Fortinet FortiGate 50A User Manual Page 180
- Page / 272
- Table of contents
- BOOKMARKS
Rated. / 5. Based on customer reviews
180 Fortinet Inc.
Key management IPSec VPN
Key management
There are three basic elements in any encryption system:
• an algorithm that changes information into code,
• a cryptographic key that serves as a secret starting point for the algorithm,
• a management system to control the key.
IPSec provides two ways to handle key exchange and management:
• Manual Keys
• Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates
Manual Keys
When using manual keys, matching security settings must be entered at both ends of
the tunnel. These settings, which include both the encryption and authentication keys,
must be kept secret so that unauthorized parties cannot decrypt the data, even if they
know which encryption algorithm is being used.
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates
For using multiple tunnels, an automated system of key management is required.
IPSec supports the automated generation and negotiation of keys using the Internet
Key Exchange protocol. This method of key management is referred to as AutoIKE.
Fortinet supports AutoIKE with pre-shared keys and AutoIKE with certificates.
AutoIKE with pre-shared keys
If both peers in a session are configured with the same pre-shared key, they can use it
to authenticate themselves to each other. The peers do not send the key to each
other. Instead, as part of the security negotiation process, they use it in combination
with a Diffie-Hellman group to create a session key. The session key is used for
encryption and authentication and is automatically regenerated by IKE during the
communication session.
Pre-shared keys are similar to manual keys in that they require the network
administrator to distribute and manage matching information at the VPN peer sites.
Whenever a pre-shared key changes, the administrator must update both sites.
AutoIKE with certificates
This method of key management involves a trusted third party, the certificate authority
(CA). Each peer in a VPN is first required to generate a set of keys, known as a
public/private key pair. The CA signs the public key for each peer, creating a signed
digital certificate. The peer then contacts the CA to retrieve their own certificates, plus
that of the CA. After the certificates are uploaded to the FortiGate units and
appropriate IPSec tunnels and policies are configured, the peers are ready to
communicate. As they do, IKE manages the exchange of certificates, sending signed
digital certificates from one peer to another. The signed digital certificates are
validated by the presence of the CA certificate at each end. With authentication
complete, the IPSec tunnel is then established.
In some respects, certificates are simpler to manage than manual keys or pre-shared
keys. For this reason, certificates are best suited to large network deployments.
- Installation and 1
- Configuration Guide 1
- Table of Contents 3
- 4 Fortinet Inc 4
- 6 Fortinet Inc 6
- 8 Fortinet Inc 8
- 10 Fortinet Inc 10
- Contents 11
- 12 Fortinet Inc 12
- Introduction 13
- Document conventions 14
- Fortinet documentation 15
- 16 Fortinet Inc 16
- Getting started 17
- Package contents 18
- Mounting 18
- Powering on 19
- 20 Fortinet Inc 20
- 22 Fortinet Inc 22
- 24 Fortinet Inc 24
- Strict content profile 25
- 26 Fortinet Inc 26
- Scan content profile 26
- Web content profile 26
- Unfiltered content profile 27
- NAT/Route mode 27
- 28 Fortinet Inc 28
- Transparent mode 28
- Configuration options 28
- Setup wizard 28
- 30 Fortinet Inc 30
- Next steps 31
- 32 Fortinet Inc 32
- NAT/Route mode installation 33
- 34 Fortinet Inc 34
- Using the setup wizard 35
- 36 Fortinet Inc 36
- FortiGate-50A 37
- Configuring your networks 38
- Completing the configuration 38
- 40 Fortinet Inc 40
- Transparent mode installation 41
- Changing to Transparent mode 43
- 46 Fortinet Inc 46
- General configuration steps 47
- 48 Fortinet Inc 48
- CLI configuration steps 48
- 50 Fortinet Inc 50
- 52 Fortinet Inc 52
- System status 53
- 54 Fortinet Inc 54
- 56 Fortinet Inc 56
- 58 Fortinet Inc 58
- 60 Fortinet Inc 60
- 62 Fortinet Inc 62
- Backing up system settings 64
- Restoring system settings 64
- Changing to NAT/Route mode 66
- Restarting the FortiGate unit 66
- 68 Fortinet Inc 68
- System status System status 69
- Session list 70
- 72 Fortinet Inc 72
- 74 Fortinet Inc 74
- Scheduling updates 76
- Adding an override server 77
- Enabling push updates 78
- 80 Fortinet Inc 80
- 82 Fortinet Inc 82
- Registering FortiGate units 83
- 84 Fortinet Inc 84
- FortiCare Service Contracts 84
- 86 Fortinet Inc 86
- 88 Fortinet Inc 88
- 90 Fortinet Inc 90
- 92 Fortinet Inc 92
- Network configuration 93
- 94 Fortinet Inc 94
- Viewing the interface list 94
- 96 Fortinet Inc 96
- 98 Fortinet Inc 98
- Configuring routing 100
- 102 Fortinet Inc 102
- Configuring the routing table 102
- Policy routing 103
- Configuring DHCP services 104
- Configuring a DHCP server 105
- 106 Fortinet Inc 106
- 108 Fortinet Inc 108
- Configuring modem settings 108
- Disconnecting the modem 109
- 110 Fortinet Inc 110
- Viewing modem status 110
- Backup mode configuration 110
- Standalone mode configuration 110
- 112 Fortinet Inc 112
- RIP configuration 113
- 114 Fortinet Inc 114
- 116 Fortinet Inc 116
- Adding RIP filters 117
- 118 Fortinet Inc 118
- 120 Fortinet Inc 120
- System configuration 121
- Changing system options 122
- 124 Fortinet Inc 124
- Configuring SNMP 125
- 126 Fortinet Inc 126
- 4 Select Apply 127
- 128 Fortinet Inc 128
- FortiGate MIBs 128
- FortiGate traps 129
- General FortiGate traps 129
- System traps 129
- Firewall configuration 131
- Replacement messages 133
- 134 Fortinet Inc 134
- Customizing alert emails 134
- NIDS event 135
- Virus alert 135
- Block alert 135
- 136 Fortinet Inc 136
- 138 Fortinet Inc 138
- Addresses 138
- Services 139
- Schedules 139
- Content profiles 139
- Adding firewall policies 140
- 142 Fortinet Inc 142
- VPN Tunnel 142
- Traffic Shaping 142
- Authentication 143
- Anti-Virus & Web filter 143
- Configuring policy lists 144
- Policy matching in detail 145
- Adding addresses 147
- 148 Fortinet Inc 148
- Editing addresses 148
- Deleting addresses 148
- 150 Fortinet Inc 150
- 152 Fortinet Inc 152
- Adding custom ICMP services 153
- Adding custom IP services 153
- Grouping services 153
- Creating one-time schedules 155
- Creating recurring schedules 155
- 156 Fortinet Inc 156
- Adding schedules to policies 156
- Virtual IPs 157
- 158 Fortinet Inc 158
- Adding static NAT virtual IPs 158
- 160 Fortinet Inc 160
- IP pools 161
- 162 Fortinet Inc 162
- Adding an IP pool 162
- IP pools and dynamic NAT 162
- IP/MAC binding 163
- 164 Fortinet Inc 164
- Adding IP/MAC addresses 165
- Enabling IP/MAC binding 165
- Default content profiles 167
- Adding content profiles 167
- 168 Fortinet Inc 168
- 170 Fortinet Inc 170
- Users and authentication 171
- 172 Fortinet Inc 172
- Configuring RADIUS support 174
- Configuring LDAP support 175
- 176 Fortinet Inc 176
- Deleting LDAP servers 176
- Configuring user groups 177
- 178 Fortinet Inc 178
- Deleting user groups 178
- IPSec VPN 179
- Key management 180
- Manual key IPSec VPNs 181
- AutoIKE IPSec VPNs 182
- IPSec VPN AutoIKE IPSec VPNs 183
- 184 Fortinet Inc 184
- Configuring advanced options 185
- 186 Fortinet Inc 186
- 188 Fortinet Inc 188
- Managing digital certificates 190
- 6 Configure the key 191
- 192 Fortinet Inc 192
- Obtaining CA certificates 192
- Configuring encrypt policies 193
- 194 Fortinet Inc 194
- Adding a source address 194
- Adding a destination address 194
- Adding an encrypt policy 195
- IPSec VPN concentrators 196
- 198 Fortinet Inc 198
- Adding a VPN concentrator 198
- 200 Fortinet Inc 200
- Viewing VPN tunnel status 201
- 202 Fortinet Inc 202
- Testing a VPN 202
- PPTP and L2TP VPN 203
- 204 Fortinet Inc 204
- 206 Fortinet Inc 206
- 208 Fortinet Inc 208
- Configuring L2TP 209
- 210 Fortinet Inc 210
- 212 Fortinet Inc 212
- 214 Fortinet Inc 214
- Detecting attacks 215
- 216 Fortinet Inc 216
- Viewing the signature list 217
- Viewing attack descriptions 217
- 218 Fortinet Inc 218
- Preventing attacks 220
- Logging attacks 222
- Manual message reduction 223
- 224 Fortinet Inc 224
- Antivirus protection 225
- Antivirus scanning 226
- File blocking 227
- 228 Fortinet Inc 228
- Viewing the virus list 229
- 230 Fortinet Inc 230
- Web filtering 231
- Content blocking 232
- Clearing the Banned Word list 233
- 234 Fortinet Inc 234
- URL blocking 235
- 236 Fortinet Inc 236
- Uploading a URL block list 236
- 238 Fortinet Inc 238
- Adding a Cerberian user 238
- Script filtering 240
- Exempt URL list 241
- 242 Fortinet Inc 242
- Uploading a URL Exempt List 242
- 244 Fortinet Inc 244
- Email filter 245
- Email banned word list 246
- Email block list 248
- Email exempt list 249
- Adding a subject tag 250
- Logging and reporting 251
- 252 Fortinet Inc 252
- Filtering log messages 253
- Configuring traffic logging 254
- Enabling traffic logging 255
- 256 Fortinet Inc 256
- Adding traffic filter entries 256
- Configuring alert email 257
- 258 Fortinet Inc 258
- Testing alert email 258
- Enabling alert email 258
- Glossary 259
- 260 Fortinet Inc 260
- Glossary 261
- 262 Fortinet Inc 262
- 264 Fortinet Inc 264
- 266 Fortinet Inc 266
- 268 Fortinet Inc 268
- 270 Fortinet Inc 270
- 272 Fortinet Inc 272
Related products and manuals for Hardware Fortinet FortiGate 50A
Hardware Fortinet FortiGate 620B User Manual
(62 pages)
(62 pages)
Hardware Fortinet FortiGate 100 User Manual
(272 pages)
(272 pages)
Hardware Fortinet FortiGate 5020 User Manual
(14 pages)
(14 pages)
Hardware Fortinet FortiLog-400 User Manual
(124 pages)
(124 pages)
© 2020, manymanuals.com. All rights reserved. | 2.959 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comments to this Manuals