Fortinet 飞塔防火墙操作管理员手册V4.3

第1章第2章2.1 2.2 2.2.1 2.2.2 2.2.3 2.3 2.4 第3章3.1 3.2录FORTINET 配置步骤配置步骤...... 2 FORTINET 防火墙日常操作和维护命令 (29)防火墙配置......29 防火墙日常检查 (29)防火墙的会话表：（系统管理－状态－会话）......29 检查防火墙的CPU、内存和网络的使用率......31 其他检查 (31)异常处理……31 使用中技巧……32 FORTGATE 防火墙配置维护及升级步骤……33 FORTIGATE 防火墙配置维护......33 FORTIGATE 防火墙版本升级 (33)第1章Fortinet 配置步骤章1.1.1.1 Fortigate 防火墙基本配置Fortigate 防火墙可以通过“命令行”或“WEB 界面”进行配置。

本手册主要介绍后者的配置方法。

首先设定基本管理IP 地址，缺省的基本管理地址为P1 口192.168.1.99，P2 口192.168.100.99。

但是由于P1 口和P2 口都是光纤接口，因此需要使用Console 口和命令行进行初始配置，为了配置方便起见，建议将P5 口配置一个管理地址，由于P5 口是铜缆以太端口，可以直接用笔记本和交叉线连接访问。

之后通过https 方式登陆到防火墙Internal 接口，就可以访问到配置界面1.系统管理”菜单1.1 “状态”子菜单1.1.1 “状态”界面“状态”菜单显示防火墙设备当前的重要系统信息，包括系统的运行时间、版本号、OS 产品序列号、端口IP 地址和状态以及系统资源情况。

如果CPU 或内存的占用率持续超过80%，则往往意味着有异常的网络流量（病毒或网络攻击）存在。

1.1.2 “会话”显示界面Fortigate 是基于“状态检测”的防火墙，系统会保持所有的当前网络“会话”（sessions）。

这个界面方便网络管理者了解当前的网络使用状况。

美国FORTINET 公司系列产品技术手册V4.0版2004年7月北京办事处地址:北京市海淀区中关村南大街２号数码大厦Ｂ座９０３室　邮编１０００８６　电话：（010）8251 2622 传真：（010）8251 2630网站：Fortinet 内部资料2004年目 录1． 公司介绍.................................................................................................................................................................4 1.1 公司背景............................................................................................................................................................4 1.2 产品简介............................................................................................................................................................4 1.3 关键技术............................................................................................................................................................4 1.4 总裁介绍............................................................................................................................................................5 1.5 业务范围 (5)2. 产品系列介绍 (6)2.1 F ORTI G ATE -50A................................................................................................................................................7 2.2 F ORTI G ATE -60...................................................................................................................................................7 2.3 F ORTI G ATE -100.................................................................................................................................................7 2.4 F ORTI G ATE -200.................................................................................................................................................8 2.5 F ORTI G ATE -300.................................................................................................................................................8 2.6 F ORTI G ATE -400.................................................................................................................................................9 2.7 F ORTI G ATE -500.................................................................................................................................................9 2.8 F ORTI G ATE -800...............................................................................................................................................10 2.9 F ORTI G ATE -1000............................................................................................................................................10 2.10 F ORTI G ATE -3000............................................................................................................................................10 2.11 F ORTI G ATE -3600............................................................................................................................................11 2.12 F ORTI G ATE -4000............................................................................................................................................12 2.13 F ORTI G ATE -5000............................................................................................................................................13 2.14 F ORTI M ANAGER 系统. (13)3. 产品功能和特点 (14)3.1 病毒防火墙新理念........................................................................................................................................14 3.2 F ORTI G ATE 系列.............................................................................................................................................14 3.3 基于网络的防病毒........................................................................................................................................15 3.4 分区域安全管理的特色...............................................................................................................................15 3.5 VPN 功能..........................................................................................................................................................15 3.6 防火墙功能.....................................................................................................................................................16 3.7 独特的内容过滤.............................................................................................................................................16 3.8 基于网络IDS 的/IDP 功能.............................................................................................................................16 3.9 VPN 远程客户端软件....................................................................................................................................17 3.10F ORTI ASIC F 技术和ORTI OS 操作系统 (17)3.10.1 高性能并行处理................................................................................................17 3.10.2 实时体系结构...................................................................................................17 3.10.3 实时内容级智能................................................................................................17 3.10.4 提供分区间安全的虚拟系统支撑.......................................................................18 3.10.5 高可用性(HA)...................................................................................................18 3.11 F ORTI G ATE 提供整体解决方案. (18)4.FORTIGATE 防火墙典型应用方案..................................................................................................................19 4.1 中小型企业防火墙应用...............................................................................................................................19 4.2 中大型企业防火墙应用...............................................................................................................................20 4.3 分布型企业防火墙应用...............................................................................................................................21 4.4 校园网安全部署应用....................................................................................................................................22 5. 销售许可证和认证证书. (23)5.1 公安部硬件防火墙销售许可证..................................................................................................................23 5.2公安部病毒防火墙销售许可证 (23)5.3中国信息安全产品测评认证中心 (24)5.4计算机世界推荐产品奖 (24)5.5中国 (24)5.6ICSA认证证书 (25)5.7在美国获奖 (26)6.技术支持方式 (27)6.1北京办事处技术支持 (27)6.1.1 技术支持、售后服务及人员培训 (27)6.1.2 服务组织结构 (27)6.1.3 技术咨询和培训 (27)6.2F ORTI P ROTECT防护服务中心 (27)6.3F ORT P ROTECT安全防护小组 (28)6.4F ORTI P ROTECT推进式网络 (28)7.说明 (29)7.1附件：公司与产品介绍资料 (29)7.2联系我们 (29)Fortinet 内部资料2004年1．公司介绍1.1 公司背景美国Fortinet(飞塔)公司是新一代的网络安全设备的技术引领厂家。

Fortinet产品家族fortinet 的产品家族涵盖了完备的网络安全解决方案包括邮件，日志，报告，网络管理，安全性管理以及fortigate 统一安全性威胁管理系统的既有软件也有硬件设备的产品。

更多fortinet产品信息，详见/products.FortiGuard服务订制fortiguard 服务定制是全球fortinet安全专家团队建立,更新并管理的安全服务。

fortinet安全专家们确保最新的攻击在对您的资源损害或感染终端用户使用设备之前就能够被检测到并阻止。

fortiguard服务均以最新的安全技术构建，以最低的运行成本考虑设计。

fortiguard 服务订制包括：1、fortiguard 反病毒服务2、 fortiguard 入侵防护（ips）服务3、 fortiguard 网页过滤服务4、fortiguard 垃圾邮件过滤服务5、fortiguard premier伙伴服务并可获得在线病毒扫描与病毒信息查看服务。

FortiClientforticlient 主机安全软件为使用微软操作系统的桌面与便携电脑用户提供了安全的网络环境。

forticlient的功能包括：1、建立与远程网络的vpn连接2、病毒实时防护3、防止修改windows注册表4、病毒扫描forticlient还提供了无人值守的安装模式，管理员能够有效的将预先配置的forticlient分配到几个用户的计算机。

FortiMailfortimail安全信息平台针对邮件流量提供了强大且灵活的启发式扫描与报告功能。

fortimail 单元在检测与屏蔽恶意附件例如dcc（distributed checksum clearinghouse）与bayesian扫描方面具有可靠的高性能。

在fortinet卓越的fortios 与fortiasic技术的支持下，fortimail反病毒技术深入扩展到全部的内容检测功能，能够检测到最新的邮件威胁。

手把手学配置FortiGate设备FortiGate CookbookFortiOS 4.0 MR3目录介绍 (1)有关本书中使用的IP地址 (3)关于FortiGate设备 (3)管理界面 (5)基于Web的管理器 (5)CLI 命令行界面管理 (5)FortiExplorer (6)FortiGate产品注册 (6)更多信息 (7)飞塔知识库（Knowledge Base） (7)培训 (7)技术文档 (7)客户服务与技术支持 (8)FortiGate新设备的安装与初始化 (9)将运行于NAT/路由模式的FortiGate设备连接到互联网 (10)面临的问题 (10)解决方法 (11)结果 (13)一步完成私有网络到互联网的连接 (14)面临的问题 (14)解决方法 (15)结果 (16)如果这样的配置运行不通怎么办？ (17)使用FortiGate配置向导一步完成更改内网地址 (20)面临的问题 (20)解决方法 (20)结果 (22)NAT/路由模式安装的故障诊断与排除 (23)面临的问题 (23)解决方法 (23)不更改网络配置部署FortiGate设备（透明模式） (26)解决方法 (27)结果 (30)透明模式安装的故障诊断与排除 (31)面临的问题 (31)解决方法 (32)当前固件版本验证与升级 (36)面临的问题 (36)解决方法 (36)结果 (39)FortiGuard服务连接及故障诊断与排除 (41)面临的问题 (41)解决方法 (42)在FortiGate设备中建立管理帐户 (48)面临的问题 (48)解决方法 (48)结果 (49)FortiGate设备高级安装与设置 (51)将FortiGate设备连接到两个ISP保证冗余的互联网连接 (52)面临的问题 (52)解决方法 (53)结果 (60)使用调制解调器建立到互联网的冗余连接 (63)面临的问题 (63)解决方法 (64)结果 (70)使用基于使用率的ECMP在冗余链路间分配会话 (70)面临的问题 (70)解决方法 (71)结果 (73)保护DMZ网络中的web服务器 (74)面临的问题 (74)解决方法 (75)结果 (81)在不更改网络设置的情况下配置FortiGate设备保护邮件服务器（透明模式） (86)解决方法 (87)结果 (92)使用接口配对以简化透明模式下安装 (96)面临的问题 (96)解决方法 (97)结果 (101)不做地址转换的情况下连接到网络（FortiGate设备运行于路由模式） (101)面临的问题 (101)解决方法 (102)结果 (107)对私网中的用户设置显式web代理 (107)面临的问题 (107)解决方法 (108)结果 (110)私有网络的用户访问互联网内容的web缓存建立 (110)面临的问题 (110)解决方法 (111)结果 (112)应用HA高可用性提高网络的可靠性 (113)面临的问题 (113)解决方法 (114)结果 (118)升级FortiGate设备HA群集的固件版本 (120)面临的问题 (120)解决方法 (121)结果 (123)使用虚拟局域网（VLAN）将多个网络连接到FortiGate设备 (124)面临的问题 (124)解决方法 (124)结果 (129)使用虚拟域,在一台FortiGate设备实现多主机 (130)面临的问题 (130)解决方法 (130)结果 (137)建立管理员帐户监控防火墙活动与基本维护 (138)面临的问题 (138)解决方法 (139)结果 (140)加强FortiGate设备的安全性 (142)面临的问题 (142)解决方法 (143)为内部网站和服务器创建本地DNS服务器列表 (152)面临的问题 (152)解决方法 (152)结果 (154)使用DHCP根据MAC地址分配IP地址 (154)面临的问题 (154)解决方法 (155)结果 (156)设置FortiGate设备发送SNMP陷阱 (157)面临的问题 (157)解决方法 (157)结果 (160)通过数据包嗅探方式（数据包抓包）发现并诊断故障 (161)面临的问题 (161)解决方法 (162)通过数据包嗅探方式（数据包抓包）进行高级的故障发现与诊断 (170)面临的问题 (170)解决方法 (171)创建、保存并使用数据包采集过滤选项（通过基于web的管理器嗅探数据包） (179)面临的问题 (179)解决方法 (180)调试FortiGate设备配置 (184)面临的问题 (184)解决的方法 (185)无线网络 (195)FortiWiFi设备创建安全的无线访问 (196)面临的问题 (196)解决方法 (197)结果 (200)通过FortiAP在FortiGate设备创建安全无线网络 (200)面临的问题 (200)解决方法 (201)结果 (205)使用WAP-enterprise安全提高WiFi安全 (207)面临的问题 (207)解决方法 (208)结果 (211)使用RADIUS建立安全的无线网络 (212)面临的问题 (212)解决方法 (213)结果 (217)使用网页认证建立安全的无线网络 (218)面临的问题 (218)解决方法 (219)结果 (222)在无线与有线客户端之间共享相同的子网 (224)面临的问题 (224)解决方法 (224)结果 (227)通过外部DHCP服务器创建无线网络 (228)面临的问题 (228)解决方法 (229)结果 (232)使用Windows AD验证wifi用户 (234)面临的问题 (234)解决方法 (234)结果 (244)使用安全策略和防火墙对象控制流量 (245)安全策略 (245)定义防火墙对象 (247)限制员工的互联网访问 (250)面临的问题 (250)结果 (255)基于每个IP地址限制互联网访问 (255)面临的问题 (255)解决方法 (256)结果 (259)指定用户不执行UTM过滤选项 (260)面临的问题 (260)解决方法 (260)结果 (263)校验安全策略是否应用于流量 (264)面临的问题 (264)解决方法 (265)结果 (267)以正确的顺序执行安全策略 (270)面临的问题 (270)解决方法 (271)结果 (273)允许只对一台批准的DNS服务器进行DNS查询 (274)面临的问题 (274)解决方法 (275)结果 (278)配置确保足够的和一致的VoIP带宽 (279)面临的问题 (279)解决方法 (280)结果 (283)使用地理位置地址 (285)面临的问题 (285)解决方法 (286)结果 (288)对私网用户(静态源NAT)配置提供互联网访问 (288)面临的问题 (288)解决方法 (289)结果 (290)对多个互联网地址(动态源NAT)的私网用户配置提供互联网访问 (292)面临的问题 (292)解决方法 (292)不更改源端口的情况下进行动态源NAT(一对一源地址NAT) (295)面临的问题 (295)解决方法 (296)结果 (297)使用中央NAT表进行动态源NAT (298)面临的问题 (298)解决方法 (299)结果 (301)在只有一个互联网IP地址的情况下允许对内网中一台web服务器的访问 (303)面临的问题 (303)解决方法 (304)结果 (305)只有一个IP 地址使用端口转换访问内部web 服务器 (307)面临的问题 (307)解决方法 (308)结果 (310)通过地址映射访问内网Web 服务器 (311)面临的问题 (311)解决方法 (312)结果 (313)配置端口转发到FortiGate设备的开放端口 (316)面临的问题 (316)解决方法 (317)结果 (320)对某个范围内的IP地址进行动态目标地址转换(NAT) (321)面临的问题 (321)解决方法 (322)结果 (323)UTM选项 (325)网络病毒防御 (327)面临的问题 (327)解决方法 (328)结果 (329)灰色软件防御 (330)解决方法 (331)结果 (331)网络旧有病毒防御 (332)面临的问题 (332)解决方法 (332)结果 (333)将病毒扫描检测文件的大小最大化 (334)面临的问题 (334)解决方法 (335)结果 (336)屏蔽病毒扫描中文件过大的数据包 (337)面临的问题 (337)结果 (338)通过基于数据流的UTM扫描提高FortiGate设备的性能 (338)面临的问题 (338)解决方法 (339)限制网络用户可以访问的网站类型 (342)面临的问题 (342)解决方案 (342)结果 (343)对设定用户取消FortiGuard web过滤 (344)面临的问题 (344)结果 (346)阻断Google、Bing以及Yahoo搜索引擎中令人不快的搜索结果 (347)面临的问题 (347)解决方法 (347)结果 (348)查看一个URL在FortiGuard Web过滤中的站点类型 (348)面临的问题 (348)解决方法 (349)结果 (349)设置网络用户可以访问的网站列表 (350)面临的问题 (350)解决方法 (351)使用FortiGuard Web过滤阻断对web代理的访问 (353)面临的问题 (353)解决方法 (353)结果 (354)通过设置Web过滤阻断对流媒体的访问 (354)面临的问题 (354)解决方法 (355)结果 (355)阻断对具体的网站的访问 (356)面临的问题 (356)解决方法 (356)结果 (358)阻断对所有网站的访问除了那些使用白名单设置的网站 (358)面临的问题 (358)解决方案 (359)结果 (361)配置FortiGuard Web过滤查看IP地址与URL (361)面临的问题 (361)解决方法 (362)结果 (362)配置FortiGuard Web过滤查看图片与URL (364)面临的问题 (364)解决方法 (364)结果 (365)识别HTTP重新定向 (365)面临的问题 (365)解决方法 (366)结果 (366)在网络中实现应用可视化 (366)面临的问题 (366)解决的方法 (367)结果 (367)阻断对即时消息客户端的使用 (368)面临的问题 (368)结果 (369)阻断对社交媒体类网站的访问 (370)面临的问题 (370)解决方法 (371)结果 (371)阻断P2P文件共享的使用 (372)面临的问题 (372)解决方法 (372)结果 (373)启用IPS保护Web服务器 (374)面临的问题 (374)解决方法 (375)结果 (378)扫描失败后配置IPS结束流量 (378)面临的问题 (378)解决方法 (379)结果 (379)DoS攻击的防御 (380)面临的问题 (380)解决方法 (381)结果 (382)过滤向内的垃圾邮件 (382)面临的问题 (382)解决方法 (383)结果 (384)使用DLP监控HTTP流量中的个人信息 (384)面临的问题 (384)解决方法 (385)结果 (387)阻断含有敏感信息的邮件向外发送 (387)面临的问题 (387)解决方法 (388)结果 (388)使用FortiGate漏洞扫描查看网络的漏洞 (389)解决方法 (389)结果 (391)SSL VPN (392)对内网用户使用SSL VPN建立远程网页浏览 (393)面临的问题 (393)解决方法 (394)结果 (398)使用SSL VPN对远程用户提供受保护的互联网访问 (399)面临的问题 (399)解决方法 (400)结果 (403)SSL VPN 通道分割：SSL VPN 用户访问互联网与远程私网使用不同通道 (405)面临的问题 (405)解决方法 (405)结果 (409)校验SSL VPN用户在登录到SSL VPN时具有最新的AV软件 (411)面临的问题 (411)解决方法 (411)结果 (412)IPsec VPN (414)使用IPsec VPN进行跨办公网络的通信保护 (415)面临的问题 (415)解决方法 (416)结果 (420)使用FortiClient VPN进行到办公网络的安全远程访问 (421)面临的问题 (421)解决方法 (422)结果 (428)使用iPhone通过IPsec VPN进行安全连接 (430)面临的问题 (430)解决方法 (430)结果 (436)使用安卓（Android）设备通过IPsec VPN进行安全连接 (438)面临的问题 (438)结果 (443)使用FortiGate FortiClient VPN向导建立到私网的VPN (444)面临的问题 (444)解决方法 (445)结果 (449)IPsec VPN通道不工作 (450)面临的问题 (450)解决方法 (451)认证 (463)创建安全策略识别用户 (464)面临的问题 (464)解决方法 (464)结果 (466)根据网站类别识别用户并限制访问 (467)面临的问题 (467)解决方法 (468)结果 (468)创建安全策略识别用户、限制到某些网站的访问并控制应用的使用 (470)面临的问题 (470)解决方法 (471)结果 (472)使用FortiAuthenticator配置认证 (474)面临的问题 (474)解决方案 (475)结果 (478)对用户帐户添加FortiT oken双因子认证 (478)面临的问题 (478)解决方法 (479)结果 (482)添加SMS令牌对FortiGate管理员帐户提供双因子认证 (483)面临的问题 (483)解决方法 (484)结果 (486)撤消“非信任连接”信息 (487)解决方法 (488)日志与报告 (490)认识日志信息 (491)面临的问题 (491)解决方法 (492)创建备份日志解决方案 (497)面临的问题 (497)解决方法 (498)结果 (500)将日志记录到远程Syslog服务器 (502)面临的问题 (502)解决方法 (503)结果 (505)SSL VPN登录失败的告警邮件通知 (506)面临的问题 (506)解决方法 (507)结果 (509)修改默认的FortiOS UTM报告 (510)面临的问题 (510)解决方法 (510)结果 (512)测试日志配置 (513)面临的问题 (513)解决方法 (513)结果 (515)介绍本书《手把手学配置FortiGate设备》意在帮助FortiGate设备的管理员以配置案例的形式实现基本以及高级的FortiGate设备配置功能。

FortiOS™ 6.0Fortinet’s Network Operating SystemControl all the security and networking capabilities in all your Fortinet Security Fabric elements with one intuitive operating system. Improve your protection and visibility while reducing operating expenses and saving time with a truly consolidated next-generation enterprise firewall solution. FortiOS enables the Fortinet Security Fabric vision for enhancedprotection from IoT to Cloud.FortiOS is a security-hardened, purpose-built operating system that is the software foundation of FortiGate. Control all the security and networking capabilities in all your FortiGates across your entire network with one intuitive operating system. FortiOS offers anextensive feature set that enables organizations of all sizes to deploy the security gateway setup that best suits theirenvironments. As requirements evolve, you can modify them withminimal disruptions and cost.As companies look to transform everything from their business operating models to service delivery methods, they are adopting technologies such as mobile computing, IoT and multi-cloud networks to achieve business agility, automation, and scale. Theincreasing digital connectedness of organizations is driving the requirement for a security transformation, where security is integrated into applications, devices, and cloud networks to protect business data spread across these complex environments. FortiOS™ 6.0 delivers hundreds of new features and capabilities that were designed to provide the broad visibility, integrated threat intelligence, and automated response required for digital business. The Fortinet Security Fabric, empowered by FortiOS 6.0, is an intelligent framework designed for scalable, interconnected security combined with high awareness, actionable threat intelligence, and open API standards for maximum flexibility and integration to protect even the most demanding enterprise environments. Fortinet’s security technologies have earned the most independent certifications for security effectiveness and performance in the industry. The Fortinet Security Fabric closes gaps left by legacypoint products and platforms by providing the broad, powerful, and automated protection that today’s organizations require across their physical and virtual environments, from endpoint to the cloud.Introducing FortiOS 6.0FortiOS 6.0 AnatomyFEATURE HIGHLIGHTS System Integration§Standard-based monitoring output – SNMP Netflow/Sflow and Syslog support to external (third-party) SIEM and logging system§Security Fabric integration with Fortinet products and technology allianceCentral Management and Provisioning§Fortinet/third-party automation and portal services support via APIs and CLI scripts§Rapid deployment features including cloud-based provisioning solutions§Developer community platform and professional service options for complex integrationsCloud and SDN Integration §Multi-cloud support via integration with Openstack, VMware NSX, Nuage Virtualzed Services, and Cisco ACI infrastructure§NEW: Ease of configuration with GUI support and dyanamic address objectsconfident that your network is getting more secure over time.Fortinet offers the most integrated and automated Advanced Threat Protection (ATP) solution available today through an ATP framework that includes FortiGate, FortiSandbox, FortiMail, FortiClient, and FortiWeb. These products easily work together to provide closed loop protection across all of the most common attack vectors.FSA Dynamic Threat DB UpdateDetailed Status Report File Submission124AutomationStitches are new administrator-defined automated work flows that use if/then statements to cause FortiOS to automatically respond to an event in a pre-programmed way. Because stitches are part of the security fabric, you can set up stitches for any device in the Security Fabric.HIGHLIGHTSMonitoring§Real-time monitors§NOC Dashboard§NEW: IOS push notification via FortiExplorer app§Dashboard NOC view allows you to keep mission-critical information inview at all times. Interactive and drill-down widgets avoid dead-endsduring your investigations, keeping analysis moving quickly and smoothly. OperationFortiOS provides a broad set of operation tools that make identification and response to security and network issues effective. Security operations is further optimized with automations, which contribute to faster and more accurate problem resolutions.Policy and ControlFortiGate provides a valuable policy enforcement point in your network where you can control your network traffic and apply security technologies. With FortiOS, you can set consolidated policies that include granular security controls. Every security service is managed through a similar paradigm of control and can easily plug into a consolidated policy. Intuitive drag-and-drop controls allow you to easily create policies, and one-click navigation shortcuts allow you to more quickly quarantine end points or make policy edits.SecurityFortiGuard Labs provides the industry-leading security services and threat intelligence delivered through Fortinet solutions. FortiOS manages the broad range of FortiGuard services available for the FortiGate platform, including application control, intrusion prevention, web filtering, antivirus, advanced threat protection, SSL inspection, and mobile security. Service licenses are available a-la-carte or in a cost-effective bundle for maximum flexibility of deployment.Industry-leading security effectivenessFortinet solutions are consistently validated for industry-leading security effectiveness inindustry tests by NSS Labs for IPS and application control, by Virus Bulletin in the VB100comparative anti-malware industry tests, and by AV Comparatives.§Recommended Next Generation Firewall with near perfect, 99.47% securityeffectiveness rating. (2017 NSS Labs NGFW Test of FortiGate 600D & 3200D)§Recommended Breach Prevention Systems with 99% overall detection. (2017 NSSBreach Prevention Systems Test of FortiGate with FortiSandbox)§Recommended Data Center Security Gateway with 97.87% and 97.97% securityeffectiveness. (2017 NSS Data Center Security Gateway Test with FortiGate 7060Eand 3000D)§Recommended Next Generation IPS with 99.71% overall security effectiveness. (2017NSS Next Generation IPS Test with FortiGate 600D)§ICSA Certified network firewalls, network IPS, IPsec, SSL-TLS VPN, antivirus.NetworkingWith FortiOS you can manage your networking and security in one consistent native OS on the FortiGate. FortiOS delivers a wide range of networking capabilities, including extensive routing, NAT, switching, Wi-Fi, WAN, load balancing, and high availability, making the FortiGate a popular choice for organizations wanting to consolidate their networking and security functions.SD WANFortiGate SD-WAN integrates next generation WAN and security capabilities into a single, multi-path WAN edge solution. Secure SD-WAN makes edge application aware and keeps application performance high with built-in WAN path controller automation. With integrated NGFW, it is easier to enable direct interent access and continues to keep high security posture with reduced complexity.Platform SupportPerformanceThe FortiGate appliances deliver up to five timesthe next generation firewall performance and10 times the firewall performance of equivalentlypriced platforms from other vendors. The highperformance levels in the FortiGate are basedon a Parallel Path Processing architecture in FortiOS that leveragesperformance, optimized security engines, and custom developednetwork and content processors. Thus, FortiGate achieved thebest cost per Mbps performance value results.Ultimate deployment flexibilityProtect your entire network inside and out through a policy-drivennetwork segmentation strategy using the Fortinet solution. It is easyto deploy segment optimized firewalls, leveraging the wide range ofFortiGate platforms and the flexibility of FortiOS to protect internalnetwork segments, the network perimeter, distributed locations,public and private clouds, and the data center — ensuring youhave the right mix of capabilities and performance for eachdeployment mode.Virtual desktop option to isolate the SSL VPN session from the client computer’s desktop environment IPsec VPN:- Remote peer support: IPsec-compliant dialup clients, peers with static IP/dynamic DNS- Authentication method: Certificate, pre-shared key- IPsec Phase 1 mode: Aggressive and main (ID protection) mode- Peer acceptance options: Any ID, specific ID, ID in dialup user group EMAC-VLAN support: allow adding multiple Layer 2 addresses (or Ethernet MAC addresses) to a single physical interfaceVirtual Wire Pair:- Process traffic only between 2 assigned interfaces on the same network segment- Available on both transparent and NAT/route Mode- Option to implement wildcard VLANs setupGLOBAL HEADQUARTERS Fortinet Inc.899 KIFER ROAD Sunnyvale, CA 94086United StatesTel: +/salesEMEA SALES OFFICE 905 rue Albert Einstein 06560 Valbonne FranceTel: +33.4.8987.0500APAC SALES OFFICE 300 Beach Road 20-01The Concourse Singapore 199555Tel: +65.6395.2788LATIN AMERICA SALES OFFICE Sawgrass Lakes Center13450 W. Sunrise Blvd., Suite 430 Sunrise, FL 33323United StatesTel: +1.954.368.9990Copyright© 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.FST -PROD-DS-FOS FOS-DAT-R6-201804RESOURCEURLThe FortiOS Handbook — The Complete Guide /fgt.html Fortinet Knowledge Base/Virtual Systems (FortiOS Virtual Domains) divide a single FortiGate unit into two or more virtual instances of FortiOS that function separately and can be managed independently.REFERENCESConfigurable virtual systems resource limiting and management such as maximum/guaranteed ‘active sessions’ and log disk quotaVDOM operating modes: NAT/Route or Transparent VDOM security inspection modes: Proxy or Flow-based Web Application Firewall:- Signature based, URL constraints and HTTP method policyServer load balancing: traffic can be distributed across multiple backend servers: - B ased on multiple methods including static (failover), round robin, weighted or based on round trip time, number of connections.- Supports HTTP , HTTPS, IMAPS, POP3S, SMTPS, SSL or generic TCP/UDP or IP protocols.- Session persistence is supported based on the SSL session ID or based on an injected HTTP cookie.NOTE: F eature set based on FortiOS V6.0 GA, some features may not apply to all models. For availability, please refer to Softwarefeature Matrix on 。

FortiGate ® Virtual AppliancesConsolidated Security for Virtualized Environments Complete end-to-end security ecosystem for the software -defined datacenter. Fortinet enables and facilitates the enterprise’s journey through the datacenter consolidation process.Benefits n Protection from a broad array of threats, with support for all of the security and networking services that the FortiOS operating system offersn Increased visibility within virtualized infrastructuremonitoringn Rapid deployment capabilityn Ability to manage virtual and physical appliances from asingle pane of glass management platformn Simple licensing with no per-user feesn Support for multiple virtualization and cloud platforms n Full support for FortiHypervisor deployments enablingline-speed security in vCPE requirement n Wide array of licensing choices to fit any infrastructure requirementn VDOM-enabled models for multi-tenant environmentsFortinet delivers both physical and virtualized security appliances to secure unique data planes. It offers on oneside, unmatched performance and security capabilities, while allowing for the growth and evolution of the consolidatingdatacenter with no service degradation or bottlenecks, no compromise on security, and with an unmatched ROI — fulfilling the outcomes of a robust software-defined security framework.FortiGate virtual appliances allow you to mitigate blind spots by implementing critical security controls within your virtual infrastructure. They also allow you to rapidly provision securityinfrastructure whenever and wherever it is needed. FortiGate virtual appliances feature all of the security and networking services common to traditional hardware-based FortiGate appliances. With the addition of virtual appliances from Fortinet, you can deploy a mix of hardware and virtual appliances, operating together and managed from a common centralized managementplatform.Fortinet’s comprehensive security virtual appliance lineup supports inexcess of 16 solutions.DATA SHEETDATA SHEET | FortiGate® Virtual AppliancesPLATFORMSChoice of Form FactorFew organizations use 100% hardware or 100% virtual IT infrastructure today, creating a need for both hardware and virtual appliances in your security strategy. Fortinet allows you to build the security solution that is right for your environment with hardware and virtual appliances to secure the core and the edge and increase visibility and control over communications within the virtualized infrastructure. FortiManager virtual or physical appliances allow you to easily manage and update your Fortinet security assets — hardware, virtual, or both — from a single pane of glass.Multi-Threat SecurityUsing the advanced FortiOS™ operating system, FortiGate appliances effectively neutralize a wide range of security threats facing your virtualized environment. Whetherdeployed at the edge as a front-line defense, or deep within the virtual infrastructure for inter-zone security, FortiGate appliances protect your infrastructure with some of the most effective security available today by enabling security features you need.Gain comprehensive visibility and apply consistent controlDEPLOYMENTDATA SHEET | FortiGate® Virtual Appliances FORTINET SECURITY FABRICFortiOS™Operating SystemFortiOS, Fortinet’s leading operating system enable the convergence of high performing networking and security across the Fortinet Security Fabric delivering consistent and context-aware security posture across network endpoint, and clouds. The organically built best of breed capabilities and unified approach allows organizations to run their businesses without compromising performance or protection, supports seamless scalability, and simplifies innovation consumption.The release of FortiOS 7 dramatically expands the Fortinet Security Fabric’s ability to deliver consistent security across hybrid deployment models consisting on appliances, software and As-a-Service with SASE, ZTNA and other emerging cybersecurity solutions.Security FabricThe industry’s highest-performing cybersecurity platform,powered by FortiOS, with a rich ecosystem designed to span the extended digital attack surface, delivering fully automated, self-healing network security.§Broad: Coordinated detection and enforcement across the entire digital attack surface and lifecycle with converged networking and security across edges, clouds, endpoints and users§Integrated: Integrated and unified security, operation, and performance across different technologies, location, deployment options, and the richest Ecosystem§Automated: Context aware, self-healing network & security posture leveraging cloud-scale and advanced AI to automatically deliver near-real-time, user-to-application coordinated protection across the FabricThe Fabric empowers organizations of any size to secure and simplify their hybrid infrastructure on the journey to digital innovation.SERVICESFortiGuard™Security ServicesFortiGuard Labs offers real-time intelligence on the threat landscape, delivering comprehensive security updates across the full range of Fortinet’s solutions. Comprised of security threat researchers, engineers, and forensic specialists, the team collaborates with the world’s leading threat monitoring organizations and other network and security vendors, as well as law enforcement agencies.FortiCare™ServicesFortinet is dedicated to helping our customers succeed, and every year FortiCare services help thousands of organizations get the most from their Fortinet Security Fabric solution. We have more than 1,000 experts to help accelerate technology implementation, provide reliable assistance through advanced support, and offer proactive care to maximize security and performance of Fortinet deployments.DATA SHEET | FortiGate® Virtual AppliancesSPECIFICATIONSVM-01/01V/01SVM-02/02V/02SVM-04/04V/04SVM-08/08V/08SVM-16/16V/16SVM-32/32V/32SVM-UL/ULV/ULSTechnical SpecificationsvCPU Support (Minimum / Maximum) 1 / 1 1 / 2 1 / 4 1 / 8 1 / 16 1 / 32 1 / unlimited Storage Support (Minimum / Maximum)32 GB / 2 TB 32 GB / 2 TB 32 GB / 2 TB 32 GB / 2 TB 32 GB / 2 TB 32 GB / 2 TB 32 GB / 2 TB Wireless Access Points Controlled (Tunnel / Global)32 / 64512 / 1,024512 / 1,0241,024 / 4,0961,024 / 4,0961,024 / 4,0961,024 / 4,096Virtual Domains (Default / Maximum) *10 / 1010 / 2510 / 5010 / 50010 / 50010 / 50010 / 500Firewall Policies10,00010,00010,000200,000200,000200,000200,000Maximum Number of Registered Endpoints2,0002,0008,00020,00020,00020,00020,000Unlimited User LicenseYesYesYesYesYesYesYesNote: All performance values are “up to” and vary depending on system work Interface SupportThe maximum number of network interfaces consumable by a FortiGate instance is 24 starting with FortiGate version 6.4.0. Prior versions allow 18. The minimum number is 1. The actual number of network interfaces attachable to instances varies depending on cloud platformsand instance types, and they may not allow you to attach the greater number of interfaces to an instance than their maximum limits even while FortiGate allows up to 24.* FG-VMxxV and FG-VMxxS series do not come with a multi-VDOM feature by default. You can add it by applying separate VDOM addition perpetual licenses. See ORDER INFORMATION for VDOM SKUs.VENDORPrivate Clouds (Hypervisors)VMware ESXi v5.5 / v6.0 / v6.5 / v6.7 / v7.0VMware NSX-T* v2.3 / v2.4 / v2.5Microsoft Hyper-V Server 2008 R2 / 2012 / 2012 R2 / 2016 / 2019**Microsoft AzureStackCitrix Xen XenServer v5.6 sp2, v6.0, v6.2 and later Open source Xen v3.4.3, v4.1 and laterKVM qemu 0.12.1 & libvirt 0.10.2 and later for Red Hat Enterprise Linux / CentOS 6.4 and later /Ubuntu 16.04 LTS (generic kernel)KVM qemu 2.3.1 for SuSE Linux Enterprise Server 12 SP1 LTSS Nutanix AHV (AOS 5.10, Prism Central 5.10)***Cisco Cloud Services Platform 2100***Cisco ENCS (NFVIS 3.12.3)***** See the NSX-T on VMware Compatibility Guide for the latest supported platforms. ** FortiGate-VM 6.2.3+ supports Microsoft Hyper-V 2019.*** FortiGate-VM 6.0.3+ supports Nutanix AHV and Cisco CSP 2100.**** FortiGate-VM 6.2.3+ supports Cisco NFVIS 3.12.3.VENDORPublic Clouds (Marketplaces)Amazon AWS (including GovCloud and AWS China)VMware Cloud on AWS*VMware Cloud on Dell EMC**Microsoft Azure (including regional Azure: US Gov, Germany, and China) and AzureStack syndicationGoogle GCP (Google Cloud Platform)Oracle OCIAlibaba Cloud (AliCloud)IBM Cloud (Gen1 / Gen2)***Virtualization/Cloud Platform Support varies by model and FortiOS builds. Please refer to appropriate release notes.FG-VMxxV series require FortiOS 5.4.8+ / 5.6.1+ / 6.0.0+. * FortiGate-VM 6.0.4+ supports VMware Cloud on AWS. ** FortiGate-VM 6.2.3+ supports VMware Cloud on Dell EMC.*** IBM Cloud does not support the marketplace and requires manual deployment. FortiGate-VM 6.4.2+ supports IBM Cloud.Product SKUDescriptionFortiGate-VM01FG-VM01, FG-VM01V FortiGate-VM ‘virtual appliance’. 1x vCPU core. No VDOM by default for FG-VM01V model.FortiGate-VM02FG-VM02, FG-VM02V FortiGate-VM ‘virtual appliance’. 2x vCPU cores. No VDOM by default for FG-VM02V model.FortiGate-VM04FG-VM04, FG-VM04V FortiGate-VM ‘virtual appliance’. 4x vCPU cores. No VDOM by default for FG-VM04V model.FortiGate-VM08FG-VM08, FG-VM08V FortiGate-VM ‘virtual appliance’. 8x vCPU cores. No VDOM by default for FG-VM08V model.FortiGate-VM16FG-VM16, FG-VM16V FortiGate-VM ‘virtual appliance’. 16x vCPU cores. No VDOM by default for FG-VM016V model.FortiGate-VM32FG-VM32, FG-VM32V FortiGate-VM ‘virtual appliance’. 32x vCPU cores. No VDOM by default for FG-VM032V model.FortiGate-VMULFG-VMUL, FG-VMULV FortiGate-VM ‘virtual appliance’. Unlimited vCPU cores. No VDOM by default for FG-VMULV model.Optional Accessories/Spares SKUDescriptionVirtual Domain License Add 5FG-VDOM-5-UG Upgrade license for adding 5 VDOMs to FortiOS 5.4 and later, limited by platform maximum VDOM capacity.Virtual Domain License Add 15FG-VDOM-15-UG Upgrade license for adding 15 VDOMs to FortiOS 5.4 and later, limited by platform maximum VDOM capacity.Virtual Domain License Add 25FG-VDOM-25-UG Upgrade license for adding 25 VDOMs to FortiOS 5.4 and later, limited by platform maximum VDOM capacity.Virtual Domain License Add 50FG-VDOM-50-UGUpgrade license for adding 50 VDOMs to FortiOS 5.4 and later, limited by platform maximum VDOM capacity.Virtual Domain License Add 240FG-VDOM-240-UG Upgrade license for adding 240 VDOMs to FortiOS 5.4 and later, limited by platform maximum VDOM capacity.FortiGate-VM 6.2.2 no longer has RAM restriction on all vCPU models while prior versions still restrict RAM sizes per model. Upgrade to 6.2.2 is necessary to remove the restriction.ORDERING INFORMATIONThe following SKUs adopt the perpetual licensing scheme:available with marketplace-listed products.DATA SHEET | FortiGate® Virtual AppliancesCopyright © 2021 Fortinet, Inc. All rights reserved. Fortinet , FortiGate , FortiCare and FortiGuard , and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other productor company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.ORDERING INFORMATIONThe following SKUs adopt the annual subscription licensing scheme:258FortiCare services (only) included 815Enterprise Bundle included 820360 Protection Bundle included 990UTP Bundle includedFortiOS 6.2.3+ and 6.4.0+ support the FortiGate-VM S-series. The FortiGate-VM S-series does not have RAM restrictions on all vCPU levels. FortiManager 6.2.3+ and 6.4.0+ support managing FortiGate-VM S-series devices.BUNDLESFortiGuard BundleFortiGuard Labs delivers a number of security intelligence services to augment the FortiGate firewall platform. You can easily optimize the protection capabilities of your FortiGate with one of these FortiGuard Bundles.Bundles 360 Protection Enterprise Protection Unified Threat ProtectionAdvanced ThreatProtectionFortiCareASE 124x724x724x7FortiGuard App Control Service ••••FortiGuard IPS Service••••FortiGuard Advanced Malware Protection (AMP) — Antivirus, Mobile Malware, Botnet, CDR, Virus Outbreak Protection and FortiSandbox Cloud Service••••FortiGuard Web and Video 2 Filtering Service •••FortiGuard Antispam Service •••FortiGuard Security Rating Service ••FortiGuard IoT Detection Service ••FortiGuard Industrial Service ••FortiConverter Service••SD-WAN Orchestrator Entitlement •SD-WAN Cloud Assisted Monitoring •SD-WAN Overlay Controller VPN Service • Fortinet SOCaaS •FortiAnalyzer Cloud •FortiManager Cloud•1. 24x7 plus Advanced Services Ticket Handling2. Available when running FortiOS 7.0。

飞塔防⽕墙⽇常维护与操作纳智捷汽车⽣活馆IT主管⽇常操作指导⽬录⼀、设备维护 (02)⼆、⽹络设备密码重置步骤 (20)三、飞塔限速设置 (05)四、飞塔SSLVPN设置及应⽤ (07)五、服务需求 (15)六、安装调试流程 (16)七、备机服务流程 (17)⼋、安装及测试 (18)九、注意事项 (19)⼀、设备维护1、登录防⽕墙内⽹登录防⽕墙，可在浏览器中https://172.31.X.254 或 https://192.168.X.254（注：登录地址中的X代表当前⽣活馆的X值），从外⽹登录可输当前⽣活馆的WAN1⼝的外⽹IP 地址（例如：https://117.40.91.123）进⼊界⾯输⼊⽤户名密码即可对防⽕墙进⾏管理和配置。

2、登录交换机从内⽹登录交换机，在浏览器输⼊交换机的管理地址即可。

http://172.31.X.253\252\251\250（注：同样登录地址中的X代表当前⽣活馆的X值）3、登录⽆线AP从内⽹登录⽆线AP，在浏览器输⼊⽆线AP的管理地址即可。

员⼯区http://172.31.X.241客户区 http://192.168.X.241（注：同样登录地址中的X代表当前⽣活馆的X值）⼆、⽹络设备密码重置步骤2.1 防⽕墙Fortigate-80C重置密码1，连上串⼝并配置好；2，给设备加电启动；3，启动完30秒内从串⼝登陆系统，⽤户名为：maintainer；4，密码：bcpb＋序列号（区分⼤⼩写）；注意:有些序列号之间有-字符,需要输⼊.如序列号为FGT-100XXXXXXX,则密码为bcpbFGT-100XXXXXXX.不然⽆法登陆.5，在命令⾏下执⾏如下系列命令重新配置“admin”的密码：config system adminedit adminset password “需要配置的新密码“end6，可以⽤新密码从Web界⾯登陆系统了。

具体命令⾏如下图设置：2.2交换机DES-3028密码重置步骤1，连上串⼝并配置好；2，给设备加电启动；3，当界⾯出现第⼆个100%时，⽴即按住shift + 6,然后出现⼀下界⾯4，按任意键，转⼊下⼀个命令⾏界⾯5，根据上图操作，最后重启设备；交换机所有配置恢复为出⼚设置。

FORTINET® PROTECT MANUAL FOR ERECTING FORTINET PROTECT FENCETable of contents1. The Betafence concept. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31.1 Post system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31.2 Tools for professional installation . . . . . . . . . . . . . . . . . . . . . . . . . 32. Preparation of the perimeter fence line . . . . . . . . . . . . . . . . . 43. Embedding the posts into the concrete . . . . . . . . . . . . . . . . . 64. Installation of the mesh . . . . . . . . . . . . . . . . . . . . . . . . . . . .75. To continue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106. Supplementary fixation. . . . . . . . . . . . . . . . . . . . . . . . . . . . 107. Supplementary indications to keep in mind . . . . . . . . . . . . . . 118. Reparation of fortinet welded mesh . . . . . . . . . . . . . . . . . . . 178.1 Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178.2 Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179.Fixing of Y-extension arms with barbed wire and clipped razortape on Bekaclip posts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20A. Fixation of the Y-extension arms on straight posts. . . . . . . . . . . . . .20B. Fixation of the barbed wire on the Y-extension . . . . . . . . . . . . . . . .20C.Installation & fixation of the concertina coil on top of theY-extension arms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211.THE BETAFENCE CONCEPTPOST SYSTEMTOOLS FOR PROFESSIONAL INSTALLATIONTension combClip tongsCrimping tongsProfessional Bekaclip postsThe welded mesh is fixed to the posts using stainless steel fixing clips.For even distribution of thetension across the welded mesh.For netting 1,50 meter to 2 meterhigh.For fixing the clips to theattachment strips on the posts.For adjusting the tension(increases the crimping in thehorizontal wires of the mesh)2.PREPARATION OF THE PERIMETER FENCELINELevel the fence line as much as possible over a width of about 3 meter and over the total length: endless undulations make the erecting of the fence very difficult.Normal ground constitutionHoles can be drilled by means of a drill screwed on an excavator: see dimensions as indicated on attached shopdrawing.Sandy groundWork with precast concrete foundation blocks ( off-site or “in sito” )Make full slots following the fence line and install the foundation blocks.Fill up the slot with back fill, gravel or something alike. Level the area in front (=outside the property) over about 3 meter.Hard rocky groundDrill holes with diameter +/- 20 cm, 60 cm deep by means of an adapted widia drill screwed on an excavator: posts can be shortened.After putting the postst in the holes fill up the holes with rigid liquid concrete.In areas where there is water accumulationDepending on the dept, use longer posts or check the possibility to put the fence on another track.Important note:▪Take at least one week for hardening of the concrete▪Make wet several times a day and protect against sunshine especially when temperatures are high▪We advice to use concrete as dry as possibleSample of a propertyInner- and outer cornersVerify the details related to the direction of the fixing strip on the post when making inner- and outer-corners.OUTER CORNER3.EMBEDDING THE POSTS INTO THE CONCRETE (+ ONE WEEK FOR HARDENING)STEP 1Start embedding the corner-, first- and end- posts and the intermediate tension posts first, together with the brace posts. STEP 2Fix the brace posts properly: each hole has to be directed to the mid point of the Bekaclip post; screws have to be fixed properly. Holes diameter 8 mm for hook bolts to be drilled on site/off site by a contractor. STEP 3Tension a rope from top to top of these tension units and embed theintermediate posts properly whilst touching the rope on top of the intermediateposts to ensure the right level and direction.4.INSTALLATION OF THE MESHBekaclip post with Bekaclip tong andstainless steel clipsSTEP 1 & STEP 2Unroll two Fortinet Protect rolls over the ground in front of the posts. STEP 3Connect them by means of the Fortinet clips.Lift up the start of the roll and fix on the first post.Fix each horizontal wire to start.Horizontal wires of the welded mesh on the outside of theproperty.The overhangs directed to the top of the fence.Secure the fixation by means of double knotted tie wire all over the height of the fence. STEP 5Insert the tension comb in the welded mesh acouple of meters over the first intermediatetension unit (at least 30 meter away from the firstpost).Hang on the belt/rope between tension comb andthe scoop of the excavator and start tensioning.The welded mesh will lift up by itself.Once you have full tension (= welded mesh isperfectly straight and “feels hard”, fix the rollon the fixation strip of the tension post withclips about each 30 cm.ORVerify the distance between the lower part of the roll and ground level before fixing properly.STEP 7Do the same on each intermediate post: distance between two clips is about 40 cm.Check height above ground level on each post before fixing.OR5.TO CONTINUEOnce the first 30 linear meter are installedproperly, untension the tension comb and thebelt/rope.Connect 2 or 3 new rolls on the first end andtension by means of the tension comb, the beltand the excavator.Always check the distance between welded meshand ground level and make yourself pleased withthe tension on the welded mesh before fixing.Always fix the mesh first on the tension units(step 6 each +/- 30 linear meter) and later on theintermediate posts (step 7) .6.SUPPLEMENTARY FIXATIONSupplementary double tie wire can be added afterwards and knotted on the inside of the property. We advice once at the top, once at the bottom and once in the middle of the welded mesh.7.SUPPLEMENTARY INDICATIONS TO KEEP IN MIND1.We advice to start erecting the fence on a normal, flat and horizontal groundlevel to learn and to feel how to handle .2.Inner and outer cornersIt is very important to think about the position of the fixation strip of theBekaclip posts before embedding them into the concrete, see the details. Also think about the direction of tensioning before embedding and drilling thecorner posts: sometimes it can be better to turn the post over 90°. Ensure yourself before starting.3.Slopes▪Fix all intermediate posts/fence(detail 3).4.It is important to have some rigid ladders to allow labourers to work up to2,5 meter high .5.Never walk over the welded mesh when spread over the ground, except tojoin two rolls. Otherwise, each step damages/deforms the fence and willinfluence the look afterwards. Of course, this can be adjusted by means of the crimp tong but takes supplementary time afterwards. If there areundulations in the fence after fixing properly, they can be removed by means of the same crimp tong.Crimp tong Tension fork6.When interrupting erecting fence ( for instance after a shift/before aweekend), always fix the last end of the welded mesh on the “lastintermediate tension unit” with clips 10 to 15cm spacing between.7.Prepare the fence line as straight levelled as possible and remove all dirt(rock blocs, wooden planks,….) over a width of about 3 meter in front of the posts: this decreases damages on the welded mesh and increases safety on the job, the speed and the end look of the fence.8.In case of concrete on the lower part of the Bekaclip posts, clean them beforeeverything is hardened, otherwise it will be difficult or impossible to install the clips properly.9.If axe holes of the Fortinet Protect rolls are damaged during uncharging thecontainers, cut away two or tree meshes. Keep in mind that, when fixing two rolls together, it is important that the join is as flat as possible .10.If intermediate posts are not perfectly levelled, it is possible to adjust beforefixing the mesh by means of the black small tension forks by pushing theposts to the left or to the right: this will upgrade the look afterwards .11.Number of clips : For a 2 meter high fenceFor a 2,5 meter high fence with extension arm :12.Unloading a container :To avoid damage to the rolls, replace the standard flat forks on the forklift by round pointed beam.Make sure the forklift can drive into the container to unload to unload. Try to organise a ramp for unloading the container.Such a tool will increase the speed of unloading substantially.13.Verify the dimensions and capacities of the excavator:This is an essential tool to tension in a proper way in all conditions and eliminates working with a winch. In the mean time, the workman with the excavator can transport the heavy rolls, level and backfill the perimeter area.PROCEDURE1.Problem of broken mesh2.Hang on both sides of the mesh a tension comb as close as possible on the inside of the fence, connected with the winch.3.Pull both ends together by using the winch4.Adjust the pieces of Fortinet welded mesh and connect all parts using the Fortinet clips9.FIXING OF Y-EXTENSION ARMS WITH BARBED WIRE AND CLIPPED RAZOR TAPE ON BEKACLIP POSTSA.Fixation of the Y-extension arms on straight postsOff the site▪Enter the Bekaclip post into the small part of the extension arm. If there isa hole diameter 8 mm in the Bekaclip post. This is the part of the post tobe embedded into the concrete .▪Using the self drilling screws 4,8x25 mm, you also need a hard steel drive pen to prepare a hole, a specific bit WERA type 851/1 BDC f.i. and a drilland driver with variable speed (450..1500 r/min.) and adjustable torque(3Nm…10Nm).On site▪Install the extension arm in top of the post .▪Using the self drilling screws 4,8x25 mm : you will need the same tooling as described above AND a contra block f.i. a hammer of min. 1.25kg), toprepare a hole in the extension arm to make drilling and screwing easier .B.Fixation of the barbed wire on the Y-extension▪Unroll a 250 meter long coil of barbed wire in front of the fence.▪Fix the barbed wire on top of an Y-extension, +/- 3 cm beyond the top of the extension arm, at about 125 meter distance from the first post, therewhere you have brace posts.▪Turn the barbed wire around the Bekaclip extension arm and secure the fixation b.m.o. the standard stainless steel clip on the fixing strip.▪Fix a tensioner on both ends of the barbed wire, see drawing below, and tension the barbed wire properly.▪Start with a second layer of barbed wire in the same way, taking into account a spacing of about 20 cm from the top layer.▪Do the installation of the barbed wire on both sites of the fence simultaneously to avoid sacks in the barbed wire rope or lower tension on one of both sides of the fence.C.Installation & fixation of the concertina coil ontop of the Y-extension arms▪necessary tools:-high truck with platform or hollow tube 12 meter long about 5 forks, 3 meter long, to be arranged locally▪using a high truck passing the fence:-whilst truck is moving slowly along the fence, have the coilextended and lay down on the barbed wire ropes over 12 meter ▪using a hollow tube of >12 meter:-Extend the coil over 12 meter-Enter the tube throughout the axe hole of the coil-Fix start & end of the extended coil on the tube = 12 meterextended-Lift up the extended 12 meter long coil by means of minimum 5 forks & 5 people and drop the extended coil on the barbed wireropes▪connection of two coils by means of 3 stainless steel clips▪connection of the coil on the barbed wire ropes: with about 27 stainless steel clips between two extension arms = join each contact point between razor tape and barbed wire.。

#1 Cybersecurity Company in the WorldLeading Every Evolutionof CybersecurityNearly 3x more patents than our nearest competitor~30% of Global Firewall Shipments and counting across industriesMost 3rd Party ValidatedMore tested and proven than any other network security vendorWho is Fortinet?ComplexityAdvancedThreatsValue and ROIComplexity •Attack surface is expanding and becoming harder to maintain V&C•Handing more valuable data•Lack staff to manage best-of-breed and remote locations•Managing disparate and poorly integrated solutions•Aggregating reporting / logs •Responding to conflicting alertsAdvancedThreats •Attack tech easier to use and consume •SMBs are handling more mature data and sharing like enterprises•Attackers know SMB not as many resources to stop and security not as high priority •When business shifts, security falls away •SMBs unsure whether existing security is effectiveValue and ROI•High powered firewalls are pricey •Unsure who to believe for SMB use-case•Consumer-grade tools unable to meet future growth needs (performance/function)ComplexitySMBs are consuming more tech•How well have you been able to maintain V&C through the shift?•We’re hearing a lot of issues and worry around endpoint hygiene, how are you handling?•How many different security and networking vendors are you trying tointegrate? Across how many locations?Advanced ThreatsSMBs targeted with more sophisticated threats•Others are seeing more sophisticated malware starting to come through and are evading detection –how do you feel?•How do you vet your security to know it’s working?•How much time do you have to spend checking and working on firewall administration?Value and ROIHigh costs for performance•When you were originally comparing vendors, did you look at Fortinet’s price and performance benchmarks?•Why didn’t you choose Fortinet? Willing to take another look?Performance and SecurityVisibility and ControlMaximizing ResourcesFortinet routinely performs multiple times faster than similarlypriced competitors without sacrificing securityYear after year, Fortinet is validated by third parties as one of theleading network security vendors on the marketFortinet is consistently recognized by industry leaders andanalysts including Gartner and NSS Labs as a leader incybersecurity and has higher performance than similarly pricedcompetitor devicesFortinet boasts the broadest, most integrated security platform onthe market with products designed to work together Business Challenges/ Fortinet Solutions43% of cyberattacks target SMBsFortinet SMB Security Solutions provide a path to complete protection SMBs can take advantage of tight integration , automation , and visibility cycles, and scale as the company grows89%of SMBs considercybersecurity a top priorityWith Fortinet, we can deliver complete protection , everywhere you need itAnd we’re designed to maximize simplicity performance you need to growWe deliver this through:Our missionA complete cloud-managed networking and security platform for lean IT teamsWith proven security that automatically adapts to changing business requirements and threats but doesn’t sacrifice performanceAt a price point designed to allow any size business to get the solution they need to handle modern challenges like shifting to a hybrid workforceIntelligent enough tohandle modern threatsand requirements…built to maximizelimited resourcesYou Need ASmarter ApproachProven SecurityConsolidatedManagementMaximum ValueIntent-based policiesUnified visibility controlCentralized cloud-managementof all your Switches, APs, Firewalls and SD-WAN into a single device , the FortiGate NGFWmaintain consistency with policies built around users, devices and applications that easily scale and adapt when things changegives you the freedom to manage andtroubleshoot any device, anytime, from anywhere and save money by eliminating onsite IT staff at remote locationsA complete cloud-managed networking and security platform for lean IT teamsA complete cloud-managed networking and security platform for lean IT TeamsMaintain consistency with intent-based policies built around users, devices and applications that easily scales and adapts when things changeIntent based policies and segmentation allow you to start building towards a zero-trust networkIntegrated endpoint and network visibility enables you to control endpoint hygiene and network access based on risk Build an adaptive hybrid environment with network access controls based on endpoint risk Simplify management by consolidating visibility and control of all your Switches, APs, NGFWs and SD-WAN into a single device, the FortiGate NGFW Modernize policy management by merging control of networking and security into a single, unified policy organized on a single screen and eliminate the need to shift across poorly integrated devices, management consoles and platformsBuild a smarter more secure network around how your business operates with an understanding of users, groups, devices and applications that maintains consistency and automatically adapts as your business changesFine tune application control and enable safe, business approved capabilities while blocking other risky, potentially dangerous features without shutting down access to the entire applicationA complete cloud-managed networking and security platform for lean IT TeamsCentralized cloud-management gives you the freedom to manage and troubleshoot any device, anytime, from anywhere and save money by eliminating onsite IT staff at remote locationsDesigned for growth allowing you to scale from small local deployments to large scale, diversified enterprises (FortiDeploy)Eliminate the need for on-site IT staffZTP Cut through the noise with intuitive dashboards, monitoring and centralized logging to alert you when something’s off and automate response Comprehensive monitoring integrates real-time and historical data into practical dashboards to help you quickly understand and identify key areas of improvement and understand how your network is operatingVisualize your entire network with an easy-to-use GUI, drill downs and out of the box reporting to easily explain quickly prove complianceStop endlessly hunting through policies and logs and quickly find what you’re looking for with advanced search capabilities and fully customizable time parametersMaintain performanceImplement enterprise security and automationTrustwithout an enterprise bill that delivers threatintelligence in minutes to prevent advanced threatseven with security and decryption fully engaged thanks to Fortinet’s dedication to R&D and parallel path processingin a vendor that’s been thoroughly tested and vetted by security experts and publicly validatedPeace of mind your security works and can adapt to changing businessrequirements and threatsPeace of mind your security works and can adapt to changing business requirements and threatsImplement enterprise security and automation without an enterprise bill that delivers threat intelligence in minutes to prevent advanced threatsBroadest natively integrated security platform on the market Threat intelligence automatically shared across the entire Fortinet Security Fabric in minutes, not hours or days Automation capabilities based on IoC Trust in a vendor that’s been thoroughly tested and vetted by security experts and publicly validated Leading IPS technologyGartner critical capZTPAdv. Malware ProtectionProtects against the latest viruses, spyware and otherthreats. Includes: Antivirus, Sandboxing, Anti-Botnet, VirusOutbreak ProtectionWeb & Content FilteringProvides protection through blocking access to malicious,hacked and inappropriate websitesApplication ControlQuickly create policies to allow, deny, or restrict access toindividual applications or entire categoriesIntrusion Prevention (IPS)Provides near real-time updates and threat intelligence toproactively block attacksVPN (IPsec & SSL)Creates an encrypted tunnel to enable secure remoteaccess for employees and branch locations465K+ customer networksacross all major threat vectorsInformation feeds200+100B+ EventsML and AI platform speeds detection and protectionWorldwide team of threat hunters,researchers, analysts, tool developers and data scientistsPreventionKnown attacksDetectionUnknown attacksFirewallsWebEmailsEndpointsIntelligencePlaybooks, IRThreat sharing and intelligence derived from billions of sensorsAutomated Security•Most widely deployed NGFW on themarket •Lowest cost per protected Mbps•Integrated Secure SD-WAN•Wi-Fi 6 Ready•Indoor and Outdoor options •Strong connectivity even in dense environments•Multiple Gigabit ports •Stackable•Power over Ethernet optionsFortiGate FortiSwitch FortiAPCritical networking components tightly integrated for superior performanceFortiGate 60F Security Compute Rating ComparisonSpecificationFortiGate60F (SOC4ASIC)IndustryAverageSecurityComputeRating1Palo AltoNetworksPA-220CheckpointSG-1550Cisco MerakiMX67SophosXG125SonicWallTZ400Firewall10Gbps 2.05Gbps5x0.5Gbps1Gbps0.45Gbps7 Gbps 1.3 Gbps IPsec VPN 6.5Gbps0.8Gbps8x0.1Gbps 1.3Gbps0.2Gbps 1.5 Gbps900 MbpsIPsec GW to GWtunnels200537---50-20Threatprevention0.70Gbps0.38Gbps2x0.15Gbps0.45Gbps0.3Gbps400 Mbps600 Mbps SSL Inspection0.75Gbps0.14Gbps5x0.065Gbps--170 Mbps180 MbpsConcurrentSessions700,00080,0009x64,000500,000--125,000Connections persecond35,0008,0004x4,20014,000NA-6,000 1.Security Compute Rating: Benchmark (performance multiplier) that compares FortiGate NGFW performance vs the industry average of competing products across various categories that fall within the same price bandSupport your visionDesigned for growthStretch your budgetwith right-sized solutions and purpose-built fabric connectors that deliver turnkey deployment and deeper integration vs. basic API integrationswith a trusted platform that helps you -not one that leaves you building workarounds and adding complexity as you growdon’t overpay for performance or make sacrifices when it comes to functionality, Fortinet leads the way in ROIA smarter investment to get the networking, security and performance you need today and for the futureA smarter investment to get the networking, security and performance you need today and for the futurePrice to PerformanceConsistently recognized leader by industry analysts including Gartner, NSS and of course our customersSuperior security compute ratings compared to competitors No charge Cyber Threat Assessment Program to help discover what may be lurking in your network so you can take action Designed for GrowthRight sized options and capabilities to fit your true needs with consistent look and feel enable you to expand when you’re ready from local SD-Branch deployments to large scale enterprisesFortinet’s open ecosystem architecture enables Fortinet Security Fabric to quickly integrate with other vendors and share information and perform coordinated actionsPurpose-built Fabric Connectors deliver turnkey API-based integration with as little as a single click free of charge and facilitate real-time communications and automatic updates between Fortinet and 3rd party solutionsKey DifferentiatorsAutomated SecurityBroadest Integrated Platform Industry-leading Price to PerformanceMost Deployed NGFW in the WorldSmarter Long-term InvestmentNetworking and Security Converged The FortiGate NGFW brings advanced threat protection, IPS, web filtering, SD-WAN and more in a single device without sacrificing security or adding complexityFortiSandbox Cloud is an as-a-service Sandbox that simplifies deployments and maintenance, and reducesFortinet prides itself on limited acquisitions to grow our capabilities and continues to boast the broadest offering in the industryMultiple times better performance than similarly priced competitors with the lowest total cost of ownership (TCO)Extensive security and management-as-a-service offering for SMBs looking to take advantage of cloud security and flexibility from a single vendorFortinet has more third-party validations than any other network security vendorSecurity-Driven NetworkingAdaptive Cloud SecurityFortiGuard Security ServicesOpen EcosystemFabric Management Center -NOCZero Trust AccessFabric Management Center -SOCLAN EdgeWAN EdgeDC EdgeCloud EdgeFortiGateFortiExtender FortiAPFortiSwitch FortiSASEFortiGate SD-WANFortiProxy FortiISolator NetworkPlatformApplicationsFortiGate VMFortiDDos Cloud NetworkingFortiCASBFortiCWPFortiWebFortiMailFortiADC FortiGSLBAWS Native Azure Native FortiToken FortiNACFortiClient FortiAuthenticatorFortiMonitorFortiManagerFortiCloudEndpointBreachIncident ResponseFortiXDRFortiEDRFortiAnalyzer FortiSIEMFortiISOARFortiSandboxFortiAIFortiDeceptorFortiGuard MDRServiceSOC & NOC User SecurityUser Security Device SecurityContent Security Advanced SOC/NOCWeb SecurityConnector Fabric APIDevOpsExtended Fabric Ecosystem。

FortiGate VPN GuideFortiGate VPN指南FortiGate VPN GuideFortiGate 用户手册第二卷版本2.50 MR22003年8月8日© Copyright 2003 美国飞塔有限公司版权所有。

本手册中所包含的任何文字、例子、图表和插图，未经美国飞塔有限公司的许可，不得因任何用途以电子、机械、人工、光学或其它任何手段翻印、传播或发布。

FortiGate VPN 指南版本2.50 MR22003年8月8日注册商标本手册中提及的产品由他们各自的所有者拥有其商标或注册商标。

服从规范FCC Class A Part 15 CSA/CUS请访问以获取技术支持。

请将在本文档或任何Fortinet技术文档中发现的错误信息或疏漏之处发送到techdoc@。

目录简介 (1)Fortinet VPN (1)关于本文档 (2)文档约定 (2)Fortinet 文档 (3)Fortinet技术文档的注释 (3)客户服务和技术支持 (3)IPSec VPN (5)IPSec VPN 技术 (5)IPSec VPN 安全协议 (5)密钥管理 (6)手工密钥 (6)使用预置密钥或证书的自动互联网密钥交换(自动IKE) (6)安全组合 (7)通道协商 (7)第一阶段协商 (7)第二阶段协商 (9)网络拓扑 (9)全网状网络 (9)半网状网络拓扑 (10)星型（集线器和辐条）网络（VPN集中器） (10)与IPSec VPN产品的兼容性 (10)使用认证的IPSec VPNs (13)概述 (13)公钥密码系统 (14)证书管理的一般配置步骤 (15)获取一个签名的本地证书 (16)生成证书申请 (16)下载证书申请 (18)请求签名的本地证书 (19)领取签名的本地证书 (19)导入签名的本地证书 (20)获取一个CA证书 (20)领取一个CA证书 (20)导入一个CA证书 (20)使用证书的IPSec VPN一般配置步骤 (21)添加第一阶段配置 (21)添加第二阶段配置 (26)添加一个源地址 (28)添加目的地址 (28)FortiGate VPN 指南iii添加一个加密策略 (29)例子：单一动态VPN端点 (33)网络拓扑结构 (33)一般配置步骤 (33)配置参数 (34)配置分支机构网关 (37)配置主办公机构网关 (41)预置密钥IPSec VPN (47)概述 (47)主模式和进取模式的端点识别 (47)主模式中的用户名和密码认证 (48)进取模式的用户名和密码认证 (49)一般配置步骤 (51)添加第一阶段配置 (52)添加第二阶段配置 (57)添加一个源地址 (59)添加目的地址 (59)添加一个加密策略 (60)例子：使用预置密钥的静态VPN端点认证 (64)网络拓扑结构 (64)一般配置步骤 (64)配置参数 (65)配置分支机构网关 (67)配置主办公机构网关 (70)例子：使用单独密码的VPN端点（客户端）认证 (73)网络拓扑结构 (73)一般配置步骤 (74)为Fortinet VPN客户端（拨号用户）配置参数 (75)配置FortiGate500的参数（拨号服务器） (76)配置分支机构客户端 (79)配置主办公机构网关 (81)例子：使用单独密码的动态VPN端点（网关）认证 (85)网络拓扑结构 (85)一般配置步骤 (85)配置参数 (86)配置分支机构网关 (89)配置主办公机构网关 (92)手工密钥的IPSec VPN (97)概述 (97)一般配置步骤 (97)添加一个手工密钥VPN通道 (98)添加一个源地址 (100)iv美国飞塔有限公司添加目的地址 (100)添加一个加密策略 (101)例子：单一手工密钥端点 (104)网络拓扑结构 (104)一般配置步骤 (104)配置参数 (105)配置主办公机构网关 (106)配置分支机构网关 (109)IPSec VPN 集中器 (113)概述 (113)VPN 集中器（集线器）一般配置步骤 (114)添加一个VPN集中器 (115)VPN 辐条一般配置步骤 (116)例子：带有三个辐条的一个VPN集中器 (117)网络拓扑结构 (118)一般配置步骤 (118)配置参数 (120)IPSec VPN冗余 (127)概述 (127)一般配置步骤 (127)PPTP 和 L2TP VPNs (131)点对点隧道协议（PPTP）概述 (131)PPTP一般配置步骤 (131)将FortiGate设备配置为 PPTP网关 (133)配置PPTP的Windows98客户端 (137)配置Windows2000的PPTP客户端 (138)配置WindowsXP的PPTP客户端 (138)第二层隧道协议(L2TP) 概述 (140)L2TP一般配置步骤 (140)把FortiGate配置为L2TP网关 (142)启用L2TP并指定一个地址范围 (143)配置Windows2000客户的L2TP (145)配置WindowsXP客户的L2TP (146)VPN监视和故障排除 (149)查看VPN通道状态 (149)查看拨号VPN连接的状态 (150)测试 VPN (150)将VPN事件记录日志 (150)术语表 (153)FortiGate VPN 指南v索引 (155)vi美国飞塔有限公司FortiGate VPN 指南版本2.50 MR2简介虚拟专用网络（VPN）是一个拓展的私有网络，它由穿过共享或公共网络（例如互联网）的连接组成。

MANUAL DE USO DE FORTINET (DISTRIBUCIÓNINDEPENDIENTE)José Manuel Redondo López (Departamento de Informática)Universidad de Oviedo“Nautilus” v1.0 (2022)CONTENIDOUsando la VPN de Uniovi desde cualquier sistema operativo (Nivel 2) (2)Instalación (2)Configuración inicial (6)Conexión (8)Posibles errores (10)El servicio de Acceso Remoto (VPN) de nuestra universidad nos permite acceder desde Internet a recursos que hay conectados en la red corporativa. Una vez establecida la conexión, el ordenador de usuario estará virtualmente ubicado en la red de la Universidad. Adicionalmente, todo el tráfico generado por el dispositivo del usuario cuyo destino esté dentro de la red de la Universidad, se enviará en un formato cifrado, de manera que nadie podrá ver su contenido, aunque estemos enviándolo por Internet. La conexión de acceso remoto (VPN) permite:∙Conectarse desde Internet a ordenadores situados en la red de la Universidad de Oviedo.∙Acceder a las Bases de Datos de la Biblioteca Universitaria (dichas Bases de Datos son de uso restringido y sólo se puede acceder a ellas desde dentro de la red de la Universidad).∙Acceder a Publicaciones Periódicas, también restringidas al uso dentro de la Universidad.¿Por qué es mejor usar VPN que otras soluciones que son más sencillas de entender como exponer a Internet un escritorio remoto o RDP (puerto 3389)? Porque con escritorios remotos se han dado multitud de problemas de seguridad e intrusiones en el pasado principalmente debidos a dos motivos:1.Debilidad de las claves de entrada en sesión, que las hace vulnerables a ataques de fuerzabruta, por ejemplo. Con esto cualquier persona ajena a la universidad podrá entrar a nuestra máquina y usarla para atacar otros sistemas internos o robar nuestra información.2.Vulnerabilidades conocidas: No hace demasiado tiempo RDP tuvo una vulnerabilidadconocida muy grave que permitía a cualquiera ejecutar comandos en la máquina destino sin ni siquiera entrar en sesión de esta, quedando la máquina completamente expuesta. La única forma de librarse de estas vulnerabilidades es estar muy al día con las actualizaciones y que no seamos víctima de una antes de que el parche se pueda instalar.Por estos motivos, requerir una conexión a la VPN de Uniovi antes de poder acceder al escritorio remoto de nuestros equipos es una medida de seguridad adicional que nos garantiza que solo personas autorizadas por la Universidad para entrar en la VPN podrán hacer intentos de conexión al mismo. Gracias a la incorporación del 2FA, la probabilidad de que sea una cuenta robada ha disminuido muy significativamente. En general esta política debe aplicarse no solo con el escritorio remoto, sino con cualquier servicio que necesitemos ofrecer desde alguna máquina de la Universidad. Esto quiere decir que debemos limitar al máximo (o no usar) las solicitudes de apertura perimetral que ofrece la Universidad a máquinas de su red: https://sic.uniovi.es/atencionusuario/administradoresEl servicio VPN necesita la instalación de un cliente específico, y ésta se encuentra documentada aquí: https:///sites/PortaldeSoftwareCorporativo/SitePages/Acceso‐Remoto.aspx . No obstante, en esta actividad vamos a describir el uso del cliente Fortinet VPN, que es el que se necesita para utilizar sistemas operativos distintos de Windows o MacOS, como Android, IOS o Linux.InstalaciónLo primero que debemos hacer es descargarnos el cliente correspondiente a nuestro sistema operativo de esta dirección: https:///support/product‐downloads. De todos los productos disponibles, es necesario elegir FortiClient VPN.Aquí el comportamiento cambiará en función del sistema operativo que tengamos. Para Windows, por ejemplo, simplemente debemos instalar el cliente y reiniciar el sistema operativo para comenzar a usarlo. En el caso de Linux, todo depende del sistema gráfico que tengamos instalado y las funcionalidades que tenga implementadas.Instalación con un GUI “completo” como GnomePor ejemplo, en el caso de Gnome (GUI por defecto de Ubuntu 18.04+) veremos este dialogo al descargar. En el vemos que se nos ofrece la opción de instalar el software directamente o la de guardarlo para instalarlo posteriormente. Se recomienda la segunda, puesto que se han detectado casos en los que la instalación directa da un error relativo al formato del fichero descargado.Hecha la descarga, simplemente haciendo clic derecho sobre el archivo podremos usar la opción de“Abrir con instalar software”.Lo cual nos abre la interfaz gráfica de instalación de paquetes, donde solo tenemos que darle a instalarpara continuar.Instalación con un GUI “ligero” como XFCE4Si nuestra máquina Linux tiene un GUI ligero es posible que ciertas opciones de instalación gráfica depaquetes no estén disponibles, por lo que tenemos que hacer una instalación más bien manual. Antesde empezar, hay que destacar que se han detectado casos en los que el cliente, aunque se instalecorrectamente y haga todo el proceso de conexión hasta el final, no llega a establecer la VPN en unLinux con XFCE4, por lo que se recomienda el uso de Gnome o similar para evitar posibles problemas. En cualquier caso, al descargar el fichero tenemos este dialogo, donde no se nos ofrece la instalación, sino la apertura del fichero del paquete descargado (que es un archivo comprimido con una estructura interna especial) o su descarga. En nuestro caso solo nos es útil la segunda:Los GUIs ligeros no instalan algunos paquetes para disminuir su uso de recursos y en este caso nos falta uno que el cliente de Fortigate VPN necesita, libappindicator1. Por ello, debemos proceder a su instalación con apt install libappindicator1. Vemos que en este caso nos da un error de dependencias que podemos reparar simplemente con sudo apt –fix‐broken install, con lo que se volverá a instalar la librería necesaria.Hecho esto, ya podemos instalar el paquete con sudo dpkg ‐i <fichero descargado de la web deSi todo es correcto, tendríamos que ver esta pantalla y ya podemos proceder a la configuración inicial.Configuración inicialUna vez instalado el cliente de Fortigate VPN, podemos acceder a él mediante el menú de programas del sistema operativo (Accesorios en la imagen) o bien mediante un icono que nos aparecerá en la barra de menú superior del mismo. En cualquier caso se abrirá la pantalla de bienvenida donde tendremos que aceptar el acuerdo de licencia para usar el programa.Hecho esto, ya estamos en disposición de configurar nuestra conexión de VPN con la opción “Configure VPN” del programa.Los parámetros para una conexión a nuestra universidad son principalmente dos. El nombre de la conexión puede ser el que queramos:∙Remote Gateway: portalfn.uniovi.es∙Activar “Enable Single Sign On (SSO) for VPN Tunnel”Hecho esto, salvamos la configuración y ya podemos usar una conexión con ese nombre en adelante.Ahora ya podemos iniciar la conexión pulsando en el botón “SAML Login”. Si nos hemos equivocado al configurar la conexión o queremos cambiar algo, podemos pulsar en el botón de las tres rayashorizontales para volver a la pantalla anterior.ConexiónUna vez iniciemos la conexión, se nos preguntará en primer lugar por nuestro identificador de laUniversidad de Oviedo (incluyendo el @uniovi.es).Ahora debemos introducir nuestra password de la Intranet para continuarSi la clave es correcta, ahora nos pedirá que introduzcamos el código del sistema 2FA que hayamos introducido (tradicionalmente el que nos llega por SMS al móvil) para poder continuar. Si es correcto, veremos este dialogo de confirmación al que debemos darle OK para conectar (NOTA: este dialogo no parece que se muestre en sistemas Windows).Si todo es correcto, deberíamos ver esta pantalla de información que nos muestra nuestra IP dentro de la VPN, el tiempo que llevamos conectados y el tráfico de datos enviados y recibidos a / desde la red de Uniovi. Pulsando en “Desconectar” interrumpiremos nuestra conexión VPN.A modo de curiosidad, en línea de comandos podemos ver cómo mientras la VPN está activa tenemos un nuevo interfaz de red virtual creado, a través del cual se envían los datos a la red de la Universidad.Posibles errores¿Qué pasa si no he activado aún el 2FA?Para usar la VPN es necesario tener el 2FA activo, ya que ahora es obligatorio para toda la Universidad. Si aún no lo hubiéramos hecho por cualquier motivo, al introducir correctamente la clave de nuestro usuario se nos notificaría esto, que es lo que nos permite establecer el método 2FA que usaremos en adelante.En la pantalla siguiente podemos dar un nº de teléfono donde se nos enviará un SMS o una llamada para verificar nuestra identidad.Si elegimos enviar un mensaje de texto, ahora deberíamos recibir uno en el teléfono indicado e introducirlo en la siguiendo pantallaSi lo introducimos correctamente habremos configurado satisfactoriamente el 2FA para este servicioy todos los de Uniovi que lo requieran en adelante.Otros erroresEl servicio VPN no está disponible para personas que ya no tienen ninguna vinculación con laUniversidad de Oviedo (antiguos empleados o estudiantes, por ejemplo), y en ese caso se muestra elsiguiente error. Si consideras que es un error, debes hablar con el Causi para que lo puedan arreglar.En determinados sistemas operativos, una vez que se ha introducido la clave y el 2FA correctamente el cliente se queda parado en esta pantalla y nunca termina de avanzar.En estos casos, se cierra la ventana “Working” y se intenta otra vez desde la ventana de conexión y ya se puede establecer la conexión.。