Fortinet FortiOS 3.0 User's Manual

Contents

1. Contents (excerpt): Fortinet Knowledge Center; Comments on Fortinet technical documentation; Customer service and technical; Backing up configuration files; Setup Wizard; FortiLog; LCD display changes; Web-based manager; Changes to the web-based manager; Command Line Interface changes; USB support; New features and changes; Sessions
2. Contents (excerpt, Upgrade Guide for FortiOS v3.0, 01-30000-0317-20060424): Backing up your configuration; Backing up your configuration using the web-based manager; Backing up your configuration using the CLI; Upgrading your FortiGate unit; Upgrading to FortiOS 3.0; Upgrading using the web-based manager; Upgrading using the CLI; Verifying the upgrade; Reverting to FortiOS v2.80MR11; Backing up your FortiOS 3.0 configuration; Backing up to a FortiUSB key; Downgrading to FortiOS v2.80MR11 using web-based manager; Verifying the downgrade
3. New features and changes
   There are several new features included in FortiOS 3.0, as well as changes to existing features. This chapter outlines the new features as well as the changes. Before you proceed to upgrade your FortiGate unit, it is recommended that you review this document and the following documents to familiarize yourself with the new features and changes:
   • FortiGate Administration Guide
   • FortiGate CLI Reference
   The following topics are included in this section:
   • System
   • Firewall
   • VPN
   • User
   • Antivirus
   • Intrusion Protection (formerly IPS)
   • Web Filter
   • AntiSpam (formerly Spam Filter)
   • IM/P2P (new)
   • Log & Report
   Note: Configuration of settings in the following menus is unchanged unless otherwise stated.
   System
   The System menu consists of the following:
   • Status
   • Network
   • Config
   • Admin
   • Maintenance
   Note: The DHCP menu is not included since it is unchanged from FortiOS v2.80MR11.
   Status
   The Status page displays the System Dashboard. The System Dashboard is categorized and five new items have been added: CPU memory usage statistics history FortiGuard Subscription based services and license inf
4. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
   execute restore image <name_str> <tftp_ipv4>
   Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:
   execute restore image image.out 192.168.1.168
   The FortiGate unit responds with a message similar to the following:
   This operation will replace the current firmware version. Do you want to continue? (y/n)
   Type y.
   The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.
   Reconnect to the CLI.
   To confirm the firmware image is successfully installed, enter:
   get system status
   Update antivirus and attack definitions (see the FortiGate Administration Guide), or from the CLI, enter:
   execute update now
   Verifying the upgrade
   After logging back into the web-based manager, you will notice your FortiOS v2.80MR11 configuration settings have been carried forward. For example, if you go to System > Network > Options, you can see your DNS settings carried forward from your FortiOS v2.80MR11 configuration settings. Even though your configuration settings have carri
5. The supported protocols are:
   • MSN 6.0 and above
   • ICQ 4.0 and above
   • AIM 5.0 and above
   • Yahoo 6.0 and above
   Note: The FortiGate unit is unable to block Skype uses. Also, if the audio blocking feature is enabled, instant messaging clients are still able to send/receive webcam video traffic.
   Statistics
   The Statistics menu provides administrators with a view of instant messaging and point-to-point statistics to gain insight into how these protocols are being used within the network. The Overview tab provides detailed statistics for all IM/P2P protocols. The Protocol tab displays statistics for current users, blocked users, and users since last reset.
   User
   The User menu displays which instant messenger users are connected. Network administrators can analyze the list and decide which users to allow or block. The Config tab enables administrators to configure what to do with unknown users.
   Log & Report
   The Log and Report menu has a new menu, Report. Log & Report consists of the following menus:
   • Log Config
   • Log Access
   • Report
   Log Config
   The Log Config menu has a new tab, Event Log. The Event Log tab enables you to choose the events you want logged. This menu also includes the Alert E-mail tab. The Alert E-mail tab is the same as in FortiOS v2.80MR11
6. UPGRADE GUIDE
   Upgrade Guide for FortiOS 3.0
   www.fortinet.com
   Upgrade Guide for FortiOS 3.0, 24 April 2006, 01-30000-0317-20060424
   Copyright 2006 Fortinet, Inc. All rights reserved. No part of this publication, including text, examples, diagrams or illustrations, may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
   Trademarks: Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard Antispam, FortiGuard Antivirus, FortiGuard Intrusion, FortiGuard Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
   Regulatory compliance: FCC Class A Part 15, CSA/CUS
   Contents (excerpt): About this document; Document conventions; Typographic
7. Contents (excerpt): Network; Virtual; Dynamic; Protection Profile; VPN; RADIUS; Windows AD
8. 3.0
   Restoring your configuration settings using the web-based manager
   You can restore the FortiOS v2.80MR11 configuration settings using the web-based manager. Use the following procedure to restore these settings.
   To restore configuration settings using the web-based manager:
   • Log into the web-based manager.
   • Go to System > Maintenance > Backup & Restore.
   • Select the Restore icon for All Configuration Files.
   • If required, enter your password for the configuration file.
   • Type the location of the file or select Browse to locate the file.
   • Select OK.
   The FortiGate unit restores the configuration settings for FortiOS v2.80MR11. This may take a few minutes since the FortiGate unit will reboot.
   To verify the configuration settings are restored, log into the web-based manager and go through the menus and tabs and verify the settings are restored.
   Restoring your configuration settings using the CLI
   You can restore the FortiOS v2.80MR11 configuration settings using the CLI. Use the following procedure to restore these settings.
   To restore configuration settings using the CLI:
   • Make sure the TFTP server is running.
   • Copy the backup configuration file to the root directory of the TFTP server.
   • Log into the TFTP server.
   • Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192
9. CLI Reference for more information.
   The Log Access menu has two tabs. The Memory tab displays log event types that are logged to memory. The FortiAnalyzer tab displays log types that are logged to the FortiAnalyzer unit. An additional tab for Disk appears on FortiGate units with a hard disk. Use the pull-down menu to select a different log type.
   The Report menu, new to the Log and Report menu, provides you with access to a full range of different reports from the FortiAnalyzer unit, if connected. You can choose the Basic Traffic report or access any type of FortiAnalyzer report to display logs. The Basic Traffic report uses log information stored in the FortiGate unit's memory and displays the information in two types of bar graphs on the Report Access page. You can choose from over a thousand FortiAnalyzer reports to display logs. Also, you can customize a default report for your FortiGate unit. You can also select what you want included in your report, from Newsgroups to VoIP.
   There are significant changes, including new features, for high availability in FortiOS 3.0. The most significant change for HA is virtual clustering, where you can configure HA for individual virtual domains. The virtual clustering can handle two FortiGate units per virtual cluster. The FortiGate Administration Guide (System Config chapter, HA section), FortiGate CLI Reference (system chapter, ha section), and the FortiGate online help provide additional inf
10. block or monitor.
   The FortiGuard Web Filter menu contains the Override tab, Local Categories tab, and Local Ratings tab. On FortiGate units with a hard disk, you can create reports from the Reports tab.
   The Override tab provides administrators with flexibility and control when blocking web pages. Administrators can configure override rules that allow users to access blocked web pages if required. Administrators can also create user-defined categories to allow users to block groups of URLs on a per-profile basis.
   From the Local Ratings tab, you can configure local ratings to specify whether the local rating is used in conjunction with the FortiGate rating or is used as an override.
   The Local Categories tab allows you to specify user-defined categories and then specify the URLs that belong to the category.
   AntiSpam (formerly Spam Filter)
   The Antispam menu consists of the following menus:
   • Banned word
   • Black/White list
   You can configure additional features for FortiGate 800 units and above. In the Banned word list you can:
   • create new antispam banned word list
   • view antispam banned word catalog
   You can also configure the following for the FortiGate 800 and above in the Black/White list:
   • add multiple email address lists
   • create new antispam emai
11. following:
   • Firewall
   • Active Directory
   • SSL VPN
   You can also select the FortiGuard Web Filtering Override option on the User Group page to enable your FortiGate unit to allow FortiGuard web filtering overrides.
   Antivirus
   The Antivirus menu is now located below the User menu. It consists of the following menus:
   • File Pattern
   • Quarantine
   • Config
   File Pattern
   The File Pattern menu has changed. The columns on the File Pattern page are now Pattern, Action, and Enable. When you select Create New, you can select the pattern, the type of action to take (either Block or Allow), and whether the new file pattern should be enabled or disabled.
   Quarantine
   The Quarantine menu is new to the Antivirus menu. It contains two tabs, Quarantined Files and Config. The Quarantined Files tab displays the information of each file, displaying why the file was blocked. You can also filter the files by file name, date, service, status, and status description. The Config tab displays a list of current viruses the FortiGate unit has blocked, and you can configure file and email size limits, including grayware blocking.
   Note: You need to be connected to the FortiAnalyzer unit to configure file and email size limits, including grayware blocking.
   The Config menu includes the Virus List and Grayware tabs. The Config tab is now located in the CLI under An
12. format
   • If the daylight savings time feature is enabled, you need to manually reset the system clock when daylight savings time ends.
   • Report Bug to Fortinet link is only available in the CLI.
   • FDS Registration Link is accessed by selecting System > Status > License Information > Support Contract.
   • Internet browsing for IPSec now requires two policies.
   • Web Filter/AntiSpam lists are now specific to each protection profile. This is only for FortiGate 800 units and above.
   • Administration access for a VLAN interface in a virtual domain is unavailable in the web-based manager. Use the get system interface <VLAN> command.
   • WLAN upgrades are unsuccessful since, during the upgrade process, the wireless daemon is turned off to conserve memory.
   • Certain IPS group settings are not carried forward. You need to manually configure these settings after upgrading.
   • Lists from FortiOS 2.80MR11 cannot be restored in FortiOS 3.0. Make sure to document these lists before upgrading. If you upgrade using the web-based manager, these lists may carry forward. Use both the web-based manager and CLI to verify these lists carried forward if you upgraded using the web-based manager. See the Release Notes FortiOS 3.0MR1 for more information.
13. hand corner of the System Resources category.
   Support Contract: The expiry date and version of your support contract.
   FortiGuard Subscription: The subscriptions you have for your FortiGate device, and displays whether they are current, need updating, or when they will expire.
   Displays system alert messages. These messages display any firmware upgrades or downgrades and if the system restarted. The console also displays an alert message if the antivirus engine is low on memory for a specific time period.
   Displays detailed statistics for the content archive and attack logs.
   The FortiGate image in the upper right-hand corner of the web-based manager displays the status of the unit's port settings. When you hover your mouse over a port, it displays the port name, IP/Netmask address, link status, and speed, including the number of packets sent and received. The port appears gray if it is not connected and green if the port is connected. The FortiAnalyzer image is gray when the FortiGate unit is not connected to a FortiAnalyzer unit.
   In FortiOS 3.0 there are several features that have merged with other features. See the New features and changes on page 17 for more information. If you need additional information on these new features, see FortiGate Administration Guide.
   Command Line Interface changes
   The Command Line Interface (CLI) commands have changed and additional co
14. networks to share networking information among the routers in the same autonomous system.
   • BGP is an Internet routing protocol typically used by ISPs to exchange routing information between different ISP networks. For example, BGP enables the sharing of network paths between the ISP network and an autonomous system that uses RIP and/or OSPF to route packets within the autonomous system.
   • Multicast enables the FortiGate unit to operate as a Protocol Independent Multicast (PIM) version 2 router in the root virtual domain. The PIM routers throughout the network ensure only one copy of the packet is forwarded until it reaches an end-point destination, and at this destination, copies of the packet are made only when required to deliver the information to multicast client applications requesting traffic destined for the multicast address.
   Note: The following are now in the CLI:
   • Distribution list
   • Offset list
   • Prefix list
   • Route Map
   • Key chain
   • Access list
   Monitor
   The Routing Monitor tab displays the entries in the FortiGate routing table. You can apply a filter to display certain routes to search for specific routing protocols.
   Firewall
   The Firewall menu consists of the following menus:
   • Policy
   • Address
   • Service
   • Virtual IP
   • Protection Profiles
   Policy
   The Policy menu is very s
15. new features and/or changes to existing features with the operating system. This chapter describes these changes and features new to FortiOS 3.0. We recommend also reviewing the FortiGate CLI Reference guide for the new and revised CLI commands, as well as the FortiGate Administration Guide.
   This section includes the following:
   • Backing up configuration files
   • Setup Wizard
   • FortiLog name change
   • LCD display changes
   • Web-based manager changes
   • Command Line Interface changes
   • USB support
   • Other
   Backing up configuration files
   You now have the option to back up configuration files with or without encryption. If you back up without encrypting the file, the FortiGate unit saves the file in a clear text format. VPN certificates are saved only when selecting the encrypted setting.
   Setup Wizard
   The setup wizard is discontinued.
   FortiLog name change
   The FortiLog logging appliance has been renamed to FortiAnalyzer for version 3.0. The name change better reflects the product's more robust reporting and logging features.
   LCD display changes
   After upgrading to FortiOS 3.0, FortiGate units with an LCD screen will display the following main menus:
   Figure 1: LCD main menu settings for NAT/Route mode
   Menu Fortigat > NAT Standalone
   Figure 2: LCD main menu sett
16. whether the spam action command for the mail traffic type (for example, smtp3 spamaction) is set to pass or tag in the protection profile. The score for the banned word is counted once, even if the word appears multiple times in the web page.
   Black/White list
   The Black/White list menu provides a way to filter incoming email, if enabled in the protection profile. The FortiGate unit uses both an IP address list and email list for filtering purposes. The FortiGate unit compares the IP address of the message's sender to the IP address in sequence when doing an IP address list check. If the FortiGate unit finds a match, the action associated with the IP address is taken. If there is no match, then the message passes to the next enabled spam filter. Email lists work the same way.
   IM/P2P (new)
   The IM/P2P menu consists of the following menus:
   • Statistics
   • User
   The IM/P2P menu is new for FortiOS 3.0. Since instant messaging and peer-to-peer (P2P) networks have grown, FortiOS 3.0 now includes a separate menu for these new technologies. You can control the amount of bandwidth allocated for P2P.
   There are extended features with the IM/P2P menu available in the CLI. You can use the config imp2p old-version command to enable older versions of IM protocols. These older versions of IM protocols are able to bypass file blocking because the message types are not recognized. This command provides the option to disable these older IM protocol versions
17. 168.1.168:
   execute ping 192.168.1.168
   Enter the following command to copy the backup configuration file to restore the file on the FortiGate unit:
   execute restore allconfig <name_str> <tftp_ipv4> <passwrd>
   Where <name_str> is the name of the backup configuration file, <tftp_ipv4> is the IP address of the server, and <passwrd> is the password you entered when you backed up your configuration settings. For example, if the backup configuration file is confall, the IP address of the server is 192.168.1.168, and the password is ghrffdt123:
   execute restore allconfig confall 192.168.1.168 ghrffdt123
   The FortiGate unit responds with the message:
   This operation will overwrite the current settings and the system will reboot. Do you want to continue? (y/n)
   Type y.
   The FortiGate unit uploads the backup configuration file. After the file uploads, a message similar to the following is displayed:
   Getting file confall from tftp server 192.168.1.168
   Restoring files
   All done. Rebooting
   This may take a few minutes.
   Use the show shell command to verify your settings are restored, or log into the web-based manager.
   See Restoring your configuration on page 40 to restore your FortiOS v2.80M
18. [Figure: screenshot showing FortiGuard Intrusion Definition update status, Allow Push Update, Scheduled Update, and FortiGuard Services settings]
   The following tabs are no longer in the Maintenance menu:
   • Support: tab is no longer available.
   • Shutdown: is now located on System > Status > System Operation.
   Virtual Domain
   This menu is now an option in System > Admin > Settings. When you enable this option, you must log back into the web-based manager to configure VDOM settings. Both the web-based manager and CLI change as follows to reflect VDOM:
   • Global and per-VDOM configurations are separated
   • only admin administrator accounts can view or configure global options
   • admin administrator accounts can configure all VDOM configurations
   • admin administrator accounts can connect through any interface in the root VDOM
   • admin administrator accounts can connect through any interface that belongs to a VDOM that a regular administration account
19. 2.168.1.168
   The FortiGate unit responds with the message:
   This operation will replace the current firmware version. Do you want to continue? (y/n)
   6 Type y.
   The FortiGate unit uploads the firmware image file. After the file uploads, a message similar to the following is displayed:
   Get image from tftp server OK
   Check image OK
   This operation will downgrade the current firmware version. Do you want to continue? (y/n)
   7 Type y.
   The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes. After the FortiGate unit uploads the firmware, you will need to reconfigure your IP address since the FortiGate unit reverts to default settings, including its default IP address. See your install guide for configuring IP addresses.
   Reconnect to the CLI.
   To confirm the new firmware image has been loaded, enter:
   get system status
   See Restoring your configuration on page 40 to restore your FortiOS v2.80MR11 configuration settings.
   Restoring your configuration
   Your configuration settings may not have carried over after you have downgraded to FortiOS v2.80MR11. You can restore your configuration settings for FortiOS v2.80MR11 with the configuration file(s) you saved before upgrading to FortiOS
20. Administrator fnAdminTable Accounts perm No longer available
   Upgrading to FortiOS 3.0
   Before you begin upgrading to FortiOS 3.0, it is recommended that you first review this chapter as well as the release notes so you can be fully aware of these new features and changes. This chapter includes the following sections:
   • Backing up your configuration
   • Upgrading your FortiGate unit
   • Verifying the upgrade
   Note: You can now configure the FortiGate unit to perform NAT functions in Transparent mode if your network configuration requires this particular network scenario. See the Release Notes FortiOS 3.0MR7 for more information.
   Backing up your configuration
   Fortinet recommends that you back up all configuration settings from your FortiGate unit(s) before upgrading to FortiOS 3.0. Use the following procedures to back up your configuration file(s) for FortiOS v2.80MR11 in either the web-based manager or the CLI.
   Note: Always back up your configuration before upgrading to a current firmware version or when resetting to factory defaults.
   Backing up your configuration using the web-based manager
   Use the following procedure to back up your current configuration in the web-based manager.
   To back up your configuration file using the web based man
21. R11 configuration settings.
   Index
   A: antispam (black/white list menu); antivirus (config menu, file pattern menu, quarantine menu)
   B: backing up (3.0 config, 3.0 config to FortiUSB, 3.0 to PC, config files in 3.0, config using web-based manager, configuration, using the CLI); backup and restore
   C: CLI changes; comments, documentation; customer service
   D: documentation (commenting on, Fortinet); downgrading (v2.80MR11 using the CLI, v2.80MR11 using web-based manager)
   F: firewall (address menu, policy menu, protection profiles menu, service menu, virtual IP menu); FortiGate documentation, commenting on; FortiGate name changes (blade); FortiGuard Center (system menu); FortiLog name change; Fortinet (customer service, documentation, Knowledge Center)
   I: IM/P2P menu (statistics menu, user); intrusion protection (protocol anomaly menu, signature menu)
   L: LCD display (main menu changes); log & report (log access menu, log config, report menu)
   M: merged menus and tabs in GUI
   N: new features and changes (antispam, antivirus, firewall, HA, IM/P2P, intrusion protection, log and report, rou
22. a protocol anomaly and configure the IPS action in response to detecting an anomaly. If you need to revert to default settings, you can select the Reset icon. You can use the CLI to configure session control based on source and destination address. The protocol anomaly list is updated when the firmware image is upgraded.
   Web Filter
   The Web Filter menu consists of the following menus. It is now located under Intrusion Protection.
   • Content Block
   • URL Filter
   • FortiGuard Web Filter
   Note: The lists you configured in FortiOS 2.80 may carry forward to FortiOS 3.0 if you upgrade using the web-based manager. Make sure to document these lists for reference to verify after the upgrade is successful. See the Release Notes for FortiOS 3.0MR1 for more information.
   The Content Block menu has a new tab called Web Content Exempt.
   The URL Filter menu allows or blocks access to specific URLs. You can also add patterns or expressions to allow or block URLs. The URL Filter menu has the Web URL Block tab and Web Pattern Block tab. In FortiOS v2.80MR11, URL Filter used to be URL Block. Web Filter is now merged with URL Filter.
   FortiGuard Web Filter
   The FortiGuard Web Filter menu, formerly under Web Filter > Category Block > Configuration, is now its own menu in the Web Filter menu. The FortiGuard Web is a managed web filtering solution provided by Fortinet, sorting hundreds of millions of web pages into a wide range of categories for users to allow
23. able from this menu and can also be found in System > System Information > Operation Mode. The FortiManager tab has moved to the Admin menu.
   Admin
   The Admin menu includes two new tabs along with the previous tabs, the Administrators and Access Profile. In the Administrators tab, you can configure an access profile while configuring a new administrator. The FortiManager tab is now located in the Admin menu. The Settings tab is also new to the Admin menu.
   Maintenance
   The Maintenance menu now has only two tabs, Backup and Restore, and FortiGuard Center.
   The Backup and Restore tab has several new options available for backing up and restoring configuration files. From this tab you can back up or restore a configuration file and select to encrypt the configuration file. You also select your Local PC or FortiUSB key (if supported by the FortiGate unit) to back up or restore your configuration files.
   The Backup and Restore tab also features an Advanced option, enabling you to use the FortiUSB key for automatically installing a configuration file or image file if the system restarts. You can also import CLI commands. Also, there is a Download Debug log option. You can download an encrypted debug log to a file and then send it to Fortinet Technical Support to help diagnose problems with
24. ackup your configuration to your PC:
   1 Go to System > Maintenance > Backup & Restore.
   2 Select Local PC from Backup Configuration to list. If you want to encrypt your configuration file to save VPN certificates, select the Encrypt configuration file checkbox and enter a password, then enter it again to confirm.
   3 Select Apply.
   Backing up to a FortiUSB key
   You can also back up your FortiOS 3.0 configuration to the FortiUSB key. Before proceeding, ensure the FortiUSB key is inserted in the FortiGate unit USB port. Use the following procedure to back up your configuration onto your FortiUSB.
   Note: Always make sure the FortiGate unit is shut down and powered off when you insert the FortiUSB key into the FortiGate unit's USB port.
   To back up your configuration using the FortiUSB key:
   1 Go to System > Maintenance > Backup & Restore.
   2 Select USB Disk from Backup Configuration to list. If you want to encrypt your configuration file to save VPN certificates, select the Encrypt configuration file checkbox and enter a password, then enter it again to confirm.
   3 Select Apply.
   Downgrading to FortiOS v2.80MR11 using web-based manager
   When you downgrade to FortiOS v2.80MR11, only the following settings are retai
25. ager:
   • Go to System > Maintenance > Backup & Restore.
   • For All Configuration Files, select the Backup icon.
   • Select OK.
   • Save the file.
   Note: You can enter a password to encrypt the configuration file when backing up.
   Backing up your configuration using the CLI
   Use the following procedure to back up your current configuration in the CLI.
   To back up your configuration file using the CLI:
   Back up the configuration file. Enter:
   execute backup allconfig <filename> <address_ip>
   This may take a few minutes.
   After successfully backing up your configuration file(s), either from the CLI or the web-based manager, proceed with the upgrade to FortiOS 3.0.
   Upgrading your FortiGate unit
   You can upgrade to FortiOS 3.0 using either the web-based manager or CLI. Use the following procedures to upgrade your existing firmware version to FortiOS 3.0. If upgrading to FortiOS 3.0 is unsuccessful, go to Reverting to FortiOS v2.80MR11 on page 37 to downgrade to FortiOS 2.80MR11.
   If your upgrade is successful and your FortiGate unit has a hard drive, you can use the Boot alternate firmware option located on the Backup and Restore page. This option enables you to have two firmware images, such as FortiOS 2.80MR11 and FortiOS 3.0, for downgrading/upgrading purposes.
   Use the Fortinet Knowledge Center article 2.80MR11 to 3.0MR1 upgrade do
26. d new features for FortiOS 3.0.
• New features and changes: Provides information on what has changed from FortiOS v2.80MR11.
• Upgrading to FortiOS 3.0: Describes how to install FortiOS 3.0, including addressing issues about FortiOS 3.0, backing up your current configuration settings, re-establishing connections after the upgrade, and verifying the upgrade installed successfully.
• Reverting to FortiOS v2.80MR11: Describes how to downgrade your FortiGate unit to FortiOS v2.80MR11 and includes how to restore your configuration settings for FortiOS v2.80MR11.

Document conventions

The following document conventions are used in this guide:
• In the examples, private IP addresses are used for both private and public IP addresses.
• Notes and Cautions are used to provide important information:
Note: Highlights useful additional information.
Caution: Warns you about commands or procedures that could have unexpected or undesirable results, including loss of data or damage to equipment.

Typographic conventions

FortiGate documentation uses the following typographical conventions:

Convention: Example
Keyboard input: In the Gateway Name field, type a name for the remote VPN peer or client (for example, Central_Office_1).
Code examples: config sys global set ips open enab
27. ed forward, you should verify these settings. Verifying your settings also gives you an opportunity to familiarize yourself with the new features and changes in FortiOS 3.0.

You can verify your configuration settings by:
• going through each menu and tab in the web based manager
• using the show shell command in the CLI

Also check to make sure the administrative access settings you configured for your FortiGate unit were carried forward.

Reverting to FortiOS v2.80MR11

You may need to revert to a previous firmware version if the upgrade did not install successfully. The following sections will help you to back up your current FortiOS 3.0 configuration, downgrade to FortiOS v2.80MR11, and restore your FortiOS v2.80MR11 configuration.

The following topics are included in this section:
• Backing up your FortiOS 3.0 configuration
• Downgrading to FortiOS v2.80MR11 using web based manager
• Downgrading to FortiOS v2.80MR11 using the CLI

Backing up your FortiOS 3.0 configuration

If you have configured additional settings in FortiOS 3.0, it is recommended that you back up your FortiOS 3.0 configuration before downgrading to FortiOS v2.80MR11. This ensures you have a current configuration file for FortiOS 3.0 if you decide to upgrade. Use the following procedure to back up your configuration onto your PC.

To b
28. Introduction

Over the past year, Fortinet has been developing, testing and refining a new operating system for your FortiGate unit. FortiOS 3.0 is a more dynamic and robust operating system, offering you even better protection, blocking and monitoring features for your network.

The Upgrade Guide provides you with information on FortiOS 3.0 and addresses any issues that may arise concerning your current configuration. With these new features and improvements to existing features, you need to know how they may or may not affect your current configuration. The guide provides you with information on backing up your current configuration and installing FortiOS 3.0 on your FortiGate unit.

About this document

This document contains the following chapters:
• Upgrade Notes: Provides information on changes an
29. has been assigned
• a regular administration account can only configure the VDOM it is assigned to and access the FortiGate interface belonging to that VDOM
• a regular administration account can create a VLAN subinterface in its own VDOM on a physical interface in its own VDOM
• an administration account with access profile that provides read and write access to
• only the admin administrator account can configure a VDOM unless you create and assign a regular administrator to that VDOM

Router

The Router menu consists of the following menus:
• Static
• Dynamic
• Monitor

Static

The Static menu has two tabs, Policy Route and Static Route. The Policy Route tab was previously a menu in the Router menu.

Dynamic

The Dynamic menu is new and includes four tabs to configure Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), and Multicast protocols. Dynamic routing protocols enable the FortiGate unit to automatically share information about routes with neighboring routers, including learning about routers and networks advertised by neighboring routers.
• RIP protocol is a distance vector routing protocol for small networks or similar networks.
• OSPF is slightly different and is a link state routing protocol most often used in large
30. imilar to the menu in FortiOS 2.80MR11. However, there is no advanced option when you are creating a new policy. Also, there are authentication and traffic shaping checkboxes, along with two additional options, Protection Profile and Log Allowed Traffic. When you select Traffic Shaping, you can then select guaranteed bandwidth, maximum bandwidth, and the traffic priority.

The Address menu now has the option to select the type of address you are creating. The type of address can be Subnet/IP Range or Fully Qualified Domain Name (FQDN).

Note: The FQDN should be used with caution since it presents security risks.

The Custom tab has a new look in the Service menu. From the Custom tab, you can add as many TCP/UDP protocols as you need to the custom service.

The Virtual IP has additional options, and the IP Pool menu is now a tab included in this menu.

Protection Profiles

The Protection Profiles menu has two additional options for you to select from, the IM/P2P and Logging option.

VPN

The VPN menu contains the following menus:
• IPSec
• SSL
• Certificates

The VPN menu has several significant changes for FortiOS 3.0. Configuration of VPNs has also significantly changed. It is recommended you read the Release Notes FortiOS 3.0MR1 to revie
31. important to periodically retrieve certificate revocation lists from CA web sites to ensure clients that have revoked certificates cannot establish a connection with the FortiGate unit.

Note: After downloading a CRL from a CA web site, save the CRL on a computer that has management access to the FortiGate unit.

User

The User menu consists of the following menus:
• Local
• Radius
• LDAP
• Windows AD
• User Group

Local

The Local menu is unchanged.

Radius

The Radius menu is unchanged.

LDAP

The LDAP menu is unchanged. However, it now has the Common Name Identifier, Distinguished Name, and Server Port fields on the LDAP page. The Server Secret field is now located in the CLI under Radius in the User chapter. See the FortiGate CLI Reference for more information.

Windows AD

The Windows AD menu, new for FortiOS 3.0, enables you to configure your FortiGate unit on a Windows Active Directory (AD) network so it can transparently authenticate the user without asking for their username and password. From the Windows AD menu, you can create a new Windows AD server and delete, edit, or refresh the server.

Note: The Fortinet Server Authentication Extensions (FSAE) is included on your Fortinet Documentation and tools CD or from the Technical Support website at https://support.fortinet.com.

User Group

The User Group menu is unchanged. However, you can now choose the type of user group from the
32. ing for Transparent mode Menu Fortigat > Transparent Standalone

Web based manager changes

The system dashboard in FortiOS 3.0 has been enhanced, with various system information now categorized and additional features added to better monitor your FortiGate unit.

Figure 3: System Dashboard of a FortiGate 60
33. ings and internal network IP address are correct. The downgrade may change your configuration settings to default settings.

Downgrading to FortiOS v2.80MR11 using the CLI

Use the following procedure to downgrade to FortiOS v2.80MR11 in the CLI. If you have created additional settings in FortiOS 3.0, make sure you back up your configuration before downgrading. See "Backing up your FortiOS 3.0 configuration" on page 37 for more information.

To downgrade using the CLI
1. Make sure the TFTP server is running.
2. Copy the firmware image file to the root directory of the TFTP server.
3. Log into the FortiGate CLI.
4. Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:
    execute ping 192.168.1.168
5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
    execute restore image tftp <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:
    execute restore image tftp image.out 19
34. System Information
Serial Number: The FortiGate device's serial number.
Up Time: The amount in days, hours, and minutes the FortiGate device has been running.
System Time: The day, month, and time the FortiGate device has for its specified time zone.
Host Name: The name of the FortiGate device. Select Update to change the host name.
Firmware Version: The current firmware version. Select Update to install new firmware.
Operation Mode: The mode the FortiGate device is running in. Select Update to change the operation mode.

System Resources
CPU usage: The CPU usage amount in percent.
Memory usage: The amount of memory used in percent.
The history of these and other resources is available by selecting the History icon in the top right
35. l address list
• create new antispam IP address list
• view antispam IP address list catalog

The previous options available from the web based manager in FortiOS v2.80MR11 are now available in the CLI. See the FortiGate CLI Reference for more information. This includes FortiGuard AntiSpam, IP Address, DNSBL and ORDBL, MIME Headers, and Email Address.

If the MIME header check is enabled for POP3, IMAP, or SMTP and any change is made to the Protection Profile, such as IP address check, banned word check, or logging oversized files enabled through the web based manager, the MIME header check is disabled. Also, the clear action for banned words in an email is now available in the CLI to support upgrade. Since the clear action is no longer a valid spam action in FortiOS 3.0, avoid using it when configuring banned words.

Note: The Black/White lists are not separate. You may need to re-enable MIME Headers when you upgrade to FortiOS 3.0.

Banned word

The Banned word menu still controls spam by blocking email messages containing specific words or patterns. The Action column on the Banned Word page is now Score, and is reflected when configuring a new banned word. Score is a numerical weighting applied to banned word. If the score is greater than the spamwordthreshold value set in the protection profile, the page is processed according to
37. le end
CLI command syntax:
    config firewall policy
    edit id_integer
    set http_retry_count <retry_integer>
    set natip <address_ipv4mask>
    end
Document names: FortiGate Administration Guide
Menu commands: Go to VPN > IPSEC > Phase 1 and select Create New.
Program output: Welcome
Variables: <address_ipv4>

Fortinet documentation

The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com.

The following FortiGate product documentation is available:
• FortiGate QuickStart Guide: Provides basic information about connecting and installing a FortiGate unit.
• FortiGate Installation Guide: Describes how to install a FortiGate unit. Includes a hardware reference, default configuration information, installation procedures, connection procedures, and basic configuration procedures. Choose the guide for your product model number.
• FortiGate Administration Guide: Provides basic information about how to configure a FortiGate unit, including how to define FortiGate protection profiles and firewall policies; how to apply intrusion prevention, antivirus protection, web content filtering, and spam filtering; and how to configure a VPN.
• FortiGate online help: Provides a context-sensitive and searchable version of the Administration Guide in HTML format. You can acces
38. mmands added. See the FortiGate CLI Reference for more information. Also, some FortiOS 2.80MR11 web based manager features have been moved to the CLI. See "New features and changes" on page 17 for information on these changes.

USB support

The USB is supported in FortiOS 3.0. The FortiUSB key (purchased separately) enables you to back up configuration files and restore backed up configuration files. You can even configure the FortiGate unit to automatically install a firmware image and restore configuration settings on a system reboot using the FortiUSB key. For more information, see the Install Guide for your FortiGate unit.

The following FortiGate units support the FortiUSB key:
• FortiGate 60/60M
• FortiWiFi 60
• FortiWiFi 60A/60AM
• FortiGate 100A
• FortiGate 200A
• FortiGate 300A
• FortiGate 400A
• FortiGate 500A
• FortiGate 800/800F
• FortiGate 5001SX
• FortiGate 5001FA2
• FortiGate 5002FB2

Note: The FortiGate unit only supports the FortiUSB key available from Fortinet.

Other

The following are other issues you should be aware of, not included in the above sections or in "New features and changes" on page 17:
• Antivirus scanning, blocking, and quarantine is available for instant messaging file transfers with AIM, MSN, Yahoo, and ICQ.
• The Antivirus monitor is configured in the CLI.
• Calendar date is represented in YYYY-MM-DD
39. ned
• Operation mode
• Interface IP/Management IP
• Route static table
• DNS settings
• parameters settings
• Admin user account
• Session helpers
• System accprofiles

Use the following procedure to downgrade to FortiOS v2.80MR11 in the web based manager. If you have created additional settings in FortiOS 3.0, make sure you back up your configuration before downgrading. See "Backing up your FortiOS 3.0 configuration" on page 37 for more information.

To downgrade using the web based manager
Go to System > Status > Firmware Version.
Select Update.
Type the location of the firmware version or select Browse.
Select OK. The following message appears: "The new image does not support CC mode. Do you want to continue to upgrade?"
Select OK. The following message appears: "This version will downgrade the current firmware version. Are you sure you want to continue?"
Select OK. The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.
Log into the web based manager.
Go to System > Unit Information to verify the Firmware Version has changed to FortiOS v2.80MR11.

Verifying the downgrade

After successfully downgrading to FortiOS 2.80MR11, verify your connections and settings. If you are unable to connect to the web based manager, make sure your administration access sett
40. ng certificate requests, installing signed certificates, importing CA root certificates and certificate revocation lists, and backing up and restoring installed certificates and private keys.
• FortiGate VLANs and VDOMs User Guide: Describes how to configure VLANs and VDOMS in both NAT/Route and Transparent mode. Includes detailed examples.

Fortinet Knowledge Center

The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.

Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network. Please visit the Fortinet Technical Support web site at http://support.fortinet.com to learn about the technical support services that Fortinet provides.

Upgrade Notes

Before downloading FortiOS 3.0, it is recommended that you read this chapter to learn about on the
41. ormation
• Image of the FortiGate unit's port status settings
• Image of a FortiAnalyzer unit and its connectivity status to the FortiGate unit
• An AV/IPS/Content statistics summary table

The System Dashboard also displays a login monitor that displays how many administrators are logged in. This feature provides administrators with system configuration write access profiles to disconnect other admin users if required. You can even refresh the FortiGate system and shut down the FortiGate unit from this page. See "Web based manager changes" on page 12 for more information on the System Dashboard.

The Sessions information is now located in System > Status > Statistics.

The Network tab appears in the System menu. Modem settings for the FortiGate 60, FortiWiFi 60 and the FortiGate 50A are only available through the CLI. See the FortiGate CLI Reference for more information. The Options tab now has Dead Gateway Detection, previously in System > Config > Options.

The tabs for this menu have changed. The Time tab information is now located in System > Status > System Information > System Time. The Options tab is now available in System > Admin > Settings. This tab also includes Virtual Domain Configuration, Web Administration Ports, including Web Administration. The Web Administration is now called Language. HA, SNMP v1/v2c and Replacement Messages tabs are still in the Config menu. Operation Mode is avail
42. ormation on changes to existing features and new features in FortiOS 3.0.

In the System menu, HA is now a tab in System > Config > HA. You can configure HA settings for your FortiGate unit from this tab. However, Unit Priority setting is now Device Priority, and Override Master is now enabled by default.

Note: The FortiGate High Availability (HA) Guide will be available soon.

Upgrading the HA cluster for FortiOS 3.0

The following procedure will help you upgrade a FortiOS 2.80 HA cluster to FortiOS 3.0. You can use either the web based manager or the execute restore image CLI command and a TFTP server to upgrade the cluster.

To upgrade the cluster
1. Back up the configurations of the primary unit. See "Backing up your configuration" on page 33.
2. Install the firmware image on the primary unit. This may take a few minutes since the primary unit will upgrade the subordinate units as well. The FortiGate units in the cluster will reboot once or twice during the upgrade.

Note: The primary/subordinate roles may change during the upgrade if HA override is not enabled before upgrading.

SNMP MIBs and traps changes

In FortiOS 3.0, the trap file is combined into the MIB file; there is only one MIB file to download and install to your SNMP management system. SNMP traps and variables that used hyphens, for example x
43. providing immediate notification of issues occurring on the FortiGate unit, such as system failures or network attacks.

In the Log Setting tab, you can test the connectivity between the FortiGate unit and the FortiAnalyzer unit to check connection status.

Figure 6: Test connectivity feature in Log and Report

Also, instead of configuring the connection between the two devices, you can enable a new feature called FortiDiscovery to automatically discover and connect to a FortiAnalyzer unit. The FortiDiscovery feature uses HELLO packets to locate the FortiAnalyzer unit(s) that are on the network within the same subnet.

The web trends option and traffic filtering are now available in the CLI. See the FortiGate CLI Reference for more information.

Logging options for various protocols and traffic are now in the Protection Profiles menu.

Note: Log filter is now included in Firewall > Protection Profile > Logging. You can also enable this feature in the CLI. Also, Traffic Filter is now available in the CLI. See the FortiGate
45. s online help from the web based manager as you work.
• FortiGate CLI Reference: Describes how to use the FortiGate CLI and contains a reference to all FortiGate CLI commands.
• FortiGate Log Message Reference: Available exclusively from the Fortinet Knowledge Center, the FortiGate Log Message Reference describes the structure of FortiGate log messages and provides information about the log messages that are generated by FortiGate units.
• FortiGate High Availability User Guide: Contains in-depth information about the FortiGate high availability feature and the FortiGate clustering protocol.
• FortiGate IPS User Guide: Describes how to configure the FortiGate Intrusion Prevention System settings and how the FortiGate IPS deals with some common attacks.
• FortiGate IPSec VPN User Guide: Provides step-by-step instructions for configuring IPSec VPNs using the web based manager.
• FortiGate SSL VPN User Guide: Compares FortiGate IPSec VPN and FortiGate SSL VPN technology, and describes how to configure web-only mode and tunnel-mode SSL VPN access for remote users through the web based manager.
• FortiGate PPTP VPN User Guide: Explains how to configure a PPTP VPN using the web based manager.
• FortiGate Certificate Management User Guide: Contains procedures for managing digital certificates including generati
46. t OK. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process may take a few minutes.

Once the upgrade is successfully installed:
• Ping to your FortiGate unit to verify there is still a connection.
• Clear the browser's cache and log into the web based manager.

After logging back into the web based manager, you should save your configuration settings that carried forward. Some settings may have carried forward from FortiOS 2.80MR11, while others may not have, such as certain IPS group settings. Go to System > Maintenance > Backup and Restore to save the configuration settings that carried forward.

Note: After upgrading to FortiOS 3.0, perform an "Update Now" to retrieve the latest AV/NIDS signatures from the FortiGuard Distribution Network (FDN), as the signatures included in the firmware may be older than those currently available on the FDN.

Upgrading using the CLI

Use the following procedures to upgrade to FortiOS 3.0 in the CLI.

To upgrade to FortiOS 3.0 using the CLI
Make sure the TFTP server is running.
Copy the new firmware image file to the root directory of the TFTP server.
Log into the CLI.
Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:
    execute ping 192.168.1.168
48. tivirus Service. See the FortiGate CLI Reference for more information.

Intrusion Protection (formerly IPS)

The Intrusion Protection menu consists of the following menus:
• Signature
• Anomaly

Note: Make sure to document all FortiOS 2.80 IPS group settings before upgrading to FortiOS 3.0, since certain IPS group settings are not carried forward and must be configured manually. See the Release Notes FortiOS 3.0MR1 for more information.

Signature

The Signature menu is unchanged. However, you can now view the severity level of pre-defined signatures and custom signatures. Also, you can reset the pre-defined signatures to their default settings if you changed them. When creating new custom signatures on the Custom page, you can specify the severity level for the custom signature.

Anomaly

The Anomaly menu detects and identifies network traffic that attempts to take advantage of known exploits. When you are creating a new anomaly, you can now specify the severity, and instead of selecting Logging, you now select Packet Log. The field called Parameters is no longer available.

Protocol Decoder

The Protocol Decoder menu, new for FortiOS 3.0, displays protocol anomalies for logging purposes. You can enable or disable logging for
49. w known issues and changes for configuring VPNs.

Note: VPN settings may need to be reconfigured after you upgrade to FortiOS 3.0. Also, VPN IPSec Phase 2 settings (source and destination ports) are reset to zero during the upgrade.

Note: The CLI command auto-negotiate replaces the Ping generator feature. The auto-negotiate is disabled by default and is available for both IPSec tunnels in the IPSec Phase 2 configuration for both IPSec tunnels.

The IPSec menu has changed to reflect the way you configure VPNs. Phase 1 and Phase 2 tabs are merged with the new AutoKey (IKE) tab. The Ping Generator tab is now available in the CLI. See the FortiGate CLI Reference for more information.

The SSL menu is new for FortiOS 3.0. There are two tabs, Config and Monitor, where you can configure SSL VPNs and monitor. The Secure Socket Layer uses a cryptographic system that uses two keys to encrypt data, a public key and private key. If you require SSL version 2 encryption for compatibility with older browsers, you can enable this protocol through the CLI in the VPN chapter. See the FortiGate CLI Reference for more information on SSL. Also, you can enable the use of digital certificates for authenticating remote clients.

The Certificates menu has a new tab, Certificate Revocation List (CRL). The FortiGate unit uses CRLs to ensure certificates belonging to CAs and remote clients are valid. From the CRL tab, you can also import these types of certificates. It is
50. wngrade dual boot to configure a dual boot configuration for your FortiGate unit.

You may need to reconfigure some configuration settings in FortiOS 3.0. See the Release Notes FortiOS 3.0MR1 for more information.

Note: Make sure you have upgraded to FortiOS v2.80MR11 before upgrading to FortiOS 3.0.

Upgrading to FortiOS 3.0

This section describes the procedures for upgrading to FortiOS 3.0 using either the web based manager or CLI.

Upgrading using the web based manager

You can use the web based manager to upgrade to FortiOS 3.0. Use the following procedure for upgrading to FortiOS 3.0.

Note: Before proceeding, make sure you back up your configuration. Also, it is recommended you use the CLI to upgrade to FortiOS 3.0. However, a TFTP upgrade reverts all current firewall configurations to factory default settings. Use the web based manager if you want to carry forward certain FortiOS 2.80MR11 settings.

To upgrade to FortiOS 3.0 using the web based manager
Copy the firmware image file to your management computer.
Log into the web based manager.
Go to System > Status > Unit Information.
Under Unit Information, select Update.
Type the path and filename of the firmware image file, or select Browse and locate the file.
Selec
51. xx yyy have dropped the hyphen and capitalized the second term xxxYyy. The v3.0 MIB file also has more in-depth descriptions and supports models. To see these changes, contact Fortinet technical support to obtain the MIB file. In-depth SNMP trap changes: The following table displays trap name changes, including additional trap names for FortiOS 3.0. FortiOS v3.0 trap name status FortiOS v2.8 trap name status fnFMTrapIfChange New fnFMTrapConfChange New No longer available fnTrapHaStateChange No longer available fnTrapiIdsPortScan No longer available fnTrapImTableFull In-depth MIB file name changes: The following table displays trap name changes, including additional trap names for FortiOS 3.0. Location FortiOS v3.0 FortiOS v2.8 trap name status trap name status System fnSysDiskCapacity New ain fnSysDiskUsage New fnSysMemCapacity New HA fnHaLBSchedule fnHaSchedule fnHaGroupID fnHaGroupID fnHaPriority No longer available fnHaOverride No longer available fnHaAutoSync No longer available Options fnOptAuthTimeout New fnOptionLanguage New fnOptLcdProtection New Management fnManSysSerial New fnManIfName New fnManIfIp New fnManIfMask New
52. your FortiGate unit. Figure 4: Backup and Restore page [screenshot; sections: Backup, Restore, Advanced (USB Auto Install, Import Bulk CLI Commands, Download Debug Log)]. The FortiGuard Center, previously the Update Center, displays several options for enabling the FortiGate unit to connect to the Fortinet Distribution Network (FDN) and for updating antivirus and attack definitions. You can also test the availability of FortiGuard services from this page. Figure 5: FortiGuard Center page [screenshot; FortiGuard Distribution Network (FDN) status, with columns Update, Version, Expiry date, Last update attempt, Last Update Status].
