Fortinet FORTIWIFI-60 Wireless Firewall User Manual users manual 1

Fortinet, Inc Wireless Firewall users manual 1

UserManual.wiki >

Fortinet >

FORTIWIFI-60 User Manual >

users manual 1

1. users manual 1
2. users manual 2

users manual 1

FortiWiFi 60 Installation andConfiguration GuideINTERNALDMZ4321LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100WAN1 WAN2PWR WLANFortiWiFi User Manual Volume 1Version 2.503 March 2004

© Copyright 2003 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FortiGate-60 Installation and Configuration Guide Version 2.50 MR2 18 August 2003 Trademarks Products mentioned in this document are trademarks or registered t This device complete with part 15 of the FCC rules. Operations is subject to the following two conditions: holders. Regulatory Compliance This device complies with part 15 of the FCC rules. Operation is subject to the following two condigions: (1) This Device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause accept any interference received, including interference that may cause undesired operation. NOTE: The manufacturer is not responsible for any radio or TV interference caused by unauthorized modifications to this equipment. Such modifications could void the user’s authority to operate the equipment. please visit http://www.fortinet.com.Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.

ContentsFortiWiFi-60 Installation and Configuration Guide 3Table of ContentsIntroduction.......................................................................................................... 13Antivirus protection ........................................................................................................... 14Web content filtering ......................................................................................................... 14Email filtering .................................................................................................................... 15Firewall.............................................................................................................................. 15NAT/Route mode .......................................................................................................... 16Transparent mode......................................................................................................... 16Network intrusion detection............................................................................................... 16VPN................................................................................................................................... 16Secure installation, configuration, and management........................................................ 17Web-based manager .................................................................................................... 17Command line interface................................................................................................ 18Logging and reporting................................................................................................... 19Document conventions ..................................................................................................... 19Fortinet documentation ..................................................................................................... 20Comments on Fortinet technical documentation........................................................... 20Customer service and technical support........................................................................... 21Getting started ..................................................................................................... 23Warnings........................................................................................................................... 23Package contents ............................................................................................................. 24Mounting ........................................................................................................................... 24Powering on...................................................................................................................... 25Connecting to the web-based manager............................................................................ 26Connecting to the command line interface (CLI)............................................................... 27Factory default FortiWiFi configuration settings................................................................ 28Factory default DHCP configuration ............................................................................. 28Factory default NAT/Route mode network configuration .............................................. 29Factory default Transparent mode network configuration............................................. 30Factory default firewall configuration ............................................................................ 31Factory default content profiles..................................................................................... 33Planning the FortiWiFi configuration................................................................................. 35NAT/Route mode .......................................................................................................... 35Transparent mode......................................................................................................... 36Configuration options.................................................................................................... 37FortiGate model maximum values matrix ......................................................................... 39Next steps......................................................................................................................... 40NAT/Route mode installation.............................................................................. 41Installing the FortiWiFi unit using the default configuration............................................... 41Changing the default configuration ............................................................................... 42

Contents4 Fortinet Inc.Preparing to configure NAT/Route mode.......................................................................... 42Advanced NAT/Route mode settings............................................................................ 43DMZ interface ............................................................................................................... 44Wireless settings........................................................................................................... 44Using the setup wizard...................................................................................................... 44Starting the setup wizard .............................................................................................. 44Reconnecting to the web-based manager .................................................................... 44Using the command line interface..................................................................................... 45Configuring the FortiWiFi unit to operate in NAT/Route mode...................................... 45Connecting the FortiWiFi unit to your networks ................................................................ 47Configuring your networks ................................................................................................ 48Completing the configuration ............................................................................................ 49Configuring the DMZ interface ...................................................................................... 49Configuring the WLAN interface ................................................................................... 49Configuring the WAN2 interface ................................................................................... 49Setting the date and time .............................................................................................. 50Changing antivirus protection ....................................................................................... 50Registering your FortiWiFi unit...................................................................................... 50Configuring virus and attack definition updates ............................................................ 50Configuration example: Multiple connections to the Internet ............................................ 51Configuring Ping servers............................................................................................... 52Destination based routing examples............................................................................. 53Policy routing examples ................................................................................................ 56Firewall policy example................................................................................................. 57Transparent mode installation............................................................................ 59Preparing to configure Transparent mode ........................................................................ 59Wireless settings........................................................................................................... 59Using the setup wizard...................................................................................................... 60Changing to Transparent mode .................................................................................... 60Starting the setup wizard .............................................................................................. 60Reconnecting to the web-based manager .................................................................... 60Using the command line interface..................................................................................... 61Changing to Transparent mode .................................................................................... 61Configuring the Transparent mode management IP address....................................... 61Configure the Transparent mode default gateway........................................................ 61Configuring wireless settings ........................................................................................ 62Connecting the FortiWiFi unit to your networks ................................................................ 62Wireless configuration....................................................................................................... 63Completing the configuration ............................................................................................ 63Setting the date and time .............................................................................................. 64Enabling antivirus protection......................................................................................... 64Registering your FortiWiFi ............................................................................................ 64Configuring virus and attack definition updates ............................................................ 64

ContentsFortiWiFi-60 Installation and Configuration Guide 5Transparent mode configuration examples....................................................................... 65Default routes and static routes .................................................................................... 65Example default route to an external network............................................................... 66Example static route to an external destination ............................................................ 67Example static route to an internal destination ............................................................. 70System status....................................................................................................... 73Changing the FortiWiFi host name ................................................................................... 74Changing the FortiWiFi firmware ...................................................................................... 74Upgrading to a new firmware version ........................................................................... 74Reverting to a previous firmware version...................................................................... 76Installing firmware images from a system reboot using the CLI ................................... 79Testing a new firmware image before installing it ......................................................... 81Manual virus definition updates ........................................................................................ 82Manual attack definition updates ...................................................................................... 83Displaying the FortiWiFi serial number ............................................................................. 84Displaying the FortiWiFi up time ....................................................................................... 84Backing up system settings .............................................................................................. 84Restoring system settings................................................................................................. 84Restoring system settings to factory defaults ................................................................... 85Changing to Transparent mode ........................................................................................ 85Changing to NAT/Route mode.......................................................................................... 86Restarting the FortiWiFi unit ............................................................................................. 86Shutting down the FortiWiFi unit....................................................................................... 86System status ................................................................................................................... 87Viewing CPU and memory status ................................................................................. 87Viewing sessions and network status ........................................................................... 88Viewing virus and intrusions status............................................................................... 89Session list........................................................................................................................ 90Virus and attack definitions updates and registration..................................... 93Updating antivirus and attack definitions .......................................................................... 93Connecting to the FortiResponse Distribution Network ................................................ 94Manually initiating antivirus and attack definitions updates .......................................... 95Configuring update logging ........................................................................................... 96Scheduling updates .......................................................................................................... 96Enabling scheduled updates......................................................................................... 96Adding an override server............................................................................................. 97Enabling scheduled updates through a proxy server.................................................... 98Enabling push updates ..................................................................................................... 98Enabling push updates ................................................................................................. 99Push updates when FortiWiFi IP addresses change .................................................... 99Enabling push updates through a NAT device............................................................ 100

Contents6 Fortinet Inc.Registering FortiGate and FortiWiFi units....................................................................... 104FortiCare Service Contracts........................................................................................ 104Registering the FortiWiFi unit...................................................................................... 105Updating registration information.................................................................................... 107Recovering a lost Fortinet support password.............................................................. 107Viewing the list of registered FortiGate and FortiWiFi units ........................................ 107Registering a new FortiWiFi unit................................................................................. 108Adding or changing a FortiCare Support Contract number......................................... 108Changing your Fortinet support password .................................................................. 109Changing your contact information or security question ............................................. 109Downloading virus and attack definitions updates ...................................................... 110Registering a FortiWiFi unit after an RMA ...................................................................... 110Network configuration....................................................................................... 113Configuring interfaces..................................................................................................... 113Viewing the interface list ............................................................................................. 114Changing the administrative status of an interface ..................................................... 114Configuring an interface with a manual IP address .................................................... 114Configuring an interface for DHCP ............................................................................. 115Configuring an interface for PPPoE............................................................................ 116Adding a secondary IP address to an interface .......................................................... 116Adding a ping server to an interface ........................................................................... 117Controlling administrative access to an interface........................................................ 117Changing the MTU size to improve network performance.......................................... 118Configuring traffic logging for connections to an interface .......................................... 118Configuring the management interface in Transparent mode..................................... 119Wireless configuration................................................................................................. 120Adding DNS server IP addresses ................................................................................... 122Configuring routing.......................................................................................................... 122Adding a default route................................................................................................. 122Adding destination-based routes to the routing table.................................................. 123Adding routes in Transparent mode............................................................................ 124Configuring the routing table....................................................................................... 124Policy routing .............................................................................................................. 125Configuring DHCP services ............................................................................................ 126Configuring a DHCP relay agent................................................................................. 126Configuring a DHCP server ........................................................................................ 127

ContentsFortiWiFi-60 Installation and Configuration Guide 7Configuring the modem interface.................................................................................... 129Connecting a modem to the FortiWiFi unit.................................................................. 130Configuring modem settings ....................................................................................... 130Connecting to a dialup account................................................................................... 131Disconnecting the modem .......................................................................................... 131Viewing modem status................................................................................................ 131Backup mode configuration ........................................................................................ 132Standalone mode configuration .................................................................................. 132Adding firewall policies for modem connections ......................................................... 133RIP configuration............................................................................................... 135RIP settings..................................................................................................................... 135Configuring RIP for FortiWiFi interfaces ......................................................................... 137Adding RIP filters ............................................................................................................ 139Adding a RIP filter list.................................................................................................. 139Assigning a RIP filter list to the neighbors filter........................................................... 140Assigning a RIP filter list to the incoming filter ............................................................ 140Assigning a RIP filter list to the outgoing filter............................................................. 141System configuration ........................................................................................ 143Setting system date and time.......................................................................................... 143Changing system options................................................................................................ 144Adding and editing administrator accounts..................................................................... 145Adding new administrator accounts ............................................................................ 146Editing administrator accounts.................................................................................... 146Configuring SNMP .......................................................................................................... 147Configuring the FortiWiFi unit for SNMP monitoring ................................................... 148Configuring FortiWiFi SNMP support.......................................................................... 148FortiWiFi MIBs ............................................................................................................ 150FortiWiFi traps............................................................................................................. 151Fortinet MIB fields ....................................................................................................... 152Replacement messages ................................................................................................. 155Customizing replacement messages .......................................................................... 155Customizing alert emails............................................................................................. 156Firewall configuration........................................................................................ 159Default firewall configuration........................................................................................... 160Interfaces .................................................................................................................... 161Addresses ................................................................................................................... 161Services ...................................................................................................................... 161Schedules ................................................................................................................... 162Content profiles........................................................................................................... 162Adding firewall policies.................................................................................................... 162Firewall policy options................................................................................................. 163

Contents8 Fortinet Inc.Configuring policy lists .................................................................................................... 167Policy matching in detail ............................................................................................. 167Changing the order of policies in a policy list.............................................................. 168Enabling and disabling policies................................................................................... 168Addresses....................................................................................................................... 169Adding addresses ....................................................................................................... 169Editing addresses ....................................................................................................... 170Deleting addresses ..................................................................................................... 170Organizing addresses into address groups ................................................................ 171Services .......................................................................................................................... 172Predefined services .................................................................................................... 172Adding custom TCP and UDP services ...................................................................... 174Adding custom ICMP services .................................................................................... 175Adding custom IP services.......................................................................................... 175Grouping services ....................................................................................................... 176Schedules ....................................................................................................................... 177Creating one-time schedules ...................................................................................... 177Creating recurring schedules ...................................................................................... 178Adding schedules to policies....................................................................................... 179Virtual IPs........................................................................................................................ 180Adding static NAT virtual IPs ...................................................................................... 180Adding port forwarding virtual IPs ............................................................................... 182Adding policies with virtual IPs.................................................................................... 184IP pools........................................................................................................................... 184Adding an IP pool........................................................................................................ 185IP Pools for firewall policies that use fixed ports......................................................... 185IP pools and dynamic NAT ......................................................................................... 185IP/MAC binding............................................................................................................... 186Configuring IP/MAC binding for packets going through the firewall............................ 186Configuring IP/MAC binding for packets going to the firewall ..................................... 187Adding IP/MAC addresses.......................................................................................... 188Viewing the dynamic IP/MAC list ................................................................................ 188Enabling IP/MAC binding ............................................................................................ 188Content profiles............................................................................................................... 189Default content profiles ............................................................................................... 190Adding content profiles ............................................................................................... 190Adding content profiles to policies .............................................................................. 192Users and authentication.................................................................................. 193Setting authentication timeout......................................................................................... 194Adding user names and configuring authentication........................................................ 194Adding user names and configuring authentication .................................................... 194Deleting user names from the internal database ........................................................ 195

ContentsFortiWiFi-60 Installation and Configuration Guide 9Configuring RADIUS support.......................................................................................... 196Adding RADIUS servers ............................................................................................. 196Deleting RADIUS servers ........................................................................................... 196Configuring LDAP support .............................................................................................. 197Adding LDAP servers.................................................................................................. 197Deleting LDAP servers................................................................................................ 198Configuring user groups.................................................................................................. 199Adding user groups..................................................................................................... 199Deleting user groups................................................................................................... 200IPSec VPN........................................................................................................... 201Key management............................................................................................................ 202Manual Keys ............................................................................................................... 202Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates ..... 202Manual key IPSec VPNs................................................................................................. 203General configuration steps for a manual key VPN.................................................... 203Adding a manual key VPN tunnel ............................................................................... 203AutoIKE IPSec VPNs...................................................................................................... 205General configuration steps for an AutoIKE VPN ....................................................... 205Adding a phase 1 configuration for an AutoIKE VPN.................................................. 205Adding a phase 2 configuration for an AutoIKE VPN.................................................. 210Managing digital certificates............................................................................................ 212Obtaining a signed local certificate ............................................................................. 212Obtaining CA certificates ............................................................................................ 214Configuring encrypt policies............................................................................................ 215Adding a source address ............................................................................................ 216Adding a destination address...................................................................................... 216Adding an encrypt policy............................................................................................. 217IPSec VPN concentrators ............................................................................................... 218VPN concentrator (hub) general configuration steps.................................................. 219Adding a VPN concentrator ........................................................................................ 220VPN spoke general configuration steps...................................................................... 221Monitoring and Troubleshooting VPNs ........................................................................... 223Viewing VPN tunnel status.......................................................................................... 223Viewing dialup VPN connection status ....................................................................... 223Testing a VPN............................................................................................................. 224PPTP and L2TP VPN.......................................................................................... 225Configuring PPTP ........................................................................................................... 225Configuring the FortiWiFi unit as a PPTP gateway..................................................... 225Configuring a Windows 98 client for PPTP ................................................................. 228Configuring a Windows 2000 client for PPTP ............................................................. 229Configuring a Windows XP client for PPTP ................................................................ 229

Contents10 Fortinet Inc.Configuring L2TP............................................................................................................ 231Configuring the FortiWiFi unit as an L2TP gateway.................................................... 231Configuring a Windows 2000 client for L2TP.............................................................. 233Configuring a Windows XP client for L2TP ................................................................. 235Network Intrusion Detection System (NIDS) ................................................... 237Detecting attacks ............................................................................................................ 237Selecting the interfaces to monitor.............................................................................. 238Disabling monitoring interfaces................................................................................... 238Configuring checksum verification .............................................................................. 238Viewing the signature list ............................................................................................ 239Viewing attack descriptions......................................................................................... 239Disabling NIDS attack signatures ............................................................................... 240Adding user-defined signatures .................................................................................. 240Preventing attacks .......................................................................................................... 242Enabling NIDS attack prevention ................................................................................ 242Enabling NIDS attack prevention signatures .............................................................. 242Setting signature threshold values.............................................................................. 242Logging attacks............................................................................................................... 244Logging attack messages to the attack log................................................................. 244Reducing the number of NIDS attack log and email messages.................................. 244Antivirus protection........................................................................................... 247General configuration steps............................................................................................ 247Antivirus scanning........................................................................................................... 248File blocking.................................................................................................................... 249Blocking files in firewall traffic ..................................................................................... 249Adding file patterns to block........................................................................................ 249Blocking oversized files and emails ................................................................................ 250Configuring limits for oversized files and email........................................................... 250Exempting fragmented email from blocking.................................................................... 250Viewing the virus list ....................................................................................................... 251Web filtering ....................................................................................................... 253General configuration steps............................................................................................ 253Content blocking ............................................................................................................. 254Adding words and phrases to the Banned Word list ................................................... 254Clearing the Banned Word list .................................................................................... 255Backing up the Banned Word list................................................................................ 255Restoring the Banned Word list .................................................................................. 256URL blocking................................................................................................................... 257Configuring FortiWiFi Web URL blocking ................................................................... 257Configuring FortiWiFi Web pattern blocking ............................................................... 259

ContentsFortiWiFi-60 Installation and Configuration Guide 11Configuring Cerberian URL filtering................................................................................ 260Installing a Cerberian license key ............................................................................... 260Adding a Cerberian user............................................................................................. 260Configuring Cerberian web filter ................................................................................. 261Enabling Cerberian URL filtering ................................................................................ 262Script filtering .................................................................................................................. 262Enabling script filtering................................................................................................ 262Selecting script filter options ....................................................................................... 262Exempt URL list .............................................................................................................. 263Adding URLs to the URL Exempt list .......................................................................... 263Downloading the URL Exempt List ............................................................................. 264Uploading a URL Exempt List..................................................................................... 264Email filter........................................................................................................... 267General configuration steps............................................................................................ 267Email banned word list.................................................................................................... 268Adding words and phrases to the email banned word list........................................... 268Downloading the email banned word list .................................................................... 269Uploading the email banned word list ......................................................................... 269Email block list ................................................................................................................ 270Adding address patterns to the email block list........................................................... 270Downloading the email block list................................................................................. 270Uploading an email block list ...................................................................................... 271Email exempt list............................................................................................................. 271Adding address patterns to the email exempt list ....................................................... 272Adding a subject tag ....................................................................................................... 272Logging and reporting....................................................................................... 273Recording logs................................................................................................................ 273Recording logs on a remote computer........................................................................ 274Recording logs on a NetIQ WebTrends server ........................................................... 274Recording logs in system memory.............................................................................. 275Log message levels .................................................................................................... 275Filtering log messages.................................................................................................... 276Configuring traffic logging ............................................................................................... 277Enabling traffic logging................................................................................................ 278Configuring traffic filter settings................................................................................... 278Adding traffic filter entries ........................................................................................... 279Viewing logs saved to memory ....................................................................................... 280Viewing logs................................................................................................................ 280Searching logs ............................................................................................................ 280

Contents12 Fortinet Inc.Configuring alert email.................................................................................................... 281Adding alert email addresses...................................................................................... 281Testing alert email....................................................................................................... 282Enabling alert email .................................................................................................... 282Glossary ............................................................................................................. 283Index .................................................................................................................... 287

FortiWiFi-60 Installation and Configuration Guide Version 2.50FortiWiFi-60 Installation and Configuration Guide 13IntroductionFortiGate and FortiWiFi Antivirus Firewalls support network-based deployment of application-level services, including antivirus protection and full-scan content filtering. FortiGate and FortiWiFi Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. FortiGate and FortiWiFi Antivirus Firewalls are ICSA-certified for firewall, IPSec, and antivirus services.The FortiWiFi-60 Antivirus Firewall is a dedicated easily managed security device that delivers a full suite of capabilities that include:• application-level services such as virus protection and content filtering,• network-level services such as firewall, intrusion detection, VPN, and traffic shaping.The FortiWiFi-60 Antivirus Firewall uses Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge, where they are most effective at protecting your networks. The FortiWiFi series complements existing solutions, such as host-based antivirus protection, and enables new applications and services while greatly lowering costs for equipment, administration, and maintenance.The FortiWiFi-60 model is ideally suited for small businesses, remote offices, retail stores, and broadband telecommuter sites. The FortiWiFi-60 Antivirus Firewall features dual WAN link support for redundant internet connections, and an integrated 4-port switch that eliminates the need for an external hub or switch. Networked devices connect directly to the FortiWiFi-60 unit.The FortiWiFi-60 provides a secure, wireless LAN solution that combines mobility and flexibility with the enterprise-class FortiWiFi Antivirus Firewall features. The FortiWiFi is a Wi-Fi certified, wireless LAN transceiver that uses a two mini-PCI radios that are IEEE 802.11b and IEEE 802.11g-compliant and that can be upgraded to future radio technologies.The FortiWiFi serves as the connection point between wireless and wired networks or as the center point of a stand-alone wireless network. FortiWiFi-60 security features include WEP, VPN over the wireless network, and firewall policies that can include user authentication to control access.INTERNALDMZ4321LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100WAN1 WA N2PWR WLAN

14 Fortinet Inc.Antivirus protection IntroductionAntivirus protectionFortiWiFi ICSA-certified antivirus protection scans web (HTTP), file transfer (FTP), and email (SMTP, POP3, and IMAP) content as it passes through the FortiWiFi unit. If a virus is found, antivirus protection removes the file containing the virus from the content stream and forwards a replacement message to the intended recipient.For extra protection, you can configure antivirus protection to block specified file types from passing through the FortiWiFi unit. You can use the feature to stop files that might contain new viruses.If the FortiWiFi unit contains a hard disk, infected or blocked files can be quarantined. The FortiWiFi administrator can download quarantined files so that they can be virus scanned, cleaned, and forwarded to the intended recipient. You can also configure the FortiWiFi unit to automatically delete quarantined files after a specified time.The FortiWiFi unit can send email alerts to system administrators when it detects and removes a virus from a content stream. The web and email content can be in normal network traffic or encrypted IPSec VPN traffic.ICSA Labs has certified that FortiGate and FortiWiFi Antivirus Firewalls:• detect 100% of the viruses listed in the current In The Wild List (www.wildlist.org),• detect viruses in compressed files using the PKZip format,• detect viruses in email that has been encoded using uuencode format,• detect viruses in email that has been encoded using MIME encoding,• log all actions taken while scanning.Web content filteringWeb content filtering can scan all HTTP content protocol streams for URLs or web page content. If there is a match between a URL on the URL block list, or a web page contains a word or phrase that is in the content block list, the FortiWiFi unit blocks the web page. The blocked web page is replaced with a message that you can edit using the FortiWiFi web-based manager.You can configure URL blocking to block all or some of the pages on a web site. Using this feature, you can deny access to parts of a web site without denying access to it completely.To prevent unintentionally blocking legitimate web pages, you can add URLs to an exempt list that overrides the URL blocking and content blocking lists.Web content filtering also includes a script filter feature that can block unsecure web content such as Java applets, cookies, and ActiveX.You can use the Cerberian URL blocking to block unwanted URLs.

Introduction Email filteringFortiWiFi-60 Installation and Configuration Guide 15Email filteringEmail filtering can scan all IMAP and POP3 email content for unwanted senders or unwanted content. If there is a match between a sender address pattern on the email block list, or an email contains a word or phrase in the banned word list, the FortiWiFi adds an email tag to the subject line of the email. The recipient can use the mail client software to filter messages based on the email tag.You can configure email blocking to tag email from all or some senders within organizations that are known to send spam email. To prevent unintentionally tagging email from legitimate senders, you can add sender address patterns to an exempt list that overrides the email block and banned words lists.FirewallThe FortiWiFi ICSA-certified firewall protects your computer networks from Internet threats. ICSA has granted FortiWiFi firewalls version 4.0 firewall certification, providing assurance that FortiWiFi firewalls successfully screen and secure corporate networks against a range of threats from public or other untrusted networks.After basic installation of the FortiWiFi unit, the firewall allows users on the protected network to access the Internet while blocking Internet access to internal networks. You can configure the firewall to put controls on access to the Internet from the protected networks and to allow controlled access to internal networks.FortiWiFi policies include a range of options that:• control all incoming and outgoing network traffic,• control encrypted VPN traffic,• apply antivirus protection and web content filtering,• block or allow access for all policy options,• control when individual policies are in effect,• accept or deny traffic to and from individual addresses,• control standard and user defined network services individually or in groups,• require users to authenticate before gaining access,• include traffic shaping to set access priorities and guarantee or limit bandwidth for each policy,• include logging to track connections for individual policies,• include Network Address Translation (NAT) mode and Route mode policies,• include mixed NAT and Route mode policies.The FortiWiFi firewall can operate in NAT/Route mode or Transparent mode.

16 Fortinet Inc.Network intrusion detection IntroductionNAT/Route modeIn NAT/Route mode, you can create NAT mode policies and Route mode policies.• NAT mode policies use network address translation to hide the addresses in a more secure network from users in a less secure network.• Route mode policies accept or deny connections between networks without performing address translation.Transparent modeTransparent mode provides the same basic firewall protection as NAT mode. Packets that the FortiWiFi unit receives are forwarded or blocked according to firewall policies. The FortiWiFi unit can be inserted in the network at any point without having to make changes to your network or its components. However, VPN and some advanced firewall features are available only in NAT/Route mode.Network intrusion detectionThe FortiWiFi Network Intrusion Detection System (NIDS) is a real-time network intrusion detection sensor that detects and prevents a variety of suspicious network activity. NIDS uses attack signatures to identify more than 1000 attacks. You can enable and disable the attacks that the NIDS detects. You can also write user-defined detection attack signatures.NIDS prevention detects and prevents many common denial of service and packet-based attacks. You can enable and disable prevention attack signatures and customize attack signature thresholds and other parameters.To notify system administrators of the attack, the NIDS records the attack and any suspicious traffic to the attack log, and can be configured to send alert emails.Fortinet updates NIDS attack definitions periodically. You can download and install updated attack definitions manually or you can configure the FortiWiFi unit to automatically check for and download attack definition updates.VPNUsing FortiWiFi virtual private networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travellers to an office network.

Introduction Secure installation, configuration, and managementFortiWiFi-60 Installation and Configuration Guide 17VPN features include the following:• Industry standard and ICSA-certified IPSec VPN, including:• IPSec, ESP security in tunnel mode,• DES, 3DES (triple-DES), and AES hardware accelerated encryption,• HMAC MD5 and HMAC SHA1 authentication and data integrity,• AutoIKE key based on pre-shared key tunnels,• IPSec VPN using local or CA certificates,• Manual Keys tunnels,• Diffie-Hellman groups 1, 2, and 5,• Aggressive and Main Mode,• Replay Detection,• Perfect Forward Secrecy,• XAuth authentication,• Dead peer detection.• PPTP for easy connectivity with the VPN standard supported by the most popular operating systems.• L2TP for easy connectivity with a more secure VPN standard, also supported by many popular operating systems.• Firewall policy based control of IPSec VPN traffic.• IPSec NAT traversal so that remote IPSec VPN gateways or clients behind a NAT can connect to an IPSec VPN tunnel.• VPN hub and spoke using a VPN concentrator to allow VPN traffic to pass from one tunnel to another through the FortiWiFi unit.• IPSec Redundancy to create a redundant AutoIKE key IPSec VPN connection to a remote network.Secure installation, configuration, and managementThe first time you power on the FortiWiFi unit, it is already configured with default IP addresses and security policies. Connect to the web-based manager, set the operating mode, and use the Setup wizard to customize FortiWiFi IP addresses for your network, and the FortiWiFi unit is ready to protect your network. You can then use the web-based manager to customize advanced FortiWiFi features.You can also create a basic configuration using the FortiWiFi command line interface (CLI).Web-based managerUsing HTTP or a secure HTTPS connection from any computer running Internet Explorer, you can configure and manage the FortiWiFi unit. The web-based manager supports multiple languages. You can configure the FortiWiFi unit for HTTP and HTTPS administration from any FortiWiFi interface.

18 Fortinet Inc.Secure installation, configuration, and management IntroductionYou can use the web-based manager to configure most FortiWiFi settings. You can also use the web-based manager to monitor the status of the FortiWiFi unit. Configuration changes made using the web-based manager are effective immediately without resetting the firewall or interrupting service. Once you are satisfied with a configuration, you can download and save it. The saved configuration can be restored at any time.Figure 1: The FortiWiFi web-based manager and setup wizardCommand line interfaceYou can access the FortiWiFi command line interface (CLI) by connecting a management computer serial port to the FortiWiFi RS-232 serial console connector. You can also use Telnet or a secure SSH connection to connect to the CLI from any network that is connected to the FortiWiFi unit, including the Internet.The CLI supports the same configuration and monitoring functionality as the web-based manager. In addition, you can use the CLI for advanced configuration options that are not available from the web-based manager. This Installation and Configuration Guide contains information about basic and advanced CLI commands. For a more complete description about connecting to and using the FortiWiFi CLI, see the FortiGate CLI Reference Guide.

$Introduction Document conventionsFortiWiFi-60 Installation and Configuration Guide 19Logging and reportingThe FortiWiFi unit supports logging for various categories of traffic and configuration changes. You can configure logging to:• report traffic that connects to the firewall,• report network services used,• report traffic that was permitted by firewall policies,• report traffic that was denied by firewall policies,• report events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks, and web page blocking,• report attacks detected by the NIDS,• send alert email to system administrators to report virus incidents, intrusions, and firewall or VPN events or violations.Logs can be sent to a remote syslog server or a WebTrends NetIQ Security Reporting Center and Firewall Suite server using the WebTrends enhanced log format. Some models can also save logs to an optional internal hard drive. If a hard drive is not installed, you can configure most FortiWiFi units to log the most recent events and attacks detected by the NIDS to the system memory.Document conventionsThis guide uses the following conventions to describe CLI command syntax.• angle brackets < > to indicate variable keywordsFor example:execute restore config <filename_str>You enter restore config myfile.bak<xxx_str> indicates an ASCII string variable keyword.<xxx_integer> indicates an integer variable keyword.<xxx_ip> indicates an IP address variable keyword.• vertical bar and curly brackets {|} to separate alternative, mutually exclusive required keywordsFor example:set system opmode {nat | transparent}You can enter set system opmode nat or set system opmode transparent• square brackets [ ] to indicate that a keyword is optionalFor example:get firewall ipmacbinding [dhcpipmac]You can enter get firewall ipmacbinding orget firewall ipmacbinding dhcpipmac$

20 Fortinet Inc.Fortinet documentation IntroductionFortinet documentationInformation about FortiGate and FortiWiFi products is available from the following User Manual volumes:• Volume 1: FortiWiFi-60 Installation and Configuration GuideDescribes installation and basic configuration for the FortiWiFi unit. Also describes how to use FortiWiFi firewall policies to control traffic flow through the FortiWiFi unit and how to use firewall policies to apply antivirus protection, web content filtering, and email filtering to HTTP, FTP, and email content passing through the FortiWiFi unit.• Volume 2: FortiGate VPN GuideContains in-depth information about FortiGate IPSec VPN using certificates, pre-shared keys and manual keys for encryption. Also contains basic configuration information for the Fortinet Remote VPN Client, detailed configuration information for FortiGate PPTP and L2TP VPN, and VPN configuration examples.• Volume 3: FortiGate Content Protection GuideDescribes how to configure antivirus protection, web content filtering, and email filtering to protect content as it passes through the FortiGate unit.• Volume 4: FortiGate NIDS GuideDescribes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks.• Volume 5: FortiGate Logging and Message Reference GuideDescribes how to configure FortiGate logging and alert email. Also contains the FortiGate log message reference.• Volume 6: FortiGate CLI Reference GuideDescribes the FortiGate CLI and contains a reference to all FortiGate CLI commands.The FortiWiFi online help also contains procedures for using the FortiWiFi web-based manager to configure and manage the FortiWiFi unit.Comments on Fortinet technical documentationYou can send information about errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.

Introduction Customer service and technical supportFortiWiFi-60 Installation and Configuration Guide 21Customer service and technical supportFor antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.You can also register FortiWiFi Antivirus Firewalls from http://support.fortinet.com and change your registration information at any time.Fortinet email support is available from the following addresses:For information on Fortinet telephone support, see http://support.fortinet.com.When requesting technical support, please provide the following information:• Your name• Company name•Location• Email address• Telephone number• FortiWiFi unit serial number• FortiWiFi model• FortiWiFi FortiOS firmware version• Detailed description of the problemamer_support@fortinet.com For customers in the United States, Canada, Mexico, Latin America and South America.apac_support@fortinet.com For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia.eu_support@fortinet.com For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East.

22 Fortinet Inc.Customer service and technical support Introduction

FortiWiFi-60 Installation and Configuration Guide Version 2.50FortiWiFi-60 Installation and Configuration Guide 23Getting startedThis chapter describes unpacking, setting up, and powering on a FortiWiFi Antivirus Firewall unit. When you have completed the procedures in this chapter, you can proceed to one of the following:• If you are going to operate the FortiWiFi unit in NAT/Route mode, go to “NAT/Route mode installation” on page 41.• If you are going to operate the FortiWiFi unit in Transparent mode, go to “Transparent mode installation” on page 59.This chapter describes:•Warnings•Package contents•Mounting•Powering on•Connecting to the web-based manager•Connecting to the command line interface (CLI)•Factory default FortiWiFi configuration settings•Planning the FortiWiFi configuration•FortiGate model maximum values matrix•Next stepsWarnings!Caution: To comply with FCC radio frequency (RF) exposure limits, dipole antennas should be located at a minimum of 7.9 inches (20 cm) or more from the body of all persons.!Caution: Do not operate a wireless network device near unshielded blasting caps or in an explosive environment unless the device has been modified to be especially qualified for such use.

24 Fortinet Inc.Package contents Getting startedPackage contentsThe FortiWiFi-60 package contains the following items:• FortiWiFi-60 Antivirus Firewall• one orange crossover ethernet cable• one gray regular ethernet cable• one null modem cable• FortiWiFi-60 Quick Start Guide• CD containing the FortiGate and FortiWiFi user documentation• one power cable and AC adapterFigure 2: FortiWiFi-60 package contentsMountingThe FortiWiFi-60 unit can be installed on any stable surface. Make sure that the appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and cooling.Dimensions• 8.63 x 6.13 x 1.38 in. (21.9 x 15.6 x 3.5 cm)Weight• 1.5 lb. (0.68 kg)Power requirements• DC input voltage: 12 V• DC input current: 3 ANull-Modem Cable(RS-232)Ethernet Cables:Orange - CrossoverGrey - Straight-throughPower Cable Power SupplyFortiWiFi-60QuickStart GuideCopyright 2003 Fortinet Incorporated. All rights reserved.TrademarksProducts mentioned in this document are trademarks.INTERNALDMZ4321LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100WAN1 WA N2PWR WLANPowerLEDWLANLEDWAN 1,2InterfaceDMZInterfaceInternalInterfaceFrontInternal Interface,switch connectors1,2,3,4Back1234Console USB WAN2 WA N1 DMZDC+12VInternalPowerConnectionRS-232 SerialConnectionUSBWAN2 DMZWAN1DocumentationINTERNALDMZ4321LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100WAN1 WAN2PWR WLAN

Getting started Powering onFortiWiFi-60 Installation and Configuration Guide 25Environmental specifications• Operating temperature: 32 to 104°F (0 to 40°C)• Storage temperature: -13 to 158°F (-25 to 70°C)• Humidity: 5 to 95% non-condensingWireless Connectivity• Antenna type: Dual external fixed antenna• Antenna range: 802.11b/g:2.4GHz• Antenna Gain: 5dBiBasic WiFi installation guidelinesBecause the FortiWiFi-60 is a radio device, it is susceptible to common causes of interference that can reduce throughput and range. Follow these basic guidelines to ensure the best possible performance:• Install the access point in an area where large steel structures such as shelving units, bookcases, and filing cabinets do not block the radio signals to and from the access point.• Install the access point away from microwave ovens. Microwave ovens operate on the same frequency as the access point and can cause signal interference.Powering onTo power on the FortiWiFi-60 unit1Connect the AC adapter to the power connection at the back of the FortiWiFi-60 unit.2Connect the AC adapter to the power cable.3Connect the power cable to a power outlet.The FortiWiFi-60 unit starts. The Power and WAN LEDS light.Table 1: FortiWiFi-60 LED indicatorsLED State DescriptionPower Green The FortiWiFi unit is powered on.Off The FortiWiFi unit is powered off.WAN Green Traffic on WAN link.Link(Internal DMZWAN1WAN2)Green The correct cable is in use and the connected equipment has power.Flashing Green Network activity at this interface.Off No link established.100(Internal DMZWAN1WAN2)Green The interface is connected at 100 Mbps.

26 Fortinet Inc.Connecting to the web-based manager Getting startedConnecting to the web-based managerUse the following procedure to connect to the web-based manager for the first time. Configuration changes made with the web-based manager are effective immediately without resetting the firewall or interrupting service.To connect to the web-based manager, you need:• a computer with an ethernet connection,• Internet Explorer version 4.0 or higher,• an ethernet cable.• a crossover cable or an ethernet hub and two ethernet cables.To connect to the web-based manager1Set the IP address of the computer with an ethernet connection to the static IP address 192.168.1.2 and a netmask of 255.255.255.0.You can also configure the management computer to obtain an IP address automatically using DHCP. The FortiWiFi DHCP server assigns the management computer an IP address in the range 192.168.1.1 to 192.168.1.254.2Using the ethernet cable, connect the internal interface of the FortiWiFi unit to the computer ethernet connection.3Start Internet Explorer and browse to the address https://192.168.1.99 (remember to include the “s” in https://).The FortiWiFi login is displayed.4Type admin in the Name field and select Login.The Register Now window is displayed. Use the information in this window to register your FortiWiFi unit so that Fortinet can contact you for firmware updates. You must also register to receive updates to the FortiWiFi virus and attack definitions.Figure 3: FortiWiFi loginNote: You can use the web-based manager with recent versions of most popular web browsers. The web-based manager is fully supported for Internet Explorer version 4.0 or higher.

Getting started Connecting to the command line interface (CLI)FortiWiFi-60 Installation and Configuration Guide 27Connecting to the command line interface (CLI)As an alternative to the web-based manager, you can install and configure the FortiWiFi unit using the CLI. Configuration changes made with the CLI are effective immediately without resetting the firewall or interrupting service.To connect to the FortiWiFi CLI, you need:• a computer with an available communications port,• the null modem cable included in your FortiWiFi package,• terminal emulation software such as HyperTerminal for Windows.To connect to the CLI1Connect the null modem cable to the communications port of your computer and to the FortiWiFi Console port.2Make sure that the FortiWiFi unit is powered on.3Start HyperTerminal, enter a name for the connection, and select OK.4Configure HyperTerminal to connect directly to the communications port on the computer to which you have connected the null modem cable and select OK.5Select the following port settings and select OK.6Press Enter to connect to the FortiWiFi CLI.The following prompt is displayed:FortiWiFi-60 login:7Type admin and press Enter twice.The following prompt is displayed:Type ? for a list of commands.For information about how to use the CLI, see the FortiGate CLI Reference Guide.Note: The following procedure describes how to connect to the CLI using Windows HyperTerminal software. You can use any terminal emulation program.Bits per second 9600Data bits 8Parity NoneStop bits 1Flow control None

28 Fortinet Inc.Factory default FortiWiFi configuration settings Getting startedFactory default FortiWiFi configuration settingsThe FortiWiFi unit is shipped with a factory default configuration. The default configuration allows you to connect to and use the FortiWiFi web-based manager to configure the FortiWiFi unit onto the network. To configure the FortiWiFi unit onto the network you add an administrator password, change network interface IP addresses, add DNS server IP addresses, and configure routing, if required.If you plan to operate the FortiWiFi unit in Transparent mode, you can switch to Transparent mode from the factory default configuration and then configure the FortiWiFi unit onto the network in Transparent mode.Once the network configuration is complete, you can perform additional configuration tasks such as setting system time, configuring virus and attack definition updates, and registering the FortiWiFi unit.The factory default firewall configuration includes a single network address translation (NAT) policy that allows users on your internal network to connect to the external network, and stops users on the external network from connecting to the internal network. You can add more policies to provide more control of the network traffic passing through the FortiWiFi unit.The factory default content profiles can be used to apply different levels of antivirus protection, web content filtering, and email filtering to the network traffic that is controlled by firewall policies.•Factory default DHCP configuration•Factory default NAT/Route mode network configuration•Factory default Transparent mode network configuration•Factory default firewall configuration•Factory default content profilesFactory default DHCP configurationWhen the FortiWiFi unit is first powered on, the WAN1 interface is configured to receive its IP address by connecting to a DHCP server. If your ISP provides IP addresses using DHCP, no other configuration is required for this interface.The FortiWiFi unit can also function as a DHCP server for your internal network. You can configure the TCP/IP settings of the computers on your internal network to obtain an IP address automatically from the FortiWiFi unit DHCP server. For more information about the FortiWiFi DHCP server, see “Configuring DHCP services” on page 126.

Getting started Factory default FortiWiFi configuration settingsFortiWiFi-60 Installation and Configuration Guide 29Factory default NAT/Route mode network configurationWhen the FortiWiFi unit is first powered on, it is running in NAT/Route mode and has the basic network configuration listed in Table 4. This configuration allows you to connect to the FortiWiFi unit web-based manager and establish the configuration required to connect the FortiWiFi unit to the network. In Table 4 HTTPS management access means you can connect to the web-based manager using this interface. Ping management access means this interface responds to ping requests.Table 2: FortiWiFi Internal interface DHCP Server default configurationEnable DHCP ;Starting IP 192.168.1.101Ending IP 192.168.1.200Netmask 255.255.255.0Lease Duration 7 daysDefault Route 192.168.1.99DNS IP 192.168.1.99WINS IP 192.168.1.99Table 3: FortiWiFi WLAN interface DHCP Server default configurationEnable DHCP ;Starting IP 192.168.2.101Ending IP 192.168.2.200Netmask 255.255.255.0Lease Duration 7 daysDefault Route 192.168.2.99DNS IP 192.168.2.99WINS IP 192.168.2.99Table 4: Factory default NAT/Route mode network configurationAdministratoraccountUser name: adminPassword: (none)Internal interfaceIP: 192.168.1.99Netmask: 255.255.255.0Management Access: HTTPS, PingWAN1 interface Addressing Mode: DHCPManagement Access: PingWAN2 interfaceIP: 192.168.101.99Netmask: 255.255.255.0Management Access: Ping

30 Fortinet Inc.Factory default FortiWiFi configuration settings Getting startedFactory default Transparent mode network configurationIf you switch the FortiWiFi unit to Transparent mode, it has the default network configuration listed in Table 5.DMZ interfaceIP: 10.10.10.1Netmask: 255.255.255.0Management Access: HTTPS, PingWLAN interfaceIP: 192.168.100.99Netmask: 255.255.255.0Management Access:Geography: WorldChannel: 5Security: noneKey: noneSSID: FortinetTable 4: Factory default NAT/Route mode network configuration (Continued)Table 5: Factory default Transparent mode network configuration Administratoraccount User name: adminPassword: (none)Management IP IP: 10.10.10.1Netmask: 255.255.255.0DNS Primary DNS Server: 207.194.200.1Secondary DNS Server: 207.194.200.129Management accessInternal HTTPS, PingWAN1 PingWAN2 PingDMZ HTTPS, PingWirelessGeography WorldChannel 5Security NoneKey NoneSSID fortinet

Getting started Factory default FortiWiFi configuration settingsFortiWiFi-60 Installation and Configuration Guide 31Factory default firewall configurationThe factory default firewall configuration is the same in NAT/Route and Transparent mode.Table 6: Factory default firewall configuration Internal Address Internal_All IP: 0.0.0.0 Represents all of the IP addresses on the internal network.Mask: 0.0.0.0WAN1 Address WAN1_All IP: 0.0.0.0 Represents all of the IP addresses on the network connected to the WAN1 interface.Mask: 0.0.0.0WAN2 Address WAN2_All IP: 0.0.0.0 Represents all of the IP addresses on the network connected to the WAN2 interface.Mask: 0.0.0.0WLANAddress WLAN_All IP: 0.0.0.0 Represents all of the IP addresses on the network connected to the WLAN interface.Mask: 0.0.0.0DMZAddress DMZ_All IP: 0.0.0.0 Represents all of the IP addresses on the network connected to the DMZ interface.Mask: 0.0.0.0Recurring Schedule Always The schedule is valid at all times. This means that the firewall policy is valid at all times.Firewall Policy Internal->WAN1 Firewall policy for connections from the internal network to the WAN1 network.Source Internal_All The policy source address. Internal_All means that the policy accepts connections from any internal IP address.Destination WAN1_All The policy destination address. WAN1_All means that the policy accepts connections with a destination address to any IP address on the external (WAN1) network.Firewall Policy Internal->WAN2 Firewall policy for connections from the internal network to the WAN2 network.Source Internal_All The policy source address. Internal_All means that the policy accepts connections from any internal IP address.Destination WAN2_All The policy destination address. WAN2_All means that the policy accepts connections with a destination address to any IP address on the external (WAN2) network.Firewall Policy WLAN->WAN1 Firewall policy for connections from the WLAN network to the WAN1 network.Source WLAN_All The policy source address. Internal_All means that the policy accepts connections from any WLAN IP address.Destination WAN1_All The policy destination address. WAN1_All means that the policy accepts connections from the wireless network with a destination address to any IP address on the external (WAN1) network.

36 Fortinet Inc.Planning the FortiWiFi configuration Getting startedYou can add security policies to control whether communications through the FortiWiFi unit operate in NAT or Route mode. Security policies control the flow of traffic based on the source address, destination address, and service of each packet. In NAT mode, the FortiWiFi unit performs network address translation before it sends the packet to the destination network. In Route mode, there is no translation.By default, the FortiWiFi unit has a NAT mode security policy that allows users on the internal network to securely download content from the external network. No other traffic is possible until you have configured further security policies.You typically use NAT/Route mode when the FortiWiFi unit is operating as a gateway between private and public networks. In this configuration, you would create NAT mode policies to control traffic flowing between the internal, private network and the external, public network (usually the Internet).In addition, you can use NAT/Route mode when the FortiWiFi-60 is operating as a gateway for your wireless network. In this configuration you would create NAT mode policies to control traffic flowing between the wireless network and the Internet as well as between the wireless network and other networks (such as the internal or DMZ networks).If you have multiple internal networks, such as a DMZ network in addition to the internal, private network, you could create route mode policies for traffic flowing between them.Figure 4: Example NAT/Route mode network configurationTransparent modeIn Transparent mode, the FortiWiFi unit is invisible to the network. Similar to a network bridge, all FortiWiFi interfaces must be on the same subnet. You only have to configure a management IP address so that you can make configuration changes. The management IP address is also used for antivirus and attack definition updates.You typically use the FortiWiFi unit in Transparent mode on a private network behind an existing firewall or behind a router. The FortiWiFi unit performs firewall functions as well as antivirus and content scanning but not VPN.FortiWiFi-60 Unitin NAT/Route modeInternal networkWireless networkInternal192.168.1.99WLAN192.168.40.1192.168.1.3192.168.40.4WAN1204.23.1.5NAT mode policies controllingtraffic between internal andexternal networks.NAT mode policies controllingtraffic between WLAN andexternal networks.NAT mode policies controllingtraffic between WLAN andinternal networks.InternetINTERNALDMZ4321LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100WAN1 WAN2PWR WLAN

Getting started Planning the FortiWiFi configurationFortiWiFi-60 Installation and Configuration Guide 37Figure 5: Example Transparent mode network configurationYou can connect up to four network segments to the FortiWiFi unit to control traffic between these network segments.• WAN1 can connect to the external firewall or router. • Internal can connect to the internal network.• DMZ and WAN2 can connect to other network segments.• WLAN connects to the wireless network.In Transparent mode the wireless network is on the same subnet as the private network. Using Transparent mode firewall policies you can control the flow of traffic from the wireless network segment to other network segments.Configuration optionsOnce you have selected Transparent or NAT/Route mode operation, you can complete the configuration plan and begin to configure the FortiWiFi unit.You can use the web-based manager setup wizard or the command line interface (CLI) for the basic configuration of the FortiWiFi unit.Setup wizardIf you are configuring the FortiWiFi unit to operate in NAT/Route mode (the default), the setup wizard prompts you to add the administration password and the internal interface address. The setup wizard also prompts you to choose either a manual (static) or a dynamic (DHCP or PPPoE) address for the WAN1 interface. Using the wizard, you can also add DNS server IP addresses and a default route for the WAN1 interface.In NAT/Route mode you can also change the configuration of the FortiWiFi DHCP server to supply IP addresses for the computers on your internal network. You can also configure the FortiWiFi to allow Internet access to your internal Web, FTP, or email servers.Using the web-based manager you can also add a DHCP server configuration to the WLAN interface to supply IP addresses to the computers on your wireless network. You can also add firewall policies to allow Internet access from the wireless network.FortiWiFi-60 Unitin Transparent mode10.10.10.1Management IP10.10.10.3WAN1WLANInternal10.10.10.2Transparent mode policies controlling traffic between internal and external networks.204.23.1.5(firewall, router)Gateway topublic network Internal networkINTERNALDMZ4321LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100WAN1 WAN 2PWR WLANWireless network10.10.10.5 Transparent mode policies controllingtraffic between WLAN andinternal networks.Transperent mode policies controllingtraffic between WLAN andinternal networks.Internet

38 Fortinet Inc.Planning the FortiWiFi configuration Getting startedIf you are configuring the FortiWiFi unit to operate in Transparent mode, you can switch to Transparent mode from the web-based manager and then use the setup wizard to add the administration password, the management IP address and gateway, and the DNS server addresses. CLIIf you are configuring the FortiWiFi unit to operate in NAT/Route mode, you can add the administration password and all interface addresses. You can also use the CLI to configure the WAN1 interface for either a manual (static) or a dynamic (DHCP or PPPoE) address. Using the CLI, you can also add DNS server IP addresses and a default route for the WAN1 interface.In NAT/Route mode you can also change the configuration of the FortiWiFi DHCP server to supply IP addresses for the computers on your internal network.Using the CLI you can also add a DHCP server configuration to the WLAN interface to supply IP addresses to the computers on your wireless network. You can also add firewall policies to allow Internet access from the wireless network.If you are configuring the FortiWiFi unit to operate in Transparent mode, you can use the CLI to switch to Transparent mode, Then you can add the administration password, the management IP address and gateway, and the DNS server addresses.

Getting started FortiGate model maximum values matrixFortiWiFi-60 Installation and Configuration Guide 39FortiGate model maximum values matrixTable 11: FortiGate maximum values matrixFortiGate model50 60** 100 200 300 400 500 800 1000 3000 3600 4000Routes 500 500 500 500 500 500 500 500 500 500 500 500Policy routing gateways 500 500 500 500 500 500 500 500 500 500 500 500Administrative users 500 500 500 500 500 500 500 500 500 500 500 500VLANsubinterfaces N/A N/A N/A 4096* 4096* 4096* 4096* 4096* 4096* 4096* 4096* 4096*Zones N/A N/A N/A 100 100 100 100 100 200 300 500 500Virtual domains N/AN/AN/A1632646464128512512512DHCP address scopes 32 32 32 32 32 32 32 32 32 32 32 32DHCP reserved IP/MAC pairs 10 20 30 30 50 50 100 100 200 200 200 200Firewall policies 200 500 1000 2000 5000 5000 20000 20000 50000 50000 50000 50000Firewall addresses 500 500 500 500 3000 3000 6000 6000 10000 10000 10000 10000Firewall address groups 500 500 500 500 500 500 500 500 500 500 500 500Firewall custom services 500 500 500 500 500 500 500 500 500 500 500 500Firewall service groups 500 500 500 500 500 500 500 500 500 500 500 500Firewall recurring schedules 256 256 256 256 256 256 256 256 256 256 256 256Firewall onetime schedules 256 256 256 256 256 256 256 256 256 256 256 256Firewall virtual IPs 500 500 500 500 500 500 500 500 500 500 500 500Firewall IP pools 50 50 50 50 50 50 50 50 50 50 50 50IP/MAC binding table entries 500 500 500 500 500 500 500 500 500 500 500 500Firewall content profiles 32 32 32 32 32 32 32 32 32 32 32 32User names 20 500 1000 1000 1000 1000 1000 1000 1000 1000 1000 1000Radius servers 666666666666LDAP servers 666666666666User groups 100 100 100 100 100 100 100 100 100 100 100 100Total number of user group members300 300 300 300 300 300 300 300 300 300 300 300* Includes the number of physical interfaces. **FortiGate-60 and FortiWiFi-60.

40 Fortinet Inc.Next steps Getting startedNext stepsNow that your FortiWiFi unit is operating, you can proceed to configure it to connect to networks:• If you are going to operate the FortiWiFi unit in NAT/Route mode, go to “NAT/Route mode installation” on page 41.• If you are going to operate the FortiWiFi unit in Transparent mode, go to “Transparent mode installation” on page 59.IPSec remote gateways (Phase 1)20 50 80 200 1500 1500 3000 3000 5000 5000 5000 5000IPSec VPN tunnels (Phase 2) 20 50 80 200 1500 1500 3000 3000 5000 5000 5000 5000IPSec VPN concentrators 500 500 500 500 500 500 500 500 500 500 500 500PPTP users 500 500 500 500 500 500 500 500 500 500 500 500L2TP users 500 500 500 500 500 500 500 500 500 500 500 500NIDS user-defined signatures 100 100 100 100 100 100 100 100 100 100 100 100Antivirus file block patterns 56 56 56 56 56 56 56 56 56 56 56 56Web filter and email filter lists Limit varies depending on available system memory. Fortinet recommends limiting total size of web and email filter lists to 4 Mbytes or less. If you want to use larger web filter lists, consider using Cerberian web filtering.Log setting traffic filter entries 50 50 50 50 50 50 50 50 50 50 50 50Table 11: FortiGate maximum values matrixFortiGate model50 60** 100 200 300 400 500 800 1000 3000 3600 4000* Includes the number of physical interfaces. **FortiGate-60 and FortiWiFi-60.

FortiWiFi-60 Installation and Configuration Guide Version 2.50FortiWiFi-60 Installation and Configuration Guide 41NAT/Route mode installationThis chapter describes how to install the FortiWiFi unit in NAT/Route mode. To install the FortiWiFi unit in Transparent mode, see “Transparent mode installation” on page 59.This chapter describes:•Installing the FortiWiFi unit using the default configuration•Preparing to configure NAT/Route mode•Using the setup wizard•Using the command line interface•Connecting the FortiWiFi unit to your networks•Configuring your networks•Completing the configuration•Configuration example: Multiple connections to the InternetInstalling the FortiWiFi unit using the default configurationDepending on your requirements, you may be able to deploy the FortiWiFi unit without changing its factory default configuration. If the factory default settings in Table 12 are compatible with your requirements, all you need to do is configure your internal network and then connect the FortiWiFi unit.Table 12: FortiWiFi unit factory default configurationFirewall Policies Four NAT policies allow users on the internal network and on the wireless network to access any Internet service through the WAN1 and WAN2 interfaces. No other traffic is allowed. All web, ftp, and email traffic is scanned for viruses.WAN1 and WAN2 interfacesUsing DHCP, WAN1 and WAN2 get their IP addresses from your ISP. The FortiWiFi-60 unit also gets DNS server IPs from these interfaces.DHCP Server on internal and wireless networksInternal Starting IP: 192.168.1.10, Ending IP: 192.168.1.200,Default route: 192.168.1.99, DNS server: 192.168.1.99WLAN Starting IP: 192.168.2.10, Ending IP: 192.168.2.200,Default route: 192.168.2.99, DNS server: 192.168.2.99WLAN IP: 192.168.2.99, Channel: 5, SSID: fortinet

42 Fortinet Inc.Preparing to configure NAT/Route mode NAT/Route mode installationTo use the factory default configuration, follow these steps to install the FortiWiFi unit:1Configure the TCP/IP settings of the computers on your internal network to obtain an IP address automatically using DHCP. Refer to your computer documentation for assistance.2Turn on DHCP for the computers on your wireless network as well. If required, configure wireless settings to use channel 5 and SSID fortinet.3Complete the procedure in the section “Connecting the FortiWiFi unit to your networks” on page 47.Changing the default configurationYou can use the procedures in this chapter to change the default configuration. For example, if your ISP assigns IP addresses using PPPoE instead of DHCP, you only need to change the configuration of the WAN1 interface. Use the information in the rest of this chapter to change the default configuration as required.This chapter also describe how to change your wireless networking channel and SSID, and how to improve the security of your wireless network by enabling WEP and entering a WEP key.Preparing to configure NAT/Route modeUse Table 13 to gather the information that you need to customize NAT/Route mode settings.Table 13: NAT/Route mode settingsAdministrator password:Internal interfaceIP: _____._____._____._____Netmask: _____._____._____._____WAN1 interfaceIP: _____._____._____._____Netmask: _____._____._____._____Default Gateway: _____._____._____._____Primary DNS Server: _____._____._____._____Secondary DNS Server: _____._____._____._____WAN2 interface IP: _____._____._____._____Netmask: _____._____._____._____

NAT/Route mode installation Preparing to configure NAT/Route modeFortiWiFi-60 Installation and Configuration Guide 43Advanced NAT/Route mode settingsUse Table 14 to gather the information that you need to customize advanced FortiWiFi NAT/Route mode settings.Internal servers Web Server: _____._____._____._____SMTP Server: _____._____._____._____POP3 Server: _____._____._____._____IMAP Server: _____._____._____._____FTP Server: _____._____._____._____If you provide access from the Internet to a web server, mail server, IMAP server, or FTP server installed on an internal network, add the IP addresses of the servers here.Table 13: NAT/Route mode settingsTable 14: Advanced FortiWiFi NAT/Route mode settingsWAN1 interfaceDHCP: If your Internet Service Provider (ISP) supplies you with an IP address using DHCP, no further information is required.PPPoE: User name:Password:If your ISP supplies you with an IP address using PPPoE, record your PPPoE user name and password.WAN2 interfaceDHCP: If your Internet Service Provider (ISP) supplies you with an IP address using DHCP, no further information is required.PPPoE: User name:Password:If your ISP supplies you with an IP address using PPPoE, record your PPPoE user name and password.DHCP serverStarting IP: _____._____._____._____Ending IP: _____._____._____._____Netmask: _____._____._____._____Default Route: _____._____._____._____DNS IP: _____._____._____._____The FortiWiFi unit contains a DHCP server that you can configure to automatically set the addresses of the computers on your internal network.

44 Fortinet Inc.Using the setup wizard NAT/Route mode installationDMZ interfaceUse Table 15 to record the IP address and netmask of the FortiWiFi DMZ interface if you are configuring it during installation.Wireless settingsUse Table 16 to record the IP address and netmask of the FortiWiFi-60 WLAN interface if you are configuring it during installation. If you are configuring wireless networking you should also configure the wireless Service Set ID (SSID) and channel. See “Wireless configuration” on page 120 for more information.Using the setup wizardFrom the web-based manager, you can use the setup wizard to create the initial configuration of your FortiWiFi unit. To connect to the web-based manager, see “Connecting to the web-based manager” on page 26.Starting the setup wizard1Select Easy Setup Wizard (the middle button in the upper-right corner of the web-based manager).2Use the information that you gathered in Table 13 on page 42 to fill in the wizard fields. Select the Next button to step through the wizard pages.3Confirm your configuration settings and then select Finish and Close.Reconnecting to the web-based managerIf you used the setup wizard to change the IP address of the internal interface, you must reconnect to the web-based manager using a new IP address. Browse to https:// followed by the new IP address of the internal interface. Otherwise, you can reconnect to the web-based manager by browsing to https://192.168.1.99.Table 15: DMZ interface (Optional)DMZ IP: _____._____._____._____ Netmask: _____._____._____._____Table 16: Wireless settings (Optional)WLAN IP: _____._____._____._____ Netmask: _____._____._____._____Geography: World Americas EMEA Japan Israel Channel:Security: None WEP Key:SSID:Note: If you use the setup wizard to configure internal server settings, the FortiWiFi unit adds port forwarding virtual IPs and firewall policies for each server. For each server located on your internal network the FortiWiFi unit adds a WAN1->Internal policy. For each server located on your DMZ network, the FortiWiFi unit adds a WAN1->DMZ policy.

NAT/Route mode installation Using the command line interfaceFortiWiFi-60 Installation and Configuration Guide 45You have now completed the initial configuration of your FortiWiFi unit, and you can proceed to “Connecting the FortiWiFi unit to your networks” on page 47.Using the command line interfaceAs an alternative to using the setup wizard, you can configure the FortiWiFi unit using the command line interface (CLI). To connect to the CLI, see “Connecting to the command line interface (CLI)” on page 27.Configuring the FortiWiFi unit to operate in NAT/Route modeUse the information that you gathered in Table 13 on page 42 to complete the following procedures.Configuring NAT/Route mode IP addresses1Log into the CLI if you are not already logged in.2Set the IP address and netmask of the internal interface to the internal IP address and netmask that you recorded in Table 13 on page 42. Enter:set system interface internal mode static ip <IP address> <netmask>Exampleset system interface internal mode static ip 192.168.1.1 255.255.255.03Set the IP address and netmask of the WAN1 interface to the IP address and netmask that you recorded in Table 13 on page 42.To set the manual IP address and netmask, enter:set system interface wan1 mode static ip <IP address> <netmask>Exampleset system interface wan1 mode staticip 204.23.1.5 255.255.255.0To set the WAN1 interface to use DHCP, enter:set system interface wan1 mode dhcp connection enableTo set the WAN1 interface to use PPPoE, enter:set system interface wan1 mode pppoe username<user name> password <password> connectionenableExampleset system interface wan1 mode pppoe username user@domain.com password mypass connection enable

$46 Fortinet Inc.Using the command line interface NAT/Route mode installation4Optionally set the IP address and netmask of the WAN2 interface to the IP address and netmask that you recorded in Table 13 on page 42.To set the manual IP address and netmask, enter:set system interface wan2 mode static ip <IP address> <netmask>Exampleset system interface wan2 mode staticip 34.3.21.35 255.255.255.0To set the WAN2 interface to use DHCP, enter:set system interface wan2 mode dhcp connection enableTo set the WAN2 interface to use PPPoE, enter:set system interface wan2 mode pppoe username<user name> password <password> connectionenableExampleset system interface wan2 mode pppoe username user@domain.com password mypass connection enable5Optionally set the IP address and netmask of the DMZ interface to the DMZ IP address and netmask that you recorded in Table 15 on page 44. Enter:set system interface dmz mode static ip <IP address> <netmask>Exampleset system interface dmz mode static ip 10.10.10.2 255.255.255.06Optionally set the IP address and netmask of the WLAN interface to the WLAN IP address and netmask that you recorded in Table 16 on page 44. Enter:set system interface wlan mode static ip <IP address> <netmask>Exampleset system interface wlan mode static ip 192.168.40.1 255.255.255.07Optionally set the wireless configuration using the information that you recorded in Table 16 on page 44. Enter:set system interface wlan wireless geography {World | Americas | EMEA | Israel | Japan} channel <channel_number> ssid <ssid_name> security WEP key <WEP_key>Exampleset system interface wlan wireless geography Americas channel 10 ssid My_SSID security WEP key My_Wep_Key8Confirm that the addresses are correct. Enter:get system interfaceThe CLI lists the IP address, netmask and other settings for each of the FortiWiFi interfaces.9Set the primary DNS server IP addresses. Enterset system dns primary <IP address>Exampleset system dns primary 293.44.75.21$

NAT/Route mode installation Connecting the FortiWiFi unit to your networksFortiWiFi-60 Installation and Configuration Guide 4710 Optionally, set the secondary DNS server IP addresses. Enterset system dns secondary <IP address>Exampleset system dns secondary 293.44.75.2211 Set the default route to the Default Gateway IP address (not required for DHCP and PPPoE).set system route number <route_no> dst 0.0.0.0 0.0.0.0 gw1 <gateway_ip>Exampleset system route number 0 dst 0.0.0.0 0.0.0.0 gw1 204.23.1.2Connecting the FortiWiFi unit to your networksWhen you have completed the initial configuration, you can connect the FortiWiFi unit between your internal network and the Internet.There are seven 10/100 BaseTX connectors on the back of the FortiWiFi-60 unit:• Four Internal ports for connecting to your internal network,• One WAN1 port for connecting to your public switch or router and the Internet,• One WAN 2 port for connecting to a second public switch or router and the Internet for a redundant Internet connection,• One DMZ port for connecting to a DMZ network.To connect the FortiWiFi unit:1Connect the Internal interface connectors to PCs and other network devices in your internal network.The Internal interface functions as a switch, allowing up to four devices to be connected to the internal network and the internal interface.2Connect the WAN1 interface to the Internet.Connect to the public switch or router provided by your Internet Service Provider. If you are a DSL or cable subscriber, connect the WAN1 interface to the internal or LAN connection of your DSL or cable modem.3Optionally connect the WAN2 interface to the Internet.Connect to the public switch or router, usually provided by a different Internet Service Provider. If you are a DSL or cable subscriber, connect the WAN2 interface to the internal or LAN connection of your DSL or cable modem.4Optionally, connect the DMZ interface to your DMZ network.You can use a DMZ network to provide access from the Internet to a web server or other server without installing the servers on your internal network.Note: You can also connect the WAN1 and WAN2 interfaces to different Internet connections to provide a redundant connection to the Internet.

48 Fortinet Inc.Configuring your networks NAT/Route mode installationFigure 6: FortiWiFi-60 NAT/Route mode connectionsConfiguring your networksIf you are operating the FortiWiFi unit in NAT/Route mode, your networks must be configured to route all Internet traffic to the IP address of the FortiWiFi interface to which they are connected. For your internal network, change the default gateway address of all computers and routers connected directly to your internal network to the IP address of the FortiWiFi internal interface. For the wireless network, change the default gateway address of all computers on the wireless network to the IP address of the wlan interface. For your DMZ network, change the default gateway address of all computers and routers connected directly to your DMZ network to the IP address of the FortiWiFi DMZ interface. For the external network, route all packets to the FortiWiFi WAN1 or WAN 2 interface.If you are using the FortiWiFi unit as the DHCP server for your internal network, configure the computers on your internal network for DHCP.Make sure that the connected FortiWiFi unit is functioning properly by connecting to the Internet from a computer on your internal network. You should be able to connect to any Internet address.INTERNALDMZ4321LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100WAN1 WAN 2PWR WLANFortiWiFi-60DMZDMZ NetworkMail ServerWeb ServerInternal NetworkWAN2WAN1InternetBroadband (cable or DSL)T1Wireless NetworkInternal

NAT/Route mode installation Completing the configurationFortiWiFi-60 Installation and Configuration Guide 49Completing the configurationUse the information in this section to complete the initial configuration of the FortiWiFi unit.Configuring the DMZ interfaceIf you are planning to configure a DMZ network, you might want to change the IP address of the DMZ interface. Use the following procedure to configure the DMZ interface using the web-based manager.1Log into the web-based manager.2Go to System > Network > Interface.3For the dmz interface, select Modify .4Change the IP address and Netmask as required.5Select Apply.Configuring the WLAN interfaceIf you are planning to configure a wireless network, you might want to change the IP address of the WLAN interface and configure your wireless settings. Use the information in “Wireless configuration” on page 120 to complete the FortiWiFi-60 wireless configuration.1Log into the web-based manager.2Go to System > Network > Interface.3For the wlan interface, select Modify .4Change the IP address and Netmask as required.5Set Geography to your location and select a channel.6Set Security to WEP (recommended) and enter a WEP key.7Change the SSID if required.8Select OK.Configuring the WAN2 interfaceIf you are planning to configure a second internet connection using the WAN2 interface, you might want to change the IP address of the WAN2 interface. Use the following procedure to configure the WAN2 interface using the web-based manager.1Log into the web-based manager.2Go to System > Network > Interface.3For the wan2 interface, select Modify .4Change the IP address and Netmask as required.5Select Apply.

NAT/Route mode installation Configuration example: Multiple connections to the InternetFortiWiFi-60 Installation and Configuration Guide 51Configuration example: Multiple connections to the InternetThis section describes some basic routing and firewall policy configuration examples for a FortiWiFi unit with multiple connections to the Internet (see Figure 7). In this topology, the organization operating the FortiWiFi unit uses two Internet service providers to connect to the Internet. The FortiWiFi unit is connected to the Internet using the WAN1 and WAN2 interfaces. The WAN1 interface connects to gateway 1, operated by ISP1 and the WAN2 interface connects to gateway 2, operated by ISP2.By adding ping servers to interfaces, and by configuring routing you can control how traffic uses each Internet connection. With this routing configuration is place you can proceed to create firewall policies to support multiple internet connections.This section provides some examples of routing and firewall configurations to configure the FortiWiFi unit for multiple internet connections. To use the information in this section you should be familiar with FortiWiFi routing (see “Configuring routing” on page 122) and FortiWiFi firewall configuration (see “Firewall configuration” on page 159).The examples below show how to configure destination-based routing and policy routing to control different traffic patterns.•Configuring Ping servers•Destination based routing examples•Policy routing examples•Firewall policy example

52 Fortinet Inc.Configuration example: Multiple connections to the Internet NAT/Route mode installationFigure 7: Example multiple Internet connection configurationConfiguring Ping serversUse the following procedure to make Gateway 1 the ping server for the WAN1 interface and Gateway 2 the ping server for the WAN2 interface.1Go to System > Network > Interface.2For the WAN1 interface, select Modify .• Ping Server: 1.1.1.1• Select Enable Ping Server•Select OK3For the WAN2 interface, select Modify .• Ping Server: 2.2.2.1• Select Enable Ping Server•Select OKINTERNALDMZ4321LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100 LINK 100WAN1 WAN2PWR WLANInternal NetworkWAN2WAN1InternalInternetExternal Network #1 100.100.100.0External Network #2200.200.200.0Gateway #1: 1.1.1.1 Gateway #2: 2.2.2.1ISP1 ISP22.2.2.21.1.1.2192.168.1.99192.168.1.0

54 Fortinet Inc.Configuration example: Multiple connections to the Internet NAT/Route mode installationLoad sharingYou can also configure destination routing to direct traffic through both gateways at the same time. If users on your internal network connect to the networks of ISP1 and ISP2, you can add routes for each of these destinations. Each route can include a backup destination to the network of the other ISP.The first route directs all traffic destined for the 100.100.100.0 network to gateway 1 with the IP address 1.1.1.1. If this router is down, traffic destined for the 100.100.100.0 network is re-directed to gateway 2 with the IP address 2.2.2.1.Load sharing and primary and secondary connectionsYou can combine these routes into a more complete multiple internet connection configuration. In the topology shown in Figure 7 on page 52, users on the Internal network would connect to the Internet to access web pages and other Internet resources. However, they may also connect to services, such as email, provided by their ISPs. You can combine the routes described in the previous examples to provide users with a primary and backup connection to the Internet, while at the same time routing traffic to each ISP network as required.The routing described below allows a user on the internal network to connect to the Internet through gateway 1 and ISP1. At the same time, this user can also connect through the DMZ interface to gateway 2 to access a mail server maintained by ISP2.Adding the routes using the web-based manager1Go to System > Network > Routing Table.2Select New to add the default route for primary and backup links to the Internet.• Destination IP: 0.0.0.0• Mask: 0.0.0.0• Gateway #1: 1.1.1.1• Gateway #2: 2.2.2.1• Device #1: wan1• Device #2: wan2•Select OK.Table 18: Load sharing routesDestination IP‘ Mask Gateway #1 Device #1 Gateway #2 Device #2100.100.100.0 255.255.255.0 1.1.1.1 wan1 2.2.2.1 wan2200.200.200.0 255.255.255.0 2.2.2.1 wan2 1.1.1.1 wan1

56 Fortinet Inc.Configuration example: Multiple connections to the Internet NAT/Route mode installationPolicy routing examplesPolicy routing can be added to increase the control you have over how packets are routed. Policy routing works on top of destination-based routing. This means you should configure destination-based routing first and then build policy routing on top to increase the control provided by destination-based routing.For example, if you have used destination-based routing to configure routing for dual internet connections, you can use policy routing to apply more control to which traffic is sent to which destination route. This section describes the following policy routing examples, based on topology similar to that shown in Figure 7 on page 52.Differences are noted in each example. The policy routes described in these examples only work if you have already defined destination routes similar to those described in the previous section.•Routing traffic from internal subnets to different external networks•Routing a service to an external networkFor more information about policy routing, see “Policy routing” on page 125.Routing traffic from internal subnets to different external networksIf the FortiWiFi unit provides internet access for multiple internal subnets, you can use policy routing to control the route that traffic from each network takes to the Internet. For example, if the internal network includes the subnets 192.168.10.0 and 192.168.20.0 you can enter the following policy routes:1Enter the following command to route traffic from the 192.168.10.0 subnet to the 100.100.100.0 external network:set system route policy 1 src 192.168.10.0 255.255.255.0 dst 100.100.100.0 255.255.255.0 gw 1.1.1.12Enter the following command to route traffic from the 192.168.20.0 subnet to the 200.200.200.0 external network:set system route policy 2 src 192.168.20.0 255.255.255.0 dst 200.200.200.0 255.255.255.0 gw 2.2.2.1Routing a service to an external networkYou can use the following policy routes to direct all HTTP traffic (using port 80) to one external network and all other traffic to the other external network.1Enter the following command to route all HTTP traffic using port 80 to the next hop gateway with IP address 1.1.1.1.set system route policy 1 src 0.0.0.0 0.0.0.0 dst 0.0.0.0 0.0.0.0 protocol 6 port 80 80 gw 1.1.1.12Enter the following command to route all other traffic to the next hop gateway with IP address 2.2.2.1.Set system route policy 2 src 0.0.0.0 0.0.0.0 dst 0.0.0.0 0.0.0.0 gw 2.2.2.1

58 Fortinet Inc.Configuration example: Multiple connections to the Internet NAT/Route mode installationRestricting access to a single Internet connectionIn some cases you might want to limit some traffic to only being able to use one Internet connection. For example, in the topology shown in Figure 7 on page 52 the organization might want its mail server to only be able to connect to the SMTP mail server of ISP1. To do this, you add a single Internal->WAN1 firewall policy for SMTP connections. Because redundant policies have not been added, SMTP traffic from the Internet network is always connected to ISP1. If the connection to ISP1 fails the SMTP connection is not available.

FortiWiFi-60 Installation and Configuration Guide Version 2.50FortiWiFi-60 Installation and Configuration Guide 59Transparent mode installationThis chapter describes how to install your FortiWiFi unit in Transparent mode. If you want to install the FortiWiFi unit in NAT/Route mode, see “NAT/Route mode installation” on page 41.This chapter describes:•Preparing to configure Transparent mode•Using the setup wizard•Using the command line interface•Connecting the FortiWiFi unit to your networks•Completing the configuration•Transparent mode configuration examplesPreparing to configure Transparent modeUse Table 20 to gather the information that you need to customize Transparent mode settings.Wireless settingsIf you are configuring wireless networking Use Table 21 to record the wireless Service Set ID (SSID) and channel. See “Wireless configuration” on page 120 for more information.Table 20: Transparent mode settingsAdministrator Password:Management IPIP: _____._____._____._____Netmask: _____._____._____._____Default Gateway: _____._____._____._____The management IP address and netmask must be valid for the network from which you will manage the FortiWiFi unit. Add a default gateway if the FortiWiFi unit must connect to a router to reach the management computer.DNS Settings Primary DNS Server: _____._____._____._____Secondary DNS Server: _____._____._____._____

60 Fortinet Inc.Using the setup wizard Transparent mode installationUsing the setup wizardFrom the web-based manager, you can use the setup wizard to create the initial configuration of your FortiWiFi unit. To connect to the web-based manager, see “Connecting to the web-based manager” on page 26.Changing to Transparent modeThe first time that you connect to the FortiWiFi unit, it is configured to run in NAT/Route mode. To switch to Transparent mode using the web-based manager:1Go to System > Status.2Select Change to Transparent Mode.3Select Transparent in the Operation Mode list.4Select OK.The FortiWiFi unit changes to Transparent mode.To reconnect to the web-based manager, change the IP address of your management computer to 10.10.10.2. Connect to the internal or DMZ interface and browse to https:// followed by the Transparent mode management IP address. The default FortiWiFi Transparent mode management IP address is 10.10.10.1.Starting the setup wizard1Select Easy Setup Wizard (the middle button in upper-right corner of the web-based manager).2Use the information that you gathered in Table 20 on page 59 to fill in the wizard fields. Select the Next button to step through the wizard pages.3Confirm your configuration settings and then select Finish and Close.Reconnecting to the web-based managerIf you changed the IP address of the management interface while you were using the setup wizard, you must reconnect to the web-based manager using the new IP address. Browse to https:// followed by the new IP address of the management interface. Otherwise, you can reconnect to the web-based manager by browsing to https://10.10.10.1. If you connect to the management interface through a router, make sure that you have added a default gateway for that router to the management IP default gateway field.Table 21: Wireless settings (Optional)Geography: World Americas EMEA Japan Israel Channel:Security: None WEP Key:SSID:

Transparent mode installation Using the command line interfaceFortiWiFi-60 Installation and Configuration Guide 61Using the command line interfaceAs an alternative to the setup wizard, you can configure the FortiWiFi unit using the command line interface (CLI). To connect to the CLI, see “Connecting to the command line interface (CLI)” on page 27. Use the information that you gathered in Table 20 on page 59 to complete the following procedures.Changing to Transparent mode1Log into the CLI if you are not already logged in.2Switch to Transparent mode. Enter:set system opmode transparentAfter a few seconds, the login prompt appears.3Type admin and press Enter.The following prompt appears:Type ? for a list of commands.4Confirm that the FortiWiFi unit has switched to Transparent mode. Enter:get system statusThe CLI displays the status of the FortiWiFi unit. The last line shows the current operation mode.Operation mode: TransparentConfiguring the Transparent mode management IP address1Log into the CLI if you are not already logged in.2Set the management IP address and netmask to the IP address and netmask that you recorded in Table 20 on page 59. Enter:set system management ip <IP address> <netmask>Exampleset system management ip 10.10.10.2 255.255.255.03Confirm that the address is correct. Enter:get system managementThe CLI lists the management IP address and netmask.Configure the Transparent mode default gateway1Log into the CLI if you are not already logged in.2Set the default route to the default gateway that you recorded in Table 20 on page 59.Enter:set system route number <number> gateway <IP address>Exampleset system route number 1 gw1 204.23.1.2You have now completed the initial configuration of the FortiWiFi unit.

$62 Fortinet Inc.Connecting the FortiWiFi unit to your networks Transparent mode installationConfiguring wireless settings1Log into the CLI if you are not already logged in.2Set the wireless configuration using the SSID and channel that you recorded in Table 21 on page 60. Enter:set system interface wlan wireless geography {World | Americas | EMEA | Israel | Japan} channel <channel_number> ssid <ssid_name> security WEP key <WEP_key>Exampleset system interface wlan wireless geography Americas channel 10 ssid My_SSID security WEP key My_Wep_KeyConnecting the FortiWiFi unit to your networksWhen you have completed the initial configuration, you can connect the FortiWiFi unit between your internal network and the Internet using the Internal and WAN1 interfaces. You can also connect networks to the DMZ interface and the WAN2 interface.There are seven 10/100Base-TX connectors on the FortiWiFi-60:• Four Internal ports for connecting to your internal network,• WAN1 for connecting to the Internet,• DMZ and WAN2 which can be connected to networks.To connect the FortiWiFi unit running in Transparent mode:1Connect the Internal interface connectors to PCs and other network devices in your internal network.The Internal interface functions as a switch, allowing up to four devices to be connected to the internal network and the internal interface.2Connect the WAN1 interface to the Internet.Connect to the public switch or router provided by your Internet Service Provider. If you are a DSL or cable subscriber, connect the WAN1 interface to the internal or LAN connection of your DSL or cable modem.3Optionally connect the WAN2 and DMZ interfaces to other networks.$

Fortinet FORTIWIFI-60 Wireless Firewall User Manual users manual 1

Fortinet, Inc Wireless Firewall users manual 1

Contents

users manual 1

Navigation menu

Namespaces

Views

Navigation