FortiGate Configuration Guide


CÔNG TY CP ĐẦU TƯ PHÁT TRIỂN CÔNG NGHỆ ỨNG DỤNG TOÀN CẦU HYPERLOGY

FORTIGATE FIREWALL CONFIGURATION GUIDE

Hanoi, 10/2007

Công ty Cổ phần Đầu tư Phát triển Công nghệ Ứng dụng Toàn Cầu Hyperlogy JSC
Tel: +84 4 6405636 Fax: +84 4 6405639 Website: http://www.hyperlogy.com

Table of contents

1. Introduction to FortiGate
1.1. FortiGate interfaces
1.2. Indicator LEDs
2. Configuring FortiGate
2.1. Ways to access FortiGate for configuration
2.2. Configuring FortiGate for the first time
2.3. Configuration steps
2.4. Configuring the FortiGate operating mode
2.5. Configuring the interfaces
2.6. Configuring DHCP
2.7. Configuring addresses and address zones
2.8. Configuring services
2.9. Configuring Protection profiles
2.10. Configuring Policies
2.11. Configuring Virtual IP
2.12. Configuring the AntiVirus service
2.13. Configuring the AntiSpam service
2.14. Configuring the IPS service
2.15. Configuring the Web filter service
2.16. Configuring logging
3. Checking FortiGate operation
3.1. Checking the interface configuration
3.2. Checking the routing configuration
3.3. Checking the Policy configuration
3.4. Checking network operation
4. Monitoring operation
4.1. Status screen
4.2. Monitoring logs
5. Backing up and restoring the configuration
5.1. Backing up and restoring the configuration
5.2. Backing up and restoring everything

Device configuration guide


1. Introduction to FortiGate

1.1. FortiGate interfaces

- Console: The FortiGate command line interface (CLI) can be accessed through a connection between the serial port of an administration computer and the serial port of the FortiGate.
- Internal: This interface connects to the organization's LAN. Parameters such as IP, DHCP, DNS Server ... are configured according to the network design.
- WAN: This interface connects to the Internet through a modem (Lease Line, ADSL).
- DMZ: This interface connects to the network zone that needs high security, where access from the Internet, the LAN ... is restricted according to the policies set by the administrator. Servers such as Mail Server, Web Server ... are usually placed in this zone.
- USB: This interface is used to back up, restore and upgrade the firmware of the FortiGate. It is also used to connect a dial-up modem as a backup path for the Internet connection.

1.2. Indicator LEDs

The LEDs show the status of the FortiGate: power and the status of the interfaces.

Power has the following states:
- Flashing: the FortiGate is starting up
- Green: the FortiGate is operating normally
- Off: the FortiGate is powered off

Internal, WAN and DMZ have the following states:
- Green: the correct cable is in use and the connected device is switched on
- Flashing: there is network activity on this interface
- Off: no connection yet

Link: green means the network is operating at 100 Mbps.

2. Configuring FortiGate

2.1. Ways to access FortiGate for configuration

FortiGate supports the following access and configuration methods:
- Console:
- http:
- https:
- telnet:
- ssh:
- snmp:

2.2. Configuring FortiGate for the first time

When it is first put into use, the FortiGate has a configuration preset by the manufacturer, which includes:
- Default operating mode: NAT
- Default login name and password: admin / (blank)
- Default IP addresses of the interfaces:
  Internal: 192.168.1.99/24
  WAN1: 192.168.100.99/24
  WAN2: 192.168.101.99/24
  DMZ: 10.10.10.1/24
- Protocols allowed for access by default: telnet, http, https

2.3. Configuration steps

Configuring the FortiGate should follow these steps:
- Configure the FortiGate operating mode
- Configure the interfaces
- Configure DHCP
- Configure addresses and address zones
- Configure services
- Configure the Protection profiles
- Configure the Policies
- Configure Virtual IP
- Configure the AntiVirus service
- Configure the AntiSpam service
- Configure the IPS service
- Configure the Web filter service
- Configure logging

2.4. Configuring the FortiGate operating mode

On the web interface (https): connect through the Internal (or DMZ) interface to configure:

Login name: admin
Password: (blank)

Select "Login", then select System > Network.

The Access column shows the modes that are allowed to operate on each interface. To change the mode of an interface, select the button at the end of that interface's row and change the mode as required.

Console, telnet, ssh: see the documentation or the website http://kc.forticare.com/ for more information.

2.5. Configuring the interfaces

On the web interface (http, https): select "Login", then select System > Network. Select the interface to change.

Console, telnet, ssh: see the documentation or the website http://kc.forticare.com/ for more information.

2.6. Configuring DHCP

On the web interface (http, https): select "Login", then select System > DHCP. Select the interface to change under "Service".

Then change the parameters as required.

Next select "Server", then "Create New" for the interface on which DHCP is to be configured.

Options: DNS Server, WINS Server ...

Console, telnet, ssh: see the documentation or the website http://kc.forticare.com/ for more information.

2.7. Configuring addresses and address zones

On the web interface (http, https): log in to the system and select "Firewall" > "Address".

Select "Create New" to define the zones: DMZ, LAN, ...

Example:

Console, telnet, ssh: see the documentation or the website http://kc.forticare.com/ for more information.

2.8. Configuring services

On the web interface (http, https): log in to the system and select "Firewall" > "Service".

- Predefined: these are services that have been defined in advance, with corresponding names.
- Custom: used to define additional services as required.

Example:

The result then appears as:

To group several services so that creating Policies is easier, create a service group; a single Policy can then be created for all the services in that group. A service group can include both Predefined and Custom services.

Console, telnet, ssh: see the documentation or the website http://kc.forticare.com/ for more information.

2.9. Configuring Protection profiles

On the web interface (http, https):

Protection profiles are used to apply different protection settings to the traffic that is controlled by the FortiGate policies.

Purpose:
- Configure antivirus for the HTTP, FTP, IMAP, POP3 and SMTP protocols.
- Configure web filtering for HTTP.
- Configure antispam for IMAP, POP3 and SMTP.
- Enable intrusion prevention (IPS - Intrusion Prevention System) for all services.

Console, telnet, ssh: see the documentation or the website http://kc.forticare.com/ for more information.

2.10. Configuring Policies

On the web interface (http, https): log in to the system and select "Firewall" > "Policy".

Source:
- Interface/Zone: the source interface
- Address Name: the name of the source address (an address defined as described above)

Destination:
- Interface/Zone: the destination interface
- Address Name: the name of the destination address (an address defined as described above)

Service: the service the Policy is created for

Action:
- ACCEPT: accepts connections that match the Policy. NAT, protection profiles, log traffic, traffic shaping, authentication and other services can also be configured.
- DENY: rejects connections that match the Policy.
- ENCRYPT: select encryption to make this policy an IPSec VPN policy (it accepts IPSec packets).

For the example above, the result is:

Console, telnet, ssh: see the documentation or the website http://kc.forticare.com/ for more information.

2.11. Configuring Virtual IP

On the web interface (http, https):

- Name: a memorable name for the service being set up
- External Interface: the WAN interface to map from
- Type:
  Static NAT: maps one WAN address to one private address
  Port Forwarding: maps one port of the WAN address to one port of the private address
- External IP Address: the WAN address of the interface
- External Service Port: the service port on the WAN address
- Map to IP: the private IP address to map to
- Map to Port: the service port on the private IP address to map to
- Protocol: the protocol used

Console, telnet, ssh: see the documentation or the website http://kc.forticare.com/ for more information.

2.12. Configuring the AntiVirus service

On the web interface (http, https): log in to the system and select "Antivirus".

- File Block: select which sample file formats and which protocols are to be checked and blocked. Other file formats can also be defined by creating new entries ... Then select Apply to apply them immediately.
- Config: shows the list of virus signatures that have been updated.

Console, telnet, ssh: see the documentation or the website http://kc.forticare.com/ for more information.

2.13. Configuring the AntiSpam service

On the web interface (http, https): log in to the system and select "Spam Filter".

- Fortiguard_AntiSpam: this is a protection and antispam service for email (FortiShield). It checks the source addresses and URLs of incoming email; if they are on the blacklist on the FortiShield Server, delivery of the message is blocked. To use this service you must register with the provider.
- IP address: the source IP address to be checked (a single address or a range of addresses). If it matches, the corresponding Protection Profile is applied; if it does not match, processing moves on to the next spam filter.
- Email address: filters email by the specific address of the sender, or all email from a given domain. Each email address can be marked as "clear" or "spam".
- MIME (Multipurpose Internet Mail Extensions): MIME headers are added to email to describe the content type and the content encoding. Spammers who change these parameters can fool the virus and spam filters. The MIME Headers list can be used to mark email from (known) bulk-mail programs, or with content types that spam messages commonly use.
- Banned Word: one or more words can be banned in the message subject, the message body, or both.

Console, telnet, ssh: see the documentation or the website http://kc.forticare.com/ for more information.

2.14. Configuring the IPS service

On the web interface (http, https): log in to the system and select "IPS".

- Predefined: this is the set of signatures (characteristic patterns) that have been defined in advance, classified by type of attack. By default these signature groups are enabled, while some of the other groups are not. Signatures can also be created with the Custom option (name, pattern, action, whether to log or not ...).
- Anomaly: the list used to detect anomalies is updated only when the firmware is updated.

Console, telnet, ssh: see the documentation or the website http://kc.forticare.com/ for more information.

2.15. Configuring the Web filter service

This provides the configuration used by Web Filtering when a Protection profile is created for the firewall.

On the web interface (http, https): log in to the system and select "Web Filtering".

- Content Block: blocks web pages that contain banned words. An entry can be a single word or a text string up to 80 characters long. The maximum number of banned words in the list is 32.
- URL Block: URLs, or some existing publicly published URLs, can be added to block access to them. Entries that can go in the URL block list:
  - Complete URLs
  - IP addresses
  - Individual parts of URLs, to block sub-domains
- URL Exempt: specific URLs can be configured as permitted by Web filtering. URLs in the Exempt list are not scanned for viruses.
- Category Block: this is a licensed service, similar to FortiShield.
- Script Filter: allows filtering of Java Applets, Cookies and ActiveX.

Console, telnet, ssh: see the documentation or the website http://kc.forticare.com/ for more information.

2.16. Configuring logging

On the web interface (http, https): log in to the system and select "Log & Report".

Log Config: storage of log messages can be enabled and configured for one or more of the following destinations:

- FortiLog: a log analysis and management device that can aggregate logs from other FortiGate units or other types of firewall. To set up content archiving with a Protection profile, select FortiLog and specify its IP address.
- Memory: keeps the information in the FortiGate system memory. Traffic and content logs are not stored in the memory buffer. When the memory is full, the oldest entries are overwritten. All log entries are deleted when the system restarts. "Level" selects the alerting method.
- Syslog: a remote computer running as a Syslog server (name or IP address, port).
- Web Trend: a remote computer running NetIQ WebTrends as a server for reporting firewall information.

Alert E-Mail: specifies the mail server and the recipients for alert messages, and the levels and frequency of the messages.

- SMTP Server: the name and address of the SMTP server for the messages
- Email from: the sender address
- Email to: the address of the alert recipient
- Authentication: sets up SMTP authentication
- SMTP user:
- Password:
- Level: sets the alert level and the interval to wait before an alert message is sent

Log Filter: configures the log filters: where logs are stored and which types are stored (traffic log, event log ...).

Console, telnet, ssh: see the documentation or the website http://kc.forticare.com/ for more information.

3. Checking FortiGate operation

3.1. Checking the interface configuration

To check the configuration of the interfaces, log in to the system and select System-Network.

An interface marked green is "up"; red means the interface is "down". To enable an interface, click "Bring up".

3.2. Checking the routing configuration

Log in to the system and select "Router" > "Monitor".

- Type: shows the routes of the selected type
- Network: shows the routes for a specific network
- Gateway: shows the routes that use a specific gateway
- Apply Filter: applies the filter so that routes matching the specified criteria are shown
- Up time: the length of time the route has been available

3.3. Checking the Policy configuration

To check the Policy configuration, log in to the system and select "Firewall" > "Policy". Policies are created according to the specific network model. Take note of the requirements and of the connections between zones in order to produce sensible Policies. Policies whose Action is "Encrypt" have higher priority than those whose Action is "Accept". For that reason, always place them first within the same policy list (this does not depend on the number in the ID column, only on the top-to-bottom order within the policy list).
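
The ordering rule in 3.3 can be checked offline. The Python below is an added example, not code from this guide or from Fortinet: it models a policy list with the fields from section 2.10, looks a connection up from top to bottom, and reports policies that an earlier, broader entry hides. The Policy class, the function names, first-match-wins lookup and the 10.20.0.0/16 remote network are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Policy:
    policy_id: int            # ID column value; plays no part in matching
    src_if: str               # Source Interface/Zone
    dst_if: str               # Destination Interface/Zone
    src: str                  # source address as CIDR
    dst: str                  # destination address as CIDR
    service: Optional[tuple]  # (protocol, port), or None for any service
    action: str               # "ACCEPT", "DENY" or "ENCRYPT"

def matches(p, src_if, dst_if, src_ip, dst_ip, service):
    return (p.src_if == src_if and p.dst_if == dst_if
            and ip_address(src_ip) in ip_network(p.src)
            and ip_address(dst_ip) in ip_network(p.dst)
            and p.service in (None, service))

def first_match(policies, src_if, dst_if, src_ip, dst_ip, service):
    """Walk the list top to bottom and return the first matching policy."""
    for p in policies:
        if matches(p, src_if, dst_if, src_ip, dst_ip, service):
            return p
    return None  # nothing in the list matched

def covers(earlier, later):
    """True if every connection `later` can match is already matched by `earlier`."""
    return (earlier.src_if == later.src_if and earlier.dst_if == later.dst_if
            and ip_network(later.src).subnet_of(ip_network(earlier.src))
            and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
            and earlier.service in (None, later.service))

def shadowed(policies):
    """Return (hidden_id, hiding_id) pairs for policies that can never match."""
    found = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if covers(earlier, later):
                found.append((later.policy_id, earlier.policy_id))
                break
    return found

# Constructed sample: the LAN is the guide's default Internal subnet;
# 10.20.0.0/16 is a made-up remote site reached over the IPSec VPN.
ACCEPT_ALL = Policy(1, "internal", "wan1", "192.168.1.0/24", "0.0.0.0/0", None, "ACCEPT")
VPN_SITE = Policy(2, "internal", "wan1", "192.168.1.0/24", "10.20.0.0/16", None, "ENCRYPT")
FLOW = ("internal", "wan1", "192.168.1.50", "10.20.5.7", ("tcp", 80))

WRONG_ORDER = [ACCEPT_ALL, VPN_SITE]   # ENCRYPT below the broad ACCEPT
RIGHT_ORDER = [VPN_SITE, ACCEPT_ALL]   # ENCRYPT first, IDs unchanged

if __name__ == "__main__":
    for name, order in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        hit = first_match(order, *FLOW)
        print(name, "-> policy", hit.policy_id, hit.action, "shadowed:", shadowed(order))
```

With the ENCRYPT policy below the broad ACCEPT policy, traffic for the remote site matches the ACCEPT entry and the ENCRYPT entry is reported as hidden; moving it to the top changes the result even though the ID values stay the same.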

3.4. Checking network operation

After the parameters have been set up according to the network model and the specific requirements, check the connections between the zones one by one. Use commands such as Ping and Telnet to specific addresses and ports to check the Policies.

4. Monitoring operation

4.1. Status screen

Log in to the system and select "System"-"Status".

- System Status: shows the firewall's uptime and the current system clock
- Unit Information: shows the device name, Firmware version, FortiGuard AV Definitions, FortiGuard Intrusion Definitions, Serial Number, Operation Mode
- Recent Virus Detections: shows the time, source, destination, service and name of the viruses detected by scanning
- Interface Status: shows the state of all the system's interfaces (IP, status ...)
- System Resource: the state of the CPU and memory, the number of active sessions, network usage ...
- Automatic Refresh Interval: selects the interval at which the displayed system status is updated
- Refresh: updates the displayed system status manually
- Recent Intrusion Detections: current attack detections

4.2. Monitoring logs

Log in to the system and select "Log & Report"-"Log Access".

The Event, Attack, Anti-Virus, Web Filter and Spam Filter logs can be monitored. Information can also be searched for (Log Search) within a requested time range, by keyword ...

5. Backing up and restoring the configuration

5.1. Backing up and restoring the configuration

FortiGate supports backing up and restoring the configuration in a simple and convenient way. Log in to the system and select "System"-"Maintenance".

To save the current system configuration, select System Configuration - Back up.

Select the button (it displays "Backup"); you are then guided through saving the configuration and naming this backup file.

To restore a saved configuration, select the button (it displays "Restore"). Then Browse to where the configuration file is stored and press OK. After the restore has finished, the system should be restarted.

5.2. Backing up and restoring everything

To save the current system configuration, select the All Configuration Files line. Select the button (it displays "Backup").

Then enter a password for this configuration file. Next, choose where to save the configuration.

To restore a saved configuration, select the button (it displays "Restore"). Enter the password that was set for the configuration when it was backed up, Browse to where the configuration file is stored, then press OK. After the restore has finished, the system should be restarted.