FortiGate防火墙产品培训

HighlightsValidatedSecurityUniversal PlatformSupportOne NetworkOSSingle Paneof GlassPerformanceFortiGate appliances, interconnectedwith the Fortinet Security Fabric,form the backbone of theFortinet Enterprise Solution/sfDATA SHEETFortiGate/FortiWiFi® 30E Unified Threat Management Distributed Enterprise FirewallDATA SHEET: FortiGate/FortiWiFi 30EHARDWAREInstall in Minutes with FortiExplorerThe FortiExplorer wizard enables easy setup and configuration coupled with easy-to-follow instructions. FortiExplorer runs on popular mobile devices like Android and iOS. Using FortiExplorer is as simple as starting the application and connecting to the appropriate USB port on the FortiGate. By using FortiExplorer, you can be up and running and protected in minutes.Wireless and 3G/4G WAN ExtensionsThe FortiGate supports external 3G/4G modems that allow additional or redundant WAN connectivity for maximum reliability. The FortiGate can also operate as a wireless access point controller to further extend wireless capabilities.Compact and Reliable Form FactorDesigned for small environments, you can simply place the FortiGate/FortiWiFi 30E on a desktop. It is small, lightweight yet highly reliable with superior MTBF (Mean Time Between Failure), minimizing the chance of a network disruption.Superior Wireless CoverageA built-in dual-band, dual-stream access point with internal antennas is integrated on the FortiWiFi 30E and provides speedy 802.11n coverage on both 2.4 GHz and 5 GHz bands. The dual- band chipset addresses the PCI-DSS compliance requirement for rogue AP wireless scanning, providing maximum protection for regulated environments.Interfaces1. USB Port2. Console Port3. 1x GE RJ45 WAN Port4. 4x GE RJ45 Switch PortsFortiGate 30EFortiWiFi 30EInterfaces1. USB Port2. Console Port3. 1x GE RJ45 WAN Port4. 4x GE RJ45 Switch PortsSERVICESFortiGuard ™ Security ServicesFortiGuard Labs offers real-time intelligence on the threat landscape, delivering comprehensive security updates across the full range of Fortinet’s solutions. Comprised of security threat researchers, engineers, and forensic specialists, the team collaborates with the world’s leading threat monitoring organizations, other network and security vendors, as well as law enforcement agencies:§Real-time Updates — 24x7x365 Global Operations research security intelligence, distributed via Fortinet Distributed Network to all Fortinet platforms.§Security Research — FortiGuard Labs have discovered over 170 unique zero-day vulnerabilities to date, totaling millions of automated signature updates monthly.§Validated Security Intelligence — Based on FortiGuard intelligence, Fortinet’s network security platform is tested and validated by the world’s leading third-party testing labs and customers globally.FortiCare ™ Support ServicesOur FortiCare customer support team provides global technical support for all Fortinet products. With support staff in the Americas, Europe, Middle East and Asia, FortiCare offers services to meet the needs of enterprises of all sizes:§Enhanced Support — For customers who need support during local business hours only.§Comprehensive Support — For customers who need around-the-clock mission critical support, including advanced exchange hardware replacement.§Advanced Services — For global or regional customers who need an assigned Technical Account Manager, enhanced service level agreements, extended software support, priority escalation, on-site visits and more.§Professional Services — For customers with more complex security implementations that require architecture and design services, implementation and deployment services, operational services and more.Enterprise BundleFortiGuard Labs delivers a number of security intelligence services to augment the FortiGate firewall platform. You can easily optimize the protection capabilities of your FortiGate with the FortiGuard Enterprise Bundle. This bundle contains the full set of FortiGuard security services plus FortiCare service and support offering the most flexibility and broadest range of protection all in one package.For more information, please refer to the FortiOS data sheet available at filter web traffic based on millions of real-time URL ratings. §Detect, contain and block advanced attacks automatically in minutes with integrated advanced threat protection framework. §Solve your networking needs with extensive routing, switching, WiFi, LAN and WAN capabilities.§Activate all the ASIC-boosted capabilities you need on the fastest firewall platform available.GLOBAL HEADQUARTERS Fortinet Inc.899 Kifer RoadSunnyvale, CA 94086United StatesTel: +/salesEMEA SALES OFFICE 905 rue Albert Einstein Valbonne 06560Alpes-Maritimes, France Tel: +33.4.8987.0500APAC SALES OFFICE 300 Beach Road 20-01The Concourse Singapore 199555Tel: +65.6395.2788LATIN AMERICA SALES OFFICE Sawgrass Lakes Center13450 W. Sunrise Blvd., Suite 430 Sunrise, FL 33323United StatesTel: +1.954.368.9990Copyright© 2016 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary and may be significantly less effective than the metrics stated herein. Network variables, different network environments and other conditions may negatively affect performance results and other metrics stated herein. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet and any such commitment shall be limited by the disclaimers in this paragraph and other limitations in the written contract. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests, and in no event will Fortinet be responsible for events or issues that are outside of its reasonable control. Notwithstanding anything to the contrary, Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.DATA SHEET: FortiGate/FortiWiFi30EFirewall Latency (64 byte UDP packets)130 μs Firewall Throughput (Packets Per Second)180 Kpps Concurrent Sessions (TCP)900,000New Sessions/Second (TCP)15,000Firewall Policies5,000IPsec VPN Throughput (512 byte packets)75 Mbps Gateway-to-Gateway IPsec VPN Tunnels 200Client-to-Gateway IPsec VPN Tunnels 250SSL-VPN Throughput35 Mbps Concurrent SSL-VPN Users (Recommended Maximum)80IPS Throughput (HTTP / Enterprise Mix) 1600 / 240 Mbps SSL Inspection Throughput 2200 Mbps Application Control Throughput 3300 Mbps NGFW Throughput 4200 Mbps Threat Protection Throughput 5150 Mbps CAPWAP Throughput6950 Mbps Virtual Domains (Default / Maximum)5 / 5Maximum Number of FortiAPs (Total / Tunnel Mode) 2 / 2Maximum Number of FortiTokens20Maximum Number of Registered FortiClients 200High Availability ConfigurationsActive/Active, Active/Passive, ClusteringSPECIFICATIONSORDER INFORMATIONNote: A ll performance values are “up to” and vary depending on system configuration. IPsec VPN performance is based on512 byte UDP packets using AES-256+SHA1. 1. IPS performance is measured using 1 Mbyte HTTP and Enterprise Traffic Mix. 2. SSL Inspection is measured with IPS enabled and HTTP traffic, using TLS v1.2 with AES256-SHA. 3. Application Control performance is measured with 64 Kbytes HTTP traffic. 4. NGFW performance is measured with IPS and Application Control enabled, based on Enterprise Traffic Mix. 5. Threat Protection performance is measured with IPS and Application Control and Malware protection enabled, based on Enterprise Traffic Mix. 6. CAPWAP performance is based on 1444 byte UDP packets.。

文章标题：深度解读FortiGate 7操作手册：从入门到精通在网络安全领域，FortiGate 7作为一款功能强大的网络安全设备备受关注。

它可以为企业提供全面的网络保护和流量管理，而且在不断更新的网络威胁中保持高效和可靠。

本文将深入探讨FortiGate 7操作手册的内容，为读者提供全面、深入和实用的使用指南。

一、FortiGate 7的介绍FortiGate 7是一款集成了网络安全、流量管理和应用加速功能的设备，它采用了先进的硬件和软件技术，为企业提供了一体化的网络安全解决方案。

无论是防火墙、入侵检测系统还是虚拟专用网，FortiGate 7都能够为用户提供高效、可靠和实用的网络保护。

二、FortiGate 7操作手册的使用1. 登录与基本设置我们需要了解如何登录和进行基本设置。

FortiGate 7提供了丰富的登录界面和设置选项，用户可以根据自己的需求进行个性化的设置。

在登录页面上，用户可以输入用户名和密码，然后进行相关的网络配置。

2. 网络安全功能FortiGate 7拥有强大的网络安全功能，包括防火墙、入侵检测系统、反病毒功能等。

用户可以根据自己的需求配置这些功能，并对网络流量进行全面的监控和管理。

3. 应用加速功能在网络传输过程中，FortiGate 7还提供了优化和加速的功能。

用户可以通过设置来提高网络传输速度和优化网络性能，这对于一些对网络速度有较高要求的企业来说尤为重要。

三、个人观点和理解作为一名网络安全专家，我对FortiGate 7的操作手册有着深刻的理解。

在实际使用中，我发现FortiGate 7不仅功能强大，而且操作简单，用户体验非常好。

通过深入研读操作手册，我对FortiGate 7的功能和性能有了更全面、更深入的了解，并且能够更好地应用于实际工作中。

总结回顾通过本文的阐述，我们对FortiGate 7操作手册有了全面的了解。

在网络安全领域，深入掌握FortiGate 7的使用方法对于提高网络安全性和流量管理效率非常重要。

手把手学配置FortiGate设备FortiGate CookbookFortiOS 4.0 MR3目录介绍 (1)有关本书中使用的IP地址 (3)关于FortiGate设备 (3)管理界面 (5)基于Web的管理器 (5)CLI 命令行界面管理 (5)FortiExplorer (6)FortiGate产品注册 (6)更多信息 (7)飞塔知识库（Knowledge Base） (7)培训 (7)技术文档 (7)客户服务与技术支持 (8)FortiGate新设备的安装与初始化 (9)将运行于NAT/路由模式的FortiGate设备连接到互联网 (10)面临的问题 (10)解决方法 (11)结果 (13)一步完成私有网络到互联网的连接 (14)面临的问题 (14)解决方法 (15)结果 (16)如果这样的配置运行不通怎么办？ (17)使用FortiGate配置向导一步完成更改内网地址 (20)面临的问题 (20)解决方法 (20)结果 (22)NAT/路由模式安装的故障诊断与排除 (23)面临的问题 (23)解决方法 (23)不更改网络配置部署FortiGate设备（透明模式） (26)解决方法 (27)结果 (30)透明模式安装的故障诊断与排除 (31)面临的问题 (31)解决方法 (32)当前固件版本验证与升级 (36)面临的问题 (36)解决方法 (36)结果 (39)FortiGuard服务连接及故障诊断与排除 (41)面临的问题 (41)解决方法 (42)在FortiGate设备中建立管理帐户 (48)面临的问题 (48)解决方法 (48)结果 (49)FortiGate设备高级安装与设置 (51)将FortiGate设备连接到两个ISP保证冗余的互联网连接 (52)面临的问题 (52)解决方法 (53)结果 (60)使用调制解调器建立到互联网的冗余连接 (63)面临的问题 (63)解决方法 (64)结果 (70)使用基于使用率的ECMP在冗余链路间分配会话 (70)面临的问题 (70)解决方法 (71)结果 (73)保护DMZ网络中的web服务器 (74)面临的问题 (74)解决方法 (75)结果 (81)在不更改网络设置的情况下配置FortiGate设备保护邮件服务器（透明模式） (86)解决方法 (87)结果 (92)使用接口配对以简化透明模式下安装 (96)面临的问题 (96)解决方法 (97)结果 (101)不做地址转换的情况下连接到网络（FortiGate设备运行于路由模式） (101)面临的问题 (101)解决方法 (102)结果 (107)对私网中的用户设置显式web代理 (107)面临的问题 (107)解决方法 (108)结果 (110)私有网络的用户访问互联网内容的web缓存建立 (110)面临的问题 (110)解决方法 (111)结果 (112)应用HA高可用性提高网络的可靠性 (113)面临的问题 (113)解决方法 (114)结果 (118)升级FortiGate设备HA群集的固件版本 (120)面临的问题 (120)解决方法 (121)结果 (123)使用虚拟局域网（VLAN）将多个网络连接到FortiGate设备 (124)面临的问题 (124)解决方法 (124)结果 (129)使用虚拟域,在一台FortiGate设备实现多主机 (130)面临的问题 (130)解决方法 (130)结果 (137)建立管理员帐户监控防火墙活动与基本维护 (138)面临的问题 (138)解决方法 (139)结果 (140)加强FortiGate设备的安全性 (142)面临的问题 (142)解决方法 (143)为内部网站和服务器创建本地DNS服务器列表 (152)面临的问题 (152)解决方法 (152)结果 (154)使用DHCP根据MAC地址分配IP地址 (154)面临的问题 (154)解决方法 (155)结果 (156)设置FortiGate设备发送SNMP陷阱 (157)面临的问题 (157)解决方法 (157)结果 (160)通过数据包嗅探方式（数据包抓包）发现并诊断故障 (161)面临的问题 (161)解决方法 (162)通过数据包嗅探方式（数据包抓包）进行高级的故障发现与诊断 (170)面临的问题 (170)解决方法 (171)创建、保存并使用数据包采集过滤选项（通过基于web的管理器嗅探数据包） (179)面临的问题 (179)解决方法 (180)调试FortiGate设备配置 (184)面临的问题 (184)解决的方法 (185)无线网络 (195)FortiWiFi设备创建安全的无线访问 (196)面临的问题 (196)解决方法 (197)结果 (200)通过FortiAP在FortiGate设备创建安全无线网络 (200)面临的问题 (200)解决方法 (201)结果 (205)使用WAP-enterprise安全提高WiFi安全 (207)面临的问题 (207)解决方法 (208)结果 (211)使用RADIUS建立安全的无线网络 (212)面临的问题 (212)解决方法 (213)结果 (217)使用网页认证建立安全的无线网络 (218)面临的问题 (218)解决方法 (219)结果 (222)在无线与有线客户端之间共享相同的子网 (224)面临的问题 (224)解决方法 (224)结果 (227)通过外部DHCP服务器创建无线网络 (228)面临的问题 (228)解决方法 (229)结果 (232)使用Windows AD验证wifi用户 (234)面临的问题 (234)解决方法 (234)结果 (244)使用安全策略和防火墙对象控制流量 (245)安全策略 (245)定义防火墙对象 (247)限制员工的互联网访问 (250)面临的问题 (250)结果 (255)基于每个IP地址限制互联网访问 (255)面临的问题 (255)解决方法 (256)结果 (259)指定用户不执行UTM过滤选项 (260)面临的问题 (260)解决方法 (260)结果 (263)校验安全策略是否应用于流量 (264)面临的问题 (264)解决方法 (265)结果 (267)以正确的顺序执行安全策略 (270)面临的问题 (270)解决方法 (271)结果 (273)允许只对一台批准的DNS服务器进行DNS查询 (274)面临的问题 (274)解决方法 (275)结果 (278)配置确保足够的和一致的VoIP带宽 (279)面临的问题 (279)解决方法 (280)结果 (283)使用地理位置地址 (285)面临的问题 (285)解决方法 (286)结果 (288)对私网用户(静态源NAT)配置提供互联网访问 (288)面临的问题 (288)解决方法 (289)结果 (290)对多个互联网地址(动态源NAT)的私网用户配置提供互联网访问 (292)面临的问题 (292)解决方法 (292)不更改源端口的情况下进行动态源NAT(一对一源地址NAT) (295)面临的问题 (295)解决方法 (296)结果 (297)使用中央NAT表进行动态源NAT (298)面临的问题 (298)解决方法 (299)结果 (301)在只有一个互联网IP地址的情况下允许对内网中一台web服务器的访问 (303)面临的问题 (303)解决方法 (304)结果 (305)只有一个IP 地址使用端口转换访问内部web 服务器 (307)面临的问题 (307)解决方法 (308)结果 (310)通过地址映射访问内网Web 服务器 (311)面临的问题 (311)解决方法 (312)结果 (313)配置端口转发到FortiGate设备的开放端口 (316)面临的问题 (316)解决方法 (317)结果 (320)对某个范围内的IP地址进行动态目标地址转换(NAT) (321)面临的问题 (321)解决方法 (322)结果 (323)UTM选项 (325)网络病毒防御 (327)面临的问题 (327)解决方法 (328)结果 (329)灰色软件防御 (330)解决方法 (331)结果 (331)网络旧有病毒防御 (332)面临的问题 (332)解决方法 (332)结果 (333)将病毒扫描检测文件的大小最大化 (334)面临的问题 (334)解决方法 (335)结果 (336)屏蔽病毒扫描中文件过大的数据包 (337)面临的问题 (337)结果 (338)通过基于数据流的UTM扫描提高FortiGate设备的性能 (338)面临的问题 (338)解决方法 (339)限制网络用户可以访问的网站类型 (342)面临的问题 (342)解决方案 (342)结果 (343)对设定用户取消FortiGuard web过滤 (344)面临的问题 (344)结果 (346)阻断Google、Bing以及Yahoo搜索引擎中令人不快的搜索结果 (347)面临的问题 (347)解决方法 (347)结果 (348)查看一个URL在FortiGuard Web过滤中的站点类型 (348)面临的问题 (348)解决方法 (349)结果 (349)设置网络用户可以访问的网站列表 (350)面临的问题 (350)解决方法 (351)使用FortiGuard Web过滤阻断对web代理的访问 (353)面临的问题 (353)解决方法 (353)结果 (354)通过设置Web过滤阻断对流媒体的访问 (354)面临的问题 (354)解决方法 (355)结果 (355)阻断对具体的网站的访问 (356)面临的问题 (356)解决方法 (356)结果 (358)阻断对所有网站的访问除了那些使用白名单设置的网站 (358)面临的问题 (358)解决方案 (359)结果 (361)配置FortiGuard Web过滤查看IP地址与URL (361)面临的问题 (361)解决方法 (362)结果 (362)配置FortiGuard Web过滤查看图片与URL (364)面临的问题 (364)解决方法 (364)结果 (365)识别HTTP重新定向 (365)面临的问题 (365)解决方法 (366)结果 (366)在网络中实现应用可视化 (366)面临的问题 (366)解决的方法 (367)结果 (367)阻断对即时消息客户端的使用 (368)面临的问题 (368)结果 (369)阻断对社交媒体类网站的访问 (370)面临的问题 (370)解决方法 (371)结果 (371)阻断P2P文件共享的使用 (372)面临的问题 (372)解决方法 (372)结果 (373)启用IPS保护Web服务器 (374)面临的问题 (374)解决方法 (375)结果 (378)扫描失败后配置IPS结束流量 (378)面临的问题 (378)解决方法 (379)结果 (379)DoS攻击的防御 (380)面临的问题 (380)解决方法 (381)结果 (382)过滤向内的垃圾邮件 (382)面临的问题 (382)解决方法 (383)结果 (384)使用DLP监控HTTP流量中的个人信息 (384)面临的问题 (384)解决方法 (385)结果 (387)阻断含有敏感信息的邮件向外发送 (387)面临的问题 (387)解决方法 (388)结果 (388)使用FortiGate漏洞扫描查看网络的漏洞 (389)解决方法 (389)结果 (391)SSL VPN (392)对内网用户使用SSL VPN建立远程网页浏览 (393)面临的问题 (393)解决方法 (394)结果 (398)使用SSL VPN对远程用户提供受保护的互联网访问 (399)面临的问题 (399)解决方法 (400)结果 (403)SSL VPN 通道分割：SSL VPN 用户访问互联网与远程私网使用不同通道 (405)面临的问题 (405)解决方法 (405)结果 (409)校验SSL VPN用户在登录到SSL VPN时具有最新的AV软件 (411)面临的问题 (411)解决方法 (411)结果 (412)IPsec VPN (414)使用IPsec VPN进行跨办公网络的通信保护 (415)面临的问题 (415)解决方法 (416)结果 (420)使用FortiClient VPN进行到办公网络的安全远程访问 (421)面临的问题 (421)解决方法 (422)结果 (428)使用iPhone通过IPsec VPN进行安全连接 (430)面临的问题 (430)解决方法 (430)结果 (436)使用安卓（Android）设备通过IPsec VPN进行安全连接 (438)面临的问题 (438)结果 (443)使用FortiGate FortiClient VPN向导建立到私网的VPN (444)面临的问题 (444)解决方法 (445)结果 (449)IPsec VPN通道不工作 (450)面临的问题 (450)解决方法 (451)认证 (463)创建安全策略识别用户 (464)面临的问题 (464)解决方法 (464)结果 (466)根据网站类别识别用户并限制访问 (467)面临的问题 (467)解决方法 (468)结果 (468)创建安全策略识别用户、限制到某些网站的访问并控制应用的使用 (470)面临的问题 (470)解决方法 (471)结果 (472)使用FortiAuthenticator配置认证 (474)面临的问题 (474)解决方案 (475)结果 (478)对用户帐户添加FortiT oken双因子认证 (478)面临的问题 (478)解决方法 (479)结果 (482)添加SMS令牌对FortiGate管理员帐户提供双因子认证 (483)面临的问题 (483)解决方法 (484)结果 (486)撤消“非信任连接”信息 (487)解决方法 (488)日志与报告 (490)认识日志信息 (491)面临的问题 (491)解决方法 (492)创建备份日志解决方案 (497)面临的问题 (497)解决方法 (498)结果 (500)将日志记录到远程Syslog服务器 (502)面临的问题 (502)解决方法 (503)结果 (505)SSL VPN登录失败的告警邮件通知 (506)面临的问题 (506)解决方法 (507)结果 (509)修改默认的FortiOS UTM报告 (510)面临的问题 (510)解决方法 (510)结果 (512)测试日志配置 (513)面临的问题 (513)解决方法 (513)结果 (515)介绍本书《手把手学配置FortiGate设备》意在帮助FortiGate设备的管理员以配置案例的形式实现基本以及高级的FortiGate设备配置功能。

fortigate使用手册FortiGate是一款功能强大的网络安全设备，可帮助企业保护其网络免受各种威胁和攻击。

本使用手册将引导您正确配置和使用FortiGate 设备，确保您的网络安全和数据的保护。

一、FortiGate设备简介FortiGate设备是一种集成了防火墙、入侵防御系统、虚拟专用网络等多种功能的网络安全设备。

它采用了先进的硬件和软件技术，能够提供高性能和可靠的安全解决方案。

FortiGate设备适用于各种规模的企业网络，从小型办公室到大型企业网络都可以使用。

二、FortiGate设备的安装与配置1. 设备安装在开始配置FortiGate设备之前，您需要确保设备已经正确安装在网络中。

将设备适配器插入电源插座，并将设备与网络交换机或路由器连接。

确保设备的电源和网络连接正常。

2. 监听设备在配置FortiGate设备之前，您需要确保您的计算机与设备处于同一网络中。

通过打开浏览器，在浏览器地址栏中输入设备的IP地址，如果一切正常，您将能够访问到设备的管理界面。

3. 初始配置初次登录设备管理界面时，您需要按照设备提供的引导进行初始配置。

设置管理员账户和密码，并进行基本网络设置，如IP地址、子网掩码、网关等。

此步骤将确保您能够正常访问设备并进行后续配置。

三、FortiGate设备的基本配置1. 接口配置FortiGate设备具有多个接口，用于与网络连接。

您需要为每个接口分配一个合适的IP地址，以确保设备能够与其他网络设备正常通信。

2. 防火墙策略配置防火墙策略是FortiGate设备的核心功能之一，它用于控制流经设备的网络流量。

您可以根据需求配置访问控制规则，允许或阻止特定的流量。

确保您的防火墙策略满足安全需求，并允许合法的网络通信。

3. 安全服务配置FortiGate设备提供了多种安全服务选项，如入侵防御系统、反病毒、反垃圾邮件等。

您可以根据需要启用这些服务，增强网络的安全性和保护能力。

四、FortiGate设备的高级配置1. 虚拟专用网络（VPN）配置FortiGate设备支持VPN功能，可实现安全的远程访问和分支之间的安全通信。

华为技术安全服务Fortigate防火墙简明配置指导书华为技术华为技术有限公司二〇一三年六月版权声明©2003 华为技术有限公司版权所有，保留一切权利。

非经本公司书面许可，任何单位和个人不得擅自摘抄、复制本书的部分或全部，并不得以任何形式传播。

作者信息修订记录目录第一章、产品简介 (4)第二章、FORTIGATE防火墙简明配置指导 (8)1、恢复缺省 (8)2、串口配置 (8)3、交叉网线连port3，进入web配置 (9)4、配置外口网关 (9)5、配置路由 (10)6、配置虚拟外网IP (10)7、配置端口服务 (11)8、组合服务 (11)9、将组合服务关联到映射IP (12)第一章、产品简介FortiGate安全和内容控制系列产品，是利用一种新的体系结构方法研发的，具有无与伦比的价格/性能比；是完全的、所有层网络安全和内容控制的产品。

经过一些安全行业深受尊重的安全专家多年的研究开发，FortiGate解决方案突破了网络的“内容处理障碍”。

提供了在网络边界所有安全威胁类型（包括病毒和其它基于内容的攻击）的广泛保护。

并且具备空前的消除误用和滥用文字的能力，管理带宽和减少设备与管理的费用。

常规的安全系统，像防火墙和VPN 网关在防止称为网络层攻击是有效的，它通过检查包头信息来保证来自信任源合法请求的安全。

但在现今，绝大多数破坏性的攻击包括网络层和应用层或基于内容的攻击进行联合攻击，例如病毒和蠕虫。

在这些更多诡辩的攻击中，有害的内容常常深入到包内容，通过许多表面上“友好的”很容易穿过传统防火墙的数据包传播。

同样的，有效的网络保护依靠辨认复杂和狡猾的若干信息包模式样本，并且需要除了网络层实时信息，还有分解和分析应用层内容（例如文件和指令）的能力。

然而，在现今的网络速度下，完成高效率的内容处理所必需的处理能力要超过最强大网络设备的性能。

结果，使用常规解决方案的机构面临着“内容处理障碍”，这就迫使他们在桌面和服务器上加强内容服务的配置。

FortiGate飞塔防火墙简明配置指南说明：本文档针对所有飞塔 FortiGate设备的基本上网配置说明指南。

要求：FortiGate® 网络安全平台，支持的系统版本为FortiOS v3.0及更高。

步骤一：访问防火墙连线：通过PC与防火墙直连需要交叉线（internal接口可以用直通线），也可用直通线经过交换机与防火墙连接。

防火墙出厂接口配置：Internal或port1：192.168.1.99/24，访问方式：https、ping把PC的IP设为同一网段后（例192.168.1.10/24），即可以在浏览器中访问防火墙https://192.168.1.99防火墙的出厂帐户为admin，密码为空登陆到web管理页面后默认的语言为英文，可以改为中文在system----admin----settings中，将Idle TimeOut（超时时间）改为480分钟，Language 为simplified chinses （简体中文）。

如果连不上防火墙或不知道接口IP，可以通过console访问，并配置IP连线：PC的com1（九针口）与防火墙的console（RJ45）通过console线连接，有些型号的防火墙console是九针口，这时需要console转RJ45的转接头超级终端设置：所有程序----附件----通讯----超级终端连接时使用选择com1，设置如下图输入回车即可连接，如没有显示则断电重启防火墙即可连接后会提示login，输入帐号、密码进入防火墙查看接口IP：show system interface配置接口IP：config system interfaceedit port1或internal 编辑接口set ip 192.168.1.1 255.255.255.0 配置IPset allowaccess ping https http telnet 配置访问方式set status upend配置好后就可以通过网线连接并访问防火墙步骤二：配置接口在系统管理----网络中编辑接口配置IP和访问方式本例中内网接口是internal，IP，192.168.1.1 访问方式，https ping http telnet本例中外网接口是wan1，IP，192.168.100.1访问方式，https ping步骤三：配置路由在路由----静态中写一条出网路由，本例中网关是192.168.100.254步骤四：配置策略在防火墙----策略中写一条出网策略，即internal到wan1并勾选NAT即可。

FortiOS™ 6.0Fortinet’s Network Operating SystemControl all the security and networking capabilities in all your Fortinet Security Fabric elements with one intuitive operating system. Improve your protection and visibility while reducing operating expenses and saving time with a truly consolidated next-generation enterprise firewall solution. FortiOS enables the Fortinet Security Fabric vision for enhancedprotection from IoT to Cloud.FortiOS is a security-hardened, purpose-built operating system that is the software foundation of FortiGate. Control all the security and networking capabilities in all your FortiGates across your entire network with one intuitive operating system. FortiOS offers anextensive feature set that enables organizations of all sizes to deploy the security gateway setup that best suits theirenvironments. As requirements evolve, you can modify them withminimal disruptions and cost.As companies look to transform everything from their business operating models to service delivery methods, they are adopting technologies such as mobile computing, IoT and multi-cloud networks to achieve business agility, automation, and scale. Theincreasing digital connectedness of organizations is driving the requirement for a security transformation, where security is integrated into applications, devices, and cloud networks to protect business data spread across these complex environments. FortiOS™ 6.0 delivers hundreds of new features and capabilities that were designed to provide the broad visibility, integrated threat intelligence, and automated response required for digital business. The Fortinet Security Fabric, empowered by FortiOS 6.0, is an intelligent framework designed for scalable, interconnected security combined with high awareness, actionable threat intelligence, and open API standards for maximum flexibility and integration to protect even the most demanding enterprise environments. Fortinet’s security technologies have earned the most independent certifications for security effectiveness and performance in the industry. The Fortinet Security Fabric closes gaps left by legacypoint products and platforms by providing the broad, powerful, and automated protection that today’s organizations require across their physical and virtual environments, from endpoint to the cloud.Introducing FortiOS 6.0FortiOS 6.0 AnatomyFEATURE HIGHLIGHTS System Integration§Standard-based monitoring output – SNMP Netflow/Sflow and Syslog support to external (third-party) SIEM and logging system§Security Fabric integration with Fortinet products and technology allianceCentral Management and Provisioning§Fortinet/third-party automation and portal services support via APIs and CLI scripts§Rapid deployment features including cloud-based provisioning solutions§Developer community platform and professional service options for complex integrationsCloud and SDN Integration §Multi-cloud support via integration with Openstack, VMware NSX, Nuage Virtualzed Services, and Cisco ACI infrastructure§NEW: Ease of configuration with GUI support and dyanamic address objectsconfident that your network is getting more secure over time.Fortinet offers the most integrated and automated Advanced Threat Protection (ATP) solution available today through an ATP framework that includes FortiGate, FortiSandbox, FortiMail, FortiClient, and FortiWeb. These products easily work together to provide closed loop protection across all of the most common attack vectors.FSA Dynamic Threat DB UpdateDetailed Status Report File Submission124AutomationStitches are new administrator-defined automated work flows that use if/then statements to cause FortiOS to automatically respond to an event in a pre-programmed way. Because stitches are part of the security fabric, you can set up stitches for any device in the Security Fabric.HIGHLIGHTSMonitoring§Real-time monitors§NOC Dashboard§NEW: IOS push notification via FortiExplorer app§Dashboard NOC view allows you to keep mission-critical information inview at all times. Interactive and drill-down widgets avoid dead-endsduring your investigations, keeping analysis moving quickly and smoothly. OperationFortiOS provides a broad set of operation tools that make identification and response to security and network issues effective. Security operations is further optimized with automations, which contribute to faster and more accurate problem resolutions.Policy and ControlFortiGate provides a valuable policy enforcement point in your network where you can control your network traffic and apply security technologies. With FortiOS, you can set consolidated policies that include granular security controls. Every security service is managed through a similar paradigm of control and can easily plug into a consolidated policy. Intuitive drag-and-drop controls allow you to easily create policies, and one-click navigation shortcuts allow you to more quickly quarantine end points or make policy edits.SecurityFortiGuard Labs provides the industry-leading security services and threat intelligence delivered through Fortinet solutions. FortiOS manages the broad range of FortiGuard services available for the FortiGate platform, including application control, intrusion prevention, web filtering, antivirus, advanced threat protection, SSL inspection, and mobile security. Service licenses are available a-la-carte or in a cost-effective bundle for maximum flexibility of deployment.Industry-leading security effectivenessFortinet solutions are consistently validated for industry-leading security effectiveness inindustry tests by NSS Labs for IPS and application control, by Virus Bulletin in the VB100comparative anti-malware industry tests, and by AV Comparatives.§Recommended Next Generation Firewall with near perfect, 99.47% securityeffectiveness rating. (2017 NSS Labs NGFW Test of FortiGate 600D & 3200D)§Recommended Breach Prevention Systems with 99% overall detection. (2017 NSSBreach Prevention Systems Test of FortiGate with FortiSandbox)§Recommended Data Center Security Gateway with 97.87% and 97.97% securityeffectiveness. (2017 NSS Data Center Security Gateway Test with FortiGate 7060Eand 3000D)§Recommended Next Generation IPS with 99.71% overall security effectiveness. (2017NSS Next Generation IPS Test with FortiGate 600D)§ICSA Certified network firewalls, network IPS, IPsec, SSL-TLS VPN, antivirus.NetworkingWith FortiOS you can manage your networking and security in one consistent native OS on the FortiGate. FortiOS delivers a wide range of networking capabilities, including extensive routing, NAT, switching, Wi-Fi, WAN, load balancing, and high availability, making the FortiGate a popular choice for organizations wanting to consolidate their networking and security functions.SD WANFortiGate SD-WAN integrates next generation WAN and security capabilities into a single, multi-path WAN edge solution. Secure SD-WAN makes edge application aware and keeps application performance high with built-in WAN path controller automation. With integrated NGFW, it is easier to enable direct interent access and continues to keep high security posture with reduced complexity.Platform SupportPerformanceThe FortiGate appliances deliver up to five timesthe next generation firewall performance and10 times the firewall performance of equivalentlypriced platforms from other vendors. The highperformance levels in the FortiGate are basedon a Parallel Path Processing architecture in FortiOS that leveragesperformance, optimized security engines, and custom developednetwork and content processors. Thus, FortiGate achieved thebest cost per Mbps performance value results.Ultimate deployment flexibilityProtect your entire network inside and out through a policy-drivennetwork segmentation strategy using the Fortinet solution. It is easyto deploy segment optimized firewalls, leveraging the wide range ofFortiGate platforms and the flexibility of FortiOS to protect internalnetwork segments, the network perimeter, distributed locations,public and private clouds, and the data center — ensuring youhave the right mix of capabilities and performance for eachdeployment mode.Virtual desktop option to isolate the SSL VPN session from the client computer’s desktop environment IPsec VPN:- Remote peer support: IPsec-compliant dialup clients, peers with static IP/dynamic DNS- Authentication method: Certificate, pre-shared key- IPsec Phase 1 mode: Aggressive and main (ID protection) mode- Peer acceptance options: Any ID, specific ID, ID in dialup user group EMAC-VLAN support: allow adding multiple Layer 2 addresses (or Ethernet MAC addresses) to a single physical interfaceVirtual Wire Pair:- Process traffic only between 2 assigned interfaces on the same network segment- Available on both transparent and NAT/route Mode- Option to implement wildcard VLANs setupGLOBAL HEADQUARTERS Fortinet Inc.899 KIFER ROAD Sunnyvale, CA 94086United StatesTel: +/salesEMEA SALES OFFICE 905 rue Albert Einstein 06560 Valbonne FranceTel: +33.4.8987.0500APAC SALES OFFICE 300 Beach Road 20-01The Concourse Singapore 199555Tel: +65.6395.2788LATIN AMERICA SALES OFFICE Sawgrass Lakes Center13450 W. Sunrise Blvd., Suite 430 Sunrise, FL 33323United StatesTel: +1.954.368.9990Copyright© 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.FST -PROD-DS-FOS FOS-DAT-R6-201804RESOURCEURLThe FortiOS Handbook — The Complete Guide /fgt.html Fortinet Knowledge Base/Virtual Systems (FortiOS Virtual Domains) divide a single FortiGate unit into two or more virtual instances of FortiOS that function separately and can be managed independently.REFERENCESConfigurable virtual systems resource limiting and management such as maximum/guaranteed ‘active sessions’ and log disk quotaVDOM operating modes: NAT/Route or Transparent VDOM security inspection modes: Proxy or Flow-based Web Application Firewall:- Signature based, URL constraints and HTTP method policyServer load balancing: traffic can be distributed across multiple backend servers: - B ased on multiple methods including static (failover), round robin, weighted or based on round trip time, number of connections.- Supports HTTP , HTTPS, IMAPS, POP3S, SMTPS, SSL or generic TCP/UDP or IP protocols.- Session persistence is supported based on the SSL session ID or based on an injected HTTP cookie.NOTE: F eature set based on FortiOS V6.0 GA, some features may not apply to all models. For availability, please refer to Softwarefeature Matrix on 。