN, AUX, GPS) | SMA (MAIN, AUX, GPS) | SMA (MAIN, AUX, GPS) | SMA LTE1 (MAIN, AUX, GPS), LTE2 (MAIN, AUX, GPS) | SMA LTE1 (MAIN, AUX, GPS), LTE2 (MAIN, AUX, GPS)
Module Certifications | FCC, IC, GCF, PTCRB | GCF, CE, NCC, RCM, ICASA | FCC, IC, GCF, PTCRB | GCF, NCC | FCC, IC, GCF, PTCRB | GCF, NCC
Diversity | Yes | Yes | Yes | Yes | Yes | Yes
MIMO | Yes | Yes | Yes | Yes | Yes | Yes
GNSS Bias | Yes | Yes | Yes | Yes | Yes | Yes

Internal Modem Specifications (global and 5G models)
Modem Model | Sierra Wireless EM7565 | Sierra Wireless EM7565 (2x Modem) | Quectel EM160R-GL | Quectel RM502Q-AE
Regional Compatibility | Global Carriers | Global Carriers | Global Carriers | Global Carriers
5G NR SA and NSA | — | — | — | 5G Sub-6 Bands: n1, n2, n3, n5, n7, n8, n12, n20, n25, n28, n38, n40, n41, n48, n66, n71, n77, n78, n79
4G LTE | CAT-12; Bands: 1, 2, 3, 4, 5, 7, 8, 9, 12, 13, 18, 19, 20, 26, 28, 29, 30, 32, 41, 42, 43, 46, 48, 66 (Bands 42, 43, 46 are supported on Rev: P24254-02 and later) | CAT-12; Bands: 1, 2, 3, 4, 5, 7, 8, 9, 12, 13, 18, 19, 20, 26, 28, 29, 30, 32, 41, 42, 43, 46, 48, 66 | CAT-16; FDD Bands: 1, 2, 3, 4, 5, 7, 8, 12, 13, 14, 17, 18, 19, 20, 25, 26, 28, 29, 30, 32, 66; TDD Bands: 38, 39, 40, 41, 42, 43, 46 (LAA), 48 (CBRS) | CAT-20; FDD Bands: 1, 2, 3, 4, 5, 7, 8, 12(17), 13, 14, 18, 19, 20, 25, 26, 28, 29, 30, 32, 66, 71; TDD Bands: 34, 38, 39, 40, 41, 42, 43, 48
3G UMTS/HSPA+ | Bands: 1, 2, 4, 5, 6, 8, 9, 19 | Bands: 1, 2, 4, 5, 6, 8, 9, 19 | Bands: 1, 2, 3, 4, 5, 6, 8, 19 | Bands: 1, 2, 3, 4, 5, 6, 8, 19
3G WCDMA | Bands: 1, 2, 4, 5, 6, 8, 9, 19 | Bands: 1, 2, 4, 5, 6, 8, 9, 19 | Bands: 1, 2, 3, 4, 5, 6, 8, 19 | Bands: 1, 2, 3, 4, 5, 6, 8, 19
Additional Ports | GPS antenna port | GPS antenna port | MIMO1, MIMO2 | MIMO1, MIMO2
Connector Type | SMA (MAIN, AUX, GPS) | SMA LTE1 (MAIN, AUX, GPS), LTE2 (MAIN, AUX, GPS) | 4x SMA (MAIN, MIMO1, MIMO2, Diversity/GPS) | 4x SMA (MAIN, MIMO1, MIMO2, Diversity/GPS)
Module Certifications | FCC, IC, CE, GCF, PTCRB | FCC, IC, CE, GCF, PTCRB | GCF, CE, PTCRB, FCC, IC, Anatel, IFETEL, SRRC/NAL/CCC, NCC, KC, JATE/TELEC, RCM, ICASA | GCF, CE, PTCRB, FCC, IC, JATE/TELEC, RCM
Diversity | Yes | Yes | Yes | Yes
MIMO | Yes | Yes | Yes | Yes
GNSS Bias | Yes | Yes | Yes | Yes

3G/4G-LTE/5G Specifications
Features supported on all ten models: Auto-connect; Auto-select Network; Data Byte Count; Network Profile; Self-diagnostics; Power Management (standby and hibernate, selective suspend); DIAG and AT Commands; Private IP SIM Support; L2 Tunnel Mode via VLAN or CAPWAP for fast and flexible deployments; Single Pane of Glass Management via FortiGate and FortiManager.
Carrier certifications (ten model columns, in the order of the feature table above):
ATT | ✓ | — | ✓ | — | ✓ | — | ✓ | ✓ | ✓ | ✓
PTCRB | ✓ | — | ✓ | — | ✓ | — | ✓ | ✓ | ✓ | ✓
T-Mobile | — | — | — | — | — | — | — | — | — | —
Public Safety Network | — | — | — | — | — | — | — | — | — | FirstNet Ready®

Ordering Information (partial)
... 211E, FEX-212F, FEX-311F and FEX-511F models.
Power Adapter SP-FEX12V3A-PA-1-EU: AC Power adapter with EU plug for Europe, for use with FortiExtender FEX-101F, FEX-201F, FEX-202F, FEX-211E, FEX-212F, FEX-311F and FEX-511F models.

Copyright © 2023 Fortinet, Inc. All rights reserved. January 17, 2023. FEXT-DAT-R36-20230117
Fortinet Firewall Device Maintenance Manual
Fortinet is a global leader in network security solutions.
Its firewall devices are an important component of enterprise network security protection.
This manual introduces common problems with Fortinet firewall devices and the methods for handling them, to help administrators maintain and manage the firewall devices better.
1. Basic maintenance of the firewall device
1.1 Back up the configuration file regularly
The firewall's configuration file contains all configuration information and is a critical dependency for the firewall's normal operation.
Backing up the configuration file regularly ensures that the firewall's configuration can be restored quickly if a problem occurs.
To back up the configuration on a Fortinet firewall:
1. Log in to the Fortinet device console.
2. In the navigation bar on the left of the console, select "System Settings" -> "Dashboard".
3. Click the "Backup" button to perform the backup.
1.2 Clean up log files
The firewall's logs are very important for troubleshooting and security auditing.
However, because the number of log files grows over time, old log files must be cleaned up regularly to free disk space.
To clean up log files on a Fortinet firewall:
1. Log in to the Fortinet device console.
2. In the navigation bar on the left of the console, select "Log & Report" -> "Log View".
3. Select the log files to delete and click the "Delete" button.
1.3 Update the software regularly
Firmware updates for Fortinet firewall devices typically include security patches and performance optimizations.
Updating the software regularly protects the device against common network attacks and improves its operating efficiency.
To update the firmware on a Fortinet firewall:
1. Log in to the Fortinet device console.
2. In the navigation bar on the left of the console, select "System Settings" -> "Dashboard".
3. Select the "Update" tab and click the "Check" button to check for updates.
4. If an update is available, click the "Download" button to download it.
5. When the download completes, click the "Install" button to install the update.
2. Common fault handling methods
2.1 The firewall cannot access the Internet
2.1.1 Network configuration check
First, confirm that the firewall's network configuration is correct.
Contents
Chapter 1 FORTINET configuration steps
Chapter 2 FORTINET firewall daily operation and maintenance commands
2.1 Firewall configuration
2.2 Firewall daily checks
2.2.1 The firewall session table (System Management - Status - Sessions)
2.2.2 Check the firewall's CPU, memory and network utilization
2.2.3 Other checks
2.3 Exception handling
2.4 Usage tips
Chapter 3 FORTIGATE firewall configuration maintenance and upgrade steps
3.1 FORTIGATE firewall configuration maintenance
3.2 FORTIGATE firewall version upgrade

Chapter 1 Fortinet configuration steps
1.1.1.1 Basic configuration of the Fortigate firewall
The Fortigate firewall can be configured through the command line or the web interface.
This manual mainly describes the latter.
First set the basic management IP address. The default management addresses are 192.168.1.99 on port P1 and 192.168.100.99 on port P2.
However, because P1 and P2 are both fiber interfaces, the initial configuration has to be done through the Console port and the command line. For convenience, it is recommended to configure a management address on port P5: P5 is a copper Ethernet port, so it can be reached directly from a laptop with a crossover cable.
After that, log in over https to the firewall's Internal interface to reach the configuration interface.
1. "System Management" menu
1.1 "Status" submenu
1.1.1 "Status" page
The "Status" page displays the firewall's important current system information, including system uptime, version number, OS product serial number, interface IP addresses and status, and system resource usage.
If CPU or memory utilization stays above 80% for a prolonged period, this usually indicates abnormal network traffic (a virus or a network attack).
1.1.2 "Sessions" page
Fortigate is a stateful-inspection firewall; the system keeps track of all current network sessions.
This page lets the network administrator see the current state of network usage.
By filtering on source/destination IP and source/destination port, more specific session information can be obtained.
For example, the figure below shows sessions filtered for source IP 10.3.1.1. Viewing sessions through the "Filter" often helps to discover abnormal network traffic.
1.2 "Network" submenu
1.2.1 Network interfaces
As shown in the figure above, "Interfaces" lists all physical interfaces and VLAN interfaces (if any) of the firewall, showing the IP address, access options and status of each interface.
"Access options" indicates which methods may be used to access the firewall through that interface.
For example, "PORT1" can be accessed with HTTPS and TELNET, and the port can be pinged.
Click the "Edit" icon on the far right to change the port configuration.
As shown in the figure above, there are three address modes: a. for a static IP address, select "Custom"; b. if the IP is assigned by a DHCP server, select "DHCP"; c. if the interface connects to an xDSL device, select "PPPoE".
Under "Administrative Access", select the desired management methods.
Finally click OK to apply the configuration.
A "Zone" groups several interfaces together; a firewall policy configured for a zone takes effect on all interfaces that belong to that zone.
Zones are not used in this project.
1.2.2 DNS
As shown in the figure above, this is where the DNS servers used by the firewall itself are configured; this setting is unrelated to the DNS servers specified on PCs and servers in the internal network.
1.3 DHCP
As shown in the figure above, all firewall ports are listed.
A port can 1) provide no DHCP service; 2) act as a DHCP server; or 3) provide DHCP relay.
In this example, the External port provides DHCP relay for all IPSec VPN dial-in clients, so that VPN clients obtain dynamically assigned internal addresses from the internal network's DHCP server.
The figure below shows the corresponding configuration, where 10.3.1.1 is the internal network's DHCP server.
1.4 Configuration
1.4.1 Time settings
As shown in the figure below, this option sets the firewall's system time; the time can be corrected manually or synchronized with an NTP server.
Note: selecting the correct time zone and calibrating the time when the firewall goes into service is important, so that the LOG timestamps are accurate when you read the system log later.
1.4.2 Options
As shown in the figure above, "Idle timeout" under "Timeout settings" means that if a logged-in user performs no operation within the set time, the system automatically logs the user out.
For example, if it is set to 5 minutes and the user performs no operation within 5 minutes, the user must log in again to continue.
"Auth timeout" means that the user's connection is disconnected once the set time has elapsed.
A user who needs to continue must reconnect; this is mainly a security consideration.
Fortigate products support 7 languages; the ones commonly used are Simplified Chinese and English.
Fortigate 300 and higher-end models have an LCD panel, through which network interface addresses can be set directly.
For security, a password (PIN protection) can be set in the LCD panel management options to prevent unauthorized configuration changes.
Fortigate devices support multiple gateways: a backup gateway can be activated once the default gateway fails.
The firewall uses PING packets to detect whether a gateway is reachable.
1.4.3 High availability (HA)
There are two modes: Active-Passive and Active-Active.
In A-P mode the master device carries the traffic, and the slave device synchronizes the master's state through the "heartbeat interface".
Once the master fails, the slave immediately takes over from it, so network service is not interrupted.
In A-A mode two or more devices work in load-balancing; if one of them fails, the others share the failed device's network load.
This project uses hot standby, operating in A-P mode.
Devices in the same HA group must have the same hardware model, OS version, HA mode, group ID and HA password.
The "heartbeat interface" needs a priority value; this interface synchronizes the HA devices' state, mainly configuration changes and the session table of network traffic.
If a firewall network interface has a value under "Monitored interfaces", the HA group performs a master/slave switchover as soon as that interface fails (link down, etc.).
As shown in the figure above, this HA cluster has 2 devices; the one shown on top is the "master", which can also be recognized from its "network utilization".
1.4.4 Administrator settings
As shown in the figure above, the system's default administrator account is "admin", with no default password.
The permissions of management accounts are set in the "Access profile".
Click the "lock" icon on the right to add or change the login password.
As shown in the figure above, the default "Access profile" sets the permissions of the user accounts that use it; to change a specific permission, just add or remove the corresponding check mark.
As shown in the figure above, when editing a user account you can specify trusted hosts (only users coming from the trusted hosts may log in with this account); if the trusted host is "0.0.0.0/0.0.0.0", hosts with any source address may log in with this account.
2. "Router" menu
2.1 Routing configuration
2.1.1 Static routes
As shown in the figure above, the Fortigate firewall supports "transparent (bridge)" mode and "route/NAT" mode; the PetroChina project uses route mode.
We need to set static routes on the firewall.
In this example: the default route 0.0.0.0/0 points to the ISP's router 210.78.134.126; the static route 10.0.0.0/8 points to the internal router 10.3.18.254.
Click "Create New" to add a new static route.
The Fortigate firewall also supports dynamic routing protocols: RIP, RIP2 and OSPF.
The figure above shows all current routing entries on the firewall.
1.1.1.2 Firewall and VPN configuration
1. Firewall configuration
When configuring the firewall, first define "addresses/address groups" and "services/service groups", then apply them in firewall policies.
1.1 Addresses and address groups
As shown in the figure above, first define an "address", which can be the address of a single host or an address range.
As shown in the figure above, giving an "address name" and setting the corresponding IP range is all it takes to define an "address".
As shown in the figure above, several "addresses" can be placed in one "address group".
As shown in the figure above, to define an "address group", first enter a "group name", then select the required addresses from those already defined and add them to the group.
1.2 Services and service groups
As shown in the figure above, a "service" is the network traffic (protocol) that the firewall controls; Fortigate comes with predefined "protocol or TCP/UDP port" entries for many common network services.
As shown in the figure above, users can define "custom services" according to their needs.
In the custom service entries above, an entry with a "recycle bin" icon is a service not referenced by any "service group" or "firewall policy" and can be deleted directly.
If a "service" is already referenced, the references must first be removed before it can be deleted.
As shown in the figure above, this is a custom service for TCP port 8080.
As shown in the figure above, several "services" can be added to a "service group", and the "service group" is then used directly when a firewall policy references it.
As shown in the figure above, "service group" configuration is similar to that of "address groups".
1.3 Virtual IP mapping
A "virtual IP" maps a public address on the external network to a private address on the internal network; external access to the public address is forwarded to the internal host bound to the private address.
Firewall policies can be configured to control this access and protect the internal hosts.
As shown in the figure above, all current virtual IP mappings are listed.
As shown in the figure above, this example maps the public address 210.78.134.66 on the firewall's external port to the internal host 192.168.254.66.
The firewall finds the appropriate internal port for the mapping through an ARP lookup and forwards the traffic there.
Static NAT is a one-to-one mapping between internal and external IP addresses; selecting "port forwarding" maps different TCP/UDP ports of one external public address to several internal hosts.
For example: map the HTTP port (tcp 80) of 210.78.134.66 to 192.168.254.66 tcp 80, and map the telnet port (tcp 23) of 210.78.134.66 to 192.168.1.66 tcp 23.
Chapter 2 Fortinet firewall daily operation and maintenance commands
When the user notices the firewall behaving abnormally, for example slow outbound access, slow login to the firewall management interface, or some services not being accessible normally, the following steps can be used to check.
2.1 Firewall configuration
If access to certain services is abnormal, first check the firewall configuration to confirm whether a configuration restriction is the cause.
Note: after every configuration change, users should back up the configuration and record the details of each modification, so that configuration policy problems can be located promptly when a problem occurs.
2.2 Firewall daily checks
2.2.1 The firewall session table (System Management - Status - Sessions)
The firewall session table provides the following important information:
(1) The number of sessions through the firewall (compare it with the session count during normal business hours); abnormal traffic through the firewall is usually reflected in the session table.
(2) The source and destination addresses of the sessions.
Normal user access usually holds 10-20 session connections in the firewall session table; when a single IP address shows a large number of session connections, that IP address can generally be judged to be behaving abnormally.
(3) The service ports of the IP addresses initiating sessions; when a large number of sessions to abnormal ports such as Microsoft 135-139, 443 and SQL 1433 appear, that IP address can generally be judged to have a worm infection, and the ports should be controlled immediately by a firewall policy.
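The two checks described in (2) and (3), turned into a small detector over a session-table export, as an added example that is not part of the manual: it counts sessions per source IP against the manual's 10-20 sessions baseline and, for the ports the manual names (135-139, 443, 1433), counts how many distinct destinations a single source contacts on one port, since a worm fans out to many hosts on the same port while a normal user talks to a few. The line format, the 20-session and 10-destination thresholds and the sample sessions are constructed assumptions, not FortiGate output.

```python
"""Flag session-table anomalies of the kind section 2.2.1 describes."""
from collections import defaultdict
from dataclasses import dataclass

# Ports the manual names as worm indicators: Microsoft 135-139, 443, SQL 1433.
SUSPICIOUS_PORTS = frozenset(range(135, 140)) | {443, 1433}
NORMAL_SESSIONS_PER_HOST = 20   # manual: a normal user holds about 10-20 sessions
FANOUT_THRESHOLD = 10           # assumption: distinct targets on one port that suggests scanning


@dataclass(frozen=True)
class Session:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_session_line(line):
    """Parse one constructed export line: '<proto> <src>:<sport> -> <dst>:<dport>'."""
    proto, src, _, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Session(proto, s_ip, int(s_port), d_ip, int(d_port))


def analyse(sessions, max_sessions=NORMAL_SESSIONS_PER_HOST,
            fanout=FANOUT_THRESHOLD, ports=SUSPICIOUS_PORTS):
    """Return sorted (src, reason, count) findings for check (2) and check (3)."""
    per_src = defaultdict(int)          # check (2): sessions per source IP
    targets = defaultdict(set)          # check (3): (src, dport) -> distinct destinations
    for s in sessions:
        per_src[s.src] += 1
        if s.dport in ports:
            targets[(s.src, s.dport)].add(s.dst)
    findings = []
    for src, n in per_src.items():
        if n > max_sessions:
            findings.append((src, "session-flood", n))
    for (src, dport), dsts in targets.items():
        if len(dsts) >= fanout:
            findings.append((src, f"fan-out on port {dport}", len(dsts)))
    return sorted(findings)


# Constructed sample: one ordinary workstation, one heavy but legitimate HTTPS user,
# and one source probing thirty internal hosts on the SQL Server port.
SAMPLE_LINES = (
    [f"tcp 10.3.1.1:{50000 + i} -> 93.184.216.{i + 1}:443" for i in range(3)]
    + [f"tcp 10.3.1.1:{51000 + i} -> 10.3.18.{i + 1}:80" for i in range(5)]
    + [f"tcp 10.3.1.50:{52000 + i} -> 93.184.216.{(i % 2) + 1}:443" for i in range(25)]
    + [f"tcp 10.3.1.77:{53000 + i} -> 10.3.2.{i + 1}:1433" for i in range(30)]
)


def run_sample():
    """Analyse the constructed sample; 10.3.1.50 trips only the session count,
    10.3.1.77 trips both the session count and the port fan-out."""
    return analyse(parse_session_line(line) for line in SAMPLE_LINES)


if __name__ == "__main__":
    for src, reason, count in run_sample():
        print(f"{src:<12} {reason:<22} {count}")
```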